
Beta Man Checks Out Spotlight on AD 27

OCTOBER 2005 WWW.REDMONDMAG.COM

MICROSOFT RESEARCH Rick Rashid heads the team that is “advancing the state of the art” 36

Internet Explorer: A Look at the Alternatives 53

The Ultimate Admin’s Guide 57

The Trouble with TCO 47

$5.95 • OCTOBER


Winner for Best Computer/Software Magazine 2005

Redmond: THE INDEPENDENT VOICE OF THE IT COMMUNITY

COVER STORY

The Power Inside
As head of Microsoft Research, Rick Rashid leads a team that remains largely anonymous, but whose work finds its way into nearly every product Redmond ships. Page 36

FEATURES

47 Smoke, but No Fire for TCO
Total Cost of Ownership (TCO) is a concept touted by Microsoft and various Linux vendors as proof that their products are cheapest to run. But TCO claims aren’t what they’re cracked up to be, and most IT shops never use TCO, or just plain do it wrong.

53 Test Drive a Better Browser
These alternatives to Microsoft’s Explorer can add Web-browsing muscle, but they’re not without potential problems.

57 Get Serious About Securing IE
Internet Explorer is one of the most used products in nearly every environment, but most administrators know little about how to tune it for best performance and security.

REDMOND REPORT

9 News Analysis: WinFS Questions Persist

10 EventLog: Longhorn gives Itanium 2 the squeeze, “Centro” slated for midsize businesses, “Project Green” gets new name and more.

12 Roadmap: Microsoft Maps Out a Plan to Integrate Virtualization into Windows

COLUMNS

4 Chief Concerns: Doug Barney. Spy Hunter

27 Beta Man: Don Jones. Spotlight Lights Up AD

63 Security Advisor: Joern Wettern. Will R2 Make You More Secure?

68 Mr. Script: Chris Brooke. Setting the Timer

72 Ten: Paul Desmond. Creative Server-Naming Conventions

REVIEWS

17 RX for Windows
The utilities in Winternals Admin Pak can help you get through most of the Windows troubleshooting incidents you’ll ever encounter.

19 Truly Wireless Networking
Strix Access/One’s unique configuration can put an end to cabled networks.

21 SoftGrid Serves Up Applications
Deliver applications to your users safely, conveniently and without a lot of overhead.

24 All Is Not Lost
When you need to find a long-lost document, dtSearch Desktop delivers quick results.

32 Your Turn: Keep Data in Line, Most of the Time
For synchronizing data on PocketPCs and Smartphones, ActiveSync 3.8 is easy enough to use, but many users say OS and phone service issues can knock it off balance.

ALSO IN THIS ISSUE

2 Redmond magazine online

6 Letters to Redmond

71 Ad and Editorial Indexes


Redmondmag.com, OCTOBER 2005

REDMONDMAG.COM

Exclusives Available Only on Redmondmag.com

Make sure you stop by Redmondmag.com this month to get your exclusive online content, including:

• The latest Redmond Negotiator column by Scott Braden, our licensing and negotiation guru. Get Open Licensing tips and get up to speed on rebate percentages for LARs and Software Assurance. (Find IT code: Braden)

• Recaps of Doug Barney’s twice-weekly Redmond Report column, covering the ins and outs of the latest happenings in the Microsoft IT space. (Find IT code: RReport) This column is a featured part of our free Redmond Report newsletter. (Sign up at Find IT code: Newsletters)

If you haven’t already, don’t forget to download the PDF version of the Redmond salary survey. (FindIT code: SSPDF) This extended, 27-page version of last month’s cover story includes many more charts and figures than were available in the print version. The PDF version is completely free, but does require registration with our Tech Library.

If you work with or manage Microsoft Certified Professionals, you might also want to download the MCPmag.com version of the survey, which includes exclusive charts on average salaries by skill and specialty area, all of which are broken down by related Microsoft certification. (FindIT code: MCPSSPDF)

REDMOND COMMUNITY

Redmond Newsletters

• Redmond Report: Our twice-weekly e-mail newsletter featuring news analysis, context and laughs. By Redmond’s Editor in Chief Doug Barney. FindIT code: Newsletters

• Security Watch: Keep current on the latest Windows network security topics. This newsletter features exclusive, online columns by Contributing Editor Russ Cooper of NTBugTraq fame. FindIT code: Newsletters

Discussion and Forums
Post your thoughts and opinions under our articles, or stop by the forums for more in-depth discussions. FindIT code: Forum

Your Turn
The interactivity center of the Redmond universe, where you get to express your views. FindIT code: YourTurn

MCPMAG.COM

Tales from the Trenches!
Tales from the trenches is back! Take a minute to learn from other readers’ experiences and share in the horror and humor of what your IT colleagues have gone through. These tales will be featured all month on the site.

Also this month, don’t miss:

• Andy Barkl reviews the latest revision of Microsoft’s 70-290 exam, “Managing and Maintaining a Server 2003 Environment.”

• Sekou Page, Zenprise’s Exchange and messaging expert and MCPmag.com’s new Server Solver columnist, takes on your toughest Exchange troubleshooting questions.

• TechLine’s Chris Wolfe takes on your most perplexing networking and troubleshooting dilemmas.

• A weekly watch on the latest security news from Security Watch columnist and NTBugtraq founder, Russ Cooper.

• Get your scripting fix with Don Jones’ Scripting Answers column.

Plus: Check out the latest columns posted at http://mcpmag.com/columns. And don’t miss the weekly MCP Radio broadcasts on Fridays: http://mcpmag.com/webcasts/mcpradio.

OTHER 101COMMUNICATIONS SITES

ENTmag.com
Special Report: Windows Vista, IE7 and Longhorn Server
Scott Bekker with the latest on what to expect from these betas. FindIT code: ENTWVIE

CertCities.com
Feature: CertCities.com’s Guide to Storage Certifications
Dan Hong looks at the wide variety of storage-related credentials available. FindIT code: CCStorage

TCPmag.com
Exam Review: Getting Past the PIX Firewall Exam
Andy Barkl reviews the latest version of Cisco’s PIX exam for the CCSP title. FindIT code: TCPPIX

FindITCodes
Throughout Redmond magazine, you’ll discover some stories contain FindIT codes. Key in those codes at Redmondmag.com to quickly access expanded content for the articles containing those codes. Just enter the code in the box at the top-right corner of any page on Redmondmag.com. Note that all FindIT codes are one word, and are not case sensitive.

2 | October 2005 | Redmond | redmondmag.com


Chief Concerns: Doug Barney

Spy Hunter

Something must be done about SpySheriff, SurfSidekick, Aurora and all the other foul varieties of spyware out there. Spyware is no longer low-level code that tracks our movements, serves up ads and steals our data. It has gotten even sneakier, embedding itself so deeply that sometimes we have to reformat to rid ourselves of its filth.

Not long ago, I wrote about Microsoft Windows AntiSpyware in a Redmond Report newsletter (sign up at Redmondmag.com, FindIT code: Newsletters). When I first used it, I got so few positives that I couldn’t decide whether or not it was working. Just days after that Redmond Report item ran, my 9-year-old son Nick was hit with the most vicious attack I’ve ever seen.

I heard him complaining about tons of pop-ups, which is strange because the Google toolbar is generally effective. I got worried when Firefox was hit just as bad. When I looked into it, Nick’s machine was a mess. Pop-ups wouldn’t stop popping: A legitimate-looking Microsoft error message warned that the machine was infected, and a huge pop-up conveniently offered to fix it with SpySheriff. SpySheriff masquerades as anti-spyware and even has a Web site where you could buy this garbage.

I tried to shut it down, but the Task Manager was disabled. The software had stolen my admin rights! Using Add/Remove took away SpySheriff, which had already installed itself. Seconds later, it was back—along with three or four other nasty new programs. Meanwhile, it installed a dozen or so shortcuts, including some that would make a porn star blush—all this on a 9-year-old’s computer.

I loaded Windows AntiSpyware after the infestation and watched it battle. The Microsoft pop-ups telling me there was a problem were covered by the SpySheriff pop-ups, and on it went. I did some research on sites like bleepingcomputer.com and found removal instructions that asked me to load five more programs, boot into safe mode and manually remove a bunch of files. I took the easy route and did a total reinstall—losing bookmarks, screensavers and more in the process. SpySheriff somehow survived, but Windows AntiSpyware found it quick enough to finally delete the beast.

Nick has another machine that was hit simultaneously by both SurfSidekick and Aurora, from the official-sounding ABI network. Aurora is almost impossible to excise. It survived a full sweep by four different anti-spyware programs, refused to be deleted by Add/Remove and has a Web-based uninstall that’s an .EXE file. My guess is that you’re installing something even worse by clicking this link.

These programs are not exactly hiding in the caves of Boro Boro, either. Most have Web sites, so why can’t law enforcement track down the authors and prosecute them? If the laws aren’t tough enough, make ’em tougher.

What are these canal-water sucking spyware writers thinking anyway? Isn’t the most effective spyware the most subtle? Thoughts? Send ’em to me at [email protected].

Redmond: THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY
OCTOBER 2005 ■ VOL. 11 ■ NO. 10

Group Publisher, Redmond Media Group: Henry Allain
Editorial Director, Redmond Media Group: Doug Barney
Group Associate Publisher, Redmond Media Group: Matt N. Morollo
Editor in Chief: Doug Barney
Editor: Paul Desmond
Executive Editor, Reviews: Lafe Low
Managing Editor: Keith Ward
News Editor: Scott Bekker
Assistant Managing Editor, Web Editor: Wendy Gonchar
Editor, Redmondmag.com, CertCities.com: Becky Nagel
Editor, MCPmag.com: Michael Domingo
Editor, ENTmag.com: Scott Bekker
Associate Editor, Web: Dan Hong
Contributing Editors: Chris Brooke, Don Jones, Joern Wettern
Art Director: Brad Zerbel
Senior Graphic Designer: Alan Tao
Director of Marketing: Michele Imgrund
Director of Audience Marketing: Janice Martin
Senior Web Developer: Rita Zurcher
Marketing Programs Associate: Videssa Djucich
Director of Print Production: Mary Ann Paniccia
Manufacturing & Distribution Director: Carlos Gonzalez

Enabling Technology Professionals to Succeed
President & CEO: Jeffrey S. Klein
Executive VP & CFO: Stuart K. Coppens
Executive VP: Gordon Haight
Senior VP & General Counsel: Sheryl L. Katz
Senior VP, Human Resources: Michael J. Valenti

Redmondmag.com
The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher. Postmaster: Send address changes to Redmond, P.O. Box 2063, Skokie, IL 60076-9699


Letters to Redmond

New Respect

I’m glad to read that the next step in developing software is to consider people. Mr. Allchin’s comment [“Mr. Windows” August 2005] that people in the loop are just as important a consideration as technology will ensure the success of his future efforts. I enjoyed the article and have a new respect for Mr. Allchin’s opinion.

Lou Rizzo
Huntsville, Ala.

Whaddya Think?!

Send your rants and raves about stories in this issue to [email protected]. Please include your first and last name, city and state.

A Brave New World: Why I’m Going to Buy a Mac

I read Doug Barney’s editorial [“Why I Bought a Mac,” August 2005] with a little amusement recently because each year, North Carolina has a back-to-school moratorium on sales tax (7 percent), which applies to computer purchases. At the biggest mall in the Research Triangle Park (RTP) area during this time, there was a line of about 300 people outside the Apple store. The Dell store had no line.

I recently shot some video of a sailboat race and was planning to edit it on my Dell home computer system. One of the crew on my boat approached me after the race and asked how I was going to edit the video. When I responded with “Dell PC” he looked at me squarely and said, “Don’t waste your time. Plug your camcorder into an Apple iMac and you’ll be done in no time.” Weeks later, my video still isn’t edited. So the effective work output in this case for my Wintel system to date is zero, which means my return on investment to date is zero, no matter what the investment was.

Therefore, I, too, am contemplating buying an Apple computer soon. It could be the start of a whole new world of computing relaxation.

Paul Triulzi
RTP/Durham, N.C.

No Silver Bullet

I liked Joern Wettern’s article “Dump your DMZ” [July 2005]—good ideas, even if there wasn’t a “silver bullet” solution at the end.

We make use of a dual-firewall DMZ here in an extranet between my company and my partner company that’s fairly secure and works well.

I have one question: Let’s say I needed to connect users in an isolated DMZ to a greater Windows domain. Wettern stated that a large number of ports need to be opened up between the domain controller and the workstation in the DMZ for domain authentication to work. What are the minimum ports I need to open in order to get these guys to log in, authenticate and process GPOs?

I’ve read the “Port Requirements for the Microsoft Windows Server System” and the “How to Configure a Firewall for Domains and Trusts” documents put out by Microsoft. In the latter document it shows the following ports:

• tcp/389 & udp/389 LDAP
• tcp/636 LDAP SSL
• tcp/3268 LDAP GC
• tcp/3269 LDAP GC SSL
• tcp/53 & udp/53 DNS
• tcp/88 & udp/88 Kerberos
• tcp/445 SMB

It says these are for Windows 2000. Is it the same for a Windows 2003 DC?

Greg Shields
Aurora, Co.

Wettern responds: I have good news and bad news. The good news is that none of the changes between Windows 2000 and Windows Server 2003 should impact the ports that are affected. The bad news is that controlling domain traffic by using packet filters can get rather tricky, in either version of the OS.

The biggest challenge is that some domain traffic uses RPC, which uses port 135 for the initial connection, but then uses an unpredictable high port for a second connection. Most likely you won’t be affected by this, as RPC is primarily used for replication of some Group policy elements between domain controllers, but your client-to-DC traffic will most likely not be affected.

As you’re setting this up, look at which ports are labeled “GC.” Clients connect to Global Catalog servers. Those without “GC” are used to communicate with other DCs. Also, don’t forget to allow communications using TCP and UDP ports 53 to your DNS servers.

If your tests show that communications are not successful, use network monitoring to pinpoint which connection attempts fail. Finally, I recommend you use IPsec to authenticate and control network traffic between DCs and domain members. Doing so should give you a higher level of security than packet filtering. However, it’s also more complex to implement.
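The troubleshooting step in the reply above (use network monitoring to pinpoint which connection attempts fail), worked as an added example that is not from the magazine, the letter writer or Microsoft: it checks firewall log lines against the port list quoted in the letter. The log format, the IP addresses and the 1024 cut-off for a "high" RPC port are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Ports from the list quoted in the letter (Microsoft's "How to Configure a
# Firewall for Domains and Trusts"), keyed by (protocol, destination port).
REQUIRED = {
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 636): "LDAP SSL",
    ("tcp", 3268): "LDAP GC",
    ("tcp", 3269): "LDAP GC SSL",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 445): "SMB",
}
RPC_MAPPER = ("tcp", 135)   # initial RPC connection named in the reply
HIGH_PORT_MIN = 1024        # assumption: what this example treats as a "high" port

# Assumed (constructed) log format, one connection attempt per line:
#   <date> <time> <ALLOW|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LINE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"[\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: DMZ workstation 10.20.0.15 talking to DC 10.10.0.5.
SAMPLE_LOG = """\
2005-10-03 09:14:01 ALLOW UDP 10.20.0.15:1186 -> 10.10.0.5:53
2005-10-03 09:14:02 ALLOW TCP 10.20.0.15:1187 -> 10.10.0.5:88
2005-10-03 09:14:02 ALLOW UDP 10.20.0.15:1188 -> 10.10.0.5:389
2005-10-03 09:14:03 ALLOW TCP 10.20.0.15:1189 -> 10.10.0.5:389
2005-10-03 09:14:03 DROP TCP 10.20.0.15:1190 -> 10.10.0.5:445
2005-10-03 09:14:04 DROP TCP 10.20.0.15:1191 -> 10.10.0.5:135
2005-10-03 09:14:06 DROP TCP 10.20.0.15:1192 -> 10.10.0.5:135
2005-10-03 09:14:07 DROP TCP 10.20.0.15:1193 -> 10.10.0.5:1026
2005-10-03 09:14:08 DROP TCP 10.20.0.15:1194 -> 192.0.2.80:80
### log rotated ###
"""


def classify(key):
    """Label a (protocol, port) pair using the letter's list and the reply."""
    if key in REQUIRED:
        return REQUIRED[key]
    if key == RPC_MAPPER:
        return "RPC endpoint mapper"
    if key[0] == "tcp" and key[1] >= HIGH_PORT_MIN:
        return "possible RPC dynamic port"
    return "other"


def analyze(lines, dc_ips):
    """Summarise which domain ports toward the given DCs were dropped."""
    dropped, allowed, unparsed = Counter(), set(), 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            unparsed += 1          # keep count so silent parse gaps are visible
            continue
        if m["dst"] not in dc_ips:
            continue               # traffic to hosts other than the DCs
        key = (m["proto"].lower(), int(m["dport"]))
        if m["action"] == "DROP":
            dropped[key] += 1
        else:
            allowed.add(key)
    return {
        # Listed ports the firewall is rejecting: these need a rule.
        "blocked_required": sorted(k for k in dropped if k in REQUIRED),
        # Port 135 or an unlisted high TCP port: the RPC case from the reply.
        "blocked_rpc": sorted(k for k in dropped if "RPC" in classify(k)),
        # Listed ports with no traffic at all: not yet exercised by the test.
        "never_seen": sorted(
            k for k in REQUIRED if k not in dropped and k not in allowed
        ),
        "drop_counts": dict(dropped),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines(), {"10.10.0.5"})
    for name, value in report.items():
        print(f"{name}: {value}")
```

Ports reported under `never_seen` are not proof that a rule is correct; they only show that the test logon did not generate that traffic.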


RedmondReport

October 2005

INSIDE: “Microsoft Maps Out Plan to Integrate Virtualization into Windows” Page 12

WinFS Questions Persist

New beta includes only a client version, but sheds light on new details.

News Analysis

BY SCOTT BEKKER

A year after pulling the “WinFS” storage subsystem from the Windows “Longhorn” (now Vista) client operating system, Microsoft posted a surprise early beta of the technology for developers on MSDN, once again opening up questions about the product’s future.

When WinFS was pulled out of Longhorn a year ago, Jim Allchin, Microsoft group vice president of platforms, cited customer requests for a combined client-server infrastructure as the reason. The just-released beta, however, is strictly the client-side of the equation. For now, Microsoft has little to say about server integration plans.

And while Microsoft has committed only to delivering a beta of WinFS when Vista becomes generally available in late 2006, it has evidently been working steadily on the promising technology and revealed lots of new detail about how WinFS will work on the client side.

WinFS, which stands for Windows Future Storage, is an integrated data storage subsystem of the Windows operating system. Microsoft aims to bridge the gap between traditional OS file systems and relational databases by bringing the flexibility, organizational and querying capabilities of databases to the file system.

Microsoft’s implementation centers on the idea of reorganizing file storage around “items,” which fall into certain standard and extensible “types” such as a person, calendar, contact, document and photo. The approach opens the data within a traditional file for use by other applications, without data transformation or other interim steps.

For example, a user could create a mailing list in a Word document that pulls 50 contacts out of a CRM application and another 100 out of Outlook. Relationships between data maintained in different applications can also persist in WinFS, making it possible to use standing queries to retrieve the most up-to-date information. In that case, a Word document might pull from a CRM application to list the Top 10 customers by revenue. Changes in the CRM application would automatically update in the Word document.

Despite the earlier-than-promised beta, Quentin Clark, director of program management for WinFS, says Microsoft’s schedule for WinFS hasn’t really changed. “We have more betas coming,” Clark said. “Our delivery timeframe hasn’t changed. It will still be in beta when Windows Vista ships.”

In many ways, WinFS looks like one more pipe in the plumbing that Microsoft provides for developers. With .NET and Visual Studio, Microsoft lets developers spend less time worrying about things like writing secure code and more time on what they actually want the applications to do. With WinFS, Microsoft seems to be aiming to help developers spend no time thinking about questions like, “What should a contact look like, and how should I store it?” Instead, developers can focus on what the application will do with the contact information. The upside for Microsoft is an even deeper reliance among developers on Microsoft’s infrastructure.

Architecturally, WinFS holds files in two ways. A stream view is similar to the way files are currently stored and to the way the file appears on disk. A logical view presents the properties and components of files as entities that can be individually queried.

In addition to the file system, the beta includes developer APIs, a language for defining new types and schemas and a query language for retrieving information from the WinFS store.

Clark maintains the underlying themes and functionality of WinFS remain the same since the storage subsystem was disconnected from Longhorn a year ago, but he says Microsoft will emphasize different uses for WinFS because of subsequent work in Windows Vista. Improvements in Windows indexing technology promise improved search and better organization and navigation of folders and files in Windows Vista—both are functions WinFS was expected to support.

“We emphasize WinFS being a data platform,” Clark says in reference to the developer possibilities of accessing data across applications. A data platform on the client side only is nice but it’s of limited usefulness in an enterprise setting, customers told Jim Allchin a year ago. Until Microsoft has more to say about the server side of WinFS, the industry will remain in a holding pattern on this technology.


EventLog

A roundup of Windows-related happenings

Longhorn to Give Itanium 2 the Squeeze

As Microsoft aims to deliver, in VP Bob Muglia’s words, the “right server for the right job,” the list of jobs that the Intel Itanium processor is considered “right” for is getting shorter. Once touted as the natural successor for 32-bit x86 processors, the high-performance 64-bit processor has lost that role to the x64 processors pioneered by AMD. When Windows “Longhorn” server comes out in 2007, it will support the Itanium processor, but for only three roles: database workloads, line-of-business applications and custom applications. According to Microsoft, the Itanium version of Longhorn will be specially tailored for installation and management of those types of workloads.

‘Centro’ Reaches out to Midsize Businesses

If you work at an organization with 25 to 500 PCs, you’re in Microsoft’s crosshairs. Microsoft officials acknowledge they haven’t tailored many solutions or licensing programs to midsize businesses. Said Microsoft CEO Steve Ballmer last month, “Today’s business software doesn’t look enough like today’s businesses.” Microsoft took a step toward the mid-market with the three-server Windows Server System Midsize Business promotion. That effort will be expanded after Windows Longhorn Server ships, the company says. In that timeframe, Microsoft intends to deliver a package designed to run across two or three servers code-named “Centro.” Built on Longhorn Server, it will also include Exchange 12, the next version of ISA Server and appropriate components of the System Center family of products. “This is really the equivalent of Windows Small Business Server for the mid-market,” said Steven VanRoekel, senior director for Windows Server Midsize Business Solutions.

‘Project Green’ Gets Dynamic

“Project Green,” the code-name for Microsoft’s plan to consolidate the Microsoft Business Solutions products and realign them around business roles, has been rechristened Microsoft Dynamics. “We have designed the next generation of our business solutions, which we’re calling Dynamics, around 50 of the most common roles in a midsize company,” Microsoft CEO Steve Ballmer wrote in an executive e-mail. As new versions of the core products come out over the next year, the names will change from Microsoft CRM to Microsoft Dynamics CRM and the Microsoft Business Solutions products Great Plains, Axapta, Navision and Solomon will change to Microsoft Dynamics GP, AX, NAV and SL, respectively. In 2008, we can look forward to two discrete products—Microsoft Dynamics CRM and a “best of” product combining the other four. Let’s hope for a more intelligible name at that point, like, say, Microsoft Dynamics ERP.

Exchange SP2 Edges Closer

Service Pack 2 of Exchange Server 2003 is just around the corner. With a Community Technology Preview out at the end of August, Microsoft execs are saying the bundle could come any day. This is one of those service packs that’s a little more than a bundle of bug fixes. SP2 is supposed to improve spam-fighting, capacity, mobility and security. Anti-spam improvements include support for Sender ID and an updated Exchange Intelligent Message Filter. Mailbox storage size limits are increased to 75GB. Some of the new functionality will only work in concert with other pieces of Microsoft-based infrastructure that haven’t been delivered, including Windows Mobile 5.0 devices and Outlook 2003 Service Pack 2. Meanwhile, Microsoft has also decided to deliver the next version of Exchange, code-named “Exchange 12,” only on DVD.

Software Assurance Grows Up

Software Assurance is getting its biggest benefit expansion since September 2003. New benefits include desktop deployment management services delivered by Microsoft partners, additional support incidents, extended training and a new version of Microsoft’s desktop virtualization software called Virtual PC Express for SA, according to sources familiar with Microsoft’s plans. Most of the changes are set to take effect in February. Once again, Microsoft is significantly expanding its program, and it may be time to take another look at whether Software Assurance is a fit for your organization. (See Redmond’s cover story from April, “SA Exposed.”)

— Scott Bekker

10 | October 2005 | Redmond | redmondmag.com | Project1 9/13/05 11:30 AM Page 1

ADVERTISEMENT A bigger threat than viruses? Disk performance issues can be just as destructive as —here's why

What’s really at stake Protect now or wait Why do we protect against viruses? until it breaks? Think about it. A virus causes a computer to How do you handle slow down or stop, rendering the system viruses? Do you wait until a less usable or unusable. That impacts system is infected and the productivity and costs you and your damage is done, and then organization time and money. When a clean and repair it? Of course computer is infected by a virus, someone not. Yet that’s how many has to clean and repair it. That too costs computer users and system time and money. administrators handle disk From a productivity standpoint, the net fragmentation. They wait Fragmentation can have a disastrous effect on system reliability. effect of disk fragmentation is not unlike until fragmentation has that of a virus. When disk fragmentation already affected productivity, then specifically to handle fragmentation accumulates, files take longer and longer to manually defragment the system. But as proactively. Diskeeper is a true “Set It and access, resulting in sytem slowdowns and with a virus infection, the damage has Forget It”® utility. Like good real-time even crashes. Whether fragmented or already been done. (And as soon as they , it works in the infected, the computer impedes the user finish manually defragmenting, background, virtually unnoticed by the from getting his or her work done. In order fragmentation begins to re-accumulate.) users. It can be centrally managed, reducing to restore the user's ability to produce, Conscientious computer users address administration time to bare minimums. someone has to spend time fixing the the virus issue proactively by installing And like good antivirus software, machine. antivirus software and updating it regularly. Diskeeper pays for itself by eliminating In a corporate environment, installation and fragmentation-related productivity losses Disk fragmentation: updates are usually automated so as to and the need to repair them. 
The enemy within reduce the amount of administration time. There is one major difference: Viruses In order to avoid productivity losses, You’re already under attack come from outside. Disk fragmentation disk fragmentation must be handled the Here’s the clincher: Your systems may comes from inside. Even a newly-formatted same way—automatically. Like antivirus never face the threat of a virus. Antivirus PC with a fresh installation of Windows software, an automatic defragmenter software is insurance, just in case. do will be moderately fragmented. (It’s true. protects a system’s integrity by detecting But your systems face the threat of Try it yourself and see.) fragmentation and eliminating it before it fragmentation—every day, every hour, Compounding the problem is the fact impacts productivity. even as you read this. that today’s drives, as well as the files we store on them, are larger than ever and The industry-leading solution Don't leave your systems unprotected. Get ® growing rapidly. As a result, Diskeeper , The Number One the free trial edition of Diskeeper and see ™ fragmentation is a bigger threat than ever. Automatic Defragmenter , is designed the difference for yourself. Viruses work by attacking the weakest link—the unprotected computer or the Protect your systems against the threat of fragmentation. careless user. Likewise, disk fragmentation Try Diskeeper free for 30 days attacks the weakest link: The disk drive. www.diskeeper.com/redmond4 For volume license pricing and government or educational discounts, contact your favorite reseller Disk drives and disk arrays, fast as they or call 800-829-6468 reference number 4327 may be, cannot transfer data anywhere near as quickly as the CPU or memory. The disk drive is the performance bottleneck, and anything that slows down disk access slows down the entire system. The Number One Automatic Defragmenter

OVER 17 MILLION LICENSES SOLD

©2005 Diskeeper Corporation. All Rights Reserved. Diskeeper, The Number One Automatic Defragmenter, Set It and Forget It, the Executive Software logo and the Diskeeper Corporation logo are registered trademarks or trademarks of Diskeeper Corporation in the United States and/or other countries. Microsoft and Windows are either registered trademarks or trademarks owned by Microsoft Corporation in the United States and/or other countries. Diskeeper Corporation • 7590 N. Glenoaks Blvd. Burbank, CA 91504 • 800-829-6468 • www.diskeeper.com

RedmondReport

Microsoft Maps Out Plan to Integrate Virtualization into Windows
Plan calls for support for Linux guest OSes and, eventually, use of hypervisor to incorporate virtualization into the OS.

Redmond Roadmap

BY SCOTT BEKKER

Over the next few years, Microsoft intends to phase out the virtualization products it acquired from Connectix Corp. and develop virtualization functionality of its own in the heart of the Windows operating system.

In an online customer chat last month with Bob Muglia, senior vice president of the Windows Server Division, Microsoft offered much more detail than ever before about how it plans to integrate virtualization technology directly within Windows.

Redmond’s current virtualization product lineup consists of Virtual PC 2004 and Virtual Server 2005 (as well as Virtual PC for Mac). Eventually, Microsoft wants to put virtualization into the operating system via a virtualization stack and a thin software layer called the hypervisor. Microsoft describes the hypervisor as code that sits at the lowest level of the host OS to abstract and control hardware access for multiple guest operating systems.

The first move, announced in late August, will be to eliminate Virtual Server 2005 Service Pack 1, which has been in beta testing since April. Microsoft decided belatedly that SP1 had too much new functionality to be given away for free to anyone except customers already paying for Software Assurance. Renamed Virtual Server 2005 R2, the product is scheduled for a mid-Q4 release to manufacturing (RTM). There are no plans to update the beta code released as SP1 before R2’s RTM. With no major security issues plaguing Virtual Server 2005, Microsoft has no plans to deliver a bug fix-only SP1 now either.

Support for Linux guest operating systems is the most notable new feature coming in Virtual Server 2005 R2. Other new features will include:
• Support for x64 versions of Windows Server 2003 and Windows XP as hosts to allow more virtual machines per host
• Performance enhancements like improved hyper-threading (performance improvements will be best on guest process switching and memory-intensive applications)
• Built-in support for network installations of guest operating systems
• Higher availability through support for failover clustering across hosts

Next Step
Microsoft intends to quickly follow the R2 release with another release of Virtual Server. The as-yet-unnamed, post-R2 version of Virtual Server is supposed to enter beta testing in the first half of 2006 and RTM in the second half. It will support the hardware-level virtualization platforms being developed by Intel and AMD. Both Intel, via VT or “Vanderpool,” and AMD, with “Pacifica,” are working to make their chips more adept at simultaneously running multiple operating systems. The post-R2 Virtual Server beta release should coincide with the initial availability of server chips from those companies sporting the new virtualization architectures.

In the user interface, R2 will bring only minor changes to the process of creating VMs and for branding. According to Mike Neil, product unit

A Virtual Timetable

Virtual Server 2005 SP1: cancelled
Virtual Server 2005 R2: Mid-Q4
Virtual PC: 2006
Post-R2 Virtual Server Beta: 1H 2006
Post-R2 Virtual Server RTM: 2H 2006
Windows Longhorn Server (no inherent virtualization capabilities): 2007
Windows server virtualization: Post-Longhorn Server
Windows client virtualization: After the server version (maybe 2008-2009)

SOURCE: MICROSOFT


manager for virtualization, Microsoft is also considering adding support for snapshot backups of virtual machines in the post-R2 version.

On the client side, Virtual PC 2004 will go through another rev before hypervisors make their way into the Windows client. “We are planning an upgrade for next year that will have performance improvements,” Neil said during the chat in response to a question complaining about the speed of the product versus competitors. “We have plans for an update to [Virtual PC] around Windows Vista that will provide improved performance as well as 64-bit host support. Look for more details on this toward the end of the year.”

Microsoft repeatedly answered requests for features during the customer chat by promising support in Windows virtualization, which will not arrive for some time. “[Hypervisor support in Longhorn] will ship after Longhorn Server,” Muglia said. Longhorn Server is promised for 2007. “The server implementation will come first as there are additional things which need to be done on the client.” Microsoft plans to deliver support in an R2 version, a service pack or an update of Longhorn Server. With the client piece so far out, there’s been no decision on whether it would be an upgrade for Windows Vista or whether it will ship with some other client operating system.

As if there were any doubt, Microsoft is not working on any VMware ESX-style virtualization software that requires no host operating system (read no Windows). “The future of virtualization is in thin hypervisors with a virtualization stack built into the OS. That is what we’re doing,” Muglia said.

The frequently requested features that Windows virtualization will support include:
• A completely revamped UI
• Support for 64-bit guest operating systems
• Support for SMP guests
• Remote Desktop/Remote Desktop Protocol UI integration
• Published interfaces to let developers of other operating systems plug into the Windows infrastructure
• Copy-and-paste support and improvements in I/O performance

The SMP guest issue is one of the most interesting features. Virtual Server currently scales across multiprocessor servers up to 32 processors. No individual virtual machine, however, is allocated more than a single processor. Running Virtual Server on large SMP systems lets users run more virtual machines, not larger ones. With Windows virtualization, Microsoft expects to create virtual machines on guest operating systems encompassing several processors.

At the same time, Virtual Server currently runs on dual-core processors, but doesn’t recognize or use the second processor core. Microsoft aims to change that when it brings virtualization into Windows.

Along with the effort to shift from virtualization products to hypervisors and virtualization stacks within Windows, Microsoft is working on improving virtualization management technologies within the System Center product family. “We are building management tools to allow the placement of VMs and migration. We’re also enhancing [Systems Management Server] and [Microsoft Operations Manager] to treat VMs as a core part of Windows,” Muglia said.

Microsoft clearly has many balls in the air regarding virtualization. The change coming in Virtual Server 2005 R2 to support Linux guest operating systems is an important fix for enterprise customers with heterogeneous environments. At the same time, the recent chat highlighted a number of customer concerns, especially about I/O performance and feature parity with VMware in the SMP guest area. Microsoft’s design decision to focus development efforts on bundling virtualization into Windows means many of those issues will have to linger for another three to five years.

GetMoreOnline
Go to Redmondmag.com for links to the transcript of the Microsoft chat on virtualization and other virtualization resources.
FindIT code: LessVirtual
redmondmag.com

BlogoMSphere
Interesting quotes pulled from blogs by current or former Microsoft employees or about Microsoft technologies.

“A few years back [new Microsoft CTO] Ray Ozzie came to Microsoft to speak [about his company Groove Networks] at an internal workshop. ... [Groove] was a pretty cool app trying to be a platform (tough to do for a small company). ... His comment to me was that Microsoft should build such a platform and stop selling the same old operating system and storage capabilities ... He was right; and I told him we had already started on it, and that it was called WinFS.”

Peter Spiro, general manager of SQL Server for WinFS, in an Aug. 29, 2005, post called, “Bored with computers.”
http://blogs.msdn.com/winfs/archive/2005/08/29/457622.apx


Are You Preventing Exchange Server Failure, or Just Preparing for It?

Reactive measures won’t prevent a disaster, repair problems or accelerate performance.

As an administrator, you understand the mission-critical nature of the collaborative information that flows through your Exchange servers. In today's dynamic business environment, your servers are strained to the limit, and failure is not an option.

Prepared for the Worst?
To protect the information flow and minimize the cost of unplanned Exchange server downtime and data loss, organizations devote enormous resources to reactive solutions such as continuous back-up, monitoring, and high-availability systems. Many organizations also implement Exchange archive solutions to comply with legal and other regulations such as HIPAA and Sarbanes-Oxley.

Reactive vs. Proactive Solutions
Reactive and archive solutions only protect you if your Exchange databases are healthy. But the Exchange database is the Achilles heel of the entire operation. Therefore, the key to preventing server failure is to implement a proactive solution that ensures the health, stability, and optimization of the Exchange databases.

Protect Yourself with GOexchange
GOexchange, from Lucid8, is the only automated preventative maintenance solution for Microsoft Exchange 5.5, 2000, and 2003 that prevents disasters, repairs problems and improves performance. GOexchange minimizes unplanned downtime, checks and corrects errors, and increases performance and stability by rebuilding indices and reducing the size of your Exchange information stores by 30 to 55%.

Exchange Database Before
• Degraded performance
• Questionable stability
• Bloated message store
• Erratic and strange behavior
• Multiple errors and warnings
• Deleted items still intact

Exchange Database After
• Optimized message stores
• Reduced store size by 38%
• 1557 errors removed
• 232 warnings corrected
• Increased performance & stability
• Deleted items completely removed

See for yourself why organizations worldwide are implementing GOexchange. Go to www.Lucid8.com/GOexchange – review the Whitepapers and Case Studies, then evaluate GOexchange, and get a FREE t-shirt.*
*see website for details

Download your FREE demo now at www.Lucid8.com, or call 425.451.2595.

Your weapon: CounterSpy Enterprise. Centralized spyware eradication.

Spyware: the new number one enemy for IT. Recent surveys of IT specialists show that spyware infections have reached epidemic proportions. Spyware is one of the most serious security threats and productivity killers today. It’s insidious. Its creators are well-financed, relentless and remorseless. For the enterprise, common antispyware can’t cut it.

CounterSpy Enterprise: Knock out spyware from one centralized location. Company-wide spyware management requires a real enterprise product with centralized management. CounterSpy Enterprise is just that: a scalable, policy-based, second-generation antispyware tool built from the ground up for system and network administrators to kill spyware quickly and easily.

Real-time protection. Active Protection™ Monitors deliver real-time desktop protection to workstations to reduce the chance of spyware infection. From the Admin Console, you have the ability to centrally control what actions are taken when these monitors detect change on the desktops.

The best spyware database in the industry. Period. The database behind CounterSpy Enterprise has been independently validated as the best antispyware database in the industry. Why? CounterSpy Enterprise benefits from multiple sources for its spyware definition updates, including Sunbelt’s Research Team, Microsoft, and information collected from consumer users through Sunbelt’s ThreatNet™. Spyware doesn’t stand a chance.

Free trial. Find out how many machines in your organization are infected NOW. Scan the machines in your enterprise for free. Download the trial at www.sunbelt-software.com/csered.

Sunbelt Software Tel: 1-888-NTUTILS (688-8457) or 1-727-562-0101 Fax: 1-727-562-5199 www.sunbelt-software.com [email protected]

© 2005 Sunbelt Software. All rights reserved. CounterSpy and ThreatNet are trademarks of Sunbelt Software. All trademarks used are owned by their respective companies.

ProductReview

RX for Windows
The utilities in Winternals Admin Pak can help you get through most of the Windows troubleshooting incidents you’ll ever encounter.

Admin Pak 5.0 $1,199 ($240 for annual product assurance contract) Winternals Software LP 512-330-9130 www.winternals.com

BY BEN BRADY

When I go out on an IT troubleshooting job, I pack three different tool kits, a binder with more than 150 CDs and a 1GB USB drive loaded with programs and utilities. After looking at the latest version of Winternals’ Admin Pak, I’m going to have to make room for one more CD.

Winternals Admin Pak 5.0 is a nice little suite of utilities for recovering and troubleshooting Windows environments. At the heart of the Admin Pak collection is the ERD Commander, a bootable CD that gives you a Windows-like environment—regardless of which version of Windows is on the machine you’re trying to fix.

Figure 1. From the Admin Pak 5.0 main console, you can choose from numerous troubleshooting functions.

The ERD Commander includes a tool for creating disk images that can make bootable ERD Commander CDs customized for your environment, and a Firefox browser that comes in handy when you’re trying to recover a machine and you need to install patches or driver updates.

There’s a built-in locksmith tool that lets you reset local passwords—including the administrator password. This may seem like a security flaw, but you can also password-protect your custom image. A hotfix uninstall wizard that is also part of the ERD Commander lets you quickly and easily undo any damage done by the latest “fix.”

The Disk Commander utility helps you recover files and complete partitions that have been damaged or formatted. This worked well for restoring previously deleted files.

ERD Commander is the heart of the Admin Pak, but it includes several other helpful utilities. With the remote recovery tool, I connected to a system with a damaged Windows installation to perform a virus scan. There’s also a crash analyzer that let me interpret dump files generated by a Windows system crash.

Another utility called Insight for Active Directory works well for viewing Active Directory’s LDAP communications, and working with Active Directory objects directly through its interface.

Filemon is a file monitor utility that lets you monitor file access. Regmon is a similar utility that lets you monitor registry activity. Both of these monitor in real-time.

Admin Pak also provides a nice analyzer tool called TCPView that monitors TCP/IP activity in real time. It also has some nice filtering options. This isn’t included with the standard install of Admin Pak. You’ll have to choose custom install to include TCPView. This tool can save the day, so go ahead and install it. Having to specify custom install to include TCPView is the only quirk in an otherwise straightforward installation process.

REDMONDRATING
Documentation: 10%: 7
Installation: 10%: 7
Feature Set: 35%: 9
Performance: 35%: 8
Management: 10%: 8
Overall Rating: 8.2
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

Live Testing
After spending a few minutes acquainting myself with the clean and well-designed interface, I created a standard ERD Commander bootable CD and stuck it in my laptop bag. I truly intended to set up some scenarios in my home lab later in the week for testing. The next day, however, I was on a call where a user had forgotten the local administrator password. I used my ERD Commander disk and reset the password within two minutes.

Several days later, I came across a user having trouble with a Microsoft Office component. Once again, the Winternals Admin Pak gave a solution in a matter of minutes, and I didn’t have to visit the Microsoft Knowledge Base and search through endless articles. While running Regmon, I replicated the problem and saw the Registry call with an incorrect key. One simple regedit and once again, all was well.

Then I came across a virus-infected Windows 2000 Server. The attack was fairly standard, but the virus had installed several gigabytes of files that couldn’t be deleted. Admin Pak made short work of cleaning up those files. It took longer to reboot the server than it did to repair the problem.

The three instances mentioned earlier are routine problems faced by IT admins. All three could have been solved with a bit of knowledge and a little time, but the utilities in Admin Pak simplify and speed up resolution every time.

The product saved the day a couple of months ago. My wife mistakenly placed her class notes in the recycle bin and emptied it before turning off her laptop the night before an exam. Using Disk Commander, I got her notes back in less than 10 minutes.

Well Worth It
There are other comparable tools available, but for a one-stop shop of valuable tools that can help you save the day, Admin Pak is well worth the investment. The suggested price of $1,199 may feel a bit steep, but this figure pales in comparison to your server being down for several hours or longer.

The documentation is fairly straightforward, and it does assume some prior knowledge of the Windows environments and networking. Installation was quick and easy, but make sure you choose “custom” so you can install the helpful TCP/IP tools. The clean interface and use of wizards helps make this package quite user friendly even for the beginning admin.

Ben Brady, MCSE, CCNP, is the Operations Manager of ISDN-Net, Tennessee’s oldest and largest private network service provider. He’s been in the IT business for more than 12 years and currently oversees projects in LAN, WAN, VoIP and converged networks. Reach him at [email protected].

ProductReview

Truly Wireless Networking
Strix Access/One’s unique configuration can put an end to cabled networks.

Access/One Network
$600-$1200 per node, depending on configuration
Strix Systems Inc.
818-251-1000
www.strixsystems.com

REDMONDRATING
Documentation: 10%: 10
Installation: 10%: 10
Feature Set: 20%: 10
Performance: 30%: 7
Management: 30%: 8
Overall Rating: 8.5
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

BY YONG CHO

It’s ironic that you have to worry about laying down cable when you roll out a wireless network, but it’s true. In a conventional wireless network, all the wireless nodes are actually cabled to the main network.

Access/One Network (AO) eliminates the need for hard wiring the wireless nodes. It uses wireless technology itself to connect those nodes to the corporate network. The wireless data packets hop from node to node until they reach a gateway to a wired network connection.

AO comes in stackable modules that assemble into a node (see Figure 1). AO supports A, B and G radio band modules. Each node requires an A- or a G-band radio module for node-to-node communication and a second radio module (either A-, B- or G-band) to support user connections. You can also add additional radio modules to the stack to support multiple radio bands.

Figure 1. Strix System’s Access/One modules stack to form a wireless node.

Although most nodes don’t require a wired Ethernet connection, at least one of them must be wired to a backbone network. Also, all nodes still require externally supplied 18-volt power.

For this evaluation, I received three nodes. The first was configured as a network server, the second as a relay node and the third as an edge node. I installed an Ethernet cable between the first node and my router, which simulated a wired network and acted as a DHCP server. The server node controls up to eight relay or edge nodes. The edge node connects users’ devices to the network and the relay node simply extends the coverage area of the edge nodes.

The setup software adds an IE plug-in that is compatible with IE 6.0 or later. It also installs mDNSresponder, which searches for attached Strix nodes. You’ll have to reboot to complete the setup process.

Wireless Management
The IE plug-in opens a Manager/One (MO) utility pane on the left side of the browser window and displays the individual wireless modules it has discovered. The MO is the network management and configuration tool for AO (see Figure 2). This is present in each module as a Web server, and you can get to it with most Web browsers. You can use the MO with the network server to simultaneously configure all the modules in a network cloud, instead of manually setting one module at a time.

The MO updates its data periodically, but I would prefer that it refresh at shorter intervals. It takes more than two minutes to correct the display to reflect any changes made to the network topology. On several occasions, the plug in displayed obsolete information for such an extended period that I had to close and restart the browser. The “refresh” command didn’t immediately update the network topology data.

The utility pane helps you determine the IP addresses of individual modules and gives you a quick overview of the network topology. You need an IP address to log in to a module, and the plug in is the simplest way to retrieve that. Double-clicking on the network server module icon is the quickest way to open the MO on the network server.

The MO console displays valuable information like node statistics, node stack details and network infrastructure for your entire network, individual modules and network activities. The intuitive mouse-over feature also displays a wealth of information, such as module IP addresses and communication status on individual objects. Online help and a legend describing the icons and the color scheme used on the MO display would have helped here.

Deploying the hardware is simple—just plug the AC


adapter into an AC outlet and the hardware installation is done. Configuring the network, however, is much more time consuming. For a network parameter change to take effect, you have to reset all affected nodes. This process takes about three minutes.

Figure 2. The Manage/One network management software lets you configure and manage your Access/One nodes.

Nodes reboot one at a time to reduce network disruption, but data packets will be blocked while the network server resets. Also, after a node is reset, it does a DHCP request and the IP address might change. Therefore, Strix requires that the DHCP server supports IP address persistence to minimize invalid self-configurations and network topology changes. I’d recommend assigning a static IP address to the network server.

I had trouble determining whether or not certain commands executed successfully, because there is no feedback to indicate if a command was started, in process or done. There are some commands that require a reset, but it isn’t obvious which commands require rebooting. I tend to reset modules whenever I change any configuration and refresh the screen frequently to see if that change has registered. Adding or removing a node on the network infrastructure isn’t automatically updated on the MO display. I had to press the refresh button repeatedly until it updated the network topology. Due to network latency, it usually took about two minutes.

Can You Hear Me Now?
Roaming lets you move from one node coverage area to another with minimal risk of losing data (but you can lose data if the handoff is not properly handled). Your computer decides when and with which node it will connect. The wireless network nodes must provide fast authentication to allow instant login to the new node. In the event of data loss, it can be difficult to determine which node is at fault if an error occurs sporadically or inconsistently.

I had a few unexpected packet drops when I moved my laptop from one area to another. My laptop briefly lost the network connection then reconnected through the new node. After that brief lapse, it went through a new DHCP cycle. This would be a problem when transferring a file. Since a new network connection starts a new session, it will disrupt file transfer, so I wouldn’t recommend transferring a large file while roaming.

The recommended radio signal range for each node is about 60 feet, with about 30 users per radio. Each network server will serve a maximum of eight nodes. To add more than eight nodes, you’ll have to add another network server. You can use the Strix Architect/One program to predict node quantity and locations instead of doing an on-the-ground RF site survey.

Security is a critical requirement for wireless networks, where the physical security boundary is nonexistent. It needs strong authentication protocols to verify that each user has the proper credentials, as well as a strong encryption protocol to protect transmitted data.

AO supports most of the standard authentication and encryption protocols, including MAC address control list and 802.1x EAP (TLS or TTLS) authentication protocols. It also supports Static/Dynamic WEP and Dynamic AES encryption protocols, and RADIUS server support. It will be your job to properly configure AO’s security settings.

AO is an ideal solution for buildings that are difficult to wire and for deploying temporary wireless networks. You could also use it as an alternative to wired nodes. I like the simplicity and flexibility of the hardware, although it was disappointing that the configuration process requires resetting a module. This is a good product that needs a bit of fine-tuning in the configuration and monitoring interface to become a great product.

Yong Cho, CCNE, is an electrical engineer and has worked on network product design. He has installed, tested and debugged network hardware. You can reach him at [email protected].


ProductReview

SoftGrid Serves up Applications
Deliver applications to your users safely, conveniently and without a lot of overhead.

SoftGrid
$200 per user with unlimited SoftGrid Servers and Sequencers (price scales down as node count goes up)
Softricity Inc.
www.softricity.com

BY BILL HELDMAN

The problem with applications is that they have to live somewhere—whether on desktops, standard servers or on a Terminal Services (TS) or Citrix Server, right? Along with applications come the usual problems like memory issues, disk space shortages, security loopholes and the so-called “DLL hell.”

With SoftGrid Server’s application virtualization technology, those troubles can be a thing of the past. Its unique approach greatly simplifies the way you provide applications to your users—whether those applications are office automation suites or something else. You’ll appreciate how clever it is, and how easy it is to install and use.

SoftGrid lets you serve up applications without installing them on the users’ desktops or on the TS or Citrix server (or any other application server for that matter). That’s right, no installing application code anywhere, except for the SoftGrid Sequencer—more on that in a moment.

No INI files, no registry entries, no DLL exchanges. Instead, the SoftGrid application server and client both use application cache files prepared by the Sequencer.

What’s even more interesting is that the client doesn’t consume the entire file. If your users never use the speech capabilities of Office 2003, for example, it won’t load that part of the application file until the first time a user calls it up. Then it’s downloaded from the SoftGrid Server and becomes a part of the user’s application cache file.

There are three different components required to set up the SoftGrid virtual application environment (four if you have TS or Citrix):
• SoftGrid Server
• SoftGrid Sequencer
• SoftGrid Client for Windows
• SoftGrid Client for Terminal Services

The cache files that the SoftGrid Sequencer prepares are really the secret sauce. The Sequencer watches the installation of each application you want to serve up. If you’ve had any experience with Microsoft’s Systems Management Server (SMS) Installer, then you’ll have a rough idea of how the Sequencer works.

Figure 1. The SoftGrid Server management console is delightfully simple to use.

The Sequencer is installed on at least one computer—generally a reference machine that is similar to the systems in your production environment. After watching the application installation, the Sequencer prepares the files that SoftGrid Server will need to present the application to the user. Those files include application descriptors, icons, the actual application file itself and a project file.

REDMONDRATING
Documentation: 20%: 9
Installation: 20%: 10
Feature Set: 20%: 9
Performance: 10%: 10
Management: 30%: 10
Overall Rating: 9.6
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
Receiving a rating of 9.0 or above, this product earns the Redmond Most Valuable Product award

The Gotchas
There are very few gotchas during this process. If you’ve ever messed around with the SMS Installer, you’ll find the Sequencer to be 10 times easier—and that’s saying something. During application sequencing, you can add custom registry keys and other elements you might want to bundle with the application. After sequencing the application, you can also edit the application descriptor file with Notepad if you have to.

One issue I had was in using pre-sequenced test applications that had a different host name and default directory in them. I couldn’t get a program to launch for awhile until it dawned on me that it was pointing at a different directory than the one in which the application was installed.

Rectifying that problem was simple. Softricity has a healthy error reporting capability that shows up on the client for quick problem-resolution, although it


assigns an esoteric error code to each situation. If you’re new to Softricity, you may have to look up the error codes on the Softricity Web site to figure out what it’s trying to tell you.

You have to have at least one SoftGrid Server to host the cached applications. When you’re installing SoftGrid Server, it gives you the choice of installing the associated SoftGrid database on Microsoft SQL Server or MSDE. In the lab, I chose MSDE and it worked just fine.

Once you’re done running an application through the Sequencer, you just copy the file output to the Content directory of the SoftGrid Server. Then use the management console (see Figure 1 on p. 21) to import the new application.

Sized Just Right

Whether you’re going to provide virtual applications to your users with or without the benefit of a TS or Citrix box, you must have at least one SoftGrid Server computer. This box should be a beefy enterprise-class unit, and should not be used as a domain controller as well.

In the lab, I installed SoftGrid Server on an older Dell server with 512MB RAM running Windows Server 2003. SoftGrid ran just fine and served up applications very quickly. However, I only had a handful of clients connected to the machine. Size your deployment accordingly, as you can have more than one SoftGrid Server machine in your environment. I would recommend starting out with one server and monitoring the performance your users get so that you know how to architect your deployment from that starting point.

The last part of the process is to install the SoftGrid for Windows client, noting how much disk space you’ll need to allocate for cached application files (see Figure 2). The client component shows up in and has several different adjustments you can make, including the ability to remove an application provided by SoftGrid Server and receive it again to reset.

Figure 2. Setting the default cache in the SoftGrid for Windows client.

Once client installation is done, your users will instantly receive any applications that have been imported into the SoftGrid Server. You control who gets what applications through the use of Windows groups.

Virtual Serving

Setting up SoftGrid for TS or Citrix is just as simple (I tested the TS environment, and assume things would work largely the same way in Citrix). Using the Control Panel to Add/Remove programs on your TS box, add the SoftGrid client for Terminal Services. All your users will still have to have the Windows client installed. Using the Sequencer to prep and populate the cached application file into SoftGrid Server works the same as before. When your TS clients connect to the TS box, the application is available for them to use (see Figure 3).

Figure 3. Firefox shows up as a Terminal Services client.

Softricity came with some “test sequencings.” For my TS test, I chose Firefox. You can see in Figure 3 that the choice to install the application on the desktop and the start menu worked just fine. There is also a choice to install to the Quick Launch bar.

That’s it. The whole thing is really very simple. For laptop users, you can set the application cache file download so they receive the entire file and can run the application even when they’re not connected to the network.

Softricity can provide training, but given how easy it is to use SoftGrid Server and the Sequencer, it won’t be necessary in most cases. I got into trouble a couple of times because I wasn’t familiar with the application descriptor files and basic configuration elements, but it didn’t take me long to get the system up and running.

If you’re looking for a way to simplify application delivery and reduce risk in your environment, SoftGrid is an enormously useful tool. The only real miss is the complex error coding that will require you to check out the Web site or have a troubleshooting manual handy.

The upsides are considerable. SoftGrid is very easy to use and provides a significant ROI. Your service levels and security will improve, and you can install the system in no time at all. —

Bill Heldman is a Computer Technology Instructor with a vocational high school in Golden, Colo. He has written several books for Sybex (now Wiley Books), including the CompTIA Project+ Study Guide. Reach him at bheld- [email protected].


ProductReview

All Is Not Lost

When you need to find a long-lost document, dtSearch Desktop delivers quick results.

dtSearch Desktop
$199
dtSearch Corp.
301-263-0731
www.dtsearch.com

BY ERIC JOHNSON

Do you keep all of your important documents in perfect order? Do you have subfolders within subfolders for every category known to man? If this sounds like you, you may need therapy, but you probably don’t need a file search utility.

If you’re like the rest of us mere mortals, you could probably use a little extra help to find long lost files. That help is here—dtSearch Desktop is a powerful search engine that will help you find any file almost instantly.

You set up dtSearch Desktop using a simple wizard, but the real configuration comes after installation. Your first task is to define your search indexes. An index is a group of files that you want to be able to search. You could have multiple indexes for different types of documents, such as work files, personal files, and so on. You could also configure a single index containing everything you might ever want to search.

The latest release of dtSearch Desktop, version 7.0, claims it can search more than a terabyte of text in a single index. Besides searching through individual files, you can also include web URLs and Outlook folders in your search indexes.

Once you’ve defined your indexes, you have to let dtSearch Desktop build them. This is the only time you will spend waiting on dtSearch Desktop. Again, indexing time will vary depending on the number of files you’re including in your index.

After dtSearch builds your indexes, you can start searching. Simply open the search screen and type in what you’re looking for. It’s that easy. The results come back as a list of documents containing the term or terms you entered as search parameters (see Figure 1). The bottom of the results screen shows a preview of an individual document with the search term(s) highlighted in yellow.

Figure 1. Search results show you a thumbnail image with the target words highlighted.

Sophisticated Searches

Besides a basic word search, dtSearch Desktop lets you do several other types of more advanced searches. DtSearch lets you do stemming, phonic, synonym and fuzzy searches:
• Stemming searches will return results in other grammatical forms. For example, searching for the word “secure” will return documents containing “securing” or “secured.”
• Phonic searches will find words that sound similar.
• Synonym searches base their results on a thesaurus to locate words with similar meanings.
• Fuzzy searches help you sort through misspellings.

Connector searches are also quite useful. A connector lets you search for words that are within a specified proximity of other words. For example, a search for “security w/2 policy” will find all occurrences of the word security that exist within two words of policy.

There are many free desktop search tools available from companies like Google, but the features of dtSearch Desktop are far superior. DtSearch Desktop is a powerful document search engine that can be helpful to just about anyone. Whether you’re doing research or just looking for something you lost, it would be hard to beat the speed and ease of dtSearch. —

Eric Johnson, MCSE2K, MCDBA, MCSD, MTA, works for Premier Global Services in Colorado Springs, Colo., where he can indulge his personal passions for fishing, woodworking and dogs. He has also recently added Dad to his list of titles.

REDMONDRATING
Documentation (10%): 8
Installation (10%): 9
Feature Set (40%): 9
Performance (30%): 9
Management (10%): 7
Overall Rating: 8.7
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional


BetaMan

Spotlight Lights Up AD

Don Jones

Although Active Directory is more than five years old, effectively managing it—especially in large organizations—is an elusive goal for most administrators. Quest Software is aiming to make monitoring and troubleshooting AD easier with a new version (6.0) of Spotlight on Active Directory, which presents AD’s most important statistics in a graphical, single-screen view.

Quest Software
Spotlight on AD
Version reviewed: Final Beta
Current status: Final Beta
Expected release: 4Q2005

BETAMAN’S ROUTINE DISCLAIMER
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

Spotlight provides a deep level of insight into any problems with your AD domain. The main screen (see Figure 1) is a space-age looking console indicating critical AD performance areas, such as the network, the Local Security Authority Subsystem Service (LSASS), NT File Replication System (NTFRS) and the AD store itself. This gives you a quick, intuitive look at the overall health of your domain. Indicators in the upper-right corner of the screen tell you whether the targeted domain controller (DC) is the Intersite Topology Generator (ISTG), a global catalog, or if it’s handling any of the five Flexible Single-Master Operations (FSMO) roles like Primary Domain Controller (PDC) emulator.

Figure 1. Spotlight’s main console gives you an at-a-glance view of your domain’s health.

Rather than just rolling out an ongoing display of statistics, Spotlight incorporates intelligence to warn you when things aren’t looking good. For example, because I’ve pointed Spotlight at the only DC in a domain, it notices the DC has no replication partners. In a normal domain, this would be a bad situation, so the “Replication Links” indicator reads zero and blinks red. Clicking on this alarm indicator (see Figure 2, p. 28) gives you details about the problem, links to Microsoft Knowledge Base articles on the subject and suggestions for fixing it.

All of the graphical indicators are animated. Arrows indicating traffic flow move faster as traffic picks up. Circular indicators spin faster as CPU utilization increases. It’s a very visual and effective way of communicating the overall status of your domain at a glance without actually having to stop and read any of the values. If everything is spinning madly, though, you’d do well to look at those values to see what’s wrong.

A slideshow mode toggles you between the different consoles. I recommend running Spotlight on a workstation that’s connected to a large plasma screen, and mounting the screen right outside your data center door. That will definitely scare off any techno-peasants who happen to wander by, because the console looks like it could be monitoring a nuclear reactor.

Variety of Views

You can drill down to see greater detail on various aspects of your domain. For example, Figure 3 on p. 30 shows the DNS registration status for the domain, listing all records and whether or not they’re registered. Actually, you can click on most elements in the con-


sole for further explanation of what you’re seeing. A drill-down button displays additional details. Some drill-downs are displayed as lists, like the DNS records. Others, like memory utilization, are presented as graphs and histograms. They’re similar to System Monitor, only they’re preconfigured so you don’t have to set them up yourself.

Spotlight has an option to reduce a graph’s vertical scale over time. This moderates the display of momentary spikes as Spotlight becomes accustomed to normal operating levels in your environment. It only registers prolonged changes as graphical deviations. This is another helpful option, because you don’t typically worry about one-second spikes. Instead, you want to look at a larger, longer-term picture of performance and resource utilization.

Figure 2. The alarm indicators give you a quick look at potential problem areas.

There’s also a graphical topology viewer (see Figure 4, p. 30) that helps you visually navigate your domain. This viewer makes it easier to spot replication breaks and problems (as do similar tools from Microsoft). It also provides a number of built-in tools with which you can select a server or link and view its events, verify DNS health, verify server health and so on. All these features are designed to make Spotlight a one-stop destination for AD troubleshooting.

You run a variety of tests to ensure that a particular server is working. There are tests for replication, DNS, FRS, overall performance, time sync and more. Additional tools help you configure and resolve problems within those same areas. You can schedule tests to run on a regular basis and store the results on a central “Analysis Test Results” tab within the product.

Spotlight also includes a number of Web-based reports, but you need to be running IIS to use them. Kudos to Quest for making these reports optional—you don’t have to install those reporting tools and IIS unless you’re comfortable doing so (because having IIS around does add some ongoing maintenance to your plate in terms of patch management and those types of issues).

Spotlight is easy to install, although you will need an instance of MSDE or SQL Server in order to use it (the product ships with MSDE and can install it for you). I really like the “Getting Started” tabs. You’ll find these in both the Topology Viewer and the main console. They list simple step-by-step instructions for configuring a domain connection, discovering domains and so on. These help you get up and running without reading the manual, which I never do anyway.

So Far, So Good

I didn’t run across many snags with the beta product, and the ones I did were minor. For example, in the Topology Viewer, tasks such as tests and resolution actions are shown in a pane on the right-hand side. Expanding an area near the bottom—like the Resolve Time Synchronization area—jumps back to the top of the pane, forcing you to scroll back down to see the area you just expanded. This isn’t a functional problem, but is a minor annoyance.

Spotlight is playing in the same space as products like NetPro Directory Troubleshooter, which also seeks to be an all-in-one information and troubleshooting repository. I’d say Spotlight compares favorably, providing roughly the same functionality with a sexy user interface.

Speaking of the interface, you can configure it to a somewhat simpler “classic” scheme. It would be even cooler if it came with a few different-looking themes. Not every organization, for example, will find the largely-black color scheme attractive. In a tool like this, visual presentation is definitely a selling point.

I found Spotlight easy to use and intuitive. If you’ve spent any time monitoring and troubleshooting AD, you’ll know that being able to glance at one or two screens and quickly spot problem areas based on color-coding, flashing


alerts and animation speed is valuable since it helps direct your attention to problem areas quickly. While some might question the value of a tool that is basically an extensive system monitor, that is an undeniably essential function.

Spotlight doesn’t include as much in the way of remedial tools as do some other products in this category. For example, Directory Troubleshooter can run a much broader array of jobs and tasks to help further diagnose or even repair AD problems. While the alerts you see within Spotlight are very detailed and much appreciated, NetPro is known for its extensive in-house knowledge base of AD troubleshooting and repair. Quest may want to consider adding a more interactive knowledge base to help users get additional expert information when problems occur.

Figure 3. You can drill down for details like DNS registration status.

Spotlight also comes in flavors for Exchange, Oracle, Siebel, SQL Server, Sybase, Linux/Unix and Windows itself, providing you with a suite of tools with similar functionality and visual appearance. This broad range of coverage helps Spotlight stand apart from its competition. You can use a version of Spotlight with every major server system you support and have intelligent monitoring that uses the same visual appearance, indicators and so on. That greatly reduces the learning curve.

How does Spotlight compare to more robust and general monitoring solutions like Microsoft Operations Manager (MOM)? Microsoft provides Management Packs for almost every server product (Exchange, SQL Server, BizTalk and so on) the company makes, so MOM certainly offers broader support. Although MOM has a small degree of at-a-glance reporting, it doesn’t provide anywhere near the amount of immediately useful, visual information as does Spotlight. The animations that indicate overall workload for various components, for example, are tremendously useful for diagnosing your entire environment at a glance.

Figure 4. You can get a better feel for your network topology with this graphical view.

Spotlight is worth a close look for anyone tasked with AD performance tuning and troubleshooting. With a quick glance at the Spotlight console, you can instantly see if your environment is in good shape or if you’re having problems that will soon result in a flood of help desk calls. After all, being on top of the situation is half the battle.—

Don Jones is a contributing editor for Redmond magazine and the owner of ScriptingAnswers.com, a Web site for automating Windows administration. His most recent book is Windows Administrator’s Automation Toolkit (Microsoft Press). You can reach him at [email protected].


YourTurn
Redmond’s readers test drive the latest products.

Keep Data in Line, Most of the Time

For synchronizing data on PocketPCs and Smartphones, ActiveSync 3.8 is easy enough to use, but many users say OS and phone service issues can knock it off balance.

BY JOANNE CUMMINGS

Microsoft ActiveSync 3.8
Free
Microsoft Corp.
800-426-9400
www.microsoft.com

Sometimes, the best utilities are the least glamorous. They do what they do and they do it well. Microsoft’s ActiveSync 3.8, the latest version of its data synchronization software for PocketPCs and Smartphones, fits that bill. It seamlessly syncs up files—such as e-mail, contacts and calendar items—between mobile devices and PCs. And it’s usually pretty efficient, according to Redmond readers.

“It has been seamless and the client devices are very easy to configure,” says Vinit Kohli, director of MIS at Sibcy Cline, a residential real estate company in Cincinnati, Ohio. “Microsoft has done a good job in making it as easy to sync up as possible. Even when people are first learning how to use the software, we hardly spend more than 15 minutes synching up with these devices.”

However, as the mobile devices that use ActiveSync have become more elaborate and more capable—sporting state-of-the-art Secure Digital (SD) cards and phone services—ActiveSync has been slow to keep pace. As a result, the synching process can sometimes be a bit sub-par.

“It can be a bit buggy, especially where the phone service is concerned,” Kohli admits. For example, Kohli does his synchronization primarily through a wireless connection. He uses ActiveSync to sync up his e-mail, contacts and calendars on his Sprint Audiovox 6600 PocketPC phone with the data on his corporate Exchange server.

“I have a lot of issues with the Sprint phone service conflicting with ActiveSync,” he says. If the phone service kicks in when ActiveSync is running, the entire device freezes up and locks him out. “The only way to get the device back up and running is to pull out the battery and reboot. It’s crazy.” Misery must love company, because Kohli isn’t alone in facing this issue. “I was in a Microsoft seminar last month with five other PocketPC users, with service from different carriers, Cingular, Sprint and others,” he says. “They all said the same thing. If the phone service kicks in, ActiveSync freezes up and locks up the device.”

That problem is most likely due to ActiveSync 3.8’s inability to broker between services and its less-than-robust error handling capabilities. In fact, when Microsoft rolled out Windows Mobile 5.0 software in May, it also announced ActiveSync 4.0 that it billed as having “more robust error handling features.”

Log on to Redmondmag.com to learn more about ActiveSync 4.0 and download a developer’s copy. FindIT code: DataSync

Until the new version is widely available, however, users will continue having problems. Wesley Bielinski, network administrator for the American Board of Medical Specialties in Evanston, Ill., uses it to synchronize data between multiple handheld and desktop devices. He syncs his e-mail, contacts and calendars on an HP 4150 and an HP 6315 with Outlook on his PCs at work and at home. Sometimes, he says, ActiveSync syncs up all his files in two minutes. Other times, it takes up to 15 minutes and hangs up. Seldom, if ever, can he pinpoint a reason for the difference.

“There are a lot of quirks that are very annoying. Just yesterday, it was synching a favorite and two files. It just froze on them,” Bielinski says. “It couldn’t tell me which file was having a problem, so I ended up having to remove all the files, sync it, put the files back on and then sync it again. I should be able to just pop it in and forget it, but I can’t. It requires some babysitting and I wish it were more reliable.”

Start Me Up

ActiveSync’s inability to gracefully handle errors is compounded by the inability of most PocketPC and Smartphone devices to do a soft restart. “There is no way to end the task or stop the process,” Kohli says. “Basically, you just have a


hard restart, and that [means] pulling out the battery.”

Kurt Hudson, president of HudLogic, a Flagstaff, Ariz., consultancy, believes the problem lies more with the device and the PocketPC operating system. “When you’re sold one of these devices, they tell you that it’s just like a little laptop. The big difference is its ability to do error handling. Basically, every time you get an error, you have to restart.”

Hudson says he can restart by pushing his pen stylus into the restart button on his PocketPC, but it certainly isn’t foolproof. “You have to be careful,” he says. “A quick hit will restart, whereas if you hold it for two seconds, it flushes the memory and everything, so you lose your contacts and all that. It’s not very elegant.”

Still, Hudson is generally happy with ActiveSync. It has saved him a lot of time when synchronizing a Flash application between his PocketPC and desktop system. “It’s actually easier for transferring files than moving my memory stick back and forth,” he says.

Wireless—More or Less

Version 3.8 of ActiveSync didn’t provide anything all that different from the previous version, as far as Bielinski can tell, but now he has more trouble with wireless synchronization. “I can get it to sync up wirelessly once in a while, but now I tend to just stick it in the cradle and do it that way,” he says. “It’s easier and at least it also charges up the battery.”

That could be due to the new security features Microsoft added to version 3.8. As a precaution, it turned off the ability to sync up via Wi-Fi or LAN by default. Users can reactivate that feature by checking off a menu item, but the change isn’t very intuitive for users accustomed to the old way of synching. Even after Bielinski made sure he had the settings properly configured, he still couldn’t get it to work with a wireless connection, he says. “It’s just hit or miss.”

Others agree that for the most part, the differences between version 3.71 and 3.8 seem negligible. “I upgraded when 3.8 came out,” says Hudson, who has been using ActiveSync with his PocketPC for the past six months. “Usually, I upgrade because I’m looking to have certain bugs fixed, but that wasn’t the case here. I don’t see much of a difference between the two versions.”

Hudson’s PocketPC has wireless networking and unlimited Internet service from T-Mobile. It usually doesn’t hang up during the synching process. “It doesn’t even take five minutes, although I sync directly connected


from my cradle of the PocketPC—not wireless—so that may be why I don’t have problems.”

Where Hudson does have problems is getting everything—his Bluetooth connection, GPS software and ActiveSync—to work together. “I don’t think ActiveSync is the problem there,” he says. “Once the software kicks in, it seems to work. It’s when I’m trying to get the communication between the phone and the other mechanisms like my GPS. Sometimes it works and sometimes it doesn’t, and I can’t tell why.”

Bielinski has the same issues. “I use ActiveSync with my Bluetooth headset and GPS unit simultaneously. It took me a long time to figure out how to get them all to work together,” he says. “The trick is you have to start them up in a certain order, otherwise it doesn’t work. You have to get the headset first, and then be in the Bluetooth manager. Then turn on the GPS unit and immediately click on the connection. Otherwise, it will automatically connect itself and it won’t work. It’s a whole process.”

Other File Types

Most users say they’re happy with ActiveSync’s ability to sync up with Outlook and Exchange. As they use their devices for different purposes and put more items on SD cards, they would like to be able to sync up other file types, such as Excel, Word and even photos.

“Once we start adopting more CRM-type applications, I think ActiveSync is going to become more critical,” Kohli says. “At that point, I’d like to see more support for synching Word and Excel documents. Right now, I have this 512MB SD card, so I have plenty of space to put my Word documents. It would be great if it could sync up everything on the SD card—if not the whole document, then at least just the changes.”

ActiveSync does indeed let users synchronize Word and Excel documents, Hudson says. “You just have to place the document in the special folder ActiveSync creates for synchronization. Some devices don’t support that capability, so it’s more of a device limitation than an ActiveSync one.” He says ActiveSync can synchronize Excel, Pocket PowerPoint, InkWriter, Pocket Excel, Word, Notes, PowerPoint, Pocket Word and Note Taker.

If your device doesn’t support other file synchronizations, ActiveSync also lets you drag and drop files between the SD card and the desktop. This will help you transfer files, but it won’t actually synchronize them.

Kohli would also like to see support for synchronizing photos. “I have a camera on this device,” he says. “It isn’t that great, but it’s good when you’re really in dire straits.” He says he uses it to help clarify issues in the server room. He takes a picture of something questionable so he can discuss it with someone. That ensures they both have the same point of reference. “So synchronizing pictures would be on my wish list.”

Another issue is ActiveSync’s perceived inability to sync up more than one inbox. “I divide my inbox into a couple of sections or folders, and I wasn’t seeing an option to sync multiple inboxes,” Hudson says. “I really wanted it to do that.” Later, he found that ActiveSync does provide for syncing up multiple inboxes, but that the information was buried in the help files.

“Synchronizing subfolders is supported only on Windows Powered Pocket PC 2002 and later and Windows Powered Smartphone 2002 and later, but it does support the feature,” Hudson says. “Seems to me a lot of the things people are wishing for are already in there, but not necessarily enabled by default.”

Consequently, he advises anyone to fully research the ActiveSync help files before concluding that it lacks support for certain features. There may be more to it than you think.

Joanne Cummings is a freelance technology journalist. You can reach her via e-mail at [email protected].

ActiveSync Wish List

For the most part, users are happy with the features and functions that ActiveSync 3.8 provides. If they had their way, though, here’s what they would like to see in the next version of Microsoft’s mobile synchronization software:

1. Support for more applications. The ability to synchronize e-mail, contacts and calendars within Outlook and Exchange is easy and seamless, but most users would like to see that extended to Excel, Word and other applications. “It shouldn’t be something you have to hunt for,” Kohli says.
2. Support for multiple devices. “It would be nice if there were a way to keep everything synched,” says Bielinski. Currently, it’s difficult for him to use ActiveSync to synchronize the data on his two PDAs and two PCs. “If you want to add something like synching with an Internet calendar like Yahoo or something [similar], you’re out of luck. I’d like to see it be able to work with multiple devices.”
3. SD card synchronization. Although ActiveSync lets users synchronize files by placing them within a certain synchronization folder, it currently doesn’t sync up the whole SD card. “That would be a nice feature,” says Kohli.
4. Better error handling. When ActiveSync encounters an error—from phone service interference or whatever—it should provide a less-intrusive way to stop and restart the session. “Removing the battery is not a good way,” Kohli explains.
5. Remote info wiping. In the event that a mobile device is lost or stolen, Windows Mobile 5.0 can remotely wipe the data from that device the next time it connects to the network. “That would be a nice feature to have in ActiveSync as well,” Bielinski says.

— J.C.


THE POWER INSIDE

As head of Microsoft Research, Rick Rashid leads a team that remains largely anonymous, but whose work finds its way into nearly every product Redmond ships.

BY KEITH WARD

PHOTO BY KATHERINE LAMBERT

If you get less spam than you used to, Joshua Goodman is probably a big reason why. If Bill Gates’ prediction that spam will soon be a thing of the past comes true, Goodman will have had a large role in that, too.

Goodman is a Microsoft Researcher, one of about 700 worldwide, and his work in the area of e-mail and spam has been part of the effort that became Sender ID, Microsoft’s flagship anti-spam technology.

Of course, you’ve probably never heard of Joshua Goodman or any other Microsoft researcher. But if you use Microsoft Word, Outlook, Windows Media Player or SQL Server, you’re using technology from Microsoft Research (MSR).

Goodman works at the Redmond research lab, one of Microsoft’s six research centers worldwide. He’s been with MSR for about seven years, and his current research interests are in e-mail and spam. “The goal,” he says, “is to learn what good e-mail looks like and what spam looks like.” Much of his work is involved in developing algorithms to spot the “Amazing New Diet Pill!!!” ads, and to try to keep up with the endless variations spammers use to elude the spam filters he and others write.

Goodman is an MSR old-timer. When he graduated with a Ph.D. in computer science from Harvard, he was working on speech recognition, and had offers from two other labs. “They were great places, but the environment at MSR looked like it was going to be the best. There was much more opportunity here to have an impact.”

Sudden Impact

That’s an attitude that separates MSR from much of the academic research community. “The reason they [researchers] come here is that they want to see their stuff in shipping products,” says Kevin Schofield, general manager of strategy and communications for MSR, who handles the technology transfer process. “My job is to help them do that. I don’t have to go around convincing them to get their stuff in shipping products.”

That’s certainly true of Goodman. “Our spam filter is used by [more than] 100 million people. It’s fantastic to have that kind of impact.”

Impact is much further down the road for other projects. Nebojsa Jojic, of the Redmond lab, has been with MSR five years. He researches machine learning, where he’s developing algorithms for “data analysis of any type of data—audio signals, text or anything,” he says. He worked on data analysis of graphic images for some time, and now he’s working on biological data, including genetic sequencing. While he says some of his work has made it into applications, most of his current efforts won’t be in a shrink-wrapped box for some time.


Fast Facts About Microsoft Research

Founded: 1991
Employees: Approximately 700
Research Centers: Six. The main (and largest) lab, employing about 350 researchers, is in Redmond. The others, and their main areas of research:
• Microsoft Bay Area Research Center (BARC). Established in 1995, San-Francisco-based BARC comprises approximately six researchers working primarily on issues that involve scalable servers and the future of virtual communication, such as telepresence.
• Microsoft Research Cambridge (England). Research at the facility in Cambridge encompasses programming languages, security, information retrieval, operating systems and networking. Established in July 1997, the lab has more than 75 researchers.
• Microsoft Research Asia. The lab, located in Beijing, China, was founded in 1998. Currently, more than 150 researchers are developing next-generation multimedia applications and Asia-specific computing technologies such as adapted user interfaces and language-conversion systems.
• Microsoft Research Silicon Valley. Established in August 2001 on the Microsoft campus in Mountain View, Calif., the lab now employs 25 researchers who focus on distributed computing, including privacy, security, resource location, protocols, the Internet as a platform, reliability, availability, scalability, management and related theory.
• Microsoft Research, India. Bangalore, India. The lab currently has about two dozen scientists, interns and support staff. It specializes in long-term basic and applied research, mostly in four areas—multilingual systems, technologies for emerging markets, geographical information systems and sensor networks.
Areas of research: MSR is currently working in about 55 different areas, a number that increases regularly.
Annual budget: The total budget for Microsoft Research and Development is $6 billion to $7 billion for 2005-2006, although the lion’s share goes to development operations.

— K.W.

SOURCES: MICROSOFT, INTERVIEWS WITH MSR EMPLOYEES.

Where’s the Beef?

Jojic’s experience illustrates the quandary in which MSR sometimes finds itself. On the one hand, good research takes years of painstaking effort; but when there aren’t a lot of obvious end results, Microsoft gets blasted for not coming out with lots of hot, industry-changing products.

Some of the groundbreaking, paradigm-shifting products like the iPod and iTunes, and Google’s search capabilities, were produced by much smaller companies, and Microsoft is scrambling to catch up. Think about it: When was the last time you saw an upcoming Microsoft product and said “Wicked cool!”?

That’s not a fair comparison, argues Senior Vice President Rick Rashid, who oversees the research division. “Our job is to produce fundamental technologies. Pretty much any product Microsoft produces will have technology that comes from Microsoft Research.”

Rashid gives some examples. “The development of Windows Media Audio; we have better quality than MP3 at half the [file size]; high-definition video technology came out of Microsoft Research. These aren’t the products. We do fundamental things, things that move the state of the art forward.”

That’s a phrase you hear a lot coming out of MSR: “Advancing the state of the art.” It’s become MSR’s motto. But advancing it how? For example, Rashid points to an area he’s particularly excited about, something he calls “social computing.” “We’re looking at all sorts of different aspects of how computers can be used to manage social groups. Something almost like a super-blogging tool that covers the space between e-mail, IM [instant messaging], blogging, sharing photos, all in one interface. It automatically builds a social network; it looks at who you’ve interacted with and builds a network out of that.”

It Just Works Better

Roy Levin, director of MSR’s Silicon Valley lab, says “there can be a huge amount of quite significant innovation going to various places in that product line that are not immediately visible at the end as individual things; it’s just that it works better.”

He cites the example of the Help system in Microsoft Office. “In roughly 1995, you had keyword-based lookup. Pretty straightforward technology. The natural language processing group in MSR [the oldest research group] contributed technology that did semantic analysis on the queries that were then put in the Help system. So the interface looked identical, but the pages you got back were better, because they weren’t restricted to things where you had keyword matching. That’s a pretty substantial change, going from string matching to semantic analysis, yet the innovation is almost transparent.”

Outside the Pressure-Cooker

Although MSR has contributed a lot of the plumbing to products, Levin is quick to point out that the product teams don’t pressure MSR to develop products to get to market. “We certainly consult when they have a problem we can


help solve. We do a lot of that. And we develop new things on spec, with the expectation that they’ll be attractive to the business units. But there are no year-by-year metrics that say ‘you have to transfer this amount of stuff.’”

That’s another way of saying that there’s a different mindset at MSR. “We’re very disconnected from sales. Customers are interested in today’s products; researchers are interested in ‘three-years-in-the-future’ products,” Levin says.

Roy Levin heads up the Microsoft Research Silicon Valley lab. PHOTO BY KATHERINE LAMBERT

Microsoft Research Contributions to Products

A small sampling of MSR contributions to a number of popular products.

Windows XP
• ClearType display technology that allows a crisper, higher-resolution display of text on ordinary LCD screens.
• MSR implemented full IPv6 functionality in the shipping version of the operating system.
• Performance optimization tool advancements optimize the load time, memory requirements and overall performance of the operating system.

Office 2003
• Junk-mail filter. Researchers in the Machine Learning and Applied Statistics Group first deployed this filter in MSN 8.
• Cryptography and anti-piracy improvements. Technologies from the Cryptography and Anti-Piracy Group were used to create security enhancements and provide increased protection against software piracy.

Office XP
• Smart tags technology automatically recognizes “factoids,” specific data such as dates, company names and locations, and enables rapid access to information from the Web, Office or third-party applications via automatically generated links.

Microsoft SQL Server
• Test tools generate random and complex SQL Server queries, which can more fully test and exercise the Microsoft SQL Server engine.
• Key range locking allows more users to access the database simultaneously.
• Multilevel recovery allows the system to bring itself back to a stable state even when very complex operations were only partially completed at the time of the failure.

Tablet PC
• Concepts and team leads behind the Tablet PC originated in Microsoft Research and became a product team once it became clear that the Tablet PC was a project worth advancing.
• Digital Ink technology enables users to write directly on the Tablet screen to control their PC and to input information as handwriting or drawing.
• Several algorithms that enable handwriting and sketch recognition technology allow users to manipulate handwriting notes.

SmartScreen Technology
• An advanced spam filter designed by Microsoft Research is patented technology based on a machine-learning approach, in which examples of e-mail that would be considered spam are submitted by e-mail users themselves and used to train the filter to know what to look for.

SPOT
• Smart Personal Objects Technology (SPOT) is a special project incubated within Microsoft Research focused on making everyday devices (e.g., wristwatches) better at what they do, and enabling them to provide timely, personalized information in a convenient, “glanceable” format.

Xbox
• IP network probing. Xbox Live provides online gaming and uses Microsoft Research technology to help ensure that gamers get the best online experience. This technology measures the connection quality between players, pairing them with others who have similar connection speeds, which ensures a more equal gaming experience.

Bayesian Analysis
• Technologies that build probabilistic models can be used to predict and anticipate users’ behavior, preferences and needs, allowing software to automatically customize itself to a particular user.

SOURCE: WWW.MICROSOFT.COM

That doesn’t mean the researchers are coasting along, playing Doom on their high-speed work connections. The hours for a researcher are long. Jojic estimates that he puts in 50 to 60 hours in an average week. He describes his typical routine: “I spend a lot of time with products and in front of the computer, adjusting algorithms. I also spend a good amount of time writing papers


and traveling, working with interns, coding, answering e-mail, reviewing papers for conferences and journals.”

Despite the long hours he and his colleagues put in, there isn’t a lot of turnover. “You sometimes get overworked, but the core work is really fun,” he says, “So most people just work until they get too tired, [then take a break and] get back to the trenches. We’re not waiting for 5 o’clock so we can get home. I haven’t met anybody in MSR that’s just burned out. They might switch focus, but nobody really gets burned out.”

Follow the Money

Part of that is due to the fact that unlike most other divisions within Microsoft, MSR doesn’t have to make a profit. “Our focus is in creating new technology. It’s not really a corporate-focused goal,” says Rashid. Explains Schofield: “Rick [Rashid] doesn’t run a profit/loss center,” he says.

The overall R&D budget for the coming year is between $6 billion and $7 billion, but of that R&D, according to Levin, “D gets most of it.”

Precise figures were not forthcoming, but Rashid confirmed Levin’s estimate of where the lion’s share of money is spent. “The vast majority [of spending] goes to building our products—Windows and Office and Xbox. Basic research is not an incredibly expensive endeavor.”

But R&D isn’t incredibly cheap, either, given that most of those 700 researchers have Ph.D.s. “We try to make their lives easy so they can concentrate on research,” says Schofield. “The rules are simple: If people ask for resources they need, they get them. If they ask for resources they don’t need, they don’t get them. We don’t ask principal researchers to manage their own budgets; we don’t want them focused on budgets. We want them to focus on doing great research.”

To keep things simple, MSR is organized like an academic computer science department, with a flat structure. Also similar to academia, researchers are given a lot of autonomy, but Microsoft researchers might have it even better. “I have a huge amount of freedom,” says Goodman. “It’s an interesting thing about MSR vs. academia: [in academia], you typically have grant money you need to apply for and then have somebody approve your time [to meet grant requirements]. Here we have more freedom than we might in an academic institution.”

That’s by design, says Levin. “We hire researchers for their creativity, and the job of management is to provide an environment where they can exercise that creativity. Management doesn’t say “Gee, I think you should go work on this,” because then it would be limited by our ideas, and that’s not good.”

Nebojsa Jojic has been with Microsoft Research for five years, and works in the Redmond lab.

Research: A Primary Focus for Gates

Bill Gates always seemed to love technology first and running a business second, so it should be no surprise that he keeps a close eye on Microsoft Research (MSR). After all, it was Gates who made the expensive decision to launch MSR.

The person in charge of MSR, Senior Vice President Rick Rashid, interacts frequently with Gates. “I see Bill a lot, because I sit in on all the product reviews he does. I sit next to him several times a week for many hours. He keeps pretty good tabs on what the research group is doing.”

But that doesn’t mean Gates is calling all the shots at MSR. “Bill does not do that,” says Roy Levin, head of the Silicon Valley MSR lab. But he is around more often these days. “Bill spends more time with research than he used to. We meet with him about four times a year to present selected projects that have gotten interesting, intriguing results that are not yet ready for commercialization but are intriguing.”

The meetings, Levin says, are “Mostly an education, exposing Bill to what’s going on. He loves to think of ways to apply that research in ways the researchers may not have thought of.”

Kevin Schofield, general manager of strategy and communications for MSR, says Gates “gives us a lot of feedback on what he thinks is interesting. He’s always been very interested and involved in research.”

Gates will also seek out the researchers themselves from time to time for input. Researcher Joshua Goodman, who works on minimizing spam, says “On one hand, I’m pretty far from Bill Gates, but I’ve actually had a surprising number of chances to interact with him. We have what are called ‘BillG Reviews,’ and I’ve gone to four or five of those. Once he also sent me an e-mail asking what we should be doing about spam in general.”

MSR has had an even more personal impact on Gates, as Rashid revealed an anecdote relating to the U.S. Department of Justice’s anti-trust trial. According to Rashid, Gates was depressed about how the case was going. “At the worst point of the anti-trust trial, Gates sent me an e-mail that said how much he appreciated the opportunity to work with the research team and interact with them, because it’s one of the things that gave him hope for the future. All these new things [research was working on] gave him kind of an uplift.”

— K.W.


Running Out of Researchers

Bill Gates must have said it four times during a recent press conference describing the state of technology research in the United States: “We’re keeping smart people out of the country.” He was referring to the H-1B visa program, which limits to 65,000 the number of aliens who can work in the United States. Gates is concerned because Microsoft relies heavily on computer scientists from foreign countries, especially in Microsoft Research (MSR).

Gates paints a bleak picture. “At Microsoft, we’re having a tougher time hiring. If you look out at the future, that’s just going to get tougher. The jobs are there, they’re high-paying jobs, but we’re just not seeing the pipeline where it needs to be.”

The H-1B visa issue is critical because there are fewer U.S. undergraduates going after computer science degrees. That will have a “trickle-up” effect in the years to come, according to Senior Vice President of Research Rick Rashid. “This year, hiring has been spectacular. These are the students that were in school when the boom started. The problem is that you look out in two years, and the number [of computer science Ph.D.s] drops by 30 percent, the year after that maybe 60 percent, and that’s when you start panicking. Some of the people we’ve hired were in school before there were Web browsers. That’s a long pipeline. In a few years, we could be in a world of trouble.”

Gates concurs. “We’re quite concerned that the United States will lose its relative position in something [research and development] that’s very critical to the economy. Our elite position, where we develop the best people in this country and many of the best people from other countries come here, that’s certainly eroding.”

The effect, according to Rashid, is that Microsoft Research has “grown mostly outside of the country. We have about 200 [researchers] in Beijing, about 100 in Cambridge [England], and we started a new research center in Bangalore [India]. Expansion outside of the United States is necessary to continue growth. We’ll do a significant amount of growth in Redmond,” Rashid says, but non-U.S. hiring is still seeing greater increases.

Gates says it’s by necessity, though, not choice. “We’re going to the top universities, but there just aren’t as many graduates with that specific type of background. We have those open positions, and it creates a dilemma for us in terms of how we get our work done.”

What this means for you is that a lucrative, satisfying career in computer research awaits if you go back to school and get your Ph.D. “We’re always looking for new, smart people,” says Kevin Schofield, general manager of strategy and communications for MSR. Without new blood coming in, he says, “Two to three to four years from now, we’re going to be in serious trouble.”

— K.W.

General Manager of Strategy and Communications for Microsoft Research Kevin Schofield is concerned about the narrowing pipeline of researchers.

That management style has led to a work atmosphere that Goodman describes as “laid-back intensity. It’s laid-back in that we can do whatever we want. For a lot of what we’re doing we don’t have deadlines, but what we do, we do in an intense way.”

Getting Ideas into Products

There are some deadlines, though, and most have to do with the technology transfer process. Goodman says that “when I work with product groups, I need to do what I promised to do and get them stuff on time.”

There is no formalized “technology transfer” process, though. It’s mostly about relationships, says Jojic. “In the end, it’s about having a relationship with a product group, and it happens a different way in each instance.” There’s a lot of give and take, he continues. “The product teams come and give talks to MSR to say what they’re doing next. Technology transfer is about working with someone in a product group.”

Schofield echoes that sentiment. “People think that technology transfer is a Rube Goldberg contraption. It’s about people, relationships, communications and trust.”

One way that’s facilitated is a yearly Microsoft-only trade show, where groups present their projects. Following this, Rashid says, “The product group takes the research and integrates it, moving forward.” Levin says that “Rick Rashid is very well plugged in to what the product groups are doing, but the real choice of what to work on lies in the hands of the researchers.”

In the end, that kind of freedom may be the key to happiness as a Microsoft researcher. As Jojic says, “It’s hard to imagine I’ll do anything else. It is a really good job, a really good thing to do, at Microsoft or anywhere else.” Says Goodman: “It’s not the easiest or most lucrative way to spend your life, but we love what we do.”

When he wrote this piece, Keith Ward was managing editor for Redmond magazine. He has since left the publication to form his own video production company. We thank him for his service to the magazine and wish him well.


Smoke, but No Fire for TCO

Total Cost of Ownership (TCO) is a concept touted by Microsoft and various Linux vendors as proof that their products are cheapest to run. But TCO claims aren’t what they’re cracked up to be, and most IT shops never use TCO, or just plain do it wrong. BY STUART J. JOHNSTON

The debate about which operating system delivers the best total cost of ownership is over—over-rated, that is. TCO has been a major battlefront in the Windows vs. Linux marketing wars for years. But it’s a complex task to actually determine what costs comprise TCO, and it’s even trickier to figure out how to compare one system with another. In fact, many companies that claim to have achieved a lower TCO with one system over the other cannot or will not disclose how they actually did the measurement. And to protect proprietary advantages, many on both sides of the debate are reticent to open the TCO kimono.


Also, many shops that claim to have done thorough TCO comparisons may not have been as thorough or complete as they think—or as their vendors would like you to believe. Indeed, many IT organizations only get part way down the path to a rational, detailed comparison before picking a platform. And—no surprise—the winner is often the one IT staffers are most familiar with.

At the end of the day, incumbency and familiarity count for a lot. That means Windows servers will continue to dominate for now, although lines between the two systems’ capabilities have begun to blur as Linux has matured. And that just makes it harder to come up with any real numbers to compare them.

The Problems with Surveys

Most, if not all, TCO studies have to be taken with a grain of salt. Maybe even a block of it, many analysts say. First, there’s the issue of who commissioned the study.

“I have trouble finding a study without it quickly being disqualified by who funded it,” says Rob Enderle, principal analyst at consultancy Enderle Group.

Photo caption: Analyst Rob Enderle, of Enderle Group, says many, if not most, TCO studies are tainted by their source of funding, which is often a company with something to gain.

However, the problems with any TCO survey or study go much deeper than whether an interested party sponsored it.

“[TCO studies] are like a house of cards … where’s the proof?” asks Michael Cherry, lead analyst for operating systems at consultancy Directions on Microsoft, pointing out that even subtle psychological biases can spin a study’s results.

In addition, accusations often are made that one side cheated and stacked the deck in favor of their system, particularly in non-production simulations.

Apart from questions of bias lurks an even bigger analysis problem: How do you model any specific-enough scenario to provide meaningful data without being so specific as to make one company’s comparison to another company’s scenario unrealistic?

When evaluating a TCO survey or case study, there are a number of questions you should ask in order to get a proper comparison between the case study and your particular situation. Here’s a starter list:
• What do you measure?
• For how long a period?
• How many parameters should you examine?
• How do you quantify and allocate costs?
• What is a legitimate expense to include and what isn’t?
• How do you model a real-life situation?
• Where do you get your data?
• What’s a reasonable lifecycle for a given system or application?

Some TCO “studies” are so simplistic as to provide a spreadsheet with blanks where users fill in costs for mostly big-ticket items such as software or staffing. While these may be useful in a very broad-brush sort of way, many analysts criticize them for being too general and therefore not a good basis for decision-making.

“Nobody’s infrastructure is the same, so it’s unrealistic that you could do a vanilla survey that fits everybody,” says JupiterResearch senior analyst Joe Wilcox.

Wilcox and other analysts point to comparisons that use “list” prices for Microsoft software. In reality, many enterprises participate in Enterprise Agreements and other volume deals, which can dramatically lower costs based on volume and commitment.

There are other issues as well. Are survey respondents self-selecting, as can often happen in a Web-based or call-in survey? That can prejudice survey results because only interested parties respond. Phone-call-out or in-person randomized surveys are generally more accurate but more time consuming and, thus, more expensive to conduct.

That brings up another important question: What’s the sample size? The smaller the sample, the less accurate the results.

Results can also be off because of the number and depth of questions or number of variables in the model. The possibilities for variables and options are dizzying.

“You end up with a number that’s as accurate as an EPA mileage rating … ‘Your mileage may vary,’” says Directions on Microsoft’s Cherry.

Ultimately, analyst Wilcox questions how much weight even a thorough TCO analysis should get in the decision-making process. “I think cost containment is the wrong priority for making technology decisions,” Wilcox says. “You should be thinking about the business.”

That same sentiment is echoed by Robert Rosen, president of SHARE, the giant IBM user group. “People aren’t looking at IT as a cost center any more [which means] TCO isn’t the driving issue … it’s the total economic picture,” Rosen adds.

The Devil Is in the Details

Most of the TCO studies publicly available were either funded by


vendors or are at least a year out of date, or both.

One that’s not is the Yankee Group’s “2005 North American Linux and Windows TCO Comparison Survey.” Released last spring, it follows Yankee Group’s 2004 survey, which was roundly condemned by the Linux community because a portion of it was hosted on a Web site owned by a Microsoft Certified Gold partner.

While Yankee Group defended its methodology, the 2005 survey was done with no involvement by any outside parties.

It also has twice as much detail as the 2004 survey. The firm’s March 2005 survey reached 550 IT decision makers and asked respondents 50 questions, double the number in the 2004 survey. Despite that, the report’s conclusions were similar in many respects to 2004. Neither report actually spells out any bottom line numbers comparing TCO for Linux vs. Windows, instead identifying trends.

In 2005, for instance, a study by Yankee Group analyst Laura DiDio found that “there is no universal clear-cut TCO basis to compel the corporate masses to do a wholesale switch from Windows to Linux as there is for a migration from Unix to Linux, and there is no indication that users are replacing Windows with Linux.”

While that’s good news for Windows, Linux isn’t going away. The same report found that “from 2004 to 2005, Linux maintained—but did not expand—its healthy 15 percent market share—compared to 73 percent market share for various versions of Windows servers.”

DiDio also found that while more than half of all respondents said they’d done a thorough TCO comparison in advance, when asked, “on average 75 percent could not answer explicit questions.”

What’s missing, DiDio says, is information and metrics that you would expect most IT shops to normally gather and evaluate, such as how long on average it takes to recover from a system crash, how many calls are made to the help desk in a typical day, the average hourly cost for downtime for Windows and Linux, and what kinds of workloads a company puts on Linux vs. Windows servers.

“If you don’t have those estimates, how do you do a TCO? That’s scary,” DiDio adds. Without that information, she wonders how those IT shops run their businesses, much less calculate TCO.

Familiarity Breeds Respect

The answer is that many companies do not really conduct TCO comparisons, even when they say they do. Witness the percentage of respondents in the Yankee Group’s 2005 survey who said they had performed TCO analyses but couldn’t cite detailed costs needed for the calculation. Despite the TCO lip service, other criteria tend to win out in choosing a product, according to both analysts and IT managers.

Applications are the biggest criterion for platforms, and it’s often the case that a key application is available on one platform and not the other. “The


TCO is roughly the same [for Windows and Linux so] the deciding factor is ‘Are the applications users need available [on the platform]?’” says SHARE’s Rosen.

But perhaps most important is the current staff’s familiarity with the system. It’s a touchy subject.

“One thing we find in our research is so much of what gets adopted has to do with [IT users’] familiarity and their skill sets [and not TCO concerns],” quietly admits a vice president at one of the largest analysis firms who asked not to be identified.

And while measurement before the fact is suspect, TCO measurement after the fact is almost non-existent.

“All of the TCO [analysis] that I’ve ever seen was forward-facing projections … I never saw an audit of TCO [after the fact],” says a highly experienced manager of technology and operations for one of the largest county governments on the West Coast. And when he went looking to see what other IT organizations had done, it was “like nailing jelly to a tree.”

“It was impossible to find anyone that actually did TCO [calculations] … so I came to the conclusion that TCO is a marketing tool,” the manager adds.

That TCO takes a back seat to more important issues is true for both platforms, it turns out, one vendor reports. “We’ve never had anybody ever complete [a TCO study],” says Don Keeler, CTO of Lumen Software, a Linux portal technology vendor in Kansas City, Mo. “We thought originally there would be a need to do TCO evaluations, but users really just wanted to get their problems solved,” Keeler continues, adding, “It’s the application [that sells Linux] because we don’t lead with Linux at all.”

Windows incumbency can also seal deals. “Everybody we had knew Windows,” says Nick Brookins, former IT director for Computer Builders Warehouse, a custom assembler of PCs and servers headquartered in Warren, Mich., of that company’s 2003 decision to consolidate both its internal Linux and Windows-based servers onto a single platform. While he reckons the company saved somewhere around $600,000, Brookins says that’s an estimate based primarily on decreased staffing levels. “We had two separate staffs [prior to moving everything onto Windows], and when we staffed up, it was a lot easier to find Windows IT talent.”

All of which underlines the unsettling conclusion that TCO, while often discussed, is rarely calculated.

“Most organizations don’t do TCO [and instead] they make decisions on other bases,” agrees John Rymer, vice president in Forrester Research’s application development and integration group.

That, he says, is short-sighted. “TCO is a long-term cost analysis. If you can quantify those longer-term costs and benefits, you can use that information in a lot of places,” Rymer adds.

Home-Court Advantage

For the time being, the older and more entrenched Windows has what Wilcox refers to as “home-court advantage.” His point, and one with which most analysts agree, is that incumbency most often beats new challengers—no matter who the incumbent is.

“When I look at Linux, the playing field isn’t level because Microsoft is the incumbent,” says Wilcox.

“Forty-eight percent [of companies] have Windows end-to-end. That’s a big number [and] if you’re running Windows already, you’re probably going to get some cost savings from standardization,” Wilcox says. “You can’t ignore switching costs [such as] moving data, training, additional support, management and on and on … it all adds up and it makes TCO analysis that much more difficult.”

Certainly, Yankee Group and other firms feel TCO studies are still a valuable tool when constructed using proper survey techniques that gather enough detailed information.

What even the Yankee Group studies show, however, is that Linux is making inroads into the data center. Eleven percent of the companies surveyed in DiDio’s 2004 report planned to migrate entirely from Windows to Linux in the data center. An additional 4 percent planned to migrate all their Unix systems to Linux.

“The metamorphosis of Linux from a free, hobbyist software environment to a major revenue-producing operating system is occurring with the same surety and swiftness of a neighborhood undergoing gentrification,” DiDio says.

To date, however, many, if not most, of the Linux deployments in enterprise environments still come at the expense of more expensive Unix boxes, and not Windows Server.

“[Linux] is brought in by corporations’ Unix groups, so the first thing that’s displaced is Unix,” says Wilcox.

Hearing Footsteps

Longer term, however, perhaps in as few as two years, Microsoft may be struggling to maintain its dominance inside the walls of data centers that it only recently breached itself. Over time, TCO studies or not, it’s obvious that in the future Windows will be sharing more of the data center’s rack-mount space with Linux.

In the long run, all of the angst and number twiddling may not matter a lot. Given the dearth of accurate information on TCO, many IT customers have come to the conclusion that Linux will soon match Windows in terms of capabilities, if it hasn’t already.


For many IT decision-makers, that’s why TCO is pretty far down the list of considerations when it comes to upgrading or replacing systems, or building new ones.

Several analysts say rightly so. “Linux vs. Windows TCO studies are great business for analysts and wicked sales propaganda for companies, but I don’t think high-tech vendors or their customers should take much stock in them,” JupiterResearch’s Wilcox said on his Weblog after being interviewed for this article.

Photo caption: Michael Cherry, of Directions on Microsoft, says TCO comparisons are problematic due to the huge number of variables involved.

Many industry observers say you should use TCO models and surveys as a tool, the same way you would ROI analyses, tête-à-tête product reviews/shoot outs, business needs analyses, and similar-business comparisons. In other words, be skeptical, but don’t ignore them completely, because they can provide value.

“TCO is just a data point,” says John Hogan, vice president of strategic marketing for Novell. “What is perhaps more effective is when you can steer a customer to someone who has a similar situation.”

“You can’t look at costs in a vacuum, so they’re [IT managers] not looking at TCO but instead are looking for the net gain,” says Rosen.

Amanda Morgan agrees with both Hogan and Rosen—but only to a point. After all, she’s global campaign manager for Microsoft’s “Get the Facts” program, which has spearheaded Microsoft’s TCO studies strategy.

TCO is not the only criterion for evaluating systems investments, she concedes, but it is an important one that customers ask about frequently.

“CIOs are really in a tough space, especially in non-technology companies,” Morgan says. “They see large amounts of money [being spent on IT] and really want to know about their ROI over time.” But, she admits, “It’s not the sole element of our conversations with customers.”

Note: Several large and midsize companies whose Windows TCO success case studies are posted on Microsoft’s site declined to be interviewed for this article.

Stuart J. Johnston has covered technology, especially Microsoft, since February 1988 for InfoWorld, Computerworld, Information Week, and PC World, as well as for Enterprise Developer, XML & Web Services, and .NET magazines. You can contact him at [email protected].

Test Drive a Better Browser

These alternatives to Microsoft’s Internet Explorer can add Web-browsing muscle, but they’re not without potential problems.

BY DON JONES

ILLUSTRATIONS BY DAVE WHAMOND

Let’s face it—Internet Explorer 6.0 is getting pretty long in the tooth. It has been out since August 2002 and IE’s security holes, some of which have taken Microsoft considerable time and effort to patch, make news with distressing regularity.

Originally, Microsoft hadn’t planned to release a new browser until it shipped Longhorn (now called Vista) sometime in 2006. It claimed that—among other things—IE was a core component of the operating system, which made it impractical to release a standalone version.

With competition from third-party browsers heating up, though, Microsoft couldn’t help but take notice. Redmond did give IE a minor update with Windows XP Service Pack 2. While that added significant features like an integrated pop-up blocker and content protection from certain types of spyware, it’s only available to Windows XP users. All Windows 2000 users running IE 6.0 are left out in the cold.

Recently, Microsoft announced it will indeed deliver a new, standalone version dubbed Internet Explorer 7.0 sometime in late 2005 or early 2006. Unfortunately, IE 7.0 won’t improve the security situation for Win2000 users, because it’s only being developed for WinXP. (See sidebar, “What’s Coming in IE 7.0?” next page.)

While IE’s existing security shortcomings are indeed serious, there are some fundamental elements of its architecture that leave it open to spyware, adware and other types of malware. The Browser Helper Object (BHO) model in IE, for example, has made it easy for BHO-based spyware to infiltrate millions of home computers. IE’s support for embedded ActiveX controls has also been a sore point with IT administrators who justifiably fear the extensive functionality these controls allow—functionality that could just as easily be used for evil as good.

It’s no surprise that many organizations are examining their options for browsers other than IE. The numerous Carnegie Mellon University’s Computer Emergency Response Team (CERT) advisories regarding IE security issues should be enough to make browser shopping a priority. But what else is available?

Sidebar: What’s Coming in IE 7.0?

The next version of Internet Explorer—version 7.0—is coming later this year or early next. So what’s it going to include?

We know that we’ll get tabbed browsing a la Mozilla. Of course, third parties have long built shells around IE that offer tabs, and MSN’s new toolbar offers tabbed browsing. That’s one of the most-cited reasons for using an alternative browser.

It will also support per-pixel gradual transparency in PNG graphics (something in the original PNG spec but not widely implemented). A decent set of additional features is also planned.

What’s unclear at this point, however, is how Microsoft will address some of IE’s past weaknesses. You can’t just rip out the Browser Helper Object (BHO) model, for example, which has been a major entry point for spyware. Major incompatibilities would result. How Microsoft will update this architecture to make it less susceptible to attack remains to be seen (but rest assured that Beta Man will keep you posted).

IE’s checkered past with ActiveX controls is also worth addressing in version 7.0. Again, Microsoft can’t simply remove the functionality without creating compatibility issues.

Hopefully, IE 7.0 will offer broader, more detailed and easier-to-use central configuration through Group Policy. This feature has been sorely under-utilized and under-implemented in previous versions. It doesn’t appear as if any of the third-party browser manufacturers are taking advantage of Group Policy, so this is an area where Microsoft could really be competitive.

Unfortunately, the new version of IE will only be available for WinXP (Win2000 is now officially in its “extended support” phase, which essentially means MS doesn’t produce new features). By the time you read this, IE 7.0’s first public beta should be out or coming very soon. Be sure to check it out. — D.J.

Remember Netscape?

Back in the day, Web browsing was pretty much defined by a company called Netscape and its Navigator Web browser. Once IE came out, though, it trashed Netscape in the marketplace.

Then America Online and Sun teamed up to buy Netscape. (Oddly enough, AOL still has IE as the embedded browser in its client software.) That acquisition led to two critical developments: AOL spun off the core source code for Netscape Navigator to an independent, community-based organization called the Mozilla Foundation. AOL also continued to develop the Netscape browser using the Mozilla source code as a base and adding a great deal of functionality and features.

While there are numerous alternative browsers available today, for all practical purposes, you have three major options (all based on the Mozilla platform):
• Mozilla: A suite that includes a browser, e-mail client and so on
• Netscape: A similar suite built on the Mozilla base
• Firefox: The standalone browser built on the Mozilla core

Other browsers like Opera exist more or less on the sidelines. They have all lost significant market share to the troika of Mozilla-based offerings, especially Firefox, Mozilla’s current darling.

Fire It Up

These days, Firefox is probably the most popular replacement for IE. For the most part, it does everything IE can do in terms of Web technologies (supporting XML, CSS, advanced HTML and so on). It also features tabbed browsing, a fairly secure plug-in model and JavaScript support. It obviously lacks IE’s support for ActiveX, but many would regard that as an improvement, not a shortcoming.

Firefox can replace IE for most—perhaps 98 percent—of the Web sites out there, although many of those Web sites won’t even realize it. In fact, many may display errors or display a downgraded version of the site because they don’t properly recognize the Firefox feature set. A Firefox add-in called Prefbar (http://prefbar.mozdev.org) helps Firefox “lie” about its identity, appearing to Web sites as a version of IE. That lets you get through to a larger number of Web sites and render their full experience.

Internal Web sites based heavily on Microsoft-specific technologies present the biggest challenge. Outlook Web


Access (OWA) 2003 is a notable exception to Firefox’s ability to go head-to-head with IE, because OWA uses XML capabilities that are unique to IE.

For that reason alone, completely eliminating IE in favor of Firefox isn’t a practical choice for many organizations. At best, they can suggest using Firefox whenever possible and switching to IE when necessary.

Also, while it’s tighter than IE, Firefox isn’t completely free of security problems. A recent CERT advisory (which was Firefox’s first) proves that any software can have security bugs. Still, Firefox’s lack of support for IE BHOs, ActiveX and other potentially problematic technologies makes it an attractive option.

A Blast from the Past

The folks at AOL and Netscape haven’t been sitting back and lazily watching IE and Firefox duke it out. While Netscape’s previous version is a cross-platform browser and e-mail suite, the new version (Netscape 8) is a Windows-only effort with a unique twist that may offer a solution to the alternative browser problem. Built on version one of the Mozilla Firefox core, Netscape 8 offers everything Firefox does like tabbed browsing and a high degree of Web site compatibility.

If you encounter a Web site that the Firefox engine can’t handle, click a button and Netscape will initiate the MSHTML engine and reload the site automatically.

Best of all, it remembers your browser preferences, so future visits to those sites will use the preferred engine to display the site. This lets you have a single browser that uses the somewhat safer Firefox engine whenever possible, but gives you the option of using the quick “switch to IE” function for sites that need it. Netscape 8 is the best offering I’ve seen yet to resolve the alternative browser problem.

Shutting Off IE

If you decide to completely replace IE, you’ll have to come to terms with how difficult it is to actually do so. First, you have to realize that IE consists of two basic parts—an under-the-hood browser and an HTML rendering engine, often referred to as MSHTML. This is the core part of the Windows operating system, and it’s exceedingly difficult to get rid of this.

The other major part is the graphical user interface (GUI), which actually instantiates the MSHTML. You can hide that GUI to a certain extent by using Windows’ “Set Program Access Defaults” utility. That’s part of Microsoft’s agreement with the U.S. Department of Justice in its antitrust settlement. However, that won’t remove IE in its entirety.

Removing IE completely is complex and can cause problems, because many built-in Windows components (including numerous management console snap-ins) rely on it. The best you can do in most situations is to disable IE and use an alternative browser. If you don’t use IE to surf Web pages, then most of its security problems won’t come into play (for more information on securing IE, read Greg Shields’ feature on p. 57, “Get Serious About Securing IE”).

So where does that leave you? It’s practical to use a non-IE browser like Firefox for most of your Web browsing. Netscape 8 offers a great combination of Firefox and IE. It can cover any Web site using one of the two rendering engines it supports. From a security perspective, the Firefox and Netscape engines benefit from an architecture that’s less extensible. This makes them less open to attack through things like plug-ins and ActiveX controls.

However, both of these alternatives lack any kind of centralized management, which makes them more difficult for enterprises to deploy, maintain and support. With IE 7.0 on the horizon, Microsoft has the opportunity to make drastic changes in the product’s architecture and functionality, like making the current difficult-to-manage “security zones” comprehensible and manageable for mere mortals.

That is one significant area where every third-party browser falls down—manageability. Neither Mozilla nor Netscape has yet seen fit to offer their browsers in an IntelliMirror-friendly MSI file (although you could obviously use tools to repackage their EXE-based distributions into an MSI). Doing this would let you distribute the browser with Group Policy. Furthermore, there’s no third-party browser I’m aware of that stores user preferences and other settings in the all-important Policies section of the Registry, which would let you centrally configure the browser via Group Policy.

While I can almost understand this shortcoming in a cross-platform browser like Firefox (as other platforms don’t have a Registry), it makes no sense in a Windows-specific browser like Netscape 8. To date, the alternative browser developers seem to be focused on individual users more than companies and organizations—a crying shame.

It’s unlikely that IE 7 will include any major changes that lead to compatibility issues. That means we may still be working with a highly extensible—and therefore exploitable—architecture. Were the major browser alternatives like Firefox and Netscape to incorporate some centralized management capabilities, they’d be much better alternatives for the enterprise. But despite that, they are still strong alternatives, especially in environments that don’t require continued IE support for certain Web sites.

Read more about IE and its alternatives at Redmondmag.com. FindIT code: TestDrive

Don Jones, contributing editor to Redmond magazine, is the founder of ScriptingAnswers.com. His latest book is Windows Administrator’s Automation Toolkit (Microsoft Press). You can contact him at [email protected].


Get Serious About Securing IE

Internet Explorer is one of the most used products in nearly every environment, but most administrators know little about how to tune it for best performance and safety.

BY GREG SHIELDS

ILLUSTRATIONS BY DAVE WHAMOND

If you’re a Windows shop, you’re more than likely an Internet Explorer shop, too. Love it or hate it, you’re responsible for keeping IE running. That’s not an easy job, because IE doesn’t play fair—full of holes and easy to hack, IE can be your network’s biggest vector for infection. Add in a pinch of spyware sending off your personal information to who knows where, a dash of adware popping up ads every third mouse click, and it’s understandable how IE got such a bad reputation.

Despite its from-the-other-side-of-the-tracks standing, it still has to be controlled. And because it flies so low under the radar, it’s easy to forget how vital a part of your network infrastructure IE is. It’s a major management challenge, but most admins pay it only lip service in their day-to-day work. That’s a mistake, and failing to correct it could lead to disaster. Take control. Now.

Marching in Step

Your first line of defense against IE’s issues, holes and vulnerabilities is central control. IE has one major advantage over many of the freeware browsers—it’s easy to centrally control using Active Directory. With AD locking down IE’s configuration, you’ll limit your users from damaging themselves and your network.

In order to do this, you’ll need to create a Group Policy. Here you have a choice for your IE Lockdown Group Policy


Object (GPO). Depending on your network’s characteristics, you might link it to a user or workstation GPO.

For example, if your users don’t have dedicated computers and their user accounts are split into separate GPOs by function, you might consider configuring IE settings per user. In this situation, you could have multiple IE Lockdown GPOs, depending on the class of user. Power IE users get a lightly locked-down GPO, while problematic users get one screwed down tight.

In a typical office environment scenario where users have dedicated machines and everyone falls under a similar Internet Use policy, you’ll probably link the GPO to your Workstations OU.

Either way, IE includes settings in HKEY_LOCAL_MACHINE as well as HKEY_CURRENT_USER, so the GPO you create will involve elements from Computer Configuration as well as User Configuration. If you link your IE Lockdown GPO to a Workstations OU, make sure to enable the policy User Group Policy loopback processing mode so User Configuration policies get applied.

There are three main locations within Group Policy where IE is centrally configured.
• Computer Configuration | Administrative Templates | Windows Components | Internet Explorer
• User Configuration | Windows Settings | Internet Explorer Maintenance
• User Configuration | Administrative Templates | Windows Components | Internet Explorer

The second location is the most important for central configuration, the third for securing the browser. Make sure whenever adjusting these settings to test them in a separate OU prior to rolling them out; it’s possible to inadvertently lock down IE such that Web sites don’t function at all.

Lance the PUS from IE

So, you’ve centrally configured IE on your network. You’ve done your best to secure it against external attack. But the baddies still make their way in, clogging processor cycles and transmitting personal information to the world’s product marketers or worse.

Let’s shift gears for a moment and talk about adware, spyware and malware, a class of software Microsoft calls Potentially Unwanted Software, and we’ll shorten to the wonderfully appropriate acronym PUS. Numerous automatic tools like LavaSoft’s AdAware, Safer Networking’s SpyBot Search & Destroy, and Microsoft’s AntiSpyware Beta exist to assist you with removing the PUS from your system, but at present none do the job without help. PUS removal often requires multiple removal tools to completely eliminate it from your system.

This is due primarily to two problems. First, the behavior of PUS is different than viruses. It isn’t necessarily destructive, and sometimes isn’t even illegal; this makes it difficult for the PUS hunters to identify a scannable behavior. Second, partly because of its not-quite-illegal nature, PUS writers in the wild are writing spyware code faster than anti-spyware vendors can keep up.

Until the scanners get better, good systems experience and knowledge of the processes that should and should not be on a system can supplant those developing tools. With a little skill and some knowledge of how the Windows OS works, you can become your own PUS scanner.

Can you tell the corrupted system from the uncorrupted system in Figure 1? In this example, it’s relatively easy to tell that the Task Manager on the right shows quite a few additional processes that don’t belong on this system.

Figure 1. The system on the right has many more processes running than the one above—a strong indication that it’s infected by spyware and/or adware.

You should have some basic understanding of the applications on your workstations and the processes that make up those applications. You should also have a baseline for the apps on your network—any applications not on your baseline shouldn’t be on your network.

The Nuclear Option

Performing a search-and-destroy mission for unsightly PUS is easier with the right weapons. Add these free tools to your arsenal and make it much easier to identify and eliminate rogue processes and inappropriate auto-start apps on a system. (These types of tools aren’t offered natively by Microsoft. Also note that they’re manual, but currently they’re the best way to clean up the mess).


The first of these is the Task Manager on steroids: the Windows Process Explorer by SysInternals. The Windows Process Explorer, shown in Figure 2, lets you not only see the processes currently running on your system, but the Registry keys and files currently touched by those processes. Right-clicking a process in the Windows Process Explorer shows the properties of that process, including its path and command line. You can quickly kill the process from the properties window or even link to Google for more info.

Figure 2. Sysinternals’ Windows Process Explorer provides rich information on each running process, its associated files and Registry handles.

But killing the process only stops the PUS for a little while. You also need to determine from where it’s being launched. Our second SysInternals tool, called Autoruns, assists with this process.

Autoruns identifies each of the locations where a process is set to automatically run, either at login or startup. For each process you can view properties of the process and delete its Registry reference right within the tool. For each process, the code signature can also be verified. Because most PUS doesn’t include signed code, it’s relatively easy to run the tool and search for any lines with a blank or “Not Verified” entry in the Publisher column.

Note that Autoruns doesn’t delete the process executable, so you’ll likely want to delete the offending program after removing its Registry reference to eliminate it completely.

The third terrific tool for manual PUS elimination is directed specifically at users of IE. Developed by Merijn Bellekom, who calls himself “a student in the Netherlands that codes in his free time,” his tool “HijackThis” has a growing following. The freeware tool, downloadable at www.merijn.org, detects differences between the characteristics of your current IE installation and that of a default IE installation. By showing what changed between the default installation and your installation, you can determine what should and shouldn’t be there.

In a Redmond interview with Bellekom, he said “There are only so many places a parasite can hide on your system, and HijackThis just lists those places. This means it’s fairly easy to maintain since there’s no database of known baddies to keep up-to-date. It only needs an update when the hijacker programmers come up with a new trick to install, hide and start their stuff.”

Running HijackThis against an infected machine shows a number of differences, as you can see in Figure 3, opposite page. Some of these instances, like the changed home page, are legitimate; some are not. For each change, the item can be fixed.

Be careful when choosing to fix anything noted in HijackThis. As any legitimate changes are identified along with the ones made by PUS, you can fix something that didn’t need fixing.

Figure 3. HijackThis shows you what’s changed between a current version of IE and a default version.

How To Bury IE

If your network environment is highly sensitive to Web-based intrusions, or if you want to eliminate IE altogether, you can prevent it from even running. Do this with a Software Restriction Policy:
>> Create a new GPO and link it to your desired OU
>> Right-click Computer Configuration | Windows Settings | Security Settings | Software Restriction and choose New Software Restriction Policies
>> Under Additional Rules, select “New Hash Rule …”
>> Navigate to IEXPLORE.EXE and hash the file. Set the Security Level to “Disallowed”
Before taking this Draconian measure, consider the following:
>> Some applications require IE, so you should test this change thoroughly prior to implementing it.
>> When Microsoft releases cumulative update patches for IE, be aware that the patch might change the file hash. You may need to re-hash the file after patching to maintain the software restriction.
>> Microsoft best practices suggest keeping all Software Restrictions in a separate GPO. This allows the policy to be separately disabled from all other policies in case of emergency.
>> Be careful if you set the Default Security Level to Disallowed. This automatically disables all software except where specifically allowed.
—G.S.

Pull out the Hooks

So far we’ve focused strictly on processes and how to eliminate them, but there’s more to the problem of PUS. Many of IE’s insecurities stem from the browser’s design that allows other apps to “hook” into it. This application hooking is handled by Browser Helper Objects, or BHOs.

Originally designed as a mechanism to extend IE’s capabilities, these BHOs are how spyware apps like Claria/Gator and CoolWebSearch operate with System-level permissions. Depending on how they’re coded, when IE launches or attempts to pull down a Web page, a BHO can be activated. It’s this BHO code that causes pop-ups, slowdowns and personal information disclosure.

Knowing a little about BHOs will help you understand how to eliminate them. In the HKEY_CLASSES_ROOT key of your system’s Registry are the class IDs (CLSIDs) that uniquely identify software components of your system. Like other system components, a BHO has to register itself with your system; it can therefore be identified by its CLSID.

Kill Bit, Vol. 1

Microsoft Knowledge Base article 240797 discusses CLSIDs and something called the “kill bit.” This bit is an associated Registry entry for each CLSID that tells the system to never run the code associated with that CLSID. This effectively prevents the BHO from ever starting. To set the “kill bit,” create or configure the Registry key Compatibility Flags with the REG_DWORD value 0x00000400 at this location (see Figure 4):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID of the bad BHO

Figure 4. Browser Helper Objects and class IDs can be set to never run with a simple Registry hack.

“Great,” you say. “Now I know how to kill the PUS, but there are hundreds of CLSIDs on my system. How do I know which are PUS and which will stop key system services from running?”

Therein lies the crux! Finding them is difficult. However, another tool exists that removes the guesswork.

Navigate to www.spywareguide.com. This site keeps an up-to-date list of known PUS CLSID identifiers—a total of 717 at the time of this writing. It also maintains a downloadable .REG file that allows you to apply the “kill bit” to all 717 at once. By downloading and installing the .REG file, you can prevent known PUS from even installing on your system.

Double-clicking the .REG file automatically sets the “kill bit” by presetting the Compatibility Flags key to 0x00000400 for each known bad CLSID. Kill bit set equals “goodbye BHO.” There is an accompanying uninstall .REG file to double-click if you need to back out.

Note that the .REG file creates the registry keys and “kill bits” for each known BHO—even the ones not previously present—which will prevent any previously unseen PUS from starting when encountered in the wild. With a little scripting, you could turn this into a Group Policy to push to all your machines.

It’s a Wild World

We’ll probably never get rid of IE, but we can secure it the best we can and learn the tricks to clean it when we must. Oh, and if it helps, feel free to swat the next user that clicks “Yes” after re-enabling pop-ups on their XP SP2 machine. It’ll make you feel better.

Go to Redmondmag.com for more information on a free best practices guide to securing IE. FindIT code: SeriousIE

Greg Shields, MCSE: Security, CCEA, is a senior systems engineer for Raytheon Company in Aurora, Colo. An avid mountain biker, climber and snowboarder when outside the office, Greg provides engineering support and technical consulting in Microsoft and Citrix technologies. Reach him at [email protected].
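The two manual checks from "The Nuclear Option" (a blank or "Not Verified" Publisher, and anything missing from your baseline) can be run over a saved auto-start listing. This is an added example, not code from the article or from Sysinternals; the CSV column names, sample rows and baseline paths are constructed assumptions, so map them to whatever your own export contains.

```python
"""Triage an auto-start listing the way the article does by eye (added example)."""
import csv
import io
import ntpath

# Constructed sample rows; the column names are assumptions, not a documented format.
SAMPLE_EXPORT = r"""Entry Location,Entry,Publisher,Image Path
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,CorpAV,(Verified) Example AV Corp,C:\Program Files\CorpAV\avtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,WebHelper,,C:\WINDOWS\system32\webhlpr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,DealBar,(Not verified) DealBar Inc,C:\Program Files\DealBar\dbar.exe
Startup folder,InHouseTool,,C:\Tools\inventory.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,Updater,(Verified) Example Soft,C:\Program Files\Updater\upd.exe
"""

# Constructed baseline of approved auto-start images (note the mixed case).
SAMPLE_BASELINE = [
    r"C:\Program Files\CorpAV\avtray.exe",
    r"c:\tools\INVENTORY.EXE",
]


def _norm(path):
    """Normalize a Windows path so comparisons ignore case, quotes and slash style."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def is_unsigned(publisher):
    """True for the two Publisher states the article says to hunt for."""
    text = (publisher or "").strip().lower()
    return text == "" or "not verified" in text


def triage(export_text, baseline_paths):
    """Return findings sorted so entries failing both checks come first."""
    baseline = {_norm(p) for p in baseline_paths}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        if is_unsigned(row.get("Publisher")):
            reasons.append("unsigned")
        if _norm(row.get("Image Path") or "") not in baseline:
            reasons.append("not-in-baseline")
        if reasons:
            findings.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    # Two failed checks outrank one; ties are ordered by entry name.
    findings.sort(key=lambda f: (-len(f["reasons"]), f["entry"].lower()))
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_EXPORT, SAMPLE_BASELINE):
        print("%-12s %-28s %s" % (item["entry"], ",".join(item["reasons"]), item["image"]))
```

An unsigned entry that is in the baseline (the in-house tool here) still shows up, but below the entries that fail both checks, which is where manual review should start.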
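For the "little scripting" mentioned under "Kill Bit, Vol. 1", the sketch below builds an install and an uninstall .REG text from a CLSID list and audits a .REG file for which CLSIDs end up with the kill bit. It is an added example, not the spywareguide.com file or code from the article; the CLSIDs are constructed placeholders, and the `existing_flags` inventory input is a hypothetical parameter used to preserve flag bits already present.

```python
"""Generate and audit IE ActiveX kill-bit .REG text (added example)."""
import re

# Registry location and flag value as given in the article.
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
KILL_BIT = 0x00000400
REG_HEADER = "Windows Registry Editor Version 5.00"

# Constructed placeholder CLSIDs; substitute the identifiers from your own list.
SAMPLE_CLSIDS = [
    "{00000000-0000-0000-0000-0000000000a1}",
    "00000000-0000-0000-0000-0000000000B2",      # braces missing
    "{00000000-0000-0000-0000-0000000000A1}",    # duplicate, different case
]

_CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)


def normalize_clsid(text):
    """Return '{UPPERCASE-GUID}' or raise ValueError for anything else."""
    match = _CLSID_RE.match(text.strip())
    if not match:
        raise ValueError("not a CLSID: %r" % text)
    return "{" + match.group(1).upper() + "}"


def is_killed(flags):
    """True when a Compatibility Flags DWORD has the kill bit set."""
    return flags is not None and bool(flags & KILL_BIT)


def build_reg_files(clsids, existing_flags=None):
    """Return (install_text, uninstall_text) for the given CLSIDs.

    existing_flags maps CLSID -> current Compatibility Flags DWORD. The kill
    bit is OR-ed into that value so other flag bits survive, and the uninstall
    text restores the old value or deletes the value that install created.
    """
    existing = {normalize_clsid(k): v for k, v in (existing_flags or {}).items()}
    install, uninstall = [REG_HEADER, ""], [REG_HEADER, ""]
    seen = set()
    for raw in clsids:
        clsid = normalize_clsid(raw)
        if clsid in seen:                 # skip duplicates in the input list
            continue
        seen.add(clsid)
        key = "[%s\\%s]" % (COMPAT_KEY, clsid)
        old = existing.get(clsid)
        install += [key, '"Compatibility Flags"=dword:%08x' % ((old or 0) | KILL_BIT), ""]
        if old is None:
            uninstall += [key, '"Compatibility Flags"=-', ""]   # delete the value
        else:
            uninstall += [key, '"Compatibility Flags"=dword:%08x' % old, ""]
    return "\r\n".join(install), "\r\n".join(uninstall)


def parse_killbits(reg_text):
    """Map CLSID -> Compatibility Flags DWORD for entries under COMPAT_KEY."""
    flags, current = {}, None
    prefix = "[" + COMPAT_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = None
            if line.lower().startswith(prefix) and line.endswith("]"):
                try:
                    current = normalize_clsid(line[len(prefix):-1])
                except ValueError:
                    current = None        # a subkey that is not a CLSID
        elif current:
            match = _FLAGS_RE.match(line)
            if match:
                flags[current] = int(match.group(1), 16)
    return flags


if __name__ == "__main__":
    install_text, uninstall_text = build_reg_files(SAMPLE_CLSIDS)
    print(install_text)
```

Review the generated text before importing it, and keep the uninstall text with it so the change can be backed out the way the article describes.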


SecurityAdvisor Roberta Bragg
Joern Wettern

Will R2 Make You More Secure?

Microsoft will soon release the next iteration of Windows Server 2003, dubbed R2. The R2 release has several new components that add some new functions to your Windows network.

In outlining its roadmap for Windows Server, Microsoft committed to releasing a feature update to the 2003 version approximately two years after it first appeared. As such, this release seems to be targeted mainly at customers in Software Assurance or another of Microsoft’s subscription programs. After all, why pay yearly fees if the software only gets updated every four years?

Bill Boswell gave an overview of R2’s new features in his July Windows Insider column (“What’s New in R2”). Most of the improvements aren’t directly security-related. Microsoft spent more time on other areas after concentrating so much on security in Service Pack 1, which was released last March. The focus in R2 is on adding new functionality, like making connections to branch offices easier and more efficient.

Security wasn’t completely ignored, however. Two of the new components are directly targeted at security pros:
• Active Directory Federation Services (ADFS) promises to allow for authentication across AD forests.
• New services for Unix will better integrate Unix and Windows environments.

Let’s take a look at R2’s security features and see if it’s something you need on your network.

Extend Authentication with ADFS

Five years ago when AD was officially born, Microsoft said it would make it much easier for companies to work together and establish trusts between internal and external domains. Users from one company could use their regular credentials to log on to a partner’s network. For example, an HP hardware engineer on assignment at Microsoft would use his corporate credentials to log on to Microsoft’s corporate network and access Microsoft’s resources.

This sounds like a great idea. In the real world, however, few companies are willing to establish domain trusts with other companies (even Microsoft doesn’t do this). Setting up a full-fledged domain or forest trust between companies simply allows too much network access.

At the same time, though, many organizations are adopting information-sharing models designed to let employees and partners collaborate. For example, there’s a huge growth in SharePoint sites being extended to allow partner access from the Internet. Setting up authentication for such projects can be time-consuming and frustrating, since you need to establish and maintain a user account database for external users. Most often this means configuring and maintaining a new domain or AD forest for all external users. Not only is this a lot of extra work, but you also have to rely on the partner companies to notify you about user changes, such as when someone has left or changed jobs within the company.

That’s where ADFS comes in. It’s designed to simplify collaboration between business partners without requiring users to remember different user names and passwords for access to each company’s resources. It does this by allowing Web applications to trust credentials from other forests without requiring full-fledged trust relationships. Such a limited trust can help in a number of scenarios, but the most common ones are business-to-business communications, customer access to relevant data and DMZ authentication.

Figure 1. Active Directory Federation Services makes it easy for users from these two business-to-business companies to access information in the other domain. [Diagram labels: Allied Wingdings, General Widgets, Active Directory, User, Internet, Trust, Federation Server, Web Server, Web Application Access]

Business-to-Business Authentication

Let’s start with B-to-B. Consider the network configuration in Figure 1, p. 63. General Widgets maintains an ordering and inventory Web site for both their own employees and employees of Allied Wingdings. Access to the site needs to be controlled based on user accounts.

This is easy to configure for users in the General Widgets forest because the Web server is in the same AD forest as the user accounts. Both companies have to add ADFS to a server running Windows 2003 to also allow Allied Wingdings users to authenticate with their regular logon credentials. Once they do this, the ADFS server on the resource site (General Widgets) recognizes credentials from the account side (Allied Wingdings) and creates the access tokens required by the Web application.

Even better, if General Widgets has multiple Web apps running on different servers, ADFS creates access tokens for all of them. Users are only asked for their credentials once, creating a single sign-on (SSO) experience. Once everything is set up, a purchase manager at Allied Wingdings logs on to his computer with his Allied Wingdings account and password. When he then connects to the General Widgets Web site to place an order for 100 Widgets, no separate authentication is required and no dialog box asks for a user name and password. Authentication will be as automatic and effortless as if he was using an internal Web application.

It sounds easy enough, but there’s a catch. If your Web application isn’t ADFS-aware, you have to create a “shadow account” in the resource domain for each user in the accounts domain. These shadow accounts do not require configuration, but setting them up can still be a lot of work. Things get easier if your Web application is ADFS-aware, but there are only a few of those today. R2 includes a new version of SharePoint Services that will work with ADFS, and Microsoft has promised more. Also, because ADFS is standards-based, there will be more interoperability with third-party applications. As of today, though, you’ll probably have a lot of configuration to do once ADFS is installed.

Figure 2. Since authentication happens in the DMZ, rather than internal domain controllers, Active Directory Federation Services can make your DMZ more effective, and your network more secure. [Diagram labels: Internal Network, DMZ, Internet, Active Directory, Federation Server, Federation Server Proxy, Authentication, Web Server, ISA Server, Firewall, User, Web Application Access]


Authenticating Customers

ADFS can also be a huge help if you have customers that access your Web applications. Today you often have to create a separate AD forest to maintain accounts for these customers. R2 includes a new version of ADAM (Active Directory Application Mode) that lets you store these user accounts with much less infrastructure overhead than maintaining a whole AD forest. Because ADFS can create access tokens for user accounts that are defined in ADAM, you can create an SSO experience for your customers and control access to applications both for your organization’s employees and your customers.

ADFS can use accounts from multiple sources and create access tokens for them and present these access tokens to one or more Web servers. Of course, configuring such an infrastructure works best if the Web applications are ADFS-aware. ADFS also requires customer accounts to be stored in AD or ADAM. If you’re currently using AD to store user accounts for Web access, you should definitely look at how ADFS can simplify your life and create an SSO experience for your customers.

Active Directory and the DMZ

Many companies set up a DMZ for servers that need to be accessible from the Internet. As long as all user accounts for authenticated access are stored on domain controllers in the DMZ, and all domain controllers for this forest are in your DMZ, configuring authentication is easy.

But if you also want to use accounts in your internal forest to access DMZ resources, you have to choose between two methods, both of which erode the protection the DMZ is designed to provide. Regardless of whether you make DMZ servers members of an internal domain or create a trust relationship between internal and DMZ domains, you have to allow AD traffic across your firewall. This isn’t a good solution—enabling AD communications across a firewall creates enough holes in the firewall to make it look like Swiss cheese.

ADFS can help in this scenario, too (see Figure 2, opposite page). Instead of creating a trust relationship between a forest in the DMZ and an internal forest, use ADFS to handle the authentication. Doing this means that you have to open fewer ports in your firewall, and no user account information from your internal domain needs to be stored on servers in the DMZ; but employees with internal user accounts can still use DMZ-based Web applications and be seamlessly authenticated.

Unix Integration

Many companies have a mixed Windows-Unix environment, and R2 promises to help integrate these two systems better by synchronizing user accounts and passwords.

Unix servers most often use NIS for centralized authentication; R2 maintains the NIS master database on a Windows domain controller, allowing you to use the same username and password to access all Windows and Unix servers. Password changes will be automatically synchronized between AD and NIS. This can be a great solution in an organization that primarily uses Windows but also has a number of Unix-based systems.

What You Can Do Now

If you think that ADFS or better Unix integration can help you solve current authentication challenges, you should take a look at Microsoft’s R2 Web site, www.microsoft.com/windowsserver2003/r2/default.mspx, as soon as possible to download the public release that allows you to test the new features yourself. The site also has several whitepapers on ADFS, including a walkthrough document that lists the steps needed to set up ADFS in a test environment. Even if you don’t see an immediate need for ADFS, you should take a look. I expect Windows-based Web applications to be increasingly ADFS-aware, turning this technology into a standard tool for configuring Web applications, including SharePoint. Exploring this technology now will make it easy to take advantage of what ADFS has to offer once there is broader application support.

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. Reach him at [email protected].


Mr.Script
Chris Brooke

Setting the Timer

Last month we created a basic VBA application form in Excel that we’ll use as a front-end to our “integration application.” Before we jump into performing the different tasks we need for the integration, let’s step back and look at the big picture of what we’re trying to automate.

Remember that we’re attempting to integrate a Web-based order system with electronic software delivery and CD burning/shipping (when required). While we could simply put buttons on our Excel form to manually initiate each task, this is a bit too low-tech for me. I would much rather create an event-based system where each order automatically triggers an “action list,” which is placed into a queue. Then we can have our main application simply sit back and watch the queue. In addition to reducing the amount of manual intervention required, this also has the advantage of allowing multiple requests to simply “stack up” while the system is processing other orders. Imagine the frustration if you had to wait until previous orders were completed before entering new ones!

Log on to Redmondmag.com to read Part I of Mr. Script, which appeared exclusively online last month. FindIT code: Theory1

Get in Line

The queue in this case is simply a folder on a network share that’s accessible to all users of the order system. Each time an order is placed, a file is written to this folder. Our application retrieves the order detail file, processes it, and deletes it from the queue. Lather, rinse, repeat, until there are no items left to process.

By taking this approach, we can separate the tasks logically. The automation server application (our main Excel VBA app) runs on a specific computer—namely, the computer that has the CD burner attached. Our customer service representatives run a separate application that allows them to add jobs to the queue (at least until we get this thing completely integrated into our existing applications so that it all happens automatically). This will also allow users to independently schedule tasks that aren’t triggered by the order system. For example, part of this process involves logging on to the shipping provider’s Web site and printing a shipping label. By isolating this function, we can provide users with a quick and automated way of shipping something (or anything) besides a customer order.

A Tweak Here and There

Let’s prepare our automation server application by making a few changes to the form we designed last month. Open the Excel spreadsheet you created last month. Click on Tools | Macro | Visual Basic Editor and double-click frmMain to open the design view of your form. Now add text fields, for Order ID, e-mail and so on, as well as a label field and checkbox.

When it comes to the actual code, where we put the different functions depends on what they’ll do. The more immediate code will go in the code section of the form’s event. Code that we’re likely to reuse will go in the module. For example, clicking the “Create a CD for this order …” button will cause code to run that will likely call subroutines from our module1. You separate functionality in this manner to allow for the addition of more forms later. By putting oft-used code in the module, you can make it available application-wide, rather than just form-wide.

Hurry Up and Wait

The first thing you need to do is set up the automation server application to wait for something to do. Since you’re using VBA in Excel, you have access to Windows libraries you can’t access through VBScript. One such library is User32 (User32.dll), which contains a timer function you’ll use to ensure that each queued job completes (one way or another) before the next job is started. This is referred to as a semaphore. You’ll set a timer to fire off every 10 seconds. The first thing it does is check to see if a job is running. If so, it resets itself and goes back to sleep. If not, it executes the next task in the queue. In order to use the timer functions of User32, you must first declare it in your module.

    'On 64-bit Office (VBA7) these declarations also need the PtrSafe keyword,
    'with LongPtr for the handle and pointer arguments.
    Private Declare Function SetTimer Lib "user32" _
        (ByVal HWnd As Long, ByVal nIDEvent As Long, _
        ByVal uElapse As Long, ByVal lpTimerFunc As Long) _
        As Long
    Private Declare Function KillTimer Lib "user32" _
        (ByVal HWnd As Long, ByVal nIDEvent As Long) _
        As Long

For most of you, this is a completely new concept, since you can’t point to external functions in VBScript. However, if you think way back to my series on Windows Script Components, this will indeed look familiar (from declaring properties of WSCs). For now, though, just think of it similarly to a CreateObject statement. You’re simply declaring your intention to use this object and setting aside the resources (more or less).

You also need to create three global variables you’ll use with the timer:

    Public bProcessing As Long     'Processing? True/False
    Public TimerID As Long         'Used to invoke SetTimer
    Public TimerSeconds As Single  'Time remaining

Now all you need to do is start the timer. To ensure that the timer is always running, start the timer when the form is loaded. Add this to the form’s code:

    Private Sub UserForm_Initialize()
        Call StartTimer
    End Sub

And add this to the module code:

    Sub StartTimer()
        'If there isn't a timer set, set it
        If TimerID = 0 Then
            TimerSeconds = 10 'how often to "pop" the timer.
            TimerID = SetTimer _
                (0&, 0&, TimerSeconds * 1000&, _
                AddressOf TimerProc)
        End If
    End Sub

    Public Sub TimerProc _
        (ByVal HWnd As Long, ByVal uMsg As Long, _
        ByVal nIDEvent As Long, ByVal dwTimer As Long)
        'The procedure is called by Windows.
        'Put your timer-related code here.
        If bProcessing = 0 Then Call CheckQueue
    End Sub

Stay With Me …

The UserForm_Initialize sub is called as soon as the form is loaded (and you already added the Auto_Open sub to load the form when the spreadsheet is opened). This in turn calls the StartTimer sub. StartTimer then calls into the User32 library and executes the SetTimer function with a string of arguments. We’ll discuss HWnd handles and ID Events later. For now, the arguments to take note of are the time (in milliseconds, which is why we multiply 10 by 1,000) and the AddressOf TimerProc. This is the important one, as you’re passing the address of the TimerProc sub.

So now, after the timer counts down 10 seconds, it fires the timer event and calls the TimerProc sub. Put the code you want to execute each timer cycle in this sub; this is where the check is made to see if the app is busy. If bProcessing is set to ‘True’, simply exit and check again at the next timer cycle. If bProcessing is false, then it’s safe to execute some code, which in this case involves checking the queue for any pending jobs.

We’ll explore that next month. For now, though, you can take the concept of the semaphore into other tasks—any task, really, that may require this kind of exclusive, or modal, behavior.

Chris Brooke, MCSE, is a contributing editor for Redmond magazine and director of enterprise technology for ComponentSource. He specializes in development, integration services and network/Internet administration. E-mail Chris at [email protected].


Corporate Headquarters: 9121 Oakdale Ave., Ste. 101, Chatsworth, CA 91311, www.101com.com

Media Kits: Direct your Media Kit requests to Matt Morollo, Associate Publisher, 508-532-1418 (phone), 508-875-6622 (fax), [email protected].

Reprints: For all editorial and advertising reprints, contact PARS International at (phone) 212-221-9595/(fax) 212-221-9195; e-mail: [email protected]; Web: www.magreprints.com/QuickQuote.asp

List Rentals: To rent REDMOND’s or other 101communications’ publications postal, telemarketing or e-mail lists, please contact our list manager: Worldata, 3000 N. Military Trail, Boca Raton, FL 33431-6375, 800-331-8102, www.worldata.com

CONFERENCES

TechMentor Conferences: contact Al Tiano, Sales Manager, 818-734-1520 ext. 190, [email protected]. The Data Warehousing Institute: contact Diane Smith, Exhibit Sales, 206-246-5059 ext.108, Denelle Hanlon, Publication and Sponsorship Sales, 206-246-5059 ext.102, [email protected]. FCW Events and Conferences: contact Lucy Cooley, Events Director, 703-876-5081, lcooley@101com.com. Syllabus Conference and Exhibition: contact Anne Morris, Exhibit Space or Sponsorship, 818-734-1520 ext.219, [email protected].

© 2005 by 101communications. All rights reserved. Reproductions in whole or part prohibited except by written permission. Mail requests to “Permissions Editor,” c/o REDMOND magazine, 16261 Laguna Canyon Road, Ste. 130, Irvine, CA 92618. The information in this magazine has not undergone any formal testing by 101communications and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors, new developments in the industry and/or changes or enhancements to either hardware or software components.

REDMOND magazine (ISSN: 1081-3497, USPS: 0015-657) is published monthly by 101communications LLC, 9121 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. Periodicals postage paid at Chatsworth, CA 91311-9998, and at additional mailing offices. Annual subscription rates for U.S. $39.95 (U.S. funds). Postage for Canada/Mexico $15 (U.S. funds); and International $25 (U.S. funds). Subscription inquiries, back issue requests, and address changes: Mail to: REDMOND, P.O. Box 2063, Skokie, IL 60076-9699, e-mail [email protected] or call (866) 293-3194 for U.S. & Canada; (847) 763-9560 for International, fax (847) 763-9564. POSTMASTER: Send address changes to REDMOND, P.O. Box 2063, Skokie, IL 60076-9699. Canada Publications Mail Agreement No: 40039410. Return Undeliverable Canadian Addresses to Circulation Dept. or DHL Smart & Global Mail, 2-7496 Bath Rd., Mississauga, ON, L4T 1L2, Canada. Copyright 2005 by 101communications LLC. All rights reserved. Printed in U.S.A.

EDITORIAL INDEX

Company, Page, URL
Apple Computer Inc. 12, 38 www.apple.com
Citrix Systems Inc. 21 www.citrix.com
Dell Inc. 22 www.dell.com
dtSearch Corp. 24 www.dtsearch.com
Google 38 www.google.com
Hewlett-Packard Co. 32 www.hp.com
IBM Corp. 48 www.ibm.com
Microsoft Corp. 9, 10, 12, 17, 18, 21, 22, 30, 32 www.microsoft.com
Mozilla Organization, The 54, 56 www.mozilla.org
Netscape 54, 56 www.netscape.com
Novell Inc. 51 www.novell.com
Opera Software 54 www.opera.com
Quest Software Inc. 27, 28, 30 www.quest.com
SanDisk Corp. 34 www.sandisk.com
Softricity Inc. 21, 22 www.softricity.com
Strix Systems Inc. 19, 20 www.strixsystems.com
Winternals Software LP 17, 18 www.winternals.com
Yahoo! Inc. 34 www.yahoo.com

This index is provided as a service. The publisher assumes no liability for errors or omissions.


TEN: Creative Server-Naming Conventions

By Paul Desmond, Editor ([email protected])

When we asked Redmond readers to report their most creative server naming conventions, many gave us names from jobs long past. Because IT has a higher profile these days, most companies have server naming conventions that make some sort of sense—in other words, they’re no fun at all. Several respondents also pointed out that publicizing your server naming conventions could lead to security vulnerabilities. “Shame on you for asking! Now be gone while I get back to petting my firewall.”

OK, we get the picture. So we’re withholding crucial identifying information (gee, that was easy) from these gems submitted by kind souls who share our love of total nonsense, while hoping the day will come when we can collectively lighten up.

Holy Crappie

Over the years, one Kansas City-based reader has seen naming conventions based on actors, monsters and eventually, fish. “Bass, Grouper (Lotus Notes, of course), Pike and so on. We were a Dell shop, so when we were forced to install a Compaq server for Citrix access from other sites, that server was dubbed ‘Crappie!’”

Hello, Newman

In addition to dead presidents, Matthew Woods, a network admin in Chicago, says his company’s servers are named after Seinfeld characters: “Jerry, Elaine, Kramer, Costanza and Newman—the mail server, of course!”

Imagine the Possibilities

Douglas Peters, senior network technician with Examination Management Services Inc., in Waco, Texas, gets my vote for most creative name—even if he’s never used it. “I’ve always wanted to name a server ‘MyPants,’ just to hear the users shout ‘MyPants is down!’”

Lunchtime Musings

A network engineer whose identity I have chosen to protect for his own good says, “We have named servers based on how we feel after eating in the company cafeteria: Queasy, Smelly, Squishy, Rotten and Whatisit. Of these, Queasy is still in production after four years. The rest have been thrown out with the other leftovers.”

Inmates Running the Asylum

“Before we were taken over by a company with absolutely no imagination, all of our servers and printers were given names related to Monty Python’s Flying Circus,” says one contributor who preferred to remain anonymous. “Our newest printer was named Asylum, referring to the work conditions prevalent at the time.”

Lasting Impressions

“I started naming my office network based on my impressions of Microsoft at that time (and maybe still),” says Kerry Erb, who runs his own computer service business. Choice examples include:
• Domain controllers: Pompous and Audacious
• Servers: Grandiose, Braggard, Blowhard and Goliath
• Workstations: Pretentious, Gargantuan, Bloated and Ostentatious.

Chardonnay with that Gruyere?

Mike Piontkowski of Irvine, Calif., had a client that named all of its infrastructure servers after cheeses. “Not only was it tough to remember the function of each because the name had no correlation, but it was difficult to spell and say some of them, like Camembert, Gouda and Gruyere,” he says. “It would have been nice if they named their printers after wines.”

Elvis Lives

One anonymous contributor worked for a client that had a server named Elvis. “Whenever the server was pinged, it responded with ‘Elvis is alive.’”

Admins Behaving Badly

Tim Hoekstra used to work in “a pretty loose shop,” that had wide discretion in terms of server names. They abused it admirably, naming servers after beers, including Becks and Tecate. “But my favorite two servers were our WINS servers: Crash and Burn.”

“You Cannot Be Serious!”

Stephen Platt started naming servers for great tennis players, such as Williams, Agassi, Conners and Graff. “After all, they’re ‘servers,’” he says. “We were going to use McEnroe, but we didn’t want a server that blew up all the time.”
