
Bag Big Bucks for Your Next Project, Page 43

JULY 2005 WWW.REDMONDMAG.COM

IT'S GROOVE BABY! Redmond Interviews Ray Ozzie, Page 34
Gimme Some Skin: Comparing 3 Biometric Devices, Page 28
Dump Your DMZ! Why You're Not as Safe as You Think, Page 65
WSUS: Better Name, Better Product, Page 23

$5.95

Do you know who's inside your network?

Beyond Scan and Remove - Think Spyware Prevention

Are Spyware and other Internet threats clowning around on your network? SurfControl Enterprise Threat Shield™ gives you the last laugh. If the threat is already on a user's machine, SurfControl Enterprise Threat Shield stops it from running and removes it. What is more, SurfControl Enterprise Threat Shield prevents reinfection, is enterprise-ready, gives you centralized management, and is user tamper-proof. Put the kibosh on spyware, key-loggers, instant messaging, P2P and games before they jeopardize security or productivity.

FREE 30-day trial www.surfcontrol.com/go/shieldtrial1 or call: 1.800.368.3366

© 2005 SurfControl plc.

Get rid of spyware across your enterprise, in minutes, without leaving your desk!

Within 15 minutes from now, you can get rid of spyware across your enterprise ... and keep spyware from returning for a full 30 days ...absolutely FREE!

It's so quick and easy to deploy. Within minutes, you can have SurfControl Enterprise Threat Shield up and running on your network ... wiping your PCs free of spyware ... and keeping them spyware-free for as long as you keep Threat Shield running. All without leaving your desk.

Enterprise Threat Shield not only finds spyware that is already lurking on an existing PC or server ... it stops, and removes spyware coming in from e-mail, downloads, Web sites, IM, P2P, USB drives, mobile workers' laptops, or PDAs connecting back to the network.

Download your FREE copy of SurfControl Enterprise Threat Shield, go to: www.surfcontrol.com/go/shieldtrial1


Winner for Best Computer/Software Magazine 2005. Redmond: The Independent Voice of the IT Community

COVER STORY
It's Groove Baby! Redmond's newest CTO hopes to make his mark on Microsoft's collaboration efforts, and perhaps much more. Page 34

REDMOND REPORT
9 News Analysis: A Question of Scale
10 Event Log: Windows Server 2003 R2, Windows XP Edition N and more.
12 Power Broker: A Script for Success
13 Mobile Feature Pack to Upgrade Security
15 Management Muscle: Device Management. AppManager gives you the tools you need to keep a firm grip on network operations.
23 Your Turn: WSUS: Better Name, Better Product. Readers report that Microsoft's Windows Server Update Services (WSUS) tool is a vast improvement over its predecessor SUS.
28 Roundup: Halt: Who Goes There? Biometric devices offer more security than standalone passwords. Here are three products that go beyond the basics for authentication and verification.
38 Get Your Groove On: Groove Virtual Office can make remote collaboration almost as good as being there.

FEATURES
43 Building a Better Business Case: Need cash for your next big project? Don't sweat it—IT managers share their time-tested tips for prying open the corporate wallet.
47 An Open Look at Groupware: Open source groupware is better than ever, but for those seeking to replace Exchange, some caveats apply. Jim Conley examines the state of open source groupware and why it matters in a Microsoft shop.

COLUMNS
4 Chief Concerns, Doug Barney: CIO Blind Spots
21 Beta Man, Don Jones: Virtual Server Grows Up
53 Windows Insider, Bill Boswell: What's New in R2
63 Mr. Script, Chris Brooke
65 Security Advisor, Joern Wettern: Dump Your DMZ!
72 Ten, Paul Desmond: Steps Microsoft Should Take to Improve Security

ALSO IN THIS ISSUE
2 Redmond magazine online
6 Letters to Redmond
71 Ad and Editorial Indexes

Cover photo and page 34 photo by Jason Grow.

Redmondmag.com, July 2005

REDMOND COMMUNITY

Redmond Newsletters
• Redmond Report: Our weekly e-mail newsletter featuring news analysis, context and laughs. By Redmond's Editor in Chief Doug Barney and Editor Paul Desmond. FindIT code: Newsletters
• Security Watch: Keep current on the latest Windows network security topics. This newsletter features exclusive, online columns by Contributing Editor Russ Cooper of NTBugTraq fame. FindIT code: Newsletters

Discussion and Forums
Post your thoughts and opinions under our articles, or stop by the forums for more in-depth discussions. FindIT code: Forum

Your Turn
The interactivity center of the Redmond universe, where you get to express your views. FindIT code: YourTurn

FindIT Codes
Throughout Redmond, you'll discover some stories contain FindIT codes. Key in those codes at Redmondmag.com to quickly access expanded content for the articles containing those codes. Some of the FindIT codes for this month include:
• Ozzie: Read more of what cover story interviewee Ray Ozzie (p. 36) had to say on Groove, collaboration and more.
• Halt: Get more information on authentication methods and other utilities to help secure your systems (Redmond Roundup, p. 32).
• OpenLook: Follow links to Groupware vendors and other resources featured ("An Open Look at Groupware," p. 47).
Enter the code in the box at the top-right corner of any Redmondmag.com page. (Note that all FindIT codes are one word, and are NOT case sensitive.)

REDMONDMAG.COM

Debuting This Month: Redmond Channel Partner Magazine Online!
As you may have heard, this month we're launching a new, independent magazine just for the Microsoft partner community: Redmond Channel Partner. The publication offers insight, ideas and practical advice for Microsoft partners, covering topics such as sales strategies, working with Microsoft, using ROI to win deals and much more.
In July, we're also debuting the online home of Redmond Channel Partner, RCPmag.com. At RCPmag.com, you'll find:
• The complete contents of the July issue of Redmond Channel Partner.
• Daily news for the Microsoft partner community, including coverage of Microsoft's Worldwide Partner conference.
• Forums and other areas where you can connect with fellow partners as well as the editors on the issues that matter to you most.
Be sure to stop by RCPmag.com in July to see everything the site has to offer. And if you haven't yet subscribed to Redmond Channel Partner magazine, do so today at: http://rcpmag.com/subscribe.

MCPMAG.COM
It's "SAN for the Masses" with storage guru Chris Wolf updating readers on what to look for in storage solutions. Plus, Chris tackles your networking problems in "Tech Line," a new column for MCPmag.com readers. Also in July:
• Mike Gunderloy dispels the myths behind the hype that is Office 12.
• Don Jones' "Scripting Answers" and "Windows Tip Sheet" weekly.
• Test your mettle with the return of "Pop Quiz" for the 70-290 exam.
Live Chat: Microsoft MVP Andy Goodman and SBS Live! regulars get together online on Tuesday, July 19 at 7 p.m. Eastern time.
MCP Radio: Sean Moshir and Chris Andrew from PatchLink Software discuss the complexity of integrating IT compliance capabilities into software projects. And, Microsoft reveals more details on the Microsoft Certified Architecture Program.

OTHER 101COMMUNICATIONS SITES

ENTmag.com
Special Report: "Microsoft Licensing." Scott Bekker looks at Licensing 6.0 and whether or not you need to look over your shoulder for Licensing 7.0. FindIT code: ENTLicSR

CertCities.com
Exam Review: "The New Network+." Andy Barkl reviews the latest version of CompTIA's Network+ exam. FindIT code: CCNetAB

TCPMag.com
Column: "Scott Morris Q&A." Every week quadruple CCIE Scott Morris tackles your toughest Cisco technology questions. Find IT code: TCPQ&A

2 | July 2005 | Redmond | redmondmag.com |

YOUR INFRASTRUCTURE MAY PROTECT EMPLOYEES INSIDE. What protects employees outside?

She works from home. She works from the road. And she endangers the network everywhere she goes. That’s why you need Websense software—to provide security protection at the desktop and beyond. Close the security gap. Download your free evaluation today. www.websense.com/mobile3

© 2005 Websense, Inc. All rights reserved. Websense is a registered trademark of Websense, Inc. in the and certain international markets.

Chief Concerns: Doug Barney

CIO Blind Spots

To the IT community, the CIO is the pinnacle, an all-knowing master of technology and business. I wish it were always true. But as smart as most CIOs are, political intrigue and bureaucratic inertia have some top tech execs paralyzed. They simply don't know enough about what's happening beneath them to truly make the right decisions.

To put it succinctly, CIOs have a huge blind spot. It's not totally their fault. Managers are only as good as the information and trust gained from their subordinates. And too often, staff-level IT pros have little—or no—interest in keeping their CIOs informed.

Software jockeys, hardware wonks and network geeks all have their own self-interest. They want a relatively easy life (as easy as IT can be), and they want to protect that life and control their destiny. That means keeping the CIO in the dark.

Unfortunately, many CIOs have become too removed from the action to know the difference. Part of the problem is that CIOs attempt to control a huge range of technologies, each of which is staggering in complexity and choice. The bigger issue is that CIOs are distracted by business issues, which IT staffers are only too happy to take advantage of. Many CIOs prefer the executive washroom and hobnobbing with big wigs to visiting the trenches.

The result of this sorry situation is that technical cream doesn't rise to the top. Instead, fiefdoms have emerged. Just as mainframers fought the PC hordes, telecom groups have resisted all too successfully the logic of voice over IP, and programmers have held new projects such as intranets or .NET hostage through simple inaction.

Inaction has only gotten worse during the budget crunch IT has faced in recent years. "No money" is a great excuse to do nothing.

Recognizing the problem is the first step toward a solution. CIOs must look around and peer deeply into what they don't know. And they should consider 360-degree reviews where staffers critique the CIO and hopefully offer a tip or two. Finally, CIOs shouldn't become too detached from the technology—losing your chops may mean losing the respect of your technical troops.

An Ozzie Encore

You may have noticed the sharply dressed gentleman on our cover. New Microsoft CTO Ray Ozzie may be the most technically accomplished employee in Redmond, aside from Bill himself. Ozzie worked on the very first spreadsheet, built Lotus Symphony, wrote Notes and started two successful software companies from scratch.

But there's a lot more we can learn from Ray. Check out the full interview on Redmondmag.com and Ozzie's blog—in particular his thoughts on why rich clients make sense: www.ozzie.net/blog.

As always, send your thoughts, good, bad or indifferent, to [email protected].

Redmond: The Independent Voice of the Microsoft IT Community. July 2005, Vol. 11, No. 7

Editor in Chief: Doug Barney
Editor: Paul Desmond
Executive Editor, Reviews: Lafe Low
Managing Editor: Keith Ward
News Editor: Scott Bekker
Assistant Managing Editor, Web: Wendy Gonchar
Editor, Redmondmag.com, CertCities.com: Becky Nagel
Editor, MCPmag.com: Michael Domingo
Editor, ENTmag.com: Scott Bekker
Associate Editor, Web: Dan Hong
Contributing Editors: Bill Boswell, Chris Brooke, Don Jones, Joern Wettern
Art Director: Brad Zerbel
Senior Graphic Designer: Alan Tao
Publisher: Henry Allain
Associate Publisher: Matt N. Morollo
Marketing Manager: Michele Imgrund
Audience Development Manager: Janice Martin
Senior Web Developer: Rita Zurcher
Marketing Programs Associate: Videssa Djucich
Director of Print Production: Mary Ann Paniccia
Manufacturing & Distribution Director: Carlos Gonzalez

Enabling Technology Professionals to Succeed
President & CEO: Jeffrey S. Klein
Executive VP & CFO: Stuart K. Coppens
Executive VP: Gordon Haight
Senior VP & General Counsel: Sheryl L. Katz
Senior VP, Human Resources: Michael J. Valenti

The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher. Postmaster: Send address changes to Redmond, 2104 Harvell Circle, Bellevue, NE 68005.


Letters to Redmond

The Spaghetti Incident?

What is the over-worn saying about the Chinese ideogram for "crisis" being a combination of "danger" and "opportunity"? Scott Bekker's commentary on "Why Longhorn Still Matters" [Redmond Report, April 2005] seems to focus entirely on the "opportunity" side of Microsoft's looming mega-upgrade.

I hear a lot of "ifs" to the likes of, "If no new killer 64-bit applications ... Phones suck up all those valuable new system resources." But don't forget that's after: (a) the customer has been forced to purchase the latest-and-greatest new PC hardware, (b) the system is now forced to run the resource-hogging new GUI (remember NT 4.0 moving the video into kernel mode?) and (c) the inevitable slowness added by a billion new security checks—we can't ignore that "pillar" of Longhorn. After all, it's Microsoft's "highest priority"! Sadly for most of us techies, we probably won't get a chance to see the faster hardware ever run a program that's not straining its resources, because our companies won't pay for the hardware, software and operating system upgrades until they're desperately needed anyway.

And yet the x64 rewrite of XP and Server 2003 is available today, for those who've got the hardware. Sure, it isn't a total rewrite of the OS code—but as the last Microsoft code leak proved and dozens of Microsoft blogs reaffirm daily, no code the company releases today is free of the spaghetti strings of incomprehensible bug fixes keyed out by up-all-night caffeine-fueled programmers who quit the moment their stock vested years ago. I hardly imagine that performance improvements rank highly on any Microsoftie's list—except for marketing, of course—when it's clearly at odds with the laziness and inefficiencies that ever-faster hardware and abstracted, high-level programming allow and with the resource-hogging No.1 security goal.
—Eric Wallace, Portland, Maine

NLD Advantage

"Desktop Linux: Ready for Prime Time?" [June 2005] is a good roundup of what we at work discovered too. Seems we all prefer SuSE due to its simplicity compared to the others, plus YaST, the greatest tool ever. Recently, a couple of us tried the Novell Linux Desktop (NLD) knowing full well it was SuSE underneath. I would say it is every bit as good as SuSE by itself but the NLD has a few advantages. Namely the Windows networking as it's mentioned, but also as a remote desktop client that fired right up and allowed us to manage our Windows farm and Evolution, the open source equivalent of Outlook. I configured the Exchange connector and five minutes later had full Outlook-like control. If you can tolerate the big red N, I would recommend NLD over SuSE (plus NLD includes YaST as well). My only qualm is: Why did Novell have to move around some menu items?! I hated having to find where they were moved to. Keep us updated on Linux desktops from time to time!
—Jason Stanke, Indianapolis, Ind.

In-Depth Security

Excellent "Picking the Right Firewall" article by Joern Wettern in this month's issue [May 2005]. I found his article very informative and thorough. In a time when we are constantly bombarded with security products that promise to secure our networks, it is nice knowing what's important and what to look for when it comes time to picking the right firewall. I truly look forward to more in-depth security articles from Mr. Wettern.
—Robert Alonso, Weston, Fl.

YOUR TURN
What are the toughest issues you face as an IT professional? Tell us what bugs you and keeps you up at night. We'll use your comments in a future feature article. Just send them to [email protected]. redmondmag.com


Redmond Report, July 2005

News Analysis

A Question of Scale
Benchmark published for SQL Server 2005; scalability story is mixed.

BY SCOTT BEKKER

The scalability of SQL Server 2005 is an open question. A recent Forrester Research report, fiercely contested by Microsoft, contended that beta customers were unhappy with SQL Server 2005's scalability. With the database's delivery expected in late summer, the lack of published Transaction Performance Processing Council (TPC) benchmarks, which usually start popping up a few months before release of any major database, seemed especially ominous.

Microsoft went part way toward answering those concerns at Microsoft TechEd 2005 in June. Microsoft worked with Hewlett-Packard, NEC and Intel to publish results for SQL Server 2005 on the TPC-C (OLTP) and TPC-H (decision support/business intelligence) benchmarks.

First, the numbers. Running on a 64-way HP Superdome server with Itanium 2 processors, SQL Server 2005 achieved a TPC-C result of 1,082,203 transactions per minute (tpmC) at a cost of $5.38 per tpmC. Both are respectable results and represent Microsoft's first time to pass the aesthetically satisfying threshold of 1 million transactions. Still, the result puts Microsoft fourth on the OLTP scalability list.

On the TPC-H benchmark, Microsoft graduated to a new scalability category but came in about halfway down the list of results for that grouping. TPC-H results are segmented into five categories based on the size of the workload. The categories include 100GB, 300GB, 1TB, 3TB and 10TB. SQL Server 2000 competed in the 100GB workload range, but hadn't cracked the Top 10 in even the 300GB category. With SQL Server 2005, Microsoft is ranked fifth in the 1TB grouping. SQL Server 2005 recorded 20,231 queries per hour on the TPC-H (QphH) at a cost of $77/QphH.

The results were not the kind of knock-it-out-of-the-park showings that Microsoft engineered with SQL Server 2000. When Windows 2000 launched in April 2000, Microsoft used pre-release code from SQL Server 2000 to produce a jaw-dropping first place result for TPC-C scalability. The benchmark run required a highly controversial clustered configuration that Microsoft later withdrew and resubmitted.

Then at the launch of Windows Server 2003, Microsoft, HP and Intel showcased the scalability of SQL Server 2000 on the new operating system with another first place result on the TPC-C. This time it was a more socially acceptable configuration, using a 64-processor HP Superdome similar to the current configuration.

Although this isn't a scalability home run, it puts to bed any speculation that SQL Server 2005 might not scale better than SQL Server 2000. The new system beat SQL Server 2000 on similar hardware by 38 percent. It also compares well against the Oracle 10g database from a 2003 TPC-C run on a similar HP Superdome configuration—beating Oracle's raw performance by 7 percent.

Continued on page 10

Photo caption: A massive storage array supports the SQL Server 2005 benchmark runs.

By the Numbers: Windows-Unix Knock-Down Drag-Out

In the first quarter of 2005, factory revenues from server systems running Windows equaled factory revenues from server systems running Unix for the first time, according to analysts at IDC. Out of a worldwide market worth $12.1 billion* for the quarter:
Windows: $4.2 billion (34.4%)
Unix: $4.2 billion (34.4%)
Linux: $1.2 billion (10.3%)
*Graphic doesn't include revenues for mainframes and other server platforms.


Redmond Report

Continued from page 9

On the hardware side, Microsoft's competitive decision to limit SQL Server to the Windows platform hurts the database's ability to really be tested against database peers from Oracle and IBM. SQL Server has nowhere else to go—the 64-way HP Superdome running Itanium 2 processors has the most headroom of any system available to Windows. On an IBM 64-way pSeries running IBM AIX, however, Oracle 10g scored higher on the TPC-C. Using its own IBM DB2 database on the Unix/RISC box, IBM's results are triple Microsoft's.

And when it comes to decision support, SQL Server 2005 is nowhere near the top of the scale. Microsoft's database still doesn't play in the 3TB or 10 TB classes.

Microsoft resorted to familiar, but reasonable, defenses. Paul Flessner, senior vice president for Microsoft server applications, pointed out that Microsoft's TPC-C results are several times Visa's daily traffic.

In the end, Microsoft's SQL Server 2005 benchmarks put to rest any doubts that SQL Server 2005 won't scale better than SQL Server 2000. The fact that Microsoft didn't also resort to a scalability stunt to produce a record-breaking benchmark indicates the confidence the database vendor is feeling about scalability.—

Photo caption: Microsoft got strong, but not record-setting results in benchmarking SQL Server 2005 on the HP Superdome server.

Event Log: A roundup of Windows-related happenings

Coming to a Branch Office Near You

A major focus of Windows Server 2003 "R2" is branch office server scenarios. But R2 isn't the end-all, be-all of Microsoft's branch office product strategy. Branch offices are a major area of concentration for Microsoft. "Nearly 23 percent of servers are today in branches," says Radhesh Balakrishnan, lead product manager for the Windows Server division. Says Ravi Gopal, another Windows Server spokesman, "Today you have customers with branch servers in a kitchen or a janitorial closet." You know who you are.

Help is on the way. Well before R2 ships later this year with its host of branch office features, Microsoft is releasing the Branch Office Infrastructure Solution, designed to provide detailed guidance for customers and partners setting up hub-and-spoke branch office networks to provide the lowest bandwidth requirements and least on-site maintenance. The first rev of the guidance lays out best practices for using Microsoft's currently shipping products. It will be updated for R2 and continuously thereafter. And after R2, the rest of the Windows Server System is slated for branch office-ication. "We are focusing on branch as a lens for the whole Windows Server System," Balakrishnan says.

SQL Server 2006?

For anybody who remembers that Windows Server 2003 once, briefly, carried the name Windows 2002, another question pops into mind. Because SQL Server 2005 and Visual Studio 2005 won't ship until the week of Nov. 7, will Microsoft be considering a name change to SQL Server 2006 and Visual Studio 2006? It's an even more reasonable question given that BizTalk Server 2006 will ship at the same time as SQL and Visual Studio. The answer: Not a chance, says Thomas Rizzo, director of SQL Server marketing for Microsoft: "We've got too many T-shirts printed."

Windows XP Edition N

Microsoft has been dragged tooth and nail into delivering the stripped-down version of Windows XP. The retail and volume licensing release of Windows XP Edition N began this month for several European languages and OEM distribution for several more languages starts July 15. The special versions of Windows XP with the Windows Media Player removed for European markets come as a result of the European Commission first demanding it, then quarrelling with Microsoft over an acceptable name. The retail box sports a red star reading in large text either "Windows XP Home Edition N" or "Windows XP Professional Edition N." In smaller print inside the star: "Not with Windows Media Player."
— SCOTT BEKKER


COMPLIANCE ISSUES? What was lost is now found with Enterprise Vault TM 6.0. Manage to locate anything quickly in a maze of communications data and email. Even elusive PST files. Securely and cost effectively. Finally. Software for Utility Computing. veritas.com

© 2005 VERITAS Software Corporation. All rights reserved. VERITAS, the VERITAS Logo and Enterprise Vault are trademarks or registered trademarks of VERITAS Software Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Redmond Report

A Script for Success
Former Novell VAR aims to put Boca Raton on Windows map—again.

BY DOUG BARNEY

Mention Boca Raton, Fla., to older PC aficionados, and they'll wax nostalgic about the late Phillip "Don" Estridge and the birth of the original IBM PC. Jason Judge and Brian Styles hope that in a decade or so you'll think of their company, the Boca-based ScriptLogic Corp.

ScriptLogic isn't as audacious as the computer to beat back the Apple II. Instead the goal is grounded—to help Windows admins do their jobs more quickly and effectively through automation so they can spend time working on more exciting strategic projects.

It's no surprise that ScriptLogic's strategy is so fundamental—the company started life as a Novell NetWare value-added reseller (VAR) named Inteletek, explains company founder and ScriptLogic CTO Brian Styles. NetWare had a good run – until the late 1990's when Windows NT came along and Inteletek started losing deals.

Seeing no good Windows NT scripting or admin tools, Styles wrote his own. "I searched for such a tool, and couldn't find anything. NT had no centralized management, admin or scripting," Styles explains. Styles' NTscript filled that gap.

By 1999, with NTscript in hand, Styles was ready to give up the VAR life and become an ISV. And so ScriptLogic was born. "All of a sudden we became a software company," Styles explains.

In its early life, ScriptLogic focused on helping admins handle clients more quickly and easily through scripting, security configuration and the management of user profiles, among others. That strategy now touches some 3 million desktops, though company CEO Jason Judge "wants the other 97 million."

Judge, who joined in 2001 as employee number eight, made a leap of faith. On visiting the firm, he "saw that guys just didn't leave—they were wearing the same clothes." That passion piqued Judge's interest; he did some research and hit a few discussion forums. He asked a friend, a software analyst for a large investment bank, about the opportunity, who told Judge it was the wrong move. "I hung up on him!" Judge explains, convinced that ScriptLogic was a diamond in the rough.

The company didn't have a lot of infrastructure, so Judge helped craft a one-year plan focused on new products, staff, sales and marketing. "It took less than eight months to meet the one-year goal," Judge says.

That's when the venture capitalists started calling, and despite the dramatic tech market downturn, Insight Partners invested $8 million in 2003, roughly a third of all the venture capital invested in Florida that quarter.

By late in 2003, ScriptLogic was ready to tackle servers—and bought Orlando-based Small Wonders Software which had an AD-aware server tool that ultimately became ScriptLogic Active Administrator. The tool was a perfect fit, and so were the people—Judge says there's been 100 percent retention of Small Won-

Photos: Brian Styles; Jason Judge

Product Portfolio:
Desktop Authority – a superset of ScriptLogic, Desktop Authority is a desktop management tool that automates scripting
Patch Authority – a patch management tool based on Shavlik technology
Cloak – Originally from Small Wonders
Active Administrator – AD and GP auditing and management (formerly from Small Wonders)
Enterprise Security Reporter – AD, registry and NTFS reporting
Secure Copy – data migration and server consolidation tool
Security Explorer – manages the security of NTFS drives
Service Explorer – centrally manages OS services and scheduled tasks

Fun Fact: ScriptLogic's previous office was between a dog pound, a halfway house and a dump.

12 | July 2005 | Redmond | redmondmag.com | 0705red_Report_9-13.F2 6/14/05 10:12 AM Page 13

RedmondReport Mobile Feature Pack to Upgrade Security Technologies coming this fall should make configuring, administering and securing Exchange e-mail via mobile phones an order of magnitude easier.

BY KEITH WARD (Microsoft has confirmed that the the simplicity of the system. Windows Here’s the scenario: Your scatter- feature pack will not be backwards Mobile uses a direct IP connection brained human resources director has compatible, so it won’t be available to from Exchange to the device, cutting once again left his PDA in a cab. On environments running previous out middleware and other servers used his PDA is salary information, Social versions of Exchange.) in a multi-tiered environment like Security numbers and other highly Microsoft touted some other BlackBerry. The data sent between the sensitive information for every single enhancements of the feature pack, device and Exchange is encrypted for employee in your organization. including the ability to look up global security. That simplicity, Microsoft Imagining an unscrupulous cabbie or address information on a wireless hopes, will also lead to reduced passenger abusing that information device, and manage and enforce hardware and software costs. has you in a cold sweat. corporate IT policy over the air. John Cutting out the extra layers seems to speed up communications. A Microsoft Devices like these from Symbol are among the partner offerings demo showed a PDA synching with that will support Microsoft’s new direct Exchange-Windows Exchange and pulling down e-mail, Mobile 5.0 integration. calendar, contact and other information in just seconds. According to Microsoft, if you have Starkweather, a senior product At its TechEd announcement of the Messaging and Security Feature manager for Windows Mobile, said the feature pack, though, the focus Pack for Windows Mobile 5.0, this there’s a huge untapped market for was clearly on the security aspects nightmare can be avoided. The ability the advantages offered by the feature of the update, in recognition of to remotely wipe the hard drive of pack. 
There are between 130 million the public and IT’s continuing a device that’s in danger of being and 140 million Exchange users wariness of Microsoft’s track record compromised is one of the enhance- worldwide, he estimated. By contrast, on security when it comes to new ments to its mobile operating system, only about 20 million people use products. The biggest security due out this fall. mobile e-mail in any form. threat with mobile devices, Stark- The feature pack works with Although that number is relatively weather said, is “someone leaving Exchange Server 2003 Service Pack 2, small, it appears the market has the device somewhere.” due around the same time. It’s part of embraced the promise of mobile But another common security Microsoft’s effort to win over users computing. Starkweather said there threat is not an issue for Microsoft of mobile devices like the RIM are currently about 40 OEMs building mobile devices—at least so far. BlackBerry, using similar “push” Windows Mobile devices today. Starkweather said there has never been technology to move data to PDAs, One advantage they have over a successful attack on a Windows-based cell phones and other handheld units. non-Windows mobile developers is mobile phone.—

ders employees. Small Wonders Authority as the ‘set it and forget it’ offer,” said a posting to the ScriptLogic founder Brian Small now serves as vice approach to ensuring that each desktop message board. president of product development, is auto-configured a specific way for ScriptLogic execs believe their firm focusing on the server side. each user when they log on. Map has made its mark in the Windows Users seem to like what they see, drives, deploy printers, and anything space. “We pioneered a market that especially from Desktop Authority, else that requires a certain configura- didn’t exist—we based a product on considered by many to be the compa- tion at logon and/or with a higher need. And being a VAR, we saw the ny’s flagship product. “We use Desktop degree of granularity that GPOs don’t need,” Judge says. —


Get it on the latest handhelds and most popular networks—all with an intuitive Outlook-like interface.

GoodLink enterprise software does what no other wireless messaging solution can. It puts the familiar look, feel and functions of Microsoft Outlook on a variety of Palm OS and Pocket PC handhelds—using all the most popular networks.

With Good you can also wirelessly enable CRM, ERP, SFA and other business applications. All with enterprise-class security, role-based administration and true over-the-air provisioning and management.

Get the facts now with a FREE mobile wireless information kit. Call 877-346-6306 or visit www.good.com/freekit

©2005 Good Technology, Inc. Good, Good Technology, the Good logo, and GoodLink are trademarks or registered trademarks of Good Technology, Inc. All other trademarks are the property of their respective owners.

INSIDE: We talk to Ray Ozzie and review the latest version of Groove Virtual Office. Page 36

ProductReview

Management Muscle

AppManager gives you the tools you need to keep a firm grip on network operations.

AppManager
Pricing starts at $600 per managed server (based on a per managed server and application basis)
NetIQ Corp.
408-856-3000
www.netiq.com

REDMOND RATING
Documentation (20%): 10
Installation (20%): 9
Feature Set (20%): 9
Performance (10%): 8
Management (30%): 10
Overall Rating: 9.4
Key: 1 = Virtually inoperable or nonexistent; 5 = Average, performs adequately; 10 = Exceptional
Receiving a rating of 9.0 or above, this product earns the Redmond Most Valuable Product award.

BY GERRY O’BRIEN

As your organization grows, it invariably takes more resources to keep things running smoothly. The IT infrastructure you have to manage and support becomes increasingly complex. More users, systems, and servers are added to the network—all that technology equates to more issues you’ll need to resolve.

Your users won’t always use their applications and network resources correctly. There will be software conflicts with the operating system or other applications. Newly released software is often loaded with bugs that can cause dramatic problems like crashing your applications and servers or subtle issues like memory leaks that continuously rob your servers’ memory resources.

If you’re in a small organization with one or two servers, you might be able to deal with these issues as they arise without much support. As your systems get larger, this task quickly becomes daunting. NetIQ has your answer to this dilemma with its AppManager suite.

AppManager lets you monitor your Windows clients and servers, as well as any Unix systems you may have attached to your network. The sheer number of different technological assets that you can monitor with AppManager is impressive to say the least (see Figure 1). The tree view on the left of Figure 1 shows the various categories of objects you can monitor. The detail pane on the right displays objects for the NT category.

Figure 1. This is just a partial list of some of the resources you can monitor with AppManager.

AppManager can monitor processes that burn up the most CPU time, watch how a server is performing in terms of streaming media and watch your Exchange servers and SQL servers. It could easily become an indispensable part of your network maintenance and troubleshooting toolbox.

If you’ve used NetIQ’s AppAnalyzer, you will already know that NetIQ does a fantastic job of helping you determine if your systems meet the requirements. AppManager uses the same concept by providing you with an application for checking system requirements prior to installing AppManager. Although the requirements listed above seem relatively simple to verify, there are “hidden” requirements that the system check utility will help you uncover.

When installing any of AppManager’s components, you’ll have the option to perform a system pre-installation check prior to installing the full product. Depending on which components you choose to install, you may be asked to select sub components as well. These subcomponents will determine the nature of the checks that AppManager will perform on your systems. In Figure 2, you can see an example of results returned from a pre-installation check for the Analysis Center install. Note the issues with the SQL Agent and Server running as OLAP Administrators.

Figure 2. The subcomponents you choose to install will determine which pre-installation checks AppManager will make.

Once you’ve resolved any pre-installation issues that arise, you’ll be ready to install the product. Resist the temptation to forgo this step. If you don’t perform a pre-installation check, you may find issues later on that prevent the product from working correctly. NetIQ has provided the pre-install checks to help ensure a smooth installation and operation of AppManager.

Knowledge Is Power

AppManager lets you monitor your systems with Knowledge Scripts. These scripts contain the necessary information required to perform monitoring tasks. By selecting a Knowledge Script from the list pane on the right of the Operator Console, you can drag and drop the script to the appropriate computer in the tree view pane on the left. AppManager will add that Knowledge Script as a job to that computer and will begin monitoring the values you have specified. (See Figure 3 for an example of a Knowledge Script configuration.)

Figure 3. Here are the Knowledge Script properties for NT_TopMemoryProcs monitoring.

This particular Knowledge Script is configured to monitor the processes that are using the most memory. Using this script, you can determine if an application or applications are using excessive amounts of memory or if an application is using more memory than it calls for. You could use this Knowledge Script to help you locate apps with memory leak issues.

Another well-thought-out and useful feature is the ability to simultaneously apply the same Knowledge Script to multiple computers. The Operator Console displays all the computers that you’ve configured for that particular script. At the top of the tree view is the master object. Once you’ve located the Knowledge Script you want to apply to a group of computers, simply drag the script to the master object. AppManager will apply that script to all the computers in the tree view, highlighting the appropriate options in those computers and applying the jobs to all computers in one operation.

The Operator Console is where you’ll do most of your configuration and monitoring tasks. AppManager lets you run the Operator Console as an MMC snap-in or even remotely with a Web-based interface (see Figure 4). The ability to run the console from multiple interfaces lets you connect to your management server remotely whether in the office or on the road.

Figure 4. You can run the Operator Console through an MMC or through this Web-based interface.

After you’ve configured and run a set of Knowledge Scripts to gather monitoring data, you can then view the information in a number of different chart formats. The bottom pane of the Operator Console displays the Events, Jobs, Details and Graph Data tabs. Selecting the Graph tab will give you the option of producing charts for graphically displaying job results. AppManager offers several preconfigured themes for these charts. As you can see in Figure 5 on p. 18, you can view multiple charts in the Charting Console to see multiple job results in a single view.

Figure 5. The Charting Console gives a number of options for viewing data.

With the Analysis component installed, you can also use OLAP to view and manipulate your data. For this to function correctly, you must first install SQL Server Analysis on a server accessible to AppManager and its Analysis Services. Installing Analysis Services on the same computer as AppManager and the repository will tax your system, so make sure you have the resources to handle both. The recommended approach is to install SQL Server on a separate system to reduce the server load.

AppManager also includes a Diagnostic Console utility, which gives you a snapshot of how a computer is using its resources. The Diagnostic Console (Figure 6) gives you much of the same information you’re used to seeing in the Windows Task Manager. There are several panes in the Diagnostic Console that give you select snapshot data. The performance pane at the top gives you real time CPU, memory and disk usage. The top right pane shows you the status of your Exchange services. The lower left pane displays information about each graph, and the lower right pane lets you get at commonly used system utilities. You can export the Diagnostic Console data to an HTML summary.

Figure 6. The Diagnostic Console can display snapshot data like Directory Service access for Exchange statistics.

Custom Scripts for Complex Tasks

If you need to perform some monitoring tasks that aren’t provided out of the box, AppManager lets you create and customize scripts yourself. You can use the script editor or the Developers Console to view, create, customize and edit Knowledge Scripts. Some of the scripts are written in Microsoft Visual Basic Script, which uses the same syntax you may have already used if you’ve done scripting for WMI or ADSI. You can also import existing PERL scripts into the Developer Console to create custom Knowledge Scripts.

As you might expect from an application of this scale, there are some hefty system requirements. Although not big on hardware horsepower, you’ll need to satisfy software requirements. AppManager requires a repository server and a management server at the very least (although these can both be the same server, if needed). You will need a Pentium III 733MHz CPU, 512MB RAM and 200MB of hard disk space at a minimum. You’ll also need Windows 2000 SP3 or Server 2003 as the base operating system. The repository server needs access to Microsoft SQL Server 2000 SP3 or later with MDAC 2.6 or 2.7. If you want to run the analysis component, you will also need to install SQL Server Analysis Services on your database server.

Believe it or not, we have merely scratched the surface here of what you can do with AppManager. We could easily fill this magazine with more descriptions of what AppManager can do. The User’s Guide for the product itself is 358 PDF pages long. Add the Administrator’s guide, the Installation Guide, the Knowledge Script Reference Guide, Upgrading Guide and Reporting Guides, and you can easily fill your summer reading list. It will require some time on your part to learn all of AppManager’s features, but you’ll earn it back with the time saved monitoring multiple computers. AppManager may provide more tools and utilities than you may need, but it’s better to have more than less in this case.—

Gerry O’Brien, MCP, MCT, MCSD, MCDBA, is a network administrator and IT instructor for the CompuCollege School of Business in Moncton, New Brunswick, Canada. E-mail him at [email protected].
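The review above describes the NT_TopMemoryProcs Knowledge Script, which watches the processes using the most memory so you can spot a leak. The script below is an added example, written for this page and not NetIQ’s own Knowledge Script, that does the same job with nothing but PowerShell: it samples every process’s working set twice, lists the top consumers, and flags anything that grew by more than a threshold between samples. The 60-second interval, the 50 MB threshold and the function names are assumptions chosen for illustration.

```powershell
# Added example, not AppManager's NT_TopMemoryProcs Knowledge Script: take two
# working-set snapshots of every process, report the top consumers and flag any
# process whose working set grew by more than a threshold between samples.
# Interval, threshold and function names are this script's own assumptions.

function Get-WorkingSetSnapshot {
    # Hashtable keyed by process Id: @{ Name; WorkingSetMB }
    $snapshot = @{}
    foreach ($proc in Get-Process) {
        $snapshot[$proc.Id] = @{
            Name         = $proc.ProcessName
            WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        }
    }
    return $snapshot
}

function Compare-WorkingSetSnapshots {
    param(
        [hashtable]$Before,
        [hashtable]$After,
        [int]$Top = 10,
        [double]$GrowthThresholdMB = 50
    )
    $rows = foreach ($id in $After.Keys) {
        $afterMB = $After[$id].WorkingSetMB
        # A PID absent from the first snapshot is a new process (or a reused PID);
        # it has no delta and is reported with DeltaMB = $null.
        $deltaMB = if ($Before.ContainsKey($id)) {
            [math]::Round($afterMB - $Before[$id].WorkingSetMB, 1)
        } else {
            $null
        }
        [pscustomobject]@{ Id = $id; Name = $After[$id].Name; WorkingSetMB = $afterMB; DeltaMB = $deltaMB }
    }
    [pscustomobject]@{
        TopConsumers = $rows | Sort-Object WorkingSetMB -Descending | Select-Object -First $Top
        Growing      = $rows | Where-Object { $null -ne $_.DeltaMB -and $_.DeltaMB -ge $GrowthThresholdMB } |
                       Sort-Object DeltaMB -Descending
    }
}

$intervalSeconds = 60
$first = Get-WorkingSetSnapshot
Start-Sleep -Seconds $intervalSeconds
$second = Get-WorkingSetSnapshot
$result = Compare-WorkingSetSnapshots -Before $first -After $second -GrowthThresholdMB 50

"Top memory consumers after $intervalSeconds s:"
$result.TopConsumers | Format-Table Id, Name, WorkingSetMB, DeltaMB -AutoSize
if ($result.Growing) {
    "Processes whose working set grew by 50 MB or more in $intervalSeconds s (candidates for a leak check):"
    $result.Growing | Format-Table Id, Name, WorkingSetMB, DeltaMB -AutoSize
} else {
    "No process grew by 50 MB or more during the interval."
}
```

One pair of samples only tells you that a process grew during that minute, which is normal for a service warming up a cache. A leak is growth that never comes back down, so run the comparison on a schedule and look for a process whose DeltaMB is positive sample after sample; that is the pattern the Knowledge Script in the review is meant to surface.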

Are You Preventing Exchange Server Failure, or Just Preparing for It?

Reactive measures won’t prevent a disaster, repair problems or accelerate performance.

As an administrator, you understand the mission-critical nature of the collaborative information that flows through your Exchange servers. In today's dynamic business environment, your servers are strained to the limit, and failure is not an option.

Prepared for the Worst? To protect the information flow and minimize the cost of unplanned Exchange server downtime and data loss, organizations devote enormous resources to reactive solutions such as continuous back-up, monitoring, and high-availability systems. Many organizations also implement Exchange archive solutions to comply with legal and other regulations such as HIPAA and Sarbanes – Oxley.

Reactive vs. Proactive Solutions

Reactive and archive solutions only protect you if your Exchange databases are healthy. But the Exchange database is the Achilles heel of the entire operation. Therefore, the key to preventing server failure is to implement a proactive solution that ensures the health, stability, and optimization of the Exchange databases.

Protect Yourself with GOexchange

GOexchange, from Lucid8, is the only automated preventative maintenance solution for Microsoft Exchange 5.5, 2000, and 2003 that prevents disasters, repairs problems and improves performance. GOexchange minimizes unplanned downtime, checks and corrects errors, and increases performance and stability by rebuilding indices and reducing the size of your Exchange information stores by 30 to 55%.

Exchange Database Before:
• Degraded performance
• Questionable stability
• Bloated message store
• Erratic and strange behavior
• Multiple errors and warnings
• Deleted items still intact

Exchange Database After:
• Optimized message stores
• Reduced store size by 38%
• 1557 errors removed
• 232 warnings corrected
• Increased performance & stability
• Deleted items completely removed

See for yourself why organizations worldwide are implementing GOexchange. Download your FREE demo now at www.Lucid8.com, or call 425.451.2595. Go to www.Lucid8.com/GOexchange – review the Whitepapers and Case Studies, then evaluate GOexchange, and get a FREE t-shirt.* *see website for details

Fr: barely managing your e-mail system

To: managing it while you check your voicemail

EMC EMAILXTENDER® SAVES YOU TIME AND MONEY WITH A SMARTER WAY TO MANAGE E-MAIL. Now you can handle everything from mailbox management to policy administration and corporate records with one solution. A solution built to lower your storage costs, streamline operations, and enable compliance. It’s what you need to gain control, minimize risk, reduce cost, and go home on time. Finally. To learn more, visit www.EMC.com/legato.

EMC, EMC2, Legato, and where information lives are registered trademarks of EMC Corporation. © 2005 EMC Corporation. All rights reserved.

BetaMan Don Jones

Virtual Server Grows Up

Virtual Server 2005 Service Pack 1
Version reviewed: Beta
Current status: Beta
Expected release: Late 2005

Unless you’ve been living in some other virtual universe, you know that last year Microsoft acquired Virtual PC and Virtual Server from Connectix. After updating Virtual Server earlier this year, Microsoft is giving it more muscle with its first Service Pack. The new Virtual Server 2005 (VS2005) hints at the solidified virtualization strategy that Microsoft announced at the Microsoft Management Summit last April in Las Vegas. It’s part of a larger series of announcements about how future versions of Windows will incorporate virtualization as a key feature and how Microsoft will leverage the hardware-level virtualization coming from AMD and Intel.

First and foremost among the key enhancements in VS2005 is extended guest operating system support that includes Linux variants, x86-based Solaris and other x86-based operating systems. This is in stark contrast to Microsoft’s earlier controversial decision to discontinue supporting these operating systems as guests on Virtual PC. Virtual Server has always been able to run non-Windows operating systems, but this makes it official. Having VS2005 support non-Windows operating systems is a sensible decision for Microsoft because it helps position the product as a means to migrate Linux- or Unix-based applications to Windows by running them on a virtual machine.

Elsewhere on the compatibility front, Microsoft plans to license VS2005’s virtual hard disk (VHD) format royalty-free. This will make it easier for Microsoft partners and customers to create applications using this format. Microsoft partners will also find it easier to develop products like migration solutions, management solutions and vertical-market applications around VS2005. This new licensing model will help make VS2005 an open and programmable platform.

New Power, New Manageability

The new service pack for VS2005 will run on 64-bit editions of Windows Server 2003 in native mode, which lets it take advantage of the increased memory and processing power available on 64-bit servers. VS2005 will not, however, support 64-bit Windows as a guest operating system. That means guests will continue to run only x86-compatible operating systems and applications. This is not a serious limitation since most VS2005 customers are running Windows NT 4.0 and Windows Server 2000 guests to consolidate legacy application servers. Being able to host VS2005 on a 64-bit server greatly increases the number of virtual machines a single server can host and boosts virtual machine performance.

Microsoft will soon ship a Microsoft Operations Manager (MOM) management pack for VS2005. With this, companies using MOM will have a centralized health and performance console for both the VS2005 host and the guest virtual machines running under VS2005. This level of management has always been an important missing link—and a key competitive advantage for VMware’s GSX Server. By providing VS2005 manageability through MOM, instead of a dedicated console (as GSX Server does), Microsoft helps further integrate VS2005 with the Windows environment.

Even if you aren’t using VS2005 and have no plans to do so, it’s an important product to watch.

Virtual Vision

Even if you aren’t using VS2005 and have no plans to do so, it’s an important product to watch. Microsoft CEO Steve Ballmer said recently that we can expect to see virtualization become a core part of Windows. Ballmer said virtualization would be integrated into Windows in the Longhorn time frame and will be built on Microsoft’s “Hypervisor” (its new code-name for virtual computing) technology. Hypervisor now refers to both full-virtualization technologies like Virtual PC and VMware, and OS-level virtualization like SWsoft’s Virtuozzo (see “Virtual Servers in the Real World,” October 2004).

Software virtualization will go through some major changes, however, as Intel releases “Vanderpool” and AMD releases “Pacifica.” These hardware-based virtualization solutions promise greater flexibility, stability and performance for virtual machines. Obviously, that special hardware will
Continued on page 28

BETAMAN’S ROUTINE DISCLAIMER
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.


FREE 30 DAY EVALUATION www.scriptlogic.com/patch

can really hurt.

Trust the dependability and security of Patch Authority Plus™ from ScriptLogic - your prescription for comprehensive, enterprise-class patch management

• Simplify the process of updating Windows desktops and servers from a central location
• Deploy patch updates in just two simple steps
• Deliver patches with greater security and less down time
• Protect your network with interactive or scheduled patching

> www.scriptlogic.com/patch

Evaluate a fully-functional, 30-day trial version of Patch Authority Plus and Get a FREE T-Shirt* Call 1-800-424-9411

© 2005 ScriptLogic Corporation. All rights reserved. ScriptLogic, Patch Authority Plus and the ScriptLogic logo are trademarks or registered trademarks of ScriptLogic Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademark of their respective owners. * Offer good while supplies last. Allow 4-6 weeks for delivery.

Redmond readers test YourTurn drive the latest products. WSUS: Better Name, Better Product Readers report that Microsoft’s Windows Server Update Services (WSUS) tool is a vast improvement over its predecessor SUS.

BY JOANNE CUMMINGS Graham, manager of information install the updates at certain times, and In its latest incarnation, Microsoft’s free systems for the City of Ridgeland, Miss. you can give it a delay between restarts, patch management and update tool is “It’s not as full-featured as SMS but there’s no way you can tell it to not on its third acronym. It started out as [Systems Management Server], but it prompt the user for restarts.” SUS (Software Update Services). It bridges the gap a little better.” then bore the unfortunate acronym Graham manages nearly 120 This latest version WUS (Windows Update Services). The computers and 11 servers—all is as close to perfect new version is called WSUS (Windows running different versions of Software Update Services). More Windows and various Microsoft as I’ve seen. importantly, it also resolves many of the applications—for the city’s police Jason Stanke, Senior Consultant, shortcomings of the earlier version. department, fire department and MindGent LLC WSUS officially debuted in June, but city offices. He also appreciates has been embraced by final beta users. the greater degree of control he gets For most, that’s a small price to pay for “This latest version is as close to perfect as with WSUS. “I can control what’s going greater patching control. “The constant I’ve seen,” says Jason Stanke, a senior con- out instead of just doing automatic restart thing can be a pain,” says Jason sultant at MindGent LLC, an IT consul- updates on each individual machine,” he Griffith, information systems specialist tancy in Indianapolis, Ind. Stanke uses says. “And I can force updates down [to and assistant network administrator for WSUS internally and to support several client computers] now. With SUS, I the state of West Virginia’s Department customer sites. “We haven’t encountered couldn’t do that.” of Agriculture in Charleston, W.V. “But one bug. The performance is a lot quick- if you just set it to automatically reboot, er. 
It doesn’t break other things. It simply Reboot This you don’t have to worry. It’s not a real works, which makes my life easier.” WSUS provides much more control show-stopper.” A key WSUS improvement is the over the patching process than its pred- expanded menu of product updates. It ecessors. You can schedule patch Test Drive Those Patches now handles updates for Exchange deployment and require users to reboot The biggest advantage that WSUS has Server, SQL Server and Office, as well after patches are installed. You can even over SUS is that you can now set up give them the option to reboot later, group policies and test patches before Windows Server Update although there are concerns with this deploying them across the enterprise. Services (WSUS) feature. “That’s great if they’re in the “We liked SUS, but the disadvantage Free middle of something and they don’t was the lack of testing,” Burtoft says. “If Microsoft Corp. want to reboot right away,” says Jim you approved a patch with SUS, it went 800-426-9400 Burtoft, senior consultant at Blair out to everybody. The nice thing with Technology Group in Altoona, Pa. “But WSUS is that you can set up a test www.microsoft.com actually the prompting for restart is my group and apply your patches [to that biggest complaint right now.” group] first. After they’ve been deployed as Windows. It also improves on the If a user doesn’t reboot right away, and you haven’t had any problems, then performance, testing and reporting WSUS prompts them at approximately you can roll it out to everybody.” capabilities of its predecessors. five-minute intervals, says Burtoft. “It’s Burtoft says setting up Group Policies The expanded application support is a annoying. It would be nice if you could is fairly straightforward. “You can make definite plus. “The main reason I like it tell it to never prompt a user for a restart, your test group as big or as small as you is because it supports more platforms, but you can’t. 
You can tell it to not restart like,” he says. “We set up a series of test like Office and Exchange,” says Clyde automatically, you can tell it to only groups. First, we’ll set up a basic alpha

| redmondmag.com | Redmond | July 2005 | 23 0705red_YTurn\Beta21-26.F2 6/14/05 9:53 AM Page 24

YourTurn

test group to make sure the patch doesn’t blue screen anything or break anything obvious. Then if it works there, we’ll roll it out to a more widespread test group of machines in different departments. If it works there, we’ll roll it out companywide. It makes the whole process much easier to manage.”

V8 Performance

Performance is also better with WSUS because it uses a new technology called Background Intelligent Transfer Service (BITS). It determines how much bandwidth is available on the local network before sending patches to target machines.

“SUS didn’t use BITS, so if you pushed a big update, there’d be some lag time with the clients and people complained about that,” explains MindGent’s Stanke. “The problem was that it would hit the update server and if you had a lot of updates, it would suck them all down at once. If you were trying to do something else at the same time, there was a visible difference in performance. Now with WSUS, it’s all done in the background and nobody even notices. There are no performance issues.”

That’s not always the case, though—especially when using it across a wide area network. “BITS is great, but we had trouble using it across the WAN,” Burtoft says. “It listens on the network and gauges how much traffic there is so that it will use only a portion of the bandwidth. But the problem is that it can only look at the local network, which could be running at 10MB or 100MB. If you’re downloading the patch over a 128K WAN link, it doesn’t figure that out. It only sees the LAN side and says, ‘Hey, I have a 100MB connection and I’m only using 1 percent, so I can download 1MB and nobody will even notice.’ Well, if it uses 1MB over a 128K link, it’s a problem.”

Burtoft searched the Internet for a fix and found that Microsoft offered a BITS template on its TechNet site that let him set the BITS parameters to accommodate the tighter WAN link. “You can limit it to 2K, which is the minimum, or 5K or 10K, whatever,” he says. “Hopefully, they’re adding that to the regular templates in the final version.”

WSUS doesn’t require much in terms of computer resources. The only platform caveat would be to avoid running WSUS on a server with other Internet applications. “We found that it doesn’t play well with SharePoint Portal Services,” Burtoft says. “Microsoft has a guide to show you how to get it to run with other Internet apps, but it’s definitely a bad idea.”

5 Ways WSUS Is Better Than SUS

Besides bearing a less-unfortunate acronym (thankfully, it was never called Patch Update Services), WSUS packs several notable improvements over its earlier incarnations:

1. Reporting: You no longer need a separate reporting tool, and can sort and sift through reports easier and quicker than with SUS.
2. Testing: You can now test patches before deploying them across the enterprise, and set a variety of test groups using Group Policies.
3. Application Support: While SUS just supported Windows patches, WSUS also handles Exchange Server, SQL Server and Office, plus more applications are promised down the road.
4. Performance: WSUS uses BITS technology to gauge available bandwidth and to ensure that patch downloads don’t negatively affect network performance.
5. Control: Administrators can schedule patch deployment, and force patches down to client machines.
— J.C.

Real Reporting

Another big improvement in WSUS, according to early users, is reporting. In fact, West Virginia’s Griffith says he had to use a third-party reporting tool for SUS. He sees no need for that with WSUS. “I think the reporting built into this is as good as my third-party tool, maybe even a little bit more in-depth,” he says. “I’m basically looking to see who needs patches, who doesn’t, and then the success rate of the patches and things like that. WSUS fulfills that need perfectly.”

Other users agree the reporting has been vastly improved. “The reporting features are phenomenal,” says Stanke. “I can tell it to give me a status report of all my computers and tell me what updates are needed across them, and I can find out what patches are still needed across my whole environment within 60 seconds. I can sort by failed installs, I can search by patches not needed and I can see which ones are already deployed. It’s flexible and very fast.”

WSUS also provides a greater level of detail than SUS. “If I click on a computer, it can tell me what OS and service pack it has, when it last talked to Active Directory, and what make of the hardware and processor it has,” he explains. “We actually use that as a very basic inventory.”

Waiting for Rollback

The only thing that’s really missing from WSUS, users say, is an automated way to

24 | July 2005 | Redmond | redmondmag.com

YourTurn

roll back or uninstall patches. This is especially important as the patching process becomes faster and more automated. “We’ve had situations where we had three or four machines where the patch just messed things up. It worked fine on about 90 percent of them, but there were a couple with problems,” says Griffith. “If you could roll back per machine, that would be nice.”

Rollback would have saved Stanke a lot of headaches when he rolled out a patch that locked up his entire development team’s computers for a day. “Microsoft has some key software pieces that allow clients to use the Windows Update Services much more efficiently, and one of those updates was the Microsoft Windows Installer 3.1 beta,” he says. “If you’re using the update service like we are here, Microsoft pushes that out to clients. I didn’t approve that, but Microsoft did it by default.”

Stanke’s entire development staff had difficulties. “Their computers would go ahead and try and install it, but about halfway through it would freeze and lock up. So people would turn off the computer and reboot it, and it would lock up again.”

After spending a day reading through newsgroups trying to figure it out, he found a workaround. “A lot of people had the exact same issue because Microsoft installed it by default,” he says. “I ended up having to download the exact patch, put it on a USB drive, reboot all the development team’s computers into Safe Mode, install it through Safe Mode, reboot, and then it worked.”

The workaround did the trick, but at a cost. “The whole time, the development group is just sitting there,” says Stanke, “and they’re completely billable so we had a whole day of wasted money. In a case like that, a rollback feature would be really great.”

A Serious Timesaver

Beyond the few glitches, the best part of WSUS is that it’s free, although it still requires some time to get set up and working properly. Chris Munger, senior IT manager at the American Academy of Periodontology in Chicago, says he had to take time to sit down with the documentation to make sure he wasn’t missing anything important.

“You also have to set up the server that will be doing the downloading of the updates and adjust your group policies so that you’re rolling them out in the controlled way you want,” he says. “It’s an afternoon, and sometimes it’s hard to find an afternoon when you’re getting all your other calls from your end users.”

It’s well worth the time investment, he says. “If you’re managing more than 20 machines, it will pay for itself in two or three months. You will more than earn back the time you invested in spades.”—

Joanne Cummings is a freelance technology journalist. Send your questions and comments to [email protected].

Continued from page 23

only work with OS support, which is where the integrated virtualization targeted for Longhorn should come into play.

Pumped-Up Performance

For now, we’re stuck with pure-software virtualization. I caught a demonstration of VS2005 SP1 running on a four-way AMD 64-bit server, next to a similarly equipped server running 32-bit processors. The performance difference was astounding. I hadn’t expected much, but some informal testing (Microsoft doesn’t allow formal benchmarking of beta products) suggested potential performance gains in the 25 percent to 30 percent range.

In practical terms, that means a 64-bit server previously capable of running six virtual machines at an acceptable performance level could run as many as eight at that same performance level. That’s a significant difference, although the increased price for 64-bit servers doesn’t make it a free upgrade.

I’ve always been disappointed that VS2005 relies on a Web-based interface instead of a more robust Microsoft Management Console snap-in. I get how cool Web consoles are, but I’d bet an MMC-based management tool would work much more like GSX Server’s superior tools. You can recreate a similar experience with Windows 2003’s Remote Desktop console, but that doesn’t provide features like integrated access to virtual machine settings and resource allocations. The Remote Desktop approach doesn’t work for non-Windows operating systems either, which Microsoft is now formally supporting in VS2005. I’d hoped that the next service pack for VS2005 would include a more robust console, but it looks like I’ll have to wait a bit longer.

Still, as a free upgrade to VS2005, SP1 is a must-have. The performance gains for 64-bit machines could make VS2005 one of the “killer apps” (the other major one being SQL Server) that really push those boxes—and licenses for the 64-bit edition of Windows 2003. With support for non-Windows OSes, Microsoft makes a welcome acknowledgement of today’s business realities. It’s also a clever strategic move to help Windows capture some market share from Linux variants.—

Don Jones is a contributing editor for Redmond magazine and the founder of ScriptingAnswers.com, a Web site for automating Windows administration. His most recent book is Managing Windows with VBScript and WMI (Addison-Wesley). You can e-mail him at [email protected].


RedmondRoundup

Halt: Who Goes There?

Biometric devices offer more security than standalone passwords. Here are three products that go beyond the basics for authentication and verification.

BY DON JONES

Passwords are so passé. Their effectiveness as a security standard continues to decline. People write them down on sticky notes and stick them to the side of their monitors or use simple, easy-to-crack passwords. Even with longer, complex passwords, tools like Rainbow Crack can quickly generate a clear-text version of any hashed password.

It’s no wonder people are looking for better, more secure alternatives. Smart cards are popular and fairly economical, but they’re still limited by the fact that the cards themselves can be stolen or lost. Just holding a card doesn’t truly identify someone as its intended owner. Only biometric authentication—an identification scheme based on examining unique biological factors like fingerprints—promises to offer true individualized proof of your identity.

For this roundup, we’ve put three biometric scanning and authentication devices under the microscope to see how the technology performs and what it has to offer businesses needing to lock down corporate systems.

It’s important to have an understanding of what these and most other biometric solutions can provide. Few biometric solutions today offer Active Directory integration, which means you’re essentially limited to using them at the desktop. While some of the devices’ software provides biometric-enabled AD authentication, they do so by remembering your domain password and using biometrics to unlock that password and pass it through to the domain. In other words, you’re still authenticating to AD via password; you just don’t have to have it memorized.

Ideally, your biometric profile—fingerprint scan, iris data or whatever—would be stored in AD and the biometric software would pass this information to AD for authentication, instead of just remembering your password. That level of integration will take more work from both Microsoft and the biometric device manufacturers. Some biometric vendors (including those described later in this article) have developed software to integrate their biometric solutions with AD. They typically use a proprietary server to store biometric information and integrate with AD to complete the authentication process.

In the meantime, why bother with biometrics? I’ve already mentioned the Rainbow Crack tool, which bad guys can use to get their hands on a clear-text


version of a password. This tool works by generating a database of all possible character combinations and their associated hashes. Then it simply looks up a hash in the database to discover the text version of that password. It’s time-consuming to pre-compute, although you can purchase entire, multi-gigabyte databases that will cover passwords of up to eight characters.

The key to defeating tools like Rainbow Crack is to have impossibly long passwords—passphrases, in fact—that are so long it would be computationally impractical to generate a large enough hash database. Microsoft recommends using passphrases as a way to more effectively secure your network.

Here’s a reality check, though—users hate long passwords. Many users think something like “Fluffy” with a capital F is a long password. That’s where biometrics can help out. By remembering passwords, they help users create and actually use complex passwords without having to remember them, or worse yet, resorting to writing them down.

Better still, users can create different passwords that apply to different applications and Web sites. That means the accidental disclosure of one Web site password won’t compromise your entire network. Naturally, convincing your users to do this will be difficult, but providing them with a cool biometric authentication toy will go a long way toward winning their enthusiasm and cooperation.

In this Roundup

REDMONDRATING scale: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional.
Weighting: Documentation 10%, Installation 50%, Performance 20%, Feature Set 20%.

Product                                            Price  Vendor                                                           Documentation  Installation  Performance  Feature Set  Overall Rating
Microsoft Optical Desktop with Fingerprint Reader  $104   Microsoft Corp., 800-426-9400, www.microsoft.com                 9              9             7            9            8.6
Panasonic BMT-100US Authenticam                    $272   Panasonic Corp., 866-726-2288, www.panasonic.com                 5              8             7            8            7.5
Silex COMBO-Mini                                   $179   Silex Technology America Inc., 801-748-1199, www.silexamerica.com 5             8             7            9            7.7

Microsoft Optical Desktop with Fingerprint Reader

There’s no cooler toy than a well-designed keyboard with a built-in fingerprint scanner. While Microsoft also offers standalone fingerprint readers, its new fingerprint keyboard is a wonderful convenience.

It’s bundled with DigitalPersona software, which was custom-built for this hardware. DigitalPersona acts as a fingerprint-secured password vault. When prompted for a password, you simply lay your finger on the keyboard’s fingerprint scanner and once the software verifies your identity, it passes along your login credentials. The software works with Windows XP’s local logon, as well as many other applications and Web sites (although it only functions with


Internet Explorer and not popular alternatives like Mozilla and Firefox).

Installing the software is easy. A number of stickers on the keyboard itself warn you to install the keyboard’s driver software prior to actually plugging in the USB keyboard. I ran into one problem when the keyboard was plugged into a powered USB hub. The fingerprint scanner’s red light blinked and refused to scan my fingers. Plugging directly into a motherboard-mounted USB port solved the problem, leading me to suspect the quality of the USB hub I’m using.

Using the software is easy. You start by touching the fingerprint scanner, and training it to recognize one or more of your fingers. Because the scanner is on the left side of the keyboard, you’ll probably want to have it memorize a couple of fingers on your left hand, but you can pick whichever fingers you like.

Once you’ve “trained” the software, you touch the scanner again whenever you come to a Web site or application that requires authentication. DigitalPersona will prompt you for your credentials, and from then on, it will insert them whenever required. To unlock and apply your credentials, you just touch the fingerprint scanner.

I was impressed by how easily and accurately the fingerprint reader worked. It recognized my fingerprint on the first try almost every time. It easily rejected my other fingers, as well as other people’s fingers.

However, my major complaint about DigitalPersona is its lack of support for non-IE browsers. I don’t use IE as my regular browser, which renders the fingerprint scanner useless for Web sites that require authentication.

There’s a curious and confusing message in the “readme” file that comes with the keyboard: “The biometric (fingerprint reader) feature in this device is not a security feature and is intended to be used for convenience only. It should not be used to access corporate networks or protect sensitive data, such as financial information. Instead, you should protect your sensitive data with another method, such as a strong password that you either memorize or store in a physically secure place.” What the heck?

Basically, Microsoft is acknowledging that the DigitalPersona software stores your passwords, but not in a fashion that’s guaranteed to be unbreakable. After all, it has to store clear-text passwords so the software can insert them into logon prompts for you. The very presence of these passwords—no matter how well-encrypted—is a potential security liability.

This is actually fairly common among many biometric solutions, although only Microsoft was this forthcoming about those limitations. For the record, the DigitalPersona Pro software (available separately) functions more securely, because it centrally stores biometric authentication and integrates with AD.

Panasonic BMT-100US Authenticam

Visions of Edna Mole from “The Incredibles”—and her method of peering into a security camera to enter a secure area of her superhero costume design lab—floated through my head as I installed the Panasonic Authenticam. The unit is physically similar to a Web cam in that it’s designed to sit atop your monitor or on your desk. In fact, the camera can do double-duty as a video-conferencing camera.

The Authenticam is not a retina scanner (sorry, “Star Trek” and James Bond fans). Instead, it uses snazzy software and firmware to locate your eyes and memorize your iris patterns (the colored portion of your eye) in much the same way that a fingerprint scanner scans your fingers.

The guts of the camera’s iris recognition capabilities come from Iridian Technologies, which also provides a variety of SDKs and APIs that work with the camera. You can actually sit up to 20 inches away from the camera lens and still be recognized, unlike retinal scanners that need to shoot a laser right into your eyeball to scan the back wall (the retina).

To train the camera to recognize your iris, you stare at a light to get your eyeball in the right position. Once you’re in position, you’re set.

I had no problem training the camera to recognize my iris. One farsighted colleague, however, needed a couple of tries to get it right because he couldn’t focus on the light. A second colleague tried to watch the screen and focus on the camera at the same time, which didn’t work so well. When you’re training the camera, focus on the light.

The Private ID software (also from Iridian) controls the camera. SecureSuite, another bundled application, performs many of the same functions as the DigitalPersona software that comes with the Microsoft keyboard—storing passwords for Web sites and other applications. SecureSuite was easy to install and configure. I was up and running with no hitches. The software lets you specify allowable logon methods for each account on your machine. For


example, you could disable passwords entirely in favor of iris scanning. I wouldn’t recommend doing that, however, because you won’t be able to use certain utilities that don’t integrate with the camera. The Authenticam also works with Iridian’s KnoWho server, which provides server-based authentication for corporate environments.

The Authenticam seemed hard to deceive. It properly rejected every eye other than my own. I couldn’t even get it to accept a properly sized photo of my eye, which I thought would be a sure-fire way to fool the system.

As cool as it is, I’m not sure I see a lot of companies investing in iris-recognition (besides government agencies and superhero costume designers). Fingerprint scanners are cheaper and more convenient, especially when they’re built into a keyboard. A fingerprint scanner also seems easier for users to accept.

Silex COMBO-Mini

The Silex COMBO-Mini fingerprint scanner is slightly larger than a USB flash media drive. It comes bundled with the SX-Biometrics Suite, which remembers passwords and inserts credentials for you. The Silex unit has a sliding plastic cover that protects the actual fingerprint scanner. The scanner itself felt more fragile than the Microsoft keyboard, although it never gave me any trouble.

One unique aspect of the Silex unit is that it features a User Identity Module (UIM), a tiny smart card similar to the Subscriber Identity Module (SIM) used in GSM cell phones. The UIM stores your actual fingerprint data. The theory is that you can pull the UIM out and move it from device to device, but it’s a bit tricky to get the UIM out of the scanner. You’d be more likely to just take the whole unit with you. Silex must have anticipated people doing this, as it even has a little hole for a key ring.

The Silex unit and software worked about as well as the Microsoft keyboard. However, the Silex unit is indeed more secure, because you can remove the UIM or carry the whole unit with you.

The software that comes with the Microsoft keyboard stores passwords on your computer, which means it’s more difficult to carry them around and protect them. The fact that the Silex unit lets you physically separate your passwords from your computer is a big plus.

Authentication Complete

Each of these biometric solutions was accurate, relatively easy to install and easy to use. In fact, I was genuinely surprised by their accuracy. While none of the products tested ship with robust, centralized AD integration, some of the manufacturers offer additional products that fill the void.

Microsoft’s keyboard and the DigitalPersona software was my favorite solution, simply because it’s such a well-integrated device that makes logical use of a piece of hardware that’s already on everyone’s desktop. Coupled with DigitalPersona Pro for AD integration, I can easily see every desktop in an organization equipped with a Microsoft fingerprint-scanning keyboard.

Naturally, it’s less suitable for use with laptops, but laptops always present their own unique security challenges. In fact, some laptop manufacturers (most notably IBM) are building fingerprint readers right into the laptop itself.

The Silex COMBO-Mini has the advantage of being easily portable, so you can bring your “library” of passwords with you by simply removing the UIM or the entire unit. This adds both a degree of security for your passwords, and an element of risk should you ever lose the unit.

While it worked well, I would anticipate particular support challenges with the Authenticam system. I can just imagine the help desk calls from people using an iris camera for the first time: “Are you sure the camera is pointed at your face? No, your face. The camera. The one on your computer. Look behind your desk. Maybe it fell off the monitor.”

Even if an organization only implements a biometric device for local use, its value as a password vault—letting users store a variety of complex passphrases rather than a single, simple password—is significant in this era of increased security awareness.—

Don Jones is a contributing editor for Redmond magazine and the owner of ScriptingAnswers.com, a Web site for automating Windows administration. His most recent book is Windows Administrator’s Automation Toolkit (Microsoft Press). You can reach him at [email protected].

GetMoreOnline

Go online to Redmondmag.com and read more about various authentication methods and other utilities with which you can secure your systems.
FindIT code: Halt
redmondmag.com


IT’S GROOVE BABY!

Redmond’s newest CTO hopes to make his mark on Microsoft’s collaboration efforts, and perhaps much more.

BY DOUG BARNEY

Ray Ozzie, the father of Lotus Notes, has long been both praised and sought after by . In 2001, Microsoft invested $51 million in Groove Networks, Ozzie’s groupware startup. This year Gates sealed the deal, buying the rest of Groove for a reported $120 million.

With Groove firmly in Microsoft’s pocket, Ozzie reports to Gates as his new CTO, leading some observers to wonder if the 49-year-old Ozzie could ultimately replace Gates as Chief Software Architect. Others are curious just how long the independent and entrepreneurial Ozzie will stick around. After all, he only stayed with IBM for two years after it bought Lotus.

Redmond editors Doug Barney, Paul Desmond and Lafe Low sat down with Ozzie to talk about groupware, his plans for Groove and what he thinks it will be like to work for Gates.

Redmond: How does it feel to be working for Microsoft, a company that you competed with while at Lotus and then partnered with at Groove?
Ozzie: It has been interesting in the first few weeks. I have been using Notes for my own mail for as long as there has been a Notes. You get habits. You use it a certain way. Now I’m an Outlook and Exchange user. The Exchange groups and Outlook groups already have a wealth of feedback [from me] from those experiences. There are some aspects of Outlook that just kick Notes’ butt and there are some aspects of Notes that kick Outlook/Exchange’s butt. They have different heritages and different architectures. I think our experience with Notes will help make Outlook and Exchange better products. But it is interesting calling them “we.”

Redmond: What are some of the high level issues you want to address with Exchange?
Ozzie: Microsoft has a broad variety of assets ranging from Hotmail to Smartphones to different forms of communication and collaboration, Groove, LiveMeeting and things like that. I hope to bring a unifying influence from the perspective of both the user and the IT administrator who wants to use these things in conjunction with one another.

Redmond: How do you bring about that unification?
Ozzie: [Part of my role] is to help Groove get integrated. But my primary role is separate from any given product group. As part of Bill’s staff, I am attempting to influence those different groups with a comprehensive vision strategy.

Redmond: What does a Microsoft CTO do and what area has Bill carved out for you?
Ozzie: I don’t think there’s a specific pattern for what a CTO does. Craig Mundie has shaped his world largely around the intersection of technology and policies. He deals with governments worldwide on issues such as literacy, how Microsoft can be a good corporate citizen within those various nations, and health initiatives that are important to those countries. He is also very involved in Trustworthy Computing. It is a personal interest of his.

David Vaskevitch is more of a platform person and has a much more pervasive internal influence on how various aspects of the platform are built. That’s based on his interest. Based on my background, a lot of [my work] will be in the communication and collaboration realm. I don’t know if there is a pattern, aside from the fact that all of us are essentially staffed to Bill and aren’t [in charge of] product groups.


Redmond: How do you exert influence if you don’t have product groups reporting directly to you?
Ozzie: It’s influence as opposed to control. A lot of it is personal style. Both Notes and Groove were very technically complex products to build, very deep and broad architecturally. The reality is that developers and architects really build what they want to build and will say no if what they’re charged to build doesn’t match their world view. I’ll declare victory if I can start to see over the next rev of a number of products that people are starting to do the right thing on their own initiative and if everyone buys into a high-level unified vision of how these things are going to work.

Redmond: Has Bill given you specific goals?
Ozzie: We’ve worked up six-month/12-month/18-month/infinite directions, but it’s not that concrete yet. It’s such a broad organization. Besides working on integrating Groove, the best thing I can really do right now is immersion—get to know people and get to understand the projects. You can’t really be effective unless the organization knows you and you know the organization.

Redmond: Often when Microsoft buys a company, it’s not just for the product. It buys the people, especially the top people. How much of a factor was that with Groove?
Ozzie: You’d have to ask Bill [laughs]. It wanted the people, but it was buying the business. It wasn’t buying the people per se. There’s a product there, there are customers, there’s a way that Groove fits into the Microsoft collaboration strategy that works really well. It satisfied a number of things at the same time. I think the biggest single thing that reflects that it wants the people is that it let the company stay in Beverly [Mass.]. I think Microsoft knows the best way to retain people is to make sure [they] have an environment [in which] they are highly productive.

Redmond: Can you talk about early plans to integrate Groove more fully into Microsoft applications and operating systems?
Ozzie: Groove was in early planning of V4 on its own. Now with Microsoft, [we] backed off a little and asked, “OK, we know what we would have done for our customers, but now what can we do better if we integrate with the real time communications stuff? What would be the better user experience if it is integrated with Office? What would be the better user experience if we integrate with SharePoint from a content management perspective?”

The three themes are: integrate user experiences so they can use the different modes seamlessly; unify the developer story so people can build Groove applications that integrate other aspects of Microsoft assets. For example, we are currently a good citizen with respect to managed code and things like that. There are additional things people do when developing as an Office developer, so integrating with some of that is important.

Administration is the third tenet. If you’ve got multiple servers, Office or Windows servers and Groove, how can we make that administration experience more seamless from a policy deployment perspective?

Redmond: Is there a vision of what users will be able to do in a couple of years that they can’t do today?
Ozzie: We have a palette of things. Unfortunately it’s about 10 times broader than we can do. There’s tremendous potential in the realm of content management in terms of organizing documents within a team and an organization. Many companies are starting to treat it as though it’s the next generation file share. Lots of people have document libraries in SharePoint. Then they want to share them with people outside the organization while they’re working on a project. So integrating Groove from the perspective of speeding up work spaces and getting content from SharePoint into Groove so you can work on it and then seamlessly put it back—that I really want to make work very well.

There are scenarios involving mobile devices that I would like to make work more effectively. A lot of the awareness things we do in Groove can be complemented very well by a mobile device, both in projecting your awareness and assessing what the status of others, what are they working on, is so-and-so awake yet?

Redmond: Will Groove remain a stand-alone product or will it be absorbed as part of the operating system and the applications?
Ozzie: Groove has a user model that works really well. Everything I’ve seen leads me to believe that it’s going to be a separate thing. Whether that thing is in certain situations bundled with other things or not are decisions that have yet to be made.

If you take Microsoft’s past, it does lots of interesting bundling for licensing purposes and for specific targeted audiences. I would expect the same thing would happen. I just don’t know exactly which ones yet.

36 | July 2005 | Redmond | redmondmag.com

IT’S GROOVE BABY!

Redmond: That bundling could allow Groove to become ubiquitous and thus easier to use and exploit.
Ozzie: That’s the promise.

Redmond: How does that ubiquity change the world of collaboration?
Ozzie: I think it has a lot of potential for two reasons. One is obvious—the network effects reason. Just [think about] Word documents. If I know you have Word, I am more likely to send you a .doc as opposed to .wp or .lwp. Similarly with Groove—right now we have pockets of success, but even though we make it available so that it’s very easy to download, the likelihood of someone already having it, a random person on the ’Net having it on their desktop is lower than it would be if it were part of a larger Microsoft offering.

Redmond: There are a lot of products that have rich collaboration functions, such as Notes and Exchange, but not many people use those features. What can the industry do to get people to exploit collaboration technology?
Ozzie: The value of the collaborative technology rises in proportion to how vertical the collaborative solution is.

Redmond: Is that Ozzie’s Law?
Ozzie: [laughs] Yeah, it’s Ozzie’s law. It is actually a law attributable to Notes VARs. Notes was a platform technology. Sure, it does mail and directory and calendaring when you install it. But its business value would really rise in proportion to how much a VAR would come in and customize it to a legal app, or emergency responder app, or any app based on what you do. Groove is the same way. If somebody downloads it and it’s a blank page, they might see some value or they might not. But if somebody that they know and trust says, “Oh I’m using it for this and that. Let me give you a template,” then suddenly it works for them because they can place it in what they do. Suddenly the value is much higher.

Redmond: Is it too late to do anything with Longhorn, or do you already have plans to do something with Longhorn?
Ozzie: We have conversations in terms of what features should be enabled in Groove as a part of Longhorn, but it’s too early to lock down what those would be.

Redmond: We’ve been looking at Microsoft Office and it seems that the competitors are saying it already has too many features. If it’s a features war, OpenOffice or SunOffice win because they are a lot cheaper. Microsoft seems to think that if it keeps pushing the envelope in terms of collaboration, then Office will continue to improve. Do you agree and how can Groove be a part of that?
Ozzie: There are features there that people could be exploiting if they knew they were there. I agree with the fact that there are fundamental things that can be done in the realm of how the Office suite is put together. The word processor is an automated typewriter, the spreadsheet is automated spreadsheet, PowerPoint is automated foils. Today you don’t create content without doing something with it with other people, whether it’s presenting it to other people or working on it with other people. It’s far more common today that you’re looking at things on the screen rather than putting it on paper. If you stand back and ask, “How would I factor these tools if I knew that I was trying to do so in a collaborative environment,” it might look quite a bit different. I personally think there’s quite a bit of opportunity if people are willing to open their eyes to the fact that there might be a better way or more productive way of doing things. I don’t know what the future holds, but I do believe there is more than just happy talk in terms of where this thing could go.

Redmond: You talked about going back to the drawing board with Groove 4.0. Are there features you had planned that will still be in there?
Ozzie: 4.0 should be the beginning of what 4s and 5s and 6s are, which is taking it deeper, taking it broader, enabling partners more. You’ll see largely more of the same. The message around 3.1 is going to be the message for 4.0, but you will see better integration.

Redmond: What would you tell IT pros that haven’t tried Groove yet?
Ozzie: Download it, try it, buy it, tell people about it. Find a task, be very selfish. One of our most successful verticals to date is selling to IT as a business unit. They have IT projects that they want to manage. The first Groove customer application was for a customer with two companies that were merging different mail systems. The project was to use Groove to coordinate all the people in switching from one mail system to another worldwide. Find a project that is relevant to you. Don’t think about it as some dramatic new infrastructure that is going to rock your world. Just think about it very selfishly for a project you are trying to get done with people that are spread out, either by time or place. Download it, get it to the people, have small expectations and it just kicks butt. And then think how else in the organization it can be used.

Redmond: What would you like your legacy at Microsoft to be?
Ozzie: Hey, I’ve just begun! A net value add—I think the field experience that I have from Notes and Groove can add value to Microsoft. Aspects of the successes I’ve seen and the failures can help the approach to how one builds systems with complex interdependencies, yet make things appear seamless to the user. That’s a valuable asset that can be brought to bear on Microsoft because it has unprecedented numbers of initiatives [that can be brought together to make] the user and the administrator progressively better. I’d be pretty happy if I could make a difference in this realm.

Redmond: Who came up with the name Groove?
Ozzie: I did. The collaborative systems of the past, the way you managed them is to orchestrate. You have someone at the top, and a second layer of management, and you orchestrate how to get something done. The nature of how work really does get done is kind of an overlay on that, which is people just working together. They assemble, they do something and they leave. I was thinking of things like [musicians] jamming, you are in the groove. That nature of dynamic group formation and disassembly is what I was trying to connote with the name.—

GetMoreOnline
Read more of what Ray Ozzie had to say to Redmond’s editors about Groove, collaboration and working for Microsoft, and more about what’s new in Groove Virtual Office 3.1. FindIT code: Ozzie, redmondmag.com

Ozzie on Redmond—the Magazine
“So how did Redmond magazine end up in Boston? That’s what I want to know. [Looking at the cover] It’s a good name. In the old days of Groove, we had a skin for the product that looked just like Microsoft products, and it was called Microsoft something. They forced us to change [the name] to Redmond.”

Groove a la Carte
You can get as much Groove as you need. Besides the Client Editions which cost anywhere from $69 to $229 per user, there are several server products as well. Here’s a look at the complete pricing schema:
• Enterprise Management Server: $23,995
• Enterprise Relay Server: $14,995
• Enterprise Auditing Service for the Management Server: $4,995, plus $49 per user per year Service Access License
• Enterprise Backup Service: $9,995, plus $19 per user per year Service Access License
• Enterprise Data Bridge: $9,995
• Enterprise Data Bridge for CASAHL ecKnowledge: $24,995, plus $25 per user per year Service Access License
• Enterprise XMPP Proxy: $19,995
Groove also provides hosted services. Hosted Relay Services are $40 per user, per year, and Hosted Relay and Management Services are $80 per user, per year.

Get Your Groove On
Groove Virtual Office can make remote collaboration almost as good as being there. By Don Jones

Groove Virtual Office
$69 Groove File Sharing Edition
$179 Groove Professional Edition
$229 Groove Project Edition
Microsoft Corp. (formerly Groove Networks)
800-426-9400
www.microsoft.com
www.groove.net

Groove helped us work “together” across miles and time zones.
Groovy Baby: Enter Groove Virtual Office.

The world of work has changed dramatically. Different people from different groups in different companies work together on projects from just about anywhere. Telecommuters work from home almost as easily as they do in the office. Traveling executives have virtually the same access to their data on the road as in the office. The Internet is the key to this brave new world. It’s inexpensive, it’s widely available and finally—it’s relatively fast.

While the concept of working anywhere continues to expand, the main problem is shared resources. For remote workers, common office infrastructure is absent—the tangible aspects like file servers and conference rooms and the intangibles like water cooler conversations and drive-by decisions. Without these elements, remote collaboration can be difficult. You may find yourself setting up your own FTP servers, looking at free teleconferencing services and so forth. It’s especially tough for people from different organizations working on the same project, or independent contractors and freelancers with no shared infrastructure in the first place. I’ve just started writing an advanced scripting book with another independent consultant like me. We needed a way to pass files back and forth, leave one another notes, organize sample scripts and other tasks related to the project. That’s easy enough to do in an office, but it can be tough when you’re separated by an entire continent.

Groove is an Internet-based service providing version-controlled file sharing, message boards, online meeting space and instant messaging, among other things. It is built to make online collaboration easier and more efficient—duplicating what you can do in a physical office environment to the greatest possible extent.

There are several editions of Groove Virtual Office—File Sharing, Professional and Project. Besides file sharing, the File Sharing Edition provides discussion boards, a shared calendar, sketchpad, notepad and offline folder synchronization. The Professional edition adds basic task management, Microsoft SharePoint integration, custom forms creation for collecting data, document review workflows and virtual meetings. The Project edition finishes off with a Microsoft Project-like graphical project timeline, dashboards, Microsoft Project integration, resource allocation and some other project management functions. There’s also a Trial Edition that offers a limited feature set for 60 days.

Installing Groove 3.1 is straightforward and only takes a few minutes. If you have an activation key for a fully licensed edition, you can apply it right after installation. You’ll be prompted to establish a Groove account, which you can set up to work from multiple computers. This means you can use Groove to access your workspace from your work laptop and home desktop computer, for example.

You start using Groove Virtual Office by creating a new Workspace (unless you’re joining a Workspace someone else has already created). For a file-sharing workspace, Groove will create a corresponding folder on your local computer (or let you choose an existing folder). This is where Groove synchronizes Workspace files with your local computer for offline use.

The Workspace is the basis for Groove’s operations. You can send messages to other Workspace members, invite other Groove users into your Workspace, add other computers to the Workspace and so on (see Figure 1 on p. 40). Right now, you can send Groove invitations via e-mail or AOL Instant Messenger. With Microsoft’s recent acquisition of Groove Networks, I expect Windows Messenger or MSN Messenger will be added in the near future.

Figure 1. From the Groove Workspace, you can invite other users to work in your space.

Integrating Groove with Microsoft Office or any other application is a no-brainer. Simply open the Workspace-related folder on your local computer. Then you can create new files, open and edit existing ones, and whatever else you need to do. Groove will automatically synchronize any changes back to the Workspace, so it works without any annoying Office add-ins.

You can configure Groove to display a Messenger-like alert whenever any changes occur in the Workspace, which helps you keep on top of project changes. Groove can also assign roles for participants—such as Manager, Participant and Guest—to which you can set Workspace permissions. This means you can let Workspace members view certain documents, for example, but not make any changes or revisions.

Ready, Set, Interact
There are a number of services that provide file sharing capabilities like Groove. What makes Groove unique is its built-in interaction capabilities. Groove provides discussion board messaging, which allows complex text conversations between people or groups within a Workspace. Participants can use both text and audio chat capabilities for instant interaction and even save a transcript of text chats for archival purposes. The Discussion feature integrated with Microsoft Outlook lets you use one or more existing e-mail messages as a starting point for a Groove-based discussion.

Groove has a shared Sketchpad feature, which works like an online whiteboard. This lets you share simple graphic concepts with other Workspace members. You can also set up your Workspace to have shared contact lists (you can even import contacts from Outlook) and a shared calendar. It also provides built-in instant messaging.

The document-review workflow is helpful. Simply right-clicking a document you’ve added lets you review that document. You can also specify other reviewers from the list of Workspace members. Reviewers are notified via a Groove message. They can then look at the document, mark it up, make comments and ultimately approve it.

Through integration with Microsoft SharePoint, a Groove Workspace can become a SharePoint “Mobile Workspace for SharePoint,” where the Workspace data is synchronized to a SharePoint site. This essentially uses Groove to Internet-enable SharePoint. It extends the reach of what has typically been an intranet-only site to Workspace members, who may not otherwise have access to that intranet. Groove even supports SharePoint’s embedded Microsoft InfoPath forms through Groove’s own form-builder and form-filler features. This lets you use Workspaces as data collection tools.

Another major aspect of Groove is its online meeting management. You can use it to create meeting agendas, action items, and record meeting minutes. You can also publish meetings to Workspace members’ Outlook schedules and use Microsoft NetMeeting to actually hold the meeting. Another result of Microsoft’s recent acquisition of Groove will most likely be some sort of Microsoft LiveMeeting integration. Note that Groove doesn’t actually provide the infrastructure to hold the meeting—apart from launching NetMeeting. It doesn’t provide conference-calling, video or similar features. The meeting tools help you organize meetings and record minutes. They also help you make those elements (agenda, action items, and so on) available to other Workspace members.

Get into the Groove
If you’re working with a geographically dispersed team and don’t have Microsoft SharePoint Server—which provides many of the same features as Groove to an intranet environment—then using Groove is an excellent way to bring all your project files, contacts, schedules, and other data into a single, shared workspace. The tool’s straightforward user interface makes it easy to use, and its configurable alerts help ensure that everyone is kept informed and actively participating at all times. Groove’s core file-sharing and review-workflow functionality is extremely valuable. Coupling that with meeting organization tools, discussion boards, instant messaging, and basic chat features helps provide a reasonable facsimile of the interaction you’d get in a physical office. For the price (much less than building a branch office), Groove bundles a lot of functionality into one well-integrated product.

REDMOND RATING
Documentation (20%): 9
Installation (20%): 9
Feature Set (40%): 8
Performance (20%): 9
Overall Rating: 9
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional
Receiving a rating of 9.0 or above, this product earns the Redmond Most Valuable Product award.

Don Jones is a contributing editor for Redmond magazine and the owner of ScriptingAnswers.com, a Web site for automating Windows administration. His most recent book is Windows Administrator’s Automation Toolkit (Microsoft Press). You can reach him at [email protected].

Build a Better Business Case
By Lauren Gibbons Paul

Need cash for your next big project? Don’t sweat it—IT managers share their time-tested tips for prying open the corporate wallet.

Robert Boettcher was waiting for approval of an e-mail upgrade project he had proposed when something fortuitous happened. The system crashed for a day.

“Suddenly everyone could see the immediate value of upgrading,” says Boettcher, IT manager at Artesia Mortgage Capital Corp., a commercial mortgage company with 60 employees based in Issaquah, Wash. “Everyone was saying, ‘Why hasn’t this been replaced?’”

Boettcher had presented his case for upgrading Artesia’s e-mail system to his boss several weeks earlier, but hadn’t yet received a green light for the six-figure project. Having management see the productivity impact of the system crashing and the cost of not doing the upgrade firsthand was priceless. Boettcher expects approval for his project any day now.

Many IT managers see preparing a business case for project approval as a necessary evil. Most have never studied basic accounting, so learning to create a solid business case is often a matter of trial and error. Like it or not, though, preparing and presenting business cases is very much a part of any IT managers’ daily life.

The executives may get the big bucks and the corner offices, but it’s the down-in-the-trenches IT managers who are on the line when it comes to making a solid business case for spending IT dollars. “They’re the ones who are doing the real work to calculate the numbers,” says Ian Campbell, president and CEO of Nucleus Research, a Wellesley, Mass., consulting firm specializing in measuring IT project ROI. “They’re the ones who are most likely to be fired if things go wrong.” Campbell and his colleagues help IT managers and CIOs put together business cases before the fact and measure the returns afterward.

Small and Simple
When it comes to preparing a business case for an IT project—whether it’s part of the infrastructure or a specific project intended to cut costs or drive revenues—IT managers at small- and medium-sized businesses (SMBs) like Boettcher typically don’t have to jump through too many hoops.


Their large-company counterparts are much more likely to have to contend with a “hurdle rate”—the amount of return a project must demonstrate before approval. Also, Fortune 1,000-class companies frequently require IT managers to frame a project case against all the other IT projects up for consideration by the corporate financiers. Mid-market IT managers (who comprise the bulk of the IT managers in the United States, due to the sheer number of SMBs) usually don’t have to follow as formal a process. They’ll have to do some research, choose the best option and stroll down the hall for an informal chat with their boss.

Anne Patterson is typical in that regard. “If I say, ‘This is what I need,’ they say, ‘We’ll get you the money.’ I don’t have to go up 18 chains of command,” says Patterson, director of IT for the Georgia Chamber of Commerce in Atlanta.

When Patterson prepares a business case, she has to cover the basics, including outlining the problem, identifying the solution, running the cost and benefit numbers and sketching out a timeline. “I whip up an executive summary explaining why the project will decrease TCO and increase ROI,” Patterson says. Her supervisors aren’t interested in technical details, but she keeps detailed documentation for every business case in case the board ever wants to drill down into the particulars.

Patterson’s boss naturally gives a bit more scrutiny to IT projects that cross the six-figure threshold. She has already gotten the thumbs-up on a project to upgrade her organization’s roughly 60 PCs next summer, along with a migration from Windows Server 2000 to Windows Server 2003. “I’m very lucky,” she says. “They’ve never said no to me.” Still, experience with a difficult boss in the past has made her very detail-oriented. She tries to imagine every possible question her director might ask and always has a response.

Proof of Productivity
Often, the hardest projects to cost-justify are infrastructure projects like e-mail where there is no demonstrable hard-dollar return. Suhale Vorajee, business support manager for a U.K.-based branch of GE Commercial Finance, struggles with demonstrating the benefits of initiatives that don’t pay off in hard dollars. “I often work on business cases for technology projects that are more to support a strategic initiative. I get pushback from the approval committee, which wants to see a hard-dollar benefit,” says Vorajee. “How can you cost-justify an investment in innovative technology when no precedent has been set?”

Those types of projects are always harder to justify, says Campbell. Imagine, for example, that you’re proposing a customer relationship management (CRM) application that will enhance customer loyalty. “You may not be able to point to hard savings, but if your competitors are providing that service and you aren’t, what percentage of your customers will you lose?” Making that sort of measurement is certainly more difficult, but not impossible, adds Campbell.

Still, IT managers labor over justifying infrastructure projects such as a voice mail or network upgrade. “Sometimes the best way to do it is to assess the impact if you took the technology away,” says Campbell. “How much would costs go up or productivity go down?”

Some IT managers don’t even attempt to quantify a project’s expected productivity benefits. Their belief is that projects with a clearly demonstrable return (such as a reduction in the number of calls a call center takes or money saved on printing costs) are more “pure” and therefore preferable to those relating to productivity benefits.

This is a big mistake, says Campbell. “If you don’t believe in soft benefits, you shouldn’t have bought a PC. You shouldn’t have lighting in your office. A significant part of any business case is measuring the productivity gain,” he says. (See “Quantify Those Indirect Returns,” for tips on measuring a project’s productivity benefits).

Business Case Best Practices
Cover the Basics: Make sure your analysis and business case covers the basics of clearly identifying the problem and the solution, costs, returns, benefits, timeframe and the cost of not doing the project.
Be Prepared with the Details: Have all the technical documentation you might need in case you have to dive into the details.
Envision Questions, Prepare Responses: Try to imagine every possible question a director might ask, and always be ready with an answer.
Prove Productivity Gains: Be sure to prove how the new project will boost productivity and reduce TCO. Don’t neglect to quantify indirect returns (see “Quantify Those Indirect Returns,” opposite page).
Show and Tell: Be prepared to demonstrate the value of the new technology.
Bring in a Sponsor: Have a sponsor from the business unit help you make your case. For example, if the project will benefit sales, have the sales manager sell it for you.
Mitigate Risks, Manage Expectations: Present a worst-case and most-likely-case scenario to help with risk mitigation and managing expectations. Watch the factors that affect critical numbers when preparing these scenarios. — L.P.


Quantify Those Indirect Returns
Usually, IT managers shy away from accounting for productivity improvements in their business cases, preferring to stick to hard benefits they can prove. That’s a mistake, warns Ian Campbell, president and CEO of Nucleus Research. Indirect benefits are just as real—and often have a much greater impact—than hard returns. Here’s one way to translate intangible benefits into tangible returns:
1. Quantify the amount of time you expect employees to save as a result of the new application or system. For example, a new CRM tool will save 10 hours a year each for 100 salespeople, so that’s a potential savings of 1,000 hours.
2. Because time saved doesn’t translate directly to additional time worked, multiply the time saved by a correction factor to account for what Nucleus calls the inefficient transfer of time. The correction factor is less than 1 and greater than 0. For example, salespeople on commission are highly motivated to work more, so they might have a correction factor of .7 or .8. Marketing staff might not use their time saved as effectively, so their correction factor might be .5 or below.
3. In this example, multiplying the correction factor for the salespeople (.8) by the total hours saved (1,000), the real time saved would be 800 hours.
4. Then multiply that result (800 hours) by the average salesperson’s hourly salary to quantify the benefit to the company in dollars. — L.P.
SOURCE: NUCLEUS RESEARCH INC.

If all else fails, seeing is believing. When Bill O’Reilly was trying to get his management team to realize the value of upgrading from Windows 98 to Windows XP, he resorted to just that. “I was able to bring in a system from home and say, ‘Here’s QuickBooks running on a new system running XP. Look at the bloody difference,’” says O’Reilly, IT manager at the Seattle Prostate Institute. He only needed about $30,000 for that project, but even that was a serious matter for the 75-person prostate health care company.

Now, after being turned down once already, O’Reilly is still pushing for approval on a project to upgrade the voice mail system to unified messaging integrated with Microsoft Exchange. “They choked on the up-front costs,” he says. “It’s still up in the air. Sometimes it’s hard to get them to see beyond the dollar sign up front.”

Shift the Burden
When putting together a business case for a project that will benefit a specific business unit or type of user, it’s critical to get an executive in that group to accept responsibility for making the benefits happen. Boettcher goes so far as to insist that an executive make the case himself, with help from Boettcher of course. For example, Artesia’s sales department was pushing for a CRM application. Boettcher researched the available technology options, supplied loads of data and eventually recommended Microsoft CRM, but that was it.

“The business case has to come from that department. They’re the ones who say they need it. I’m an IT person, not a sales person. I can supply information, but I can’t make the benefits happen,” says Boettcher. “I can talk about how it will integrate into our current environment. I can talk about support costs. I can be an advisor. But I don’t know what value that has to the business until they tell me.” For those types of projects, don’t attempt to get approval or financing until you have a business sponsor to come in with you and supply that side of the equation.

“The business case has to come from that department. They’re the ones who say they need it.” — Robert Boettcher, IT Manager, Artesia Mortgage Capital Corp.

Another solid option is to present a worst-case scenario along with the most-likely scenario as a risk mitigation strategy. This helps management pick and choose the project with the least damaging worst-case scenario, explains Campbell.

The first things to look at in preparing these scenarios are the metrics that drive the project’s ROI. These are clearly the project’s most sensitive numbers. For example, if you have a $1.2 million project, and consulting costs make up $1 million, then consulting is obviously the most sensitive area. Anything that could drive up the consulting costs is a clear threat to that project’s approval and outcome. You need to establish milestones related to those most sensitive metrics. In this example, you would want to get a fixed price for consulting services. Since it’s crucial to the project’s outcome, you would then want to assess your consulting costs every month to make sure they’re not getting out of hand.

“You want to look very carefully at anything that will affect the big numbers. That’s more important than calculating ROI,” says Campbell.

It may never be an IT manager’s favorite part of the job, but most find that the process of making business cases gets easier over time. When he first started in IT 15 years ago, Boettcher used to hate it. “Now I can make a much better case,” he says, “and people listen.”—

Lauren Gibbons Paul is a freelance business and technology journalist. You can reach her at [email protected].


An Open Look at Groupware
By Jim Conley

Open source groupware is better than ever, but for those seeking to replace Exchange, some caveats apply. Jim Conley examines the state of open source groupware and why it matters in a Microsoft shop.

Microsoft pulls the plug on Exchange 5.5 Server on Dec. 31 after eight years of steady service. While most of the Exchange 5.5 population has migrated to Exchange 2000 Server or Exchange Server 2003, some analysts estimate that as many as 25 million seats will still be on Exchange 5.5 at the beginning of next year. Without support from the mother ship, admins are on the lookout for their next platform—which may not be Microsoft. And as Microsoft is finding with Linux, open source alternatives are enticing many of those looking to switch.

Open Source vs. Runs-On-Linux
A quick refresher for the Windows crowd—open source and “runs-on-Linux” aren’t synonymous, especially when talking about Exchange alternatives. Bynari Insight Server is an excellent Linux-based Exchange replacement, but isn’t open source. Projects such as OpenGroupware.org and Open-Xchange are open source. In theory, an administrator could build an open source groupware solution with no costs beyond hardware and developer time. In practice, most groupware servers running on Linux (including those based on open source) use some closed-source components, especially if Outlook is the intended client.

A variety of open source servers replicate the basic functionality of Exchange 5.5, but accessing data from a Windows desktop requires either a proprietary connector for Outlook or a user base willing to try a Web interface to access much of anything beyond e-mail. Outlook connectors may carry substantial licensing fees, but they do


offer the most painless transition on the client side. Users know Outlook, and many power users rely on Outlook. While Novell has announced a future port to Windows of its popular open source groupware client Evolution, for now Outlook is the messaging client of choice for corporate Windows environments.

Messaging vs. Groupware
For the majority of users, Outlook remains a personal information manager rather than a groupware client. Recent statistics from Radicati Group analysts on the number of corporate clients using Outlook (489 million) versus the number of Exchange seats (127 million) suggest how few organizations actually take advantage of the groupware functionality of Outlook and Exchange. Public folders, calendar sharing and resource scheduling all require Outlook to be operating in Workgroup mode, which means an Exchange server on the back end.

Of those 127 million Exchange seats, the actual groupware usage varies dramatically among organizations. Some firms take advantage of little more than Exchange’s Global Address Book, while others rely on complex solutions based on custom Outlook forms and server-side events. Those with extensive groupware customizations will find the transition to open source more difficult and, in some cases, impossible without a complete redesign of the application.

Even for domains that use Exchange primarily as a messaging server rather than as a groupware platform, implementing an open source solution requires careful planning for a successful migration. Companies such as Binary Tree offer products and services for moving an Exchange store to an open source server. Evaluating one of these solutions is a good idea when considering a migration.

The Cost of Connecting Outlook
Outlook connectors don’t come cheap. The SKYRiX ZideLook connector costs $65 per user, according to SKYRiX’s Web site. Netline’s OXLook, when bundled with SuSE Linux Openexchange, costs $1,319 for 10 seats. Bynari’s Insight Connector is significantly cheaper than ZideLook and OXLook—$439 for 10 users, including the server. — J.C.

OpenGroupware.org vs. Open-Xchange
The distinction between groupware and messaging mirrors the difference between the two most mature open source groupware solutions suitable for replacing an Exchange environment, OpenGroupware.org and Open-Xchange. The products share similar lineages. Both originated in Germany as closed-source groupware solutions running on Linux. Both developers (SKYRiX for OpenGroupware.org and Netline for Open-Xchange) subsequently donated the code base to the open source community while retaining proprietary Outlook connectors as a revenue source. OpenGroupware.org focuses purely on groupware solutions, leaving messaging to other parties. Open-Xchange incorporates both messaging and groupware into a single package.

OpenGroupware.org and Open-Xchange are by no means the only open source groupware solutions, but they’re the most viable Exchange replacements because of the availability of corporate support and active development communities. Open-Xchange remains the most popular corporate groupware package, largely because of its historical association with SuSE Linux, which was acquired by Novell in January 2004. SuSE, Europe’s most popular Linux distribution, has offered Open-Xchange under the name Openexchange as an Exchange alternative since 2001 under license from Netline. Since Novell acquired SuSE, Netline open-sourced the majority of the Open-Xchange server code in August 2004 and now offers both free and licensed versions. The critical distinction between the versions is the inclusion of a proprietary Outlook connector (Netline’s OXLook connector), installation tools and product support.

OpenGroupware.org may lack integrated messaging services but it does include SKYRiX’s SOPE application server, which includes 16 packages and 1,500 classes handling XML, MIME, IMAP4, LDAP, RDBMS and iCalendar. Many of the underlying components of OpenGroupware.org are identical to those in Open-Xchange. Still, administrators considering the development of custom groupware applications need to carefully examine the relative advantages of each product as a platform. OpenGroupware.org project leader Gary Frederick described the project as “an Exchange take-out” when the SKYRiX code was open-sourced in July 2003. But OpenGroupware.org by itself is not an Exchange replacement due to the lack of a messaging server. OpenGroupware.org can be installed as a groupware component over an Open-Xchange server or it can interoperate with pre-existing messaging servers.

Developing Open Source Groupware
Both OpenGroupware.org and Open-Xchange provide extensive libraries for the development of groupware applications. Developers considering adapting groupware based on Outlook and Exchange must keep in mind that with open source groupware, much of the code will be on the server instead of the client. An Outlook/Exchange groupware solution usually consists of customized Outlook forms with VBScript event code, VBA modules for application-level events and C++ add-ins for radical customization and low-level messaging programming. An open source groupware solution that demands programmatic business
Xchange are by no means the only Open-Xchange provide extensive Even for domains that use Exchange open source groupware solutions, libraries for the development of primarily as a messaging server rather but they’re the most viable Exchange groupware applications. Developers than as a groupware platform, imple- replacements because of the avail- considering adapting groupware menting an open source solution ability of corporate support and based on Outlook and Exchange requires careful planning for a suc- active development communities. must keep in mind that with open cessful migration. Companies such as Open-Xchange remains the most source groupware, much of the code Binary Tree offer products and servic- popular corporate groupware pack- will be on the server instead of the es for moving an Exchange store to an age, largely because of its historical client. An Outlook/Exchange group- open source server. Evaluating one of association with SuSE Linux, which ware solution usually consists of cus- these solutions is a good idea when was acquired by Novell in January tomized Outlook forms with considering a migration. 2004. SuSE, Europe’s most popular VBScript event code, VBA modules Linux distribution, has offered for application-level events and C++ OpenGroupware.org vs. Open-Xchange under the name add-ins for radical customization and Open-Xchange Openexchange as an Exchange low-level messaging programming. The distinction between groupware alternative since 2001 under license An open source groupware solution and messaging mirrors the difference from Netline. Since Novell acquired that demands programmatic business


An open source groupware solution that demands programmatic business logic will generally require a Web interface because of the lack of a client-side application library comparable to Outlook’s Messaging API. Although the code for Open-Xchange and OpenGroupware.org is publicly available, learning how to customize or manipulate the software is an uphill climb, especially for those used to MSDN documentation. The core of knowledgeable open source groupware developers is significantly smaller than for Exchange, and the solution for many issues is determined through trial and error. That being said, the underlying components of open source groupware are established open source services such as Postfix (a mail transport agent for handling routing and delivery of e-mail), Cyrus IMAPD (an IMAP4 mailbox store), OpenLDAP (LDAP directory and authentication), PostgreSQL (database) and Apache (Web). Organizations already using Apache and Postfix for Web and messaging services have an advantage when considering open source groupware packages because existing infrastructure can be used as the base for a groupware installation.

The Next Generation

While OpenGroupware.org and Open-Xchange are the most mature open source groupware solutions, projects such as the Kolab Server and the Chandler and Sunbird personal information manager applications could have a significant role in the future of open source groupware. The Kolab server is associated with the KDE desktop on Linux, an alternative to the Gnome desktop that the Novell Evolution client is based on. Although Kolab will interoperate with a variety of clients, Kontact, the personal information manager for KDE, is the target client application. The roadmap for Kolab suggests a groupware solution designed for advanced client-server integration comparable to Outlook and Exchange.

The Chandler project by the Open Source Applications Foundation, while very much in alpha, is a cross-platform (Mac OS X, Windows, Linux) open source personal information manager that could be a future Outlook competitor. If Chandler matures into a full-featured groupware client while remaining platform agnostic, it could be a viable Outlook replacement on the Windows desktop with a seamless migration path to an open source desktop.

Mozilla’s Sunbird project is equally exciting, if only slightly more mature than Chandler. Sunbird is a calendar application from the Mozilla project, the same project behind the Thunderbird mail client and the Firefox browser. What makes Sunbird interesting is that it’s based on Mozilla’s XUL language, which allows for the development of stand-alone applications far more functional than traditional browser-based interfaces. As with Chandler, the option of running Sunbird on a variety of platforms also provides greater flexibility for administrators.

Active Directory Considerations

Perhaps more than any other Microsoft product, post-5.5 versions of Exchange rely on AD integration. Replicating some features of Exchange without AD is nearly impossible. Take the Global Address List and Public Folder permissions, for example; no existing open source solution comprehensively replicates these functions. Managing open source groupware permissions is a completely separate process from managing domain permissions. For an organization with 25 people, independently re-establishing directory permissions is a manageable annoyance. For an enterprise with thousands of users, it presents a logistical nightmare. It is also a second place for access rights to drift: an account disabled in the domain is not automatically removed from the groupware server’s own permission lists, so deprovisioning has to cover both. But for those still on Exchange 5.5, the lack of AD integration isn’t a concern, and may even be a benefit of an open source groupware solution.

Worth a Look

With a planned Windows port of Novell’s Evolution and the rapid development of Sunbird and Chandler, the availability of an open source client capable of providing functionality comparable to Outlook seems imminent. The Outlook connector serves best as a temporary measure for open source groupware, a way of leveraging existing Windows desktops with a mature closed-source client as an entry point for open source. For Exchange administrators considering any messaging or groupware upgrade or migration, open source groupware deserves a look. With Windows-based open source client alternatives to Outlook not yet fully baked, open source groupware will remain an unfeasible work in progress for some; others will find the possibilities of server-side groupware carry enough immediate benefit to replace an Exchange installation.

Why Outlook Is So Hard To Connect To

Outlook exchanges rich message content with Exchange through TNEF (transport neutral encapsulation format, the winmail.dat attachment that non-Outlook recipients sometimes see), a method to pass text, files and objects as well as binary message data that contains Microsoft Messaging API (MAPI) properties. Any genuine MAPI provider for Outlook needs to be able to create and interpret TNEF data. This is not a trivial task, especially considering the high number of undocumented features in the MAPI object model (160 and counting). — J.C.

Visit this story at Redmondmag.com for links to many of the projects and products listed here, as well as a discussion on Bynari’s Insight product. FindIT code: OpenLook

Jim Conley is an Outlook developer from Vancouver, British Columbia, Canada, who is watching open source groupware very carefully. You can contact him at [email protected].
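The sidebar above describes TNEF as the container a connector has to produce and consume before it can even get at the MAPI properties inside. The reader below is an added example for this article, not code from the article or from any of the connectors it mentions. It walks the documented TNEF layout (a 4-byte signature and 2-byte key, then a sequence of attributes, each a 1-byte level, 4-byte id, 4-byte length, the data, and a 2-byte checksum that is the byte sum modulo 65536). Because a connector parses streams that originate with arbitrary senders, every length is bounds-checked against the buffer and every checksum is verified, so a truncated or tampered winmail.dat raises an error instead of being read past its end. The sample stream, the subject and the attachment name are constructed here; the attribute ids and constants are the documented TNEF values.

```python
"""Minimal, defensive TNEF (winmail.dat) reader.

Added example for this article; not the article's own code nor any vendor's.
The sample stream below is constructed inline, not captured from a mail server.
"""
import struct

TNEF_SIGNATURE = 0x223E9F78       # little-endian magic at offset 0
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2

# Attribute ids are (type << 16) | id; these are the documented values.
ATT_TNEF_VERSION = 0x00089006     # atpDword
ATT_MESSAGE_CLASS = 0x00078008    # atpWord, zero-terminated string
ATT_SUBJECT = 0x00018004          # atpString
ATT_ATTACH_TITLE = 0x00018010     # atpString
ATT_ATTACH_DATA = 0x0006800F      # atpByte


def tnef_checksum(data: bytes) -> int:
    """TNEF's per-attribute checksum: sum of the data bytes modulo 65536."""
    return sum(data) & 0xFFFF


def parse_tnef(stream: bytes):
    """Return a list of (level, attribute_id, payload) tuples.

    Raises ValueError on a bad signature, a length that runs past the buffer,
    an unknown level or a checksum mismatch; never reads outside `stream`.
    """
    if len(stream) < 6:
        raise ValueError("stream too short for TNEF header")
    signature, _key = struct.unpack_from("<IH", stream, 0)
    if signature != TNEF_SIGNATURE:
        raise ValueError("bad TNEF signature 0x%08X" % signature)
    pos, attrs = 6, []
    while pos < len(stream):
        if pos + 9 > len(stream):
            raise ValueError("truncated attribute header at offset %d" % pos)
        level, attr_id, length = struct.unpack_from("<BII", stream, pos)
        pos += 9
        if level not in (LVL_MESSAGE, LVL_ATTACHMENT):
            raise ValueError("unknown attribute level %d" % level)
        if pos + length + 2 > len(stream):          # data plus 2-byte checksum
            raise ValueError("attribute 0x%08X claims %d bytes past end" % (attr_id, length))
        payload = stream[pos:pos + length]
        pos += length
        (stored,) = struct.unpack_from("<H", stream, pos)
        pos += 2
        if stored != tnef_checksum(payload):
            raise ValueError("checksum mismatch on attribute 0x%08X" % attr_id)
        attrs.append((level, attr_id, payload))
    return attrs


def build_attribute(level: int, attr_id: int, payload: bytes) -> bytes:
    """Encode one attribute; used only to construct the sample stream."""
    return (struct.pack("<BII", level, attr_id, len(payload)) + payload
            + struct.pack("<H", tnef_checksum(payload)))


def sample_stream() -> bytes:
    """Constructed winmail.dat: version, message class, subject, one attachment."""
    body = b"".join([
        build_attribute(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000)),
        build_attribute(LVL_MESSAGE, ATT_MESSAGE_CLASS, b"IPM.Microsoft Mail.Note\x00"),
        build_attribute(LVL_MESSAGE, ATT_SUBJECT, b"Quarterly numbers\x00"),
        build_attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"q2.xls\x00"),
        build_attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, b"\xD0\xCF\x11\xE0" + b"\x00" * 12),
    ])
    return struct.pack("<IH", TNEF_SIGNATURE, 0x1234) + body


def subject_and_attachments(stream: bytes):
    """What a connector pulls out first: the subject and the attachment names."""
    subject, names = None, []
    for level, attr_id, payload in parse_tnef(stream):
        if level == LVL_MESSAGE and attr_id == ATT_SUBJECT:
            subject = payload.rstrip(b"\x00").decode("latin-1")
        elif level == LVL_ATTACHMENT and attr_id == ATT_ATTACH_TITLE:
            names.append(payload.rstrip(b"\x00").decode("latin-1"))
    return subject, names


if __name__ == "__main__":
    print(subject_and_attachments(sample_stream()))
```

Flip any byte inside an attribute, or drop the last byte of the stream, and parse_tnef refuses the whole message; that is the behaviour you want from anything that sits between the Internet and a MAPI store.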


WindowsInsider Bill Boswell What’s New in R2

Revolutionary new technologies eventually become an integral part of the framework of life. Nowadays, even the smallest and cheapest automobiles have overhead cams, fuel-injected engines and automatic transmissions. PDAs have embedded digital cameras and cell phones.

It’s all about maturity—and that’s not a bad thing. Ask most people in their 30s if they’d rather be a teenager again and most will quickly pass. Maturity fosters confidence, respect and a firm sense of place in the world. Maturity can also make it much more difficult to make meaningful changes in lifestyle and appearance.

Nowhere is this march toward technological maturity in the Windows world more apparent than in the upgrade to Windows Server 2003 that Microsoft has dubbed “R2.” There are lots of blockbuster technologies in R2—the documentation lists 16 distinct feature sets—but these technologies build on Windows. They don’t fundamentally alter the nature of Windows itself or introduce dramatic new ways to architect or administer your systems. The new items in R2 are incorporated into the Windows Components section of Add/Remove Programs, layering onto what Windows 2003 SP1 already added. The R2 portion of Setup also makes changes to the Active Directory schema when installed on a domain controller. Schema changes apply forest-wide and cannot be rolled back, so run that part of Setup against a test forest before touching production domain controllers.

The new components in R2 don’t form an integrated package. R2 isn’t a novel you read from beginning to end. It’s more like a magazine where you read articles you find interesting. Let’s take a look at some of R2’s components and capabilities that you may find interesting and useful.

Distributed File System Upgrades

The Distributed File System (DFS) lets you build virtual volumes that link share points from different servers into a single, cohesive structure that users can browse without concern for the names or locations of the host servers. R2 sports a new DFS management console (see Figure 1) that greatly simplifies setting up enterprise-strength DFS volumes. The big news, though, is the new handling for DFS links that target shares on multiple servers. This feature ushers users who touch a virtual folder represented by a DFS link to the replica in their site or the closest upstream site.

Unfortunately, the replication engine that Windows 2000 Server DFS uses to keep the content behind a DFS link with multiple targets in sync—the NT File Replication Service (NTFRS)—simply doesn’t have the horsepower to handle large files or large numbers of files. Worse yet, when stressed, NTFRS can fail catastrophically. This often forces a complete rebuild of all replicas.

R2 has a completely new DFS replication engine that handles huge files and huge numbers of files with great aplomb. You can use the new engine to maintain real-time replicas of large data volumes in a central location, which not only makes multiple-targeted DFS links a practical reality, it also makes it simpler to set up a low-cost data recovery center. If you have file servers in branch offices and you’ve been looking for a cost-effective way to replicate those volumes to central headquarters for redundancy, check out DFSR.

Figure 1. The improved DFS Management console in R2 simplifies configuration of large DFS volumes.

Print Management

I’m not sure if assigning an administrator to oversee print servers officially qualifies as cruel and unusual punishment under the terms of the Geneva Convention, but it certainly isn’t a job that most folks are eager to tackle. The new Print Management Console (PMC) in R2 won’t put gold trim around the Printer Administrator cubicle, but it sure will ease the pain of having that position.

As shown in Figure 2, the PMC provides centralized control of all Windows print servers (Win2K and Windows 2003), all the printers serviced by those servers and the print queues represented by those printers. If you cringe at the thought of sifting through hundreds and hundreds of printers in a GUI interface, you’ll really like the folder filters in the PMC. You can sort your printers into various categories based on name, location, number of jobs in the queue and so on. The PMC also has an automated detection feature that you can use to locate all the network print servers in a subnet and automatically add them to the console as managed printers.

Not only can you see every single printer and its queued jobs, the PMC also has a handy little window for accessing the Web interface of network print servers. This doesn’t quite replace a vendor’s proprietary management interface, but it sure beats juggling three or four different interfaces in a large, mixed environment of network print servers. The PMC is a superior innovation. In short order, you’ll wonder how you ever managed distributed Windows printers without it.

Figure 2. The R2 Print Management Console makes it much easier to manage printers on multiple servers.

Storage Resource Manager

Microsoft introduced quota management in Win2K, but it was a thin effort. Several vendors leapt into the breach to deliver functional storage resource management (SRM) solutions. In R2, Microsoft has licensed and built in SRM tools from Veritas. SRM in R2 significantly improves the on-board quota handling in the operating system. You can also layer R2 onto Network Attached Storage (NAS) devices if they’re based on Windows Storage Server 2003. So with vendor approval, you can get quota management on your existing NAS devices.

Unlike Win2K quotas, which you could only apply at the volume level and which relied solely on file ownership to determine disk utilization, quotas in R2 SRM can be assigned to individual folders or sets of folders (see Figure 3) and will limit folder size regardless of who created the files. There’s even an AutoQuota feature that’s particularly useful for putting limits on user home directories. By applying AutoQuotas to the top folder above the user home folders, you can limit the content of each user folder to a specific maximum, with intermediate settings for e-mail scoldings and administrative notifications.

Figure 3. The Storage Resource Manager lets you assign quotas to user home directories.


SRM also comes with a nifty file screening utility with which you can block storage of all sorts of non-business files. The feature relies on file extensions, not content analysis, so it won’t stop a crafty user from stashing piles of music videos and ripped DVDs under an allowed extension, but it’s a step in the right direction.

Finally, SRM has quite a few handy report formats that simplify quota administration. You can get usage statistics by file size, owner, least recently used files, duplicate files and more. SRM can generate reports automatically every night so you can come to morning meetings armed with enough paper printouts to keep even the most detail-oriented manager happy.

Storage Management for SANs

Unrelated to SRM, the Storage Management for SANs component in R2 lets you use a single MMC console for managing a variety of SAN devices. You can create, extend, assign and un-assign logical unit numbers (LUNs), manage iSCSI target devices, and get a view of storage subsystems and the drives in those subsystems. This feature requires the SAN device to support Virtual Disk Services (VDS) in Windows 2003. Your vendor should have details.

Hardware Management

While we’re on the subject of consolidating the management of diverse technologies, R2 includes plumbing to support a broad-based computer management initiative called the Intelligent Platform Management Interface (IPMI). In essence, IPMI uses a separate processor on the motherboard—the Baseboard Management Controller (BMC)—to constantly take measurements and assess system operation. Because the BMC is a separate processor, it doesn’t rely on the availability of an operating system to take action. Also, the BMC can handle IPMI commands arriving at the Ethernet controller directly, giving you the benefit of out-of-band management to do remote diagnostics and system restarts. That same property makes the BMC a privileged management surface that answers on the network whether or not the OS is up: keep its interface on an isolated management network, change the vendor’s default credentials, and don’t expose it to the production LAN.

The Hardware Management component in R2 exposes IPMI as a set of Windows Management Instrumentation (WMI) classes. But it goes one step further. WMI can be a bit, um, temperamental to implement on remote servers, especially in a diverse environment, so R2 includes an implementation of WS-Management Web services that define a set of routines for accessing the BMC both while the OS is functioning and if it’s unavailable.

If all this mucking about with Web services and alternate motherboard processors seems a little too abstruse to be truly useful for system administration, let me reassure you: This technology will eventually become the underpinnings of distributed system management. It’s well worth your time to do the research and experiment with any tools that become available.

Active Directory Federation Services

Speaking of Web services, R2 includes an implementation of another potentially revolutionary-enabling technology called WS-Federation. Space prohibits going into even a fraction of the details of this feature in this column, but here’s the bottom line: If your company engages in Web-enabled transactions with business partners or customers and those transactions require that you create and maintain identity information for outside users, then you absolutely should be looking at ways to implement WS-Federation.

Unix/Linux Interoperability

R2 also comes with three components designed to simplify Unix/Linux interoperability by letting a Windows system pretend to be a *nix system by donning a variety of masks:

• Identity Management for Unix (IdMU) lets an AD domain controller pretend to be a Network Information Service (NIS) server for purposes of authentication and authorization (see Figure 4). Bear in mind that NIS has no transport security of its own: any host that can reach the service can request its maps, so limit which subnets can reach a domain controller in that role.

• Microsoft Services for Network File System (MSNFS) lets Unix/Linux clients use NFS to mount shared folders on Windows servers. This eliminates the need for configuring Samba on the Unix side and makes file storage more seamless in a distributed environment.

• Subsystem for Unix-based Applications (SUA) lets you compile and run the source code for a Unix/Linux application natively on a Windows machine without an intervening emulator.

All these features are present in Services for Unix, but their capabilities have been enhanced, the interfaces simplified and the underlying system changes brought in line with commonly accepted industry practices.

Figure 4. Identity Management for Unix lets an AD domain controller pretend to be a Unix server for authorization purposes.
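The file-screening caveat in the Storage Resource Manager section above (extensions, not content) is easy to demonstrate. The Python below is an added example, not code from the column or from Microsoft’s SRM tooling: it implements a name-only rule of the kind SRM applies beside a rule that also sniffs the leading bytes of the file, and runs both over four constructed samples, including an MP3 renamed to .txt and an executable renamed to .bak. The magic numbers are the published values for those formats; the blocked-extension list, file names and sample contents are assumptions made for the example.

```python
"""Extension screen versus content screen.

Added example for this column; not the page's code nor Microsoft's.
The sample "files" are a few constructed leading bytes, not real media.
"""

# A "no media, no executables" policy expressed the way SRM expresses it: by name.
BLOCKED_EXTENSIONS = {".mp3", ".avi", ".wmv", ".exe"}

# (leading bytes, description) for the same formats, expressed by content.
MAGIC_NUMBERS = [
    (b"ID3", "mp3 (ID3 tag)"),
    (b"\xFF\xFB", "mp3 (MPEG frame)"),
    (b"RIFF", "avi/wav (RIFF container)"),
    (b"\x30\x26\xB2\x75\x8E\x66\xCF\x11", "wmv/asf"),
    (b"MZ", "Windows executable"),
]


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def screen_by_extension(name: str) -> bool:
    """Mimics SRM file screening: the decision rests on the file name alone."""
    return extension_of(name) in BLOCKED_EXTENSIONS


def sniff(content: bytes):
    """Return the description of the first matching magic number, else None."""
    for magic, desc in MAGIC_NUMBERS:
        if content.startswith(magic):
            return desc
    return None


def screen_by_content(name: str, content: bytes) -> bool:
    """Block if either the name or the leading bytes match the policy."""
    return screen_by_extension(name) or sniff(content) is not None


# Constructed samples: the first bytes of each file, padded.
SAMPLES = {
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 20,
    "notes.txt": b"ID3\x03\x00" + b"\x00" * 20,        # the same mp3, renamed
    "report.doc": b"\xD0\xCF\x11\xE0" + b"\x00" * 20,  # Office compound file: allowed
    "setup.bak": b"MZ\x90\x00" + b"\x00" * 20,          # an executable hiding as a backup
}


def audit(samples):
    """Return {name: (blocked_by_extension, blocked_by_content)} for each sample."""
    return {name: (screen_by_extension(name), screen_by_content(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print("%-12s extension-screen=%-5s content-screen=%s" % (name, verdict[0], verdict[1]))
```

The name-only screen catches song.mp3 and nothing else; the content screen also catches notes.txt and setup.bak. Sniffing is still a heuristic (an MP3 without an ID3 tag and with a different frame header would slip past this short table), which is why the column calls extension screening a step in the right direction rather than a control to rely on.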


General Upgrades and Enhancements

For the most part, the remaining components of R2 are upgrades to existing technologies. For example, many of the tools in the R2 components use the Microsoft Management Console version 2.1’s great new features. One of these new features is a field at the far right of the console for displaying the content of property menus so you don’t have to right-click your way through an unfamiliar interface. Sweet.

You’ll also find several improvements to Active Directory Application Mode (ADAM), the underrated but highly useful younger sibling of AD. You may encounter one or more applications that make use of ADAM to store directory service information that would otherwise require a schema modification to implement directly in AD.

If you’re a fan of SharePoint, you’ll like that R2 includes Service Pack 2 (SP2) of Windows SharePoint Services, which incorporates a variety of fixes and updated plumbing plus a new Central Administration Website. If you prefer your clients a bit chubbier than those provided by SharePoint, R2 also includes version 2.0 of the Microsoft .NET Framework.

How to Get R2

R2 is packaged as a second disk that accompanies a primary disk containing Windows 2003 SP1. Once released, R2 will replace Windows 2003 SP1 in the retail channel, meaning that if you buy new server software, it will include the R2 disk, even if you have no need for the new R2 features. If you’re a Software Assurance or Premier customer, you already own R2 so you might as well take advantage of its new components. If you’re a retail or volume license customer, there are no Client Access License (CAL) upgrade requirements, but there is an upgrade cost.

The R2 Customer Preview Program beta is available for download at http://www.microsoft.com/windowsserver2003/r2/default.mspx. Be sure to let me know what you like and don’t like.

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting Inc. He’s the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also a speaker for 101communications’ TechMentor Conferences. You can contact him at [email protected].

Network and Certification Training for Windows Professionals San Jose, CA October 17-21, 2005

Over 90 sessions categorized into tracks: CCNA, MCSA, MCSE, Security, Scripting, Troubleshooting, Linux

PRESENTED BY: TechMentorEvents.com

Track Descriptions

CCNA (Cisco Certified Network Associate) The CCNA track will prepare you to take Cisco’s entry-level networking exam. Nearly every administrator has network-related duties, whether it’s firewall configuration, managing IP traffic or setting up a VPN. The CCNA track will teach you what you need to know with four days of intense training. The instructor for most sessions is Todd Lammle, one of the industry’s most well-known and popular speakers.

MCSA (Microsoft Certified Systems Administrator) The MCSA track is aimed at systems administrators with six months or more of hands-on experience with Active Directory and Windows 2000 Server or Windows Server 2003. You’ll get a thorough grounding in all aspects of Windows server administration, taught toward the MCSA test objectives, with plenty of demonstra- tions to help clarify difficult concepts. This track will focus on the following exams: 70-270, 70-290 and 70-291. The elective exam objectives being taught are for 70-299, Windows Server 2003 security. Bruce Rougeau, popular “certification slam session” instructor, heads up this track.

MCSE (Microsoft Certified Systems Engineer) The MCSE is the most difficult of Microsoft’s administration-related certifications to obtain, going beyond basic server administration into system design and planning. This track provides intense training in the concepts Microsoft expects you to know for the certification exams. The MCSE track will touch on all of the exams (core and design) necessary to obtain the MCSE. However, the main focus will be on the following exams: 70-290, 70-291, 70-293 and 70-294, with plenty of information related to the 70-297 and 70-298 exams as well. Derek Melber, nationally known speaker, trainer and author, leads this track.

Linux The Linux mini-track is geared toward admins who are experimenting with, or using, Linux in their day-to-day Windows environments. The two-day track begins with an overview of the basics of Linux, then moves into the Windows realm, detailing how to get Linux and Windows to play nice with each other. Noted author and speaker Jeremy Moskowitz, currently writing a book on Linux-Windows interoperability, leads this track.

Scripting The Scripting track will provide you with the foundation necessary to administer your servers and desktops more efficiently using scripts. You will start out with basic scripts that require no previous knowledge of scripting. Building on that foundation, you will work your way through more advanced concepts, with hundreds of examples and lots of opportunities to get your hands dirty building your own scripts. When you finish, you’ll have all the tools you need to replace those time-consuming manual processes that take up so much of your work day. This track is led by scripting guru, Redmond magazine Contributing Editor and instructor Don Jones.

Security The Security mini-track offers two days of in-depth instruction on all aspects of Windows security. It starts off with the basics and builds in a step-by-step fashion to more advanced topics. Learn security from three of the biggest names in the Windows security world: Windows author and speaker Mark Minasi, Microsoft Corp. security guru Steve Riley, and prolific author and speaker Roger Grimes.

System and Network Troubleshooting The Troubleshooting track is designed to strengthen and sharpen your diagnostic skills and show you exactly how to use the vast array of troubleshooting tools available from Microsoft and selected third parties. You’ll learn secrets for digging out core problems and eliminating them from your systems. You’ll also learn dozens and dozens of best practices to help you avoid problems in the first place.

TechMentor | October 17-21 | San Jose, California

Instructors You Know and Trust

When you attend a TechMentor conference, you have direct access to the most respected instructors in the industry. Since 1998, TechMentor has provided in-depth, technical training from world-class instructors for thousands of Windows networking professionals. Our attendees leave fully capable of managing their networks smarter, faster and more effectively.

Roger Grimes, MCSE: Security, CNE, A+, Speaker, Author, Consultant

Steve Riley, Speaker, Product Manager in Microsoft's Security Business Unit

Don Jones, MCSE, Speaker, Author, Consultant, Contributing Editor, Founder of ScriptingAnswers.com

Jeremy Moskowitz, MCSE, MCSA, Founding Partner of BrainCore.Net LLC

Todd Lammle, CCNP, MCSE, Speaker, Author, Consultant, Trainer, President of GlobalNet Training, CEO of RouterSim, LLC

Derek Melber, MCSE, Speaker, Consultant, Founding Partner of BrainCore.Net LLC

Mark Minasi, MCSE, Speaker, Author, Columnist

Peer Networking Events
There is plenty to learn outside the classroom from our network-savvy attendees and instructors, who are authors and consultants as well as skilled speakers. Exchange ideas, share resources and discuss lessons learned in a variety of casual settings, such as:
> Attendee Networking Forum
> Cocktail Reception
> One-on-One Consulting with Instructors
> Improv Night

Who Should Attend
> Systems Administrators
> Network Administrators and Managers
> Network/Systems Engineers
> MCPs, MCSAs and MCSEs
> IS/IT Managers and Directors
> Security Specialists
> IT/Network/Systems Analysts
> Tech Support/Help Desk Technicians
> Consultants

For complete conference details, download the brochure at TechMentorEvents.com.


Network and Certification Training for Windows Professionals San Jose, CA October 17-21, 2005

TechMentor Conference Highlights

> Learn how to integrate Linux into your Windows environment
> Upgrade your skills to Windows Server 2003
> Learn to diagnose and repair common network problems
> Improve your network security
> Make long-lasting professional contacts

Soar beyond the boundaries of what you thought you could do. Register today for TechMentor.

PRESENTED BY: TechMentorEvents.com

Mr.Script Chris Brooke Device Management

One of the best things about scripting is taking control away from the Windows interface. There's nothing finer than finding some hidden API that exposes the features of an oft-employed GUI tool. Unfortunately, Microsoft doesn't always give their tools an API that we can script against. Case in point: Device Manager. While WMI gives us some power over our physical devices, we don't have an API that provides Device Manager's powerful capabilities. Nevertheless, (spoken in my best sinister accent) "ve haf vays of makink it vork!"

Microsoft has a command-line tool called DevCon.exe that you can use to enable, disable, restart, update, remove and query devices or groups of devices. Wrap that up with the WScript.Shell object and you have something you can really script with. Alternatively, you can just put it into a command-line script (.cmd file), but where's the fun in that?

Where Do I Begin?

To get started using this fascinating utility, you must first download it from http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q311272 (Note: Microsoft states that DevCon is unsupported and not redistributable. It's intended for use as a debugging and development tool, so you're on your own. 'Nuff said.) This page also contains some information to help you use DevCon—which is great, because it doesn't have an accompanying help file. Now that you've downloaded it, let's take a look at what it can do.

Listing 1 shows all of DevCon's commands. By specifying the machine where you want to run the command (DevCon uses Interprocess communication—IPC—to access remote computers) and the necessary arguments, you can get DevCon to perform a host of hardware-related operations. Log on to Redmondmag.com to find some examples of how to use these commands. FindIT code: DevCon.

Listing 1

C:\Devcon\i386>devcon /?
Device Console Help:
devcon [-r] [-m:\\<machine>] <command> [<arg>...]
-r           if specified will reboot machine after command is complete, if needed.
<machine>    is name of target machine.
<command>    is command to perform (see below).
<arg>...     is one or more arguments if required by command.
For help on a specific command, type: devcon help <command>
classfilter  Allows modification of class filters.
classes      List all device setup classes.
disable      Disable devices that match the specific hardware or instance ID.
driverfiles  List driver files installed for devices.
drivernodes  Lists all the driver nodes of devices.
enable       Enable devices that match the specific hardware or instance ID.
find         Find devices that match the specific hardware or instance ID.
findall      Find devices including those that are not present.
help         Display this information.
hwids        Lists hardware IDs of devices.
install      Manually install a device.
listclass    List all devices for a setup class.
reboot       Reboot local machine.
remove       Remove devices that match the specific hardware or instance ID.
resources    Lists hardware resources of devices.
restart      Restart devices that match the specific hardware or instance ID.
sethwid      Modify Hardware IDs of listed root-enumerated devices.
stack        Lists expected driver stack of devices.
status       List running status of devices.
update       Manually update a device.
updateni     Manually update a device (non interactive).

As you can see, DevCon.exe provides a lot of functionality. In order to get a handle on its capabilities, you'll need to play with it for a while. After all, it took you more than just a couple of minutes to get familiar with Device Manager, didn't it? And that's a GUI tool! Be prepared to invest some time in learning how to use DevCon. It will be time well spent.

One suggestion: I'd recommend that you begin by working with the enable and disable commands—specifically as they relate to network interface cards. There. I just gave you a big clue as to what we will be discussing next month. Geez! It's like having homework all over again, isn't it? And I was doing so well avoiding that lately.—

— Redmond magazine and director of enterprise technology for ComponentSource. He specializes in development, integration services and network/Internet administration. E-mail Chris at [email protected].
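Before you wrap DevCon in a script, it helps to have something that turns its text output into data you can make decisions on. The following is an added example, not code from the column or from Microsoft: it builds the DevCon command line (including the -m:\\machine form for remote computers) and parses the output of devcon status into records. It assumes devcon.exe is on the PATH, that you run it with administrative rights, and that devcon status prints each device as an unindented instance ID followed by indented "Name:" and state lines; SAMPLE_STATUS is constructed output in that layout so the parser can be tried without the tool.

```python
"""Script DevCon.exe: build its command line and parse 'devcon status' output.

Added example, not code from the column. Assumptions: devcon.exe is on PATH
(change DEVCON otherwise), and 'devcon status' prints each device as an
unindented instance ID followed by indented 'Name:' and state lines, with a
'N matching device(s) found.' trailer. SAMPLE_STATUS below is constructed
output in that layout so the parser can be tried offline.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

DEVCON = "devcon.exe"   # assumption: on PATH; needs administrative rights

# Constructed sample of 'devcon status =net' output (not a real capture).
SAMPLE_STATUS = """\
PCI\\VEN_8086&DEV_100E&SUBSYS_001E8086&REV_02\\3&267A616A&0&18
    Name: Intel(R) PRO/1000 MT Network Connection
    Driver is running.
ROOT\\MS_L2TPMINIPORT\\0000
    Name: WAN Miniport (L2TP)
    Device is disabled.
ROOT\\MS_PPPOEMINIPORT\\0000
    Name: WAN Miniport (PPPOE)
    Device has a problem: 28.
3 matching device(s) found.
"""


@dataclass
class Device:
    instance_id: str
    name: str = ""
    state: str = "unknown"          # running, disabled, problem or unknown
    problem_code: Optional[int] = None


def parse_status(text: str) -> List[Device]:
    """Turn 'devcon status' output into Device records."""
    devices: List[Device] = []
    current: Optional[Device] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or re.match(r"\d+ matching device", line):
            continue
        if not line.startswith(" "):
            # An unindented line is the next device's instance ID.
            current = Device(instance_id=line)
            devices.append(current)
            continue
        if current is None:
            continue
        detail = line.strip()
        if detail.startswith("Name:"):
            current.name = detail[len("Name:"):].strip()
        elif detail == "Driver is running.":
            current.state = "running"
        elif detail == "Device is disabled.":
            current.state = "disabled"
        else:
            m = re.fullmatch(r"Device has a problem: (\d+)\.", detail)
            if m:
                current.state = "problem"
                current.problem_code = int(m.group(1))
    return devices


def devcon_args(command: str, *args: str, machine: Optional[str] = None) -> List[str]:
    # argv for a DevCon call; "-m:\\host" makes DevCon act on a remote computer,
    # which requires administrative rights there as well.
    argv = [DEVCON]
    if machine:
        argv.append(f"-m:\\\\{machine}")
    argv.append(command)
    argv.extend(args)
    return argv


def run_devcon(command: str, *args: str, machine: Optional[str] = None) -> str:
    """Run DevCon and return its stdout; raises if DevCon exits non-zero."""
    result = subprocess.run(devcon_args(command, *args, machine=machine),
                            capture_output=True, text=True, check=True)
    return result.stdout


def not_running(status_output: str) -> List[str]:
    """Instance IDs of devices that are disabled or carry a problem code."""
    return [d.instance_id for d in parse_status(status_output)
            if d.state != "running"]


if __name__ == "__main__":
    # Live use on a remote box: run_devcon("status", "=net", machine="SERVER01")
    for dev in parse_status(SAMPLE_STATUS):
        print(f"{dev.state:9} {dev.name}  [{dev.instance_id}]")
```

Once the output is structured, a script can act on it (for example, pass the instance IDs from not_running() to devcon enable) instead of eyeballing the console, and you can log exactly which devices it touched on which machine.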

| redmondmag.com | Redmond | July 2005 | 63

got Windows?

get

THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY

Essential. Timely. Face to Face. Each month, Redmond magazine gives you hands-on problem solving, tactical hard-core tech info, real-world reviews, expert columnists, interviews, news analysis and strategic insights into all things Microsoft. And, much more.

Solutions. Resources. Technology. P.S. If you're using Microsoft software, and are responsible for day-to-day technical troubleshooting, you must stay one step ahead by reading Redmond magazine.

Get it Now. Get it Free. Get it Fast. Order your FREE subscription to Redmond magazine at Redmondmag.com. While you're there, sign up for our free newsletter, Redmond Report, get the latest news and participate in discussion forums getting help in real time. Spread the news. Pass it along — your peers will value this offer as well.

Visit us NOW to subscribe for your FREE subscription to Redmond magazine at Redmondmag.com.

SecurityAdvisor Joern Wettern Dump Your DMZ!

DMZs (short for demilitarized zones) have been a standard component of network design ever since firewalls were invented. A DMZ is a network segment that contains all resources, such as Web servers and mail servers, accessible from the Internet. Implementing a DMZ lets you limit network traffic from the Internet to these resources in the DMZ, while preventing any network traffic from the Internet to your internal network. As a general rule, a DMZ server should never contain any valuable data, so even if someone managed to break into a server in the DMZ, the damage would be minor.

Things get more complicated when you need to allow some traffic between the DMZ and other servers. You may have SMTP relay servers in your DMZ that need to communicate with internal mail servers, or a Web server that gets its data from an internal database server. Unfortunately, implementing a DMZ-based solution that allows for such communications often leads to an inefficient or ineffective DMZ.

I believe that DMZs can give you a false sense of security. If you do a thorough assessment of your security architecture, you may well decide you'd be better off just dumping it.

Even considering such a move may seem like a sacrilege, but bear with me as I explain why DMZs, in most cases, are outdated security structures. The idea of a DMZ is so ingrained that it may be hard to shake it loose, but doing so may just strengthen, rather than weaken, your security infrastructure.

Common DMZ Designs

To illustrate the problem with DMZs, it's helpful to closely look at some of the most common DMZ designs. A type of DMZ often used by smaller organizations is the three-legged layout, shown in Figure 1. With this design, a single firewall controls the entire flow of network traffic. This includes connections from the Internet to the DMZ and from the DMZ to the internal network.

Operating Exchange with a firewall highlights the problems of such a design. Many network administrators have used a front-end/back-end topology to allow Exchange to send and receive e-mail, and to allow users to access their e-mail remotely. The firewall rules allow network traffic between the Internet and the front-end server over TCP port 25; incoming client traffic may also be allowed over port 110 for POP3 or port 443 for Outlook Web Access (OWA).

Because the front-end server has to be a domain member and communicate with the back-end server and domain controllers, you have to allow further traffic between the DMZ and the internal network. This traffic includes protocols such as Kerberos, Lightweight Directory Access Protocol and Remote Procedure Calls. It's difficult to restrict the number of ports used by these protocols, but even if you succeed in narrowing down the range, you still end up with a large number of ports open in your firewall.

You can improve the security of your firewall by using a second firewall to implement a back-to-back design, shown in Figure 2. With this design, an external firewall controls the traffic between the Internet and the DMZ. A separate internal firewall controls the flow of traffic between the DMZ and the internal network. Using two firewalls eliminates the single point of failure in the three-legged design. In a three-legged design, a hacker who can bypass the firewall can gain access to the internal network. With a back-to-back design, the internal firewall protects the internal network even if a hacker has managed to bypass the external firewall. However, using two firewalls still doesn't solve the fundamental problem of using port-based control of traffic between security zones.

Figure 1. Known as the "three-legged DMZ," this configuration is common in smaller networks. [Figure: the Internet connects to a single firewall with three interfaces; the DMZ leg holds an Exchange front-end server and a public Web server; the internal network leg holds a domain controller, a database server and an Exchange back-end server.]

FREE SPECIAL REPORT: Reports in our Tech Library

Featured eBook of the Month, Sponsored by Quest

Visit the MCPmag.com Tech Library for in-depth, technology specific reports for IT managers and professionals. These free reports are available in PDF format and cover topics ranging from Group Policies to Exchange Server 2003. You can also download free white papers and view webcasts from top industry vendors.

Check it out today! MCPmag.com/techlibrary

Figure 2. This dual firewall design, a typical DMZ configuration, is more secure than the one in Figure 1, but still isn't the optimal setup for security. [Figure: the Internet connects to an external firewall; behind it the DMZ holds an Exchange front-end server and a public Web server; an internal firewall separates the DMZ from the internal network, which holds a domain controller, a database server and an Exchange back-end server.]

Why DMZs Don't Work

The DMZ concept relies on firewall rules that allow network traffic to move between different security zones based on IP addresses and ports. Some firewalls add application-layer filtering to the mix, inspecting application protocols like HTTP. For communications between the Internet and your publicly accessible servers, you have to rely on addresses to define firewall rules. Because there is currently no technology that can reliably authenticate computers on the Internet, you have no control over what's out there. A good security design compensates for this lack of authentication by severely restricting and carefully monitoring any traffic from the Internet, because you can't trust any computer you don't control.

Communications between computers in the DMZ and your internal network are different. A DMZ design assumes a certain level of trust between computers in the internal network and computers in the DMZ. Many DMZ designs use firewall rules that allow some domain communications from the DMZ to internal domain controllers. For instance, communications from the IP address of a Web server in the DMZ may be allowed to an internal SQL Server that contains customer data, and Exchange front-end servers in the DMZ may be able to freely establish connections to an internal back-end server and all internal domain controllers. Firewall rules that allow such traffic are routinely based on IP addresses and ports alone.

The problem with IP addresses is that they can lie. They're easily spoofed, and logon requests to a domain controller that appear to originate from your mail server's IP address may instead have come from a computer that's been taken over by an attacker. Similarly, ports aren't reliable indicators of the type of network traffic. For example, port 80 is most often used for Web communications, but there's no guarantee that it isn't used by an attacker to transfer confidential data out of your internal network to a computer in the DMZ controlled by this attacker.

A final problem with DMZ servers is that they often pass on Internet traffic without significantly changing it. When a Web server in the DMZ queries a SQL Server in the internal network, it may pass along legitimate queries from the Internet along with SQL injection attacks. Having a DMZ gives you the impression that the SQL traffic into your internal network originates from the DMZ, but in reality it is traffic from the Internet that was simply converted to a different format by the Web server, then forwarded to


the SQL Server. As you can see, moving beyond IP addresses and ports is an important part of overcoming the limitations of using a DMZ to keep your network secure.

Trust No One

Another weakness of using a DMZ is the antiquated idea of assigning different levels of trust to different network segments. You can't trust computers simply because they're part of your internal network—there may be employees who snoop around the network and computers infected with worms and viruses. In the same vein, computers in your DMZ shouldn't automatically trust each other, because each of them accepts different connections from the Internet and is potentially subject to attacks from the outside. Most of all, computers in your internal network should never trust a computer in the DMZ, since it could well be compromised.

The worst case of misplaced trust is to put a member of your internal domain in your DMZ. This requires opening a large number of channels to domain controllers on the internal network. An attacker who's gained control over a domain member in the DMZ can use these channels to freely communicate with internal servers, including domain controllers. This means that your firewall design provides little—if any—extra protection over a design that allows direct connections from the Internet to your internal network. Placing an Exchange front-end server into the DMZ is one of the most common reasons for making this mistake, but it's not the only one. Using a firewall to separate domain members adds complexity to your network design, but it rarely adds security.

Network designs that don't recognize this problem with assigning trust give you a false sense of security, and fail at what they're designed to do—to ensure that internal servers only talk to specific computers in the DMZ. When DMZs became popular, IP address and port restrictions were all that was available to control network traffic. Today there are better tools to confirm the identity of a trusted computer. Implementing such authentication along with application-layer filtering provides a higher level of security than most traffic controls I've seen implemented on firewalls today. Once you start using such technologies for communications between your servers you're likely to find that having a DMZ no longer provides any value and needlessly complicates things. At that point you're probably ready to dump your DMZ.

Figure 3. This design uses two firewalls, but doesn't expose computers in a DMZ, providing your network more security than a standard DMZ configuration. [Figure: the Internet connects to an external firewall, then an internal firewall, then the internal network, which holds the Exchange front-end server, a domain controller and the Exchange back-end server; there is no DMZ segment.]

What You Can Do

DMZs have been a standard component of network design for a long time. Replacing them requires assessing the exact nature of network traffic


Make the Connection

Announcing

Magazine

With each issue, Redmond Channel Partner magazine gives you ideas and practical advice to help Microsoft partners grow their businesses. It’s FREE!

Get insights into topics ranging from: ✓Sales strategies ✓Working with Microsoft ✓Building partnerships ✓Negotiating with suppliers and customers ✓Using ROI to win deals And much more!

Take a look, it’s FREE! Redmond Channel Partner magazine—your best source for Microsoft partner information. As our tagline says, “Driving Success in the Microsoft Partner Community” is what we’re all about.

FREE Charter Subscription Offer Go to RCPmag.com today to order your subscription!


between computers. Here are some general guidelines to use:

• Keep it simple. The first recommendation applies to all aspects of network design and security. Unnecessary complexity inevitably leads to security risks. As you're evaluating the design, ask yourself whether each element really accomplishes its purpose. If not, drop the unnecessary element.

• Challenge your assumptions. Just as having a firewall doesn't automatically make your network bulletproof, implementing a DMZ doesn't solve your security challenges. If you're using a DMZ, think hard about its purpose and then analyze whether it really helps accomplish your goal.

• Avoid shortcuts. I've seen many cases where network administrators took shortcuts to handle implementation problems, and as a result created new security problems that were even worse. For example, some network administrators create VPNs between Exchange front-end and back-end servers, or put domain controllers into a DMZ when they weren't able to configure their firewall to permit communications between a domain member in the DMZ and an internal domain member. That defeats any traffic inspection at the firewall and can give an attacker easy access to a domain controller.

• Use host-based protection. Using a firewall to control traffic between two computers in different security zones doesn't protect against attacks from within the same security zone. Configuring packet filters on your servers and using the Windows Firewall included with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 can often achieve the same port-based traffic control between servers as a firewall. It can also prevent unwanted access from within the same security zone.

• Use IPSec. IPSec, available with Windows 2000 Server and later, provides security for IP packets. It can provide three functions: mutual authentication, packet integrity and encryption.
  • Mutual authentication deals with the inadequacy of relying on IP addresses and ports for authenticating network traffic. When using IPSec, a computer only accepts IP packets from another computer after the two have authenticated each other (Windows supports Kerberos, a preshared key or a certificate from a trusted certification authority), and every packet then carries an integrity check keyed to that authenticated session, so a spoofed source address is not enough to get a packet accepted.
  • Packet integrity ensures that packets haven't been altered in transit.
  • Encryption can defeat eavesdropping attacks, but it also prevents traffic inspection by firewalls or intrusion detection systems. Because of this potential risk, you need to know exactly when to use IPSec for authentication and integrity checking only, and when to use it to encrypt network traffic.

• Use smart firewalls. Old-style firewalls that filter based on IP addresses and ports have lost much of their usefulness. This doesn't mean, however, that there's no role for firewalls today. Today's firewalls, which are able to inspect application-layer protocols, can be an important component in controlling network traffic between publicly accessible servers and the resources they depend on (see my May 2005 Security Advisor column, "Picking the Right Firewall," for more on firewalls).

When to Keep Your DMZ

While there are often good reasons to dump your DMZ, there are still some situations where using one makes sense. The most common one is for servers that accept connections from the Internet but don't need to communicate with your internal network, such as a simple public Web server. Also, if you're using simple protocols and require no computer authentication, DMZs can provide the level of security you need. For example, SMTP relay servers that send and receive e-mail messages but don't store or process them are perfect candidates for placement in a DMZ.

No Ideal Solution

After using the example of an Exchange front-end/back-end design to point out the problems of DMZ configurations, I'm often asked to recommend a better solution. There is no ideal solution, and the specifics depend on an organization's requirements, but the design shown in Figure 3 on p. 68 is appropriate for many networks. This design includes two firewalls to provide redundancy, with at least one of the firewalls being smart enough to perform inspection of the application-layer protocols allowed into your network. ISA Server 2004 is one example. Also, such a design should incorporate tight control of network traffic between internal servers. For more protection, implement intrusion detection at several points in the network and use IPSec policies to control which network traffic is allowed between the servers and client computers on the internal network.

Just Re-Do It

No matter what your final network design ends up being, make sure that you carefully look at whether it really accomplishes what it's designed to do. If it doesn't, it's time to dump your DMZ and replace it with other types of protection, or to redesign it to make it do what it was designed to do.—

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. You can contact him at [email protected].
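The "Why DMZs Don't Work" section makes the point that a DMZ Web server converts Internet input into SQL and forwards it, so the internal firewall, which only sees "DMZ Web server to SQL port," passes injected queries just as readily as legitimate ones. The following added example (not code from the column) makes that concrete: a toy lookup page run both the naive way and with a parameterized query, with the firewall's view of the connection returned alongside the database result. sqlite3 stands in for the internal SQL Server; the addresses are assumptions and the customer rows are constructed sample data.

```python
"""A DMZ Web server forwarding Internet input to an internal SQL Server.

Added example, not code from the column. It models the point made in the
article: the internal firewall sees only 'DMZ Web server -> SQL Server
port', so it cannot tell a legitimate lookup from an injected one. sqlite3
stands in for the internal SQL Server, the addresses are assumptions and
the customer rows are constructed sample data.
"""
import sqlite3
from typing import List, Tuple

DMZ_WEB_IP = "192.0.2.10"            # assumption: the DMZ Web server
INTERNAL_SQL = ("10.0.0.20", 1433)   # assumption: internal SQL Server, TCP 1433

# Constructed sample data standing in for the customer database.
CUSTOMERS = [
    (1, "alice", "alice@example.test", "4111-1111-1111-1111"),
    (2, "bob", "bob@example.test", "5500-0000-0000-0004"),
    (3, "carol", "carol@example.test", "3400-0000-0000-009"),
]

# Two payloads an attacker on the Internet might put in ?name=.
BYPASS_PAYLOAD = "x' OR '1'='1"
EXFIL_PAYLOAD = "x' UNION SELECT name, card FROM customers --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(id INTEGER, name TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def firewall_allows(src_ip: str, dst: Tuple[str, int]) -> bool:
    """The internal firewall's rule: the DMZ Web server may reach the SQL port."""
    return src_ip == DMZ_WEB_IP and dst == INTERNAL_SQL


def lookup_vulnerable(conn: sqlite3.Connection, name_param: str) -> List[tuple]:
    """What a naive DMZ Web app does: splices the URL parameter into SQL."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name_param}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name_param: str) -> List[tuple]:
    """Hardened form: the parameter is bound as data, never parsed as SQL."""
    return conn.execute("SELECT name, email FROM customers WHERE name = ?",
                        (name_param,)).fetchall()


def serve_request(conn: sqlite3.Connection, name_param: str,
                  hardened: bool) -> Tuple[str, List[tuple]]:
    """Simulate the DMZ Web server handling ?name=... from the Internet.

    Returns what the internal firewall saw and what the database returned.
    """
    if not firewall_allows(DMZ_WEB_IP, INTERNAL_SQL):
        raise PermissionError("blocked by internal firewall")
    # The firewall's view is identical whatever the parameter contains.
    seen_by_firewall = f"{DMZ_WEB_IP} -> {INTERNAL_SQL[0]}:{INTERNAL_SQL[1]}/tcp"
    rows = (lookup_parameterized if hardened else lookup_vulnerable)(conn, name_param)
    return seen_by_firewall, rows


if __name__ == "__main__":
    db = make_db()
    for payload in ("alice", BYPASS_PAYLOAD, EXFIL_PAYLOAD):
        seen, rows = serve_request(db, payload, hardened=False)
        print(f"firewall saw {seen}; vulnerable app returned {rows}")
        print(f"parameterized app returned {serve_request(db, payload, hardened=True)[1]}")
```

The firewall string is the same for all three requests, which is the whole point: the control that stops the card numbers leaving the database is in the application (the parameterized query), not in the rule that lets the DMZ host reach port 1433.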
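The guidelines above contrast a rule keyed on source address and port with IPSec-style mutual authentication and packet integrity. The following added example (not code from the column, and not IPSec wire format) models that contrast: one check accepts a packet because of where it claims to come from, the other accepts it only if it carries a keyed integrity tag that a merely spoofed address cannot produce. The shared key stands in for the session key IPSec derives after the peers authenticate; the addresses, packets and key are constructed for the demo.

```python
"""Address-based trust versus authenticated, integrity-protected traffic.

Added example, not code from the column. It models the contrast drawn in
the guidelines: an old-style rule keyed on source address and port, beside
a check that accepts a packet only if it carries a keyed integrity tag, the
way IPSec AH/ESP does once two peers have authenticated each other. The
shared key stands in for the session key IPSec derives after
certificate-based authentication; packets, addresses and key are all
constructed for the demo and this is not IPSec wire format.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAIL_SERVER_IP = "192.0.2.25"   # assumption: Exchange front-end in the DMZ
DC_IP = "10.0.0.5"              # assumption: internal domain controller
LDAP_PORT = 389

# Key the DC shares with the front-end after mutual authentication. A host
# that merely spoofs the front-end's address never obtains it.
PEER_KEYS: Dict[str, bytes] = {MAIL_SERVER_IP: os.urandom(32)}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
    tag: Optional[bytes] = None   # keyed integrity check value, if present


def _auth_data(pkt: Packet) -> bytes:
    # The tag covers the addresses and the payload, as AH/ESP integrity does.
    return f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.dst_port}|".encode() + pkt.payload


def sign(pkt: Packet, key: bytes) -> Packet:
    pkt.tag = hmac.new(key, _auth_data(pkt), hashlib.sha256).digest()
    return pkt


def port_filter_allows(pkt: Packet) -> bool:
    """Old-style rule: the DMZ mail server may talk LDAP to the DC."""
    return (pkt.src_ip == MAIL_SERVER_IP and pkt.dst_ip == DC_IP
            and pkt.dst_port == LDAP_PORT)


def authenticated_allows(pkt: Packet) -> bool:
    """IPSec-style rule: the source address must be backed by a valid tag."""
    key = PEER_KEYS.get(pkt.src_ip)
    if key is None or pkt.tag is None:
        return False
    expected = hmac.new(key, _auth_data(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(pkt.tag, expected)


def legitimate_request() -> Packet:
    """The real front-end server binding to the DC."""
    pkt = Packet(MAIL_SERVER_IP, DC_IP, LDAP_PORT, b"bind cn=frontend")
    return sign(pkt, PEER_KEYS[MAIL_SERVER_IP])


def spoofed_request() -> Packet:
    """A compromised DMZ host forging the mail server's source address."""
    forged = Packet(MAIL_SERVER_IP, DC_IP, LDAP_PORT, b"bind cn=administrator")
    return sign(forged, b"attacker's guess at the key")


def tampered_request() -> Packet:
    """A genuine packet whose payload was altered in transit, tag left as is."""
    pkt = legitimate_request()
    pkt.payload = b"bind cn=administrator"
    return pkt


if __name__ == "__main__":
    for label, pkt in (("legitimate", legitimate_request()),
                       ("spoofed", spoofed_request()),
                       ("tampered", tampered_request())):
        print(f"{label:10} port filter: {port_filter_allows(pkt)}  "
              f"authenticated: {authenticated_allows(pkt)}")
```

Note that the tag gives authentication and integrity without encrypting the payload, which is the mode the column recommends where you still want a firewall or intrusion detection system to inspect the traffic.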


RedmondResources

ADVERTISING SALES

Henry Allain, Publisher: 949-265-1556 phone, 949-265-1528 fax, [email protected]
Matt Morollo, Associate Publisher: 508-532-1418 phone, 508-875-6622 fax, [email protected]
Northwest (No. CA, OR, WA, Alberta, British Columbia, Saskatchewan): Bruce Halldorson, Northwestern Regional Sales Manager, 209-473-2202 phone, 209-473-2212 fax, [email protected]
East (LA, MS, KY, TN, AL, GA, ME, NH, VT, MA, RI, CT, NY, PA, NJ, DE, MD, WV, VA, NC, SC, FL, Quebec, Ontario, Europe): JD Holzgrefe, Eastern Regional Sales Manager, 804-752-7800 phone, 253-595-1976 fax, [email protected]
West/Mid West (AK, AZ, So. CA, CO, HI, ID, IA, IL, IN, KS, MI, MN, MO, MT, ND, NE, NM, NV, OH, OK, SD, TX, UT, WI, WY, Manitoba, Pacific Rim, Australia, New Zealand, India, Pakistan): Dan LaBianca, Western Regional Sales Manager, 818-674-3417 phone, 818-734-1528 fax, [email protected]
IT Certification & Training (USA, Europe): Al Tiano, Advertising Sales Manager, IT Certification & Training, 818-734-1520 ext.190 phone, 818-734-1529 fax, [email protected]
Online Sales (ENTmag.com and TCPmag.com): Tanya Egenolf, Advertising Sales Manager, 760-722-5494 phone, 760-722-5495 fax, [email protected]
Production: Kelly Smith, Associate Production Coordinator, 818-734-1520 ext.164 phone, 818-734-1528 fax, [email protected]

AD INDEX (Advertiser, Page, URL)

Citrix Education, 51, www.citrix.com
CrossTec, 46, www.crossteccorp.com
DesktopStandard, 8, www.DesktopStandard.com
Devon IT, 31, www.devonit.com
EMC, 20, www.legato.com
Geeks on Call, 42, www.geeksoncall.com
GFI Software, 27, www.gfi.com
Global Knowledge, 33, www.globalknowledge.com
GOexchange by Lucid8 LLC, 19, www.goexchange.com
Good Technology, 17, www.goodtechnology.com
LinkTek, 52, www.linktek.com
MCPmag.com Tech Library, 66, www.techlibrary.com
Network Automation, 14, www.networkautomation.com
Network Instruments, 58, www.networkinstruments.com
PrepLogic, C3, www.preplogic.com
Project Management Institute, 25, www.pmi.org/NEXTSTEP.htm
Quest Software, C4, www.quest.com
Redmond Subscription, 64, www.redmondmag.com
Redmond Channel Partner, 69, www.rcpmag.com
Scriptlogic, 22, www.scriptlogic.com
Shavlik, 5, www.shavlik.com
Sunbelt Software, 7, 49, 55, www.sunbelt-software.com
SurfControl, C2, www.surfcontrol.com
TechMentor San Jose, 59-62, www.techmentorevents.com
The Neverfail Group, 37, www.neverfailgroup.com
The Training Camp, 57, www.trainingcamp.com
Veritas, 11, www.veritas.com
Websense, 3, www.websense.com

EDITORIAL INDEX (Company, Page, URL)

Advanced Micro Devices Inc., 21, 26, www.amd.com
Groove Networks, 38-41, www.groove.net
Hewlett-Packard Co., 9, www.hp.com
IBM Corp., 10, www.ibm.com
Intel Corp., 9, 21, www.intel.com
Microsoft Corp., 9, 10, 12, 13, 15, 16, 18, 21, 23, 25, 26, 28-30, 32, 34-36, 38-41, 47, 48, 50, 53, 54, 56, 57, 59, 65, 70, 72, www.microsoft.com
NetIQ Corp., 15, 16, 18, www.netiq.com
Panasonic Corp., 29, 30, www.panasonic.com
Research In Motion Ltd., 13, www.blackberry.com
ScriptLogic Corp., 13, www.scriptlogic.com
Silex Technology America Inc., 29, 32, www.silexamerica.com
SWsoft Inc., 21, www.sw-soft.com
VMware Inc., 21, 26, www.vmware.com

Corporate Headquarters: 9121 Oakdale Ave., Ste. 101, Chatsworth, CA 91311, www.101com.com

Media Kits: Direct your Media Kit requests to Matt Morollo, Associate Publisher, 508-532-1418 (phone), 508-875-6622 (fax), [email protected].

Reprints: For all editorial and advertising reprints, contact Valeo IP at 888-VALEOIP or e-mail: [email protected].

List Rentals: To rent REDMOND's or other 101communications' publications postal, telemarketing or e-mail lists, please contact our list manager: Worldata, 3000 N. Military Trail, Boca Raton, FL 33431-6375, 1-800-331-8102, www.worldata.com

CONFERENCES: TechMentor Conferences: contact Al Tiano, Sales Manager, 818-734-1520 ext. 190, [email protected]. The Data Warehousing Institute: contact Diane Smith, Exhibit Sales, 206-246-5059 ext.108, Denelle Hanlon, Publication and Sponsorship Sales, 206-246-5059 ext.102, [email protected]. FCW Events and Conferences: contact Lucy Cooley, Events Director, 703-876-5081, [email protected]. Syllabus Conference and Exhibition: contact Anne Morris, Exhibit Space or Sponsorship, 818-734-1520 ext.219, [email protected].

REDMOND magazine, 16261 Laguna Canyon Road, Ste. 130, Irvine, CA 92618. The information in this magazine has not undergone any formal testing by 101communications and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader's sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors, new developments in the industry and/or changes or enhancements to either hardware or software components.

REDMOND magazine (ISSN: 1081-3497, USPS: 0015-657) is published monthly by 101communications LLC, 9121 Oakdale Ave., Ste. 101, Chatsworth, CA 91311. Periodicals postage paid at Chatsworth, CA 91311-9998, and at additional mailing offices. Annual subscription rates for U.S. $39.95 (U.S. funds). Postage for Canada/Mexico $15 (U.S. funds); International $25 (U.S. funds). Subscription inquiries, back issue requests, and address changes: Mail to: REDMOND magazine, 2104 Harvell Circle, Bellevue, NE 68005, email [email protected] or call (866) 293-3194 for U.S. & Canada; (402) 293-3194 for International, fax (402) 293-0741. POSTMASTER: Send address changes to REDMOND magazine, 2104 Harvell Circle, Bellevue, NE 68005. Canada Publications Mail Agreement No: 40039410. Return Undeliverable Canadian Addresses to Circulation Dept. or DPGM 4960-2 Walker Road, Windsor, ON N9A 6J3, Canada. Copyright 2005 by 101communications LLC. All rights reserved. Printed in U.S.A.

© 2005 by 101communications. All rights reserved. Reproductions in whole or part prohibited except by written permission. Mail requests to "Permissions Editor," c/o REDMOND magazine. This index is provided as a service. The publisher assumes no liability for errors or omissions.


Ten Steps Microsoft Should Take to Improve Security, by Paul Desmond

You’ll find nothing funny about this column, for the topic this month is security—no laughing matter. Asked to submit ideas on steps Microsoft should take to improve security in its products and networks, readers and analysts had no shortage of ideas.

Educate the Masses

It’s often said that security is more about process than products. John Pescatore, a vice president with Gartner Research, echoes that theme. “Microsoft should invest in a lot more analysis and R&D work on safety: how to prevent naive users from having security problems.” Besides helping consumers, he says such steps would help prevent hackers from using their PCs as launching pads for attacks on business systems.

Security by Obscurity

“Allowing users to easily change default ports of different services would prevent many attacks. You can do it now, but it takes a researched registry edit in most cases,” says Roger Grimes, senior consultant with Banneret Computer Security, describing what he calls “security by obscurity.” “Microsoft could do a better job by focusing its efforts on developing defenses that really work against automated malware. I mean OS blocks that work even when the malware gets past our initial defenses, which they always will.”

Better Best Practices

Grimes also suggests Microsoft come out with more detailed best practice guides for securing desktops and servers. As an example, he cites the security templates available from the Center for Internet Security (CIS). I like the CIS model (www.cisecurity.org), which is to create security benchmarks based on input from its members that specify in detail how best to configure computers for proper security.

Check Compliance

Yet another Grimes suggestion (yes, I know, I should’ve had him write this column): Microsoft should develop a better way to audit clients for group policy compliance. “GPOs are a great way to push security settings out, but how do we really know if the settings and changes were applied?” he asks. “Where did it fail? Why?” Vendors such as ScriptLogic, of course, will be happy to sell you tools that perform a function quite similar to what Grimes describes.

Launch Lawsuits

“Sue the vulnerability researchers,” says Pete Lindstrom, research director at Spire Security. “Increase the bounty on worm and virus writers.” I can see how you can make that case, at least when it comes to the irresponsible researchers who put out results before giving vendors a chance to write patches.

Enhance Auditing

Waleed Omar, senior network administrator with Mantrac Group, says Microsoft needs to enhance its auditing capabilities, so you can see who did what when. “The audit trails I can generate from a Windows server are nothing compared with other OSes,” he says.

End Buffer Overflows

A number of readers expressed exasperation with the continued problem of buffer overflows. More careful coding—even at the expense of product delays—can correct the problem, they contend. “How long has the buffer overflow been around?” asks Mike Ste. Marie, an information security analyst at a company he’d rather not name. “How many releases of IE have we had since then? You’re telling me they couldn’t have re-written IE and prevented that vulnerability?” No, Mike, I’m not going to tell you that.

Let IE Stand Alone

More than one reader had another IE-related suggestion. “If Microsoft were really serious about security it would create an IE that was totally standalone. No hooks into any user [Microsoft] products or anyone else’s,” says Patrick Dooley, of the Wisconsin Department of Revenue. Michael Hubbard, infrastructure supervisor at Circle Seals Controls, Inc., was more succinct yet equally clear: “Separate IE from the OS!!!!”

Correlate, Correlate

“Microsoft should buy or create a vulnerability scanning tool that integrates into System Center 2005,” says Shawn Conaway, who works in the IT services department at the Roundy’s, Inc. supermarket chain. “System Center then should correlate SMS, MOM, ACS (Admission Control Service) and vulnerabilities.” Correlation of security alarms and vulnerabilities—a little slice of security heaven.

All Is Well

Charles Kolodgy, research director for security products at IDC, came back with the most surprising response of anyone I heard from. “Sorry I don’t have anything new to offer,” he replied. “Microsoft has been doing well with many of its existing initiatives. The anti-spyware product works well. It has improved patching and code reviews, etc.” I guess I lied when I said there’d be nothing funny in this column.

Desmond is editor of Redmond magazine. You can reach him at [email protected].
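The compliance audit Grimes describes under Check Compliance, and the CIS-style benchmark he points to under Better Best Practices, as an added example that is not from the column, from Microsoft or from CIS: a PowerShell script that compares a few registry-backed security settings against a baseline and then pulls recent Group Policy processing errors, so a missing setting comes with a "where did it fail, and why". The baseline entries are constructed sample values in the style of a CIS benchmark, not an actual CIS benchmark; the script assumes Windows Vista/Server 2008 or later (for the GroupPolicy operational log) and an elevated session.

```powershell
# Added example, not code from the column, from Microsoft or from CIS.
# Verifies that security settings Group Policy should have pushed actually
# exist on this machine (the registry is what a GPO ultimately writes), then
# lists recent Group Policy processing errors so "where did it fail, and why?"
# has an answer. Assumes Windows Vista/Server 2008 or later and an elevated
# PowerShell session.

# Constructed sample baseline in the style of a CIS benchmark (assumed values,
# not an actual CIS benchmark). Each entry: the policy name, the registry key
# and value the policy writes, and the value it should hold.
$Baseline = @(
    @{ Name     = 'Remote Desktop requires Network Level Authentication'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value    = 'UserAuthentication'
       Expected = 1 },
    @{ Name     = 'Do not store LAN Manager hash on next password change'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'NoLMHash'
       Expected = 1 },
    @{ Name     = 'Server-side SMB signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'Autorun disabled for all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 255 }
)

function Test-SecurityBaseline {
    param([Parameter(Mandatory)][array]$Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        $status = 'Missing'        # key or value absent: the policy never landed
        $props = Get-ItemProperty -Path $item.Path -Name $item.Value -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            $actual = $props.($item.Value)
            $status = if ($actual -eq $item.Expected) { 'Compliant' } else { 'Drift' }
        }
        [pscustomobject]@{
            Setting  = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

function Get-GroupPolicyErrors {
    param([int]$Hours = 24)
    # Level 2 = Error. Each record names the client-side extension or GPO that
    # failed and carries the Win32 error code, which is the "why".
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$results = Test-SecurityBaseline -Baseline $Baseline
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -ne 'Compliant' } | ForEach-Object {
    Write-Warning "$($_.Setting): $($_.Status) (expected $($_.Expected), found $($_.Actual))"
}
Get-GroupPolicyErrors -Hours 24 | Format-Table -AutoSize -Wrap
```

To audit a fleet rather than one box, save the script and run it through Invoke-Command against a computer list (this assumes WinRM is enabled on the targets), and read the result next to what gpresult /r reports on each machine: a GPO listed as applied while its value shows up as Missing or Drift points at a precedence conflict, a later GPO overriding it, or a client-side extension failure, which is exactly what the error log at the end is there to surface.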

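The "who did what when" trail Omar wants under Enhance Auditing, as an added example that is not from the column or from Microsoft: a PowerShell script that reads the Windows Security log and ties each file-access event (4663) on a folder back to the logon session (4624) it happened under, so every row carries the user, the object, the access mask, the process, the logon type and the source address. It assumes Windows Vista/Server 2008 or later, an elevated session, object-access auditing enabled and a SACL on the folder; the folder path is a placeholder.

```powershell
# Added example, not code from the column or from Microsoft.
# Builds a "who did what, when, from where" trail for one folder from the
# Windows Security log: file-access events (4663) tied back to the logon
# session (4624) they happened under. Assumes Windows Vista/Server 2008 or
# later, an elevated session, object-access auditing switched on, e.g.
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
# and a SACL on the folder (Properties > Security > Advanced > Auditing).
# The folder path below is a placeholder.

$WatchedPath = 'C:\Finance\Payroll'

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name=...> elements into a hashtable so
    # fields can be read by name instead of by position in the message text.
    param($Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    $fields
}

function Get-FileAccessTrail {
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4663; StartTime = $Since
    } -ErrorAction SilentlyContinue

    # Index logons by LogonId: 4663 carries SubjectLogonId, which matches the
    # TargetLogonId of the 4624 that opened the session.
    $logons = @{}
    foreach ($e in ($events | Where-Object { $_.Id -eq 4624 })) {
        $d = ConvertFrom-EventData $e
        if ($d.TargetLogonId) {
            $logons[$d.TargetLogonId] = [pscustomobject]@{
                LogonType = $d.LogonType      # 2 interactive, 3 network, 10 RDP ...
                Source    = $d.IpAddress
            }
        }
    }

    foreach ($e in ($events | Where-Object { $_.Id -eq 4663 })) {
        $d = ConvertFrom-EventData $e
        if ($d.ObjectName -notlike "$Path*") { continue }
        $logon = $logons[$d.SubjectLogonId]
        [pscustomobject]@{
            When      = $e.TimeCreated
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            What      = $d.ObjectName
            Access    = $d.AccessMask      # e.g. 0x1 read, 0x2 write, 0x10000 delete
            Process   = $d.ProcessName
            LogonType = $logon.LogonType
            From      = $logon.Source
        }
    }
}

Get-FileAccessTrail -Path $WatchedPath | Sort-Object When | Format-Table -AutoSize
```

The join on LogonId is what turns a bare "user X opened file Y" into something usable in an investigation: a network logon (type 3) from an unexpected address touching a payroll file reads very differently from an interactive logon (type 2) at the console. Audit File System generates a lot of events, so scope the SACL to the folders that matter and keep the Security log large enough to cover the window you query.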
72 | July 2005 | Redmond | redmondmag.com

Don’t count on luck. When it comes to directory availability, count on Recovery Manager for Active Directory.

If you’ve never experienced downtime caused by corruption or improper modifications, consider yourself lucky. Unfortunately, luck runs out. Which is where Quest Recovery Manager for Active Directory comes in.

Recovery Manager empowers you with centralized backup and recovery for all or any part of the directory in minutes—not days—with remote, online, and granular restore capabilities. Downtime is minimized. User productivity stays high.

Count on Quest—Microsoft’s 2004 Global ISV Partner of the Year—for quick recovery. Find out more today with a free white paper: 11 Things to Know about Active Directory Recovery.

Visit www.quest.com/CountOnQuest for your free white paper!

© 2005 Quest Software, Inc. All rights reserved. Quest and Quest Software are trademarks or registered trademarks of Quest Software, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.

Application Management | Database Management | Windows Management