
Foley: Microsoft’s Plan to Save Windows Azure

FEBRUARY 2012 VOL. 18 NO. 2 REDMONDMAG.COM

Software Life Support

Apps and OSes don’t just die when a publisher stops supporting them. Redmond readers share how they keep their favorite old software alive.

+ A Kerberos Primer
E-Mail Archiving Moves to the Cloud


Redmond: The Independent Voice of the Microsoft IT Community

Contents, FEBRUARY 2012

COVER STORY
Keeping Dead Products Alive
Software companies rely on regular customer upgrades and decommissioning old titles. But what is good for vendors isn’t so great for IT, which often has to support unsupported software. Page 14

REDMOND REPORT
10 Ballmer Touts Metro UI at CES 2012
The tile-like Microsoft UI is seen as unifying the user experience across multiple devices.

TECHNET PRACTICAL APP
12 Virtual Cloud Security Concerns
Using virtual machines within the context of a cloud computing infrastructure poses some interesting security challenges.

FEATURES
21 The Rapid Move to Cloud E-Mail Archiving
While security is still a concern for some companies, more and more businesses are outsourcing e-mail archiving to cloud vendors. And the vendors themselves are proliferating.
24 Understanding the Essentials of the Kerberos Protocol
Knowing the of this pervasive Windows protocol can be critical in diagnosing and solving security problems.

COLUMNS
6 Barney’s Rubble: Doug Barney
Software Bloat
28 Decision Maker: Don Jones
PowerShell Skills in the Workplace
30 Windows Insider: Greg Shields
System Center: Get Mature
32 Foley on Microsoft: Mary Jo Foley
Can Microsoft Save Windows Azure?

ALSO IN THIS ISSUE
4 Redmondmag.com | 8 [email protected]

COVER IMAGES FROM SHUTTERSTOCK

Redmondmag.com FEBRUARY 2012

VirtualizationReview.com
2012 Reader’s Choice Awards and Buyer’s Guide
Peruse the virtualization and cloud products that interest you and see what your fellow readers think about them in sister publication Virtualization Review’s 2012 Reader’s Choice Awards and Ultimate Buyer’s Guide. With a total of 274 products and 177 vendors, this is the most comprehensive list of virtualization and cloud products in one place. Be sure to download the full PDF, which includes descriptions and Web site information for every single product listed. VirtualizationReview.com/2012RCABG

Posey’s Tips & Tricks
Be sure to check out seven-time Microsoft MVP and regular Redmond contributor Brien M. Posey’s online-only column. Twice monthly he shares his best-kept secrets on how to keep your network in top-notch shape. You can access all of his columns at Redmondmag.com/PoseyTips.

The Future Technology Nobody Is Talking About
Does technology such as 3-D gaming and motion-controlled devices give us a hint about what Microsoft envisions for the future? Redmondmag.com/PoseyA0212

Windows To Go: Microsoft’s OS Becomes Portable
Posey discusses the security issues tangled with remote user access and highlights how Microsoft might be simplifying the process with its upcoming Windows To Go bootable device. Redmondmag.com/PoseyB0212

Redmondmag.com
Clearing the Air in Forest Recovery
Decision Maker columnist Don Jones discusses the confusion surrounding Active Directory forest recovery in his online blog, IT Decision Maker. It appears even he was a bit confused at the message being sent by third-party vendors regarding the process and consequences involved with recovering a forest in Active Directory. Even if you’re not sure your company needs a third-party forest recovery product, the bottom line, says Jones, is that “you should absolutely separate forest recovery—which is the very definition of ‘disaster recovery’—from the day-to-day data restoration that your company also needs.” Redmondmag.com/Jones0112

What Are FindIT Codes?
What we once called FindIT codes are now easy URLs. You’ll see these embedded throughout Redmond so you can access any additional information quickly. Simply type in Redmondmag.com/ followed by the FindIT code into your URL address field. (Note that all URLs do not have any spaces, and they are not case-sensitive.)

ID STATEMENT Redmond (ISSN 1553-7560) is published monthly by 1105 Media, Inc., 9201 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. Periodicals postage paid at Chatsworth, CA 91311-9998, and at additional mailing offices. Complimentary subscriptions are sent to qualifying subscribers. Annual subscription rates payable in U.S. funds for non-qualified subscribers are: U.S. $39.95, International $64.95. Subscription inquiries, back issue requests, and address changes: Mail to: Redmond, P.O. Box 2166, Skokie, IL 60076-7866, email [email protected] or call (866) 293-3194 for U.S. & Canada; (847) 763-9560 for International, fax (847) 763-9564. POSTMASTER: Send address changes to Redmond, P.O. Box 2166, Skokie, IL 60076-7866. Canada Publications Mail Agreement No: 40612608. Return Undeliverable Canadian Addresses to Circulation Dept. or XPO Returns: P.O. Box 201, Richmond Hill, ON L4B 4R5, Canada.

COPYRIGHT STATEMENT © Copyright 2012 by 1105 Media, Inc. All rights reserved. Printed in the U.S.A. Reproductions in whole or part prohibited except by written permission. Mail requests to “Permissions Editor,” c/o Redmond, 4 Venture, Suite 150, Irvine, CA 92618.

LEGAL DISCLAIMER The information in this magazine has not undergone any formal testing by 1105 Media, Inc. and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors and/or new developments in the industry.

CORPORATE ADDRESS 1105 Media, 9201 Oakdale Ave. Ste 101, Chatsworth, CA 91311 www.1105media.com

MEDIA KITS Direct your Media Kit requests to Matt Morollo, VP Publishing, 508-532-1418 (phone), 508-875-6622 (fax), [email protected]

REPRINTS For single article reprints (in minimum quantities of 250-500), e-prints, plaques and posters contact: PARS International Phone: 212-221-9595. E-mail: [email protected]. www.magreprints.com/QuickQuote.asp

LIST RENTAL This publication’s subscriber list, as well as other lists from 1105 Media, Inc., is available for rental. For more information, please contact our list manager, Merit Direct. Phone: 914-368-1000; E-mail: [email protected]; Web: www.meritdirect.com/1105


Barney’s Rubble
by Doug Barney

Bloated Software

Name your favorite software program of all time. Chances are it won’t be feature-filled Office 2010, SAP R/3 or some highfalutin custom corporate app.

I love it when my opinions match those of real experts, especially when those experts are you, the Redmond magazine reader. And while it’s not unanimous, it seems that most of you agree with me that today’s software is bigger than it need be, that the features wars have one main casualty: the user.

How do I know? I talked to you and heard you yearn for MS-DOS, simple old versions of WordPerfect and new phone and tablet apps (even my 5-year-old daughter Kiley can use an iPad or iPhone with zero training).

So now we have two contrasting trends. Client and server apps are more bloated than an uncle on Thanksgiving night. Windows 7, Office 2010, et al all need more resources to support more features. And how many server apps require 64-bit multi-core processing? That ain’t exactly lean.

Often we can’t decide if we want this hefty new software. If you get a new OS, guess what? You need new apps, which are generally larger and look and act different to boot. What if you don’t want a new OS? Well, if you want security and support, you best get to upgradin’.

New features are how vendors justify the cost of new software, the same reason cars get GPS devices, DVD players and voice-activated vehicle control options. (Plus it keeps their dealers in business fixing all this junk!)

Maybe this is why there’s a love affair with tablets, and so little feeling for netbooks, which are able to stuff larger software programs into an increasingly smaller package.

Tablet apps are the opposite. They’re tiny with minimalist interfaces. The first time I used an iPad was at a retail store. I’d never even used an iPhone, but had spent about 10 minutes before with an iPod touch. I was surfing the Web on the iPad in about 24 seconds. Microsoft is getting that same religion with Windows Phone and the upcoming Windows 8 Metro-style interface.

The question now is how Microsoft will reconcile the two approaches. How can it truly make simple phones and straightforward Metro apps enterprise class, and meanwhile keep big client apps compelling?

I think it has to do both. While most classic software has too many features, our businesses rely on all these big apps. Templates, file formats, macros, add-on software and middleware can’t just disappear. Nor can they just be given a pretty new face. Just think of how many tablets are running rich Windows apps through virtualization.

What’s your ideal balance between features and usability? I want to hear from you—let me know at [email protected].

ILLUSTRATION BY ALAN TAO/SHUTTERSTOCK

Editorial Staff
Editor in Chief: Doug Barney
Executive Editor, Features: Lee Pender
Editor at Large: Jeffrey Schwartz
Managing Editor: Wendy Gonchar
Associate Managing Editor: Katrina Carrasco
Contributing Editors: Mary Jo Foley, Don Jones, Greg Shields

Art Staff
Creative Director: Scott Shultz
Art Director: Brad Zerbel
Senior Graphic Designer: Alan Tao

Production Staff
Director, Print Production: Jenny Hernandez-Asandas
Print Production Coordinator: Elena Sipagan

Online/Digital Media
Online News Editor: Kurt Mackie
Executive Editor, New Media: Michael Domingo
Director, Online Media: Becky Nagel
Associate Web Editor: Chris Paoli
Site Administrator: Shane Lee
Designer: Rodrigo Muñoz

Advertising and Sales
Associate Publisher: JD Holzgrefe
Northwestern Regional Sales Manager: Bruce Halldorson
Microsoft Account Manager: Danna Vedder
Advertising Sales Associate: Tanya Egenolf

President: Henry Allain
Vice President, Publishing: Matt Morollo
Vice President, Editorial Director: Doug Barney
Director, Marketing: Michele Imgrund
Online Marketing Director: Tracy Cook

President & Chief Executive Officer: Neal Vitale
Senior Vice President & Chief Financial Officer: Richard Vitale
Executive Vice President: Michael J. Valenti
Vice President, Finance & Administration: Christopher M. Coates
Vice President, Information Technology & Application Development: Erik A. Lindgren
Vice President, Event Operations: David F. Myers
Chairman of the Board: Jeffrey S. Klein

Reaching the Staff
Staff may be reached via e-mail, telephone, fax, or mail. A list of editors and contact information is also available online at Redmondmag.com.
E-mail: To e-mail any member of the staff, please use the following form: [email protected]
Framingham Office (weekdays, 9:00 a.m. – 5:00 p.m. ET) Telephone 508-875-6644; Fax 508-875-6633, 600 Worcester Road, Suite 204, Framingham, MA 01702
Irvine Office (weekdays, 9:00 a.m. – 5:00 p.m. PT) Telephone 949-265-1520; Fax 949-265-1528, 4 Venture, Suite 150, Irvine, CA 92618
Corporate Office (weekdays, 8:30 a.m. – 5:30 p.m. PT) Telephone 818-814-5200; Fax 818-734-1522, 9201 Oakdale Avenue, Suite 101, Chatsworth, CA 91311
The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher.


[email protected]

Security Concerns
This article is disturbing to say the least, not to mention, irresponsible [Windows Insider, “12 New Year’s Resolutions for Windows IT Pros in 2012,” January 2012]. Anyone who refers to the very real and more-dangerous-than-ever security issues we face as “boogeyman” is someone with absolutely no idea about the current state of IT. Every single day brings us new stories of a network being breached. Add to that the fact that there’s more financial, health, and other critical and confidential information being stored in the cloud and on mobile systems, and you should know that now—more than ever—we need to lock down systems, tell users no and take drastic measures to secure systems. To say that users are “more knowledgeable than ever before” would be hysterical if it weren’t such an ignorant (not to mention irresponsible) statement.
Posted Online by Todd from Ohio

The security boogeyman?!?! Apparently Shields has been living under a rock. From Operation Aurora to Stuxnet to the U.S. Defense Department being hacked, security threats are very real and very much a threat to every organization. Shields, you are a fool, get a helmet and stay down!
Posted Online by Tim from Massachusetts

Too Young to Remember
You did it again, hiring too young a staff to remember where it really all began [“The List Issue: Top 14 Products that Changed IT in the PC Era,” January 2012]. The first real desktop PC that began the change was the PDP-8, brought to us by the late Digital Equipment Corp. (DEC). It was the gift of a DEC PDP-1 that got the first generation going—turning out things like the first word processor (“expensive typewriter”) and video game (“Spacewars”). But the PDP-8 (1965) was the industry’s Model T, the first computer to “Go Gold, then Platinum” in sales, when computers were generally one-off or two-off products.
It was the first computer students both legally and illegally had in their dorm rooms and homes, the first product cheap enough to put in high schools. The 8, at 250 lbs, easily fit on the typical academic battleship grey desk of the era, along with the ASR-33 that provided the base 4K model with printer and long-term storage I/O on paper tape. And even when some professor owned it, at night, it was ours.
Posted Online by Anonymous

Hot Buttons
Re: No. 12 [Foley on Microsoft, “12 Microsoft Hot Buttons for 2012,” January 2012]—rumor is that Microsoft makes more money off of every Android device sold than it does off of the sale of Windows Phone 7-based devices. If true, then why would they want to impact Android sales?
Posted Online

Privacy Is Dead
You are not paranoid! The amount of personal information that we’re making public knowledge both knowingly and unknowingly is staggering. Unfortunately, staying offline is the only real security. And even that just protects you from yourself. People that have never been online have their info passed back and forth as well. Another aspect to privacy that’s being infringed upon is video privacy. There are more and more cameras watching us all and no way to opt out of those, either.
Alan Lantz
City of Rogers, Ariz.


Redmond Report

Ballmer Touts Metro UI at CES 2012 The tile-like Microsoft UI is seen as unifying the user experience across multiple devices.

By Kurt Mackie

In January, Microsoft CEO Steve Ballmer delivered what might be his final keynote address to a Consumer Electronics Show (CES) in Las Vegas. The company had announced earlier that it would no longer participate after 15 years at CES.

Also taking the stage at the CES 2012 keynote was Tami Reller, Windows chief marketing officer. The talk’s theme, if there was one, was the unifying experience of the Metro UI as used in Windows Phone 7 and Windows 8 devices, as well as the Xbox game console. Users will see the same Metro UI across applications, videos, games, music and social networking.

Windows Phone 7
Windows Phone 7 constituted much of the “news” during the keynote, with the Nokia Lumia and HTC products featured. The Nokia Lumia 710 and Lumia 800 will be coming, Ballmer said. The Lumia 710 can be bought now, but the Lumia 800 will be available in “the next few months.” The Nokia Lumia 900 was unveiled at the show. It features a 4.3-inch screen and will be available in “the next few months,” Ballmer said. AT&T will be the mobile carrier selling Nokia’s new phones in the U.S. markets in the first half of this year. The Lumia 900 and the HTC Titan II will be supported with “4G speeds delivered by LTE or HSPA+” on the AT&T wireless network, with 4G speeds available in some markets.

[Photo caption] HTC Titan II has the largest Windows Phone display, a 16 megapixel camera and will run via the AT&T 4G LTE network.

[Photo caption] Nokia Lumia 900 has Nokia’s largest Windows Phone display at 4.3 inches and will run via the AT&T 4G LTE network in the spring.

Windows 8 Milestone
Microsoft reiterated some important Windows 8 news during the keynote. For instance, the next milestone for Windows 8 (a beta release) will happen in “late February,” something that Microsoft had announced back in December. Coinciding with the Windows 8 beta, Microsoft plans to open its online Windows Store for Metro-style applications. The online store will be available in more than 100 languages. Both free and paid apps will be available in more than 200 regions, according to Reller. She claimed that developers will be able to write once and have their apps run across both platforms (x86 and ARM). Presumably, this capability is only true of Metro-style apps based on HTML5, XAML or JavaScript, but Reller didn’t get into those specifics.

A tablet running the AMD ARM-based Tegra 3 chip and Windows 8 was spotted at CES 2012. However, this keynote didn’t feature very much discussion about Microsoft’s Windows 8 ARM strategy, which had been a major topic at Ballmer’s CES 2011 keynote. Similarly, there was no talk during the keynote about Intel and AMD’s progress in building system-on-chip processors for Windows 8.

Reller mentioned just a few pieces of new hardware on the stage, without naming the Windows version used. She named the HP Envy 14 Spectra Ultrabook and the Samsung Series 9 notebook (less than 13-mm thick, 2.5 lbs, 15-inch screen).

Much of the keynote covered old ground for Microsoft, so one of the more interesting presentations turned out to be Sesame Street’s efforts in using the Kinect sensor add-on to the gaming console. Sesame Street is using Kinect to make interactive videos for children. A cutaway video at the keynote showed a Sesame Street character counting coconuts thrown by the viewer toward the TV screen. The magic number was “4,” according to Elmo the muppet, which verified the count.

Prior to the Sesame Street bit, Ballmer added some impressive numbers of his own. He said that Microsoft has shipped more than 18 million Kinect sensors over the last year. He added that there are more than 66 million Xbox console users and more than 40 million Xbox Live users. Microsoft plans to bring Kinect to Windows-based hardware on Feb. 1 in 12 countries.

Kurt Mackie is the online news editor for the 1105 Enterprise Group.

10 | February 2012 | Redmond | Redmondmag.com | advertisement John Bagley: 10 Holiday Gifts for “Independently reviewed by industry experts these free tools proved to be useful for IT pros.” IT Professionals

$XGLW$FWLYH'LUHFWRU\DQGÀOHVHUYHUVVHFXUHO\ PDQDJHSDVVZRUGVGHWHFWLQDFWLYHXVHUVDQG more – for free.


John Bagley (john_bagley@sbcglobal.net) is an award-winning professional writer and independent consultant who contributes to newspapers and magazines.

PracticalApp
Content provided by TechNet Magazine, Microsoft’s premier publication for IT Professionals

Virtual Cloud Security Concerns

Using virtual machines within the context of a cloud computing infrastructure poses some interesting security challenges.

By Vic Winkler

Adapted from “Securing the Cloud” (Syngress, an imprint of Elsevier)

Virtualization is transitioning from the technology that drives server consolidation and datacenter operations to a key ingredient in creating a flexible, on-demand infrastructure—another way of describing cloud computing. While there are certain issues to address when adopting virtualization in any environment, there are additional security concerns that arise when using virtualization to support a cloud environment.

When adopting virtualization for cloud computing, it becomes evident that the management tools used in a physical server-based deployment won’t suffice in a highly dynamic virtualized one. To begin with, in a physical server deployment model, provisioning automation is generally not as heavily used unless there’s a significant enough number of server OSes to warrant doing so.

The typical strategy for provisioning physical servers involves repetitive steps. In a heavily virtualized environment like the cloud, OS provisioning will rapidly transition to being a highly automated process.

A New Threat

Virtualization alters the relationship between the OS and hardware. This challenges traditional security perspectives. It undermines the comfort you might feel when you provision an OS and application on a server you can see and touch. Some already believe this sense of comfort is misplaced in most situations. For the average user, the actual security posture of a desktop PC with an Internet connection is hard to realistically discern.

Virtualization complicates the picture, but doesn’t necessarily make security better or worse. There are several important security concerns you need to address in considering the use of virtualization for cloud computing.

One potential new risk has to do with the potential to compromise a virtual machine (VM) hypervisor. If the hypervisor is vulnerable to exploit, it will become a primary target. At the scale of the cloud, such a risk would have broad impact if not otherwise mitigated. This requires an additional degree of network isolation and enhanced detection by security monitoring.

In examining this concern, first consider the nature of a hypervisor. As security consultant and founding partner of Nemertes Research Group Inc. (nemertes.com), Andreas Antonopoulos has observed, “Hypervisors are purpose-built with a small and specific set of functions. A hypervisor is smaller, more focused than a general purpose operating system, and less exposed, having fewer or no externally accessible network ports.

“A hypervisor does not undergo frequent change and does not run third-party applications. The guest operating systems, which may be vulnerable, do not have direct access to the hypervisor. In fact, the hypervisor is completely transparent to network traffic with the exception of traffic to/from a dedicated hypervisor management interface.

“Furthermore, at present there are no documented attacks against hypervisors, reducing the likelihood of attack. So, although the impact of a hypervisor compromise is great (compromise of all guests), the probability is low because both the vulnerability of the hypervisor and the probability of an attack are low.”

Storage Concerns

Another security concern with virtualization has to do with the nature of allocating and de-allocating resources such as local storage associated with VMs. During the deployment and operation of a VM, data is written to physical memory. If it’s not cleared before those resources are reallocated to the next VM, there’s a potential for exposure.

These problems are certainly not unique to virtualization. They’ve been addressed by every commonly used OS. You should note, though, the initial OS may terminate in error before resources are cleared. Also, not all OSes manage data clearing the same way. Some might clear data upon resource release, others might do so upon allocation.

The bottom line: Control how you use storage and memory when using a public cloud. Clear the data yourself, carefully handle operations against sensitive data, and pay particular attention to access and privilege controls. Another excellent security practice is to verify that a released resource was cleared.

A further area of concern with virtualization has to do with the potential for undetected network attacks between VMs collocated on a physical server. Unless you can monitor the traffic from each VM, you can’t verify that traffic isn’t possible between those VMs.

There are several possible approaches here. The first is that the VM user can simply invoke OS-based traffic filtering or a local firewall. There’s one potential complication to doing this if you need multiple VMs communicating and cooperating. These VMs may be dynamically moved around by the service provider to load balance their cloud. If VM Internet Protocol (IP) addresses change during relocation (which is unlikely, but possible) and absolute addressing is used for firewall rules, then firewall filtering will fail.

In essence, network virtualization must deliver an appropriate network interface to the VM. That interface might be a multiplexed channel with all the switching and routing handled in the network interconnect hardware.

Most fully featured hypervisors have virtual switches and firewalls that sit between the server physical interfaces and the virtual interfaces provided to the VMs. You have to manage all these facilities as changes are made to VM locations and the allowable communication paths between them.

Traffic Management

Another theoretical technique that might have potential for limiting traffic flow between VMs would be to use segregation to gather and isolate different classes of VMs from each other. VMs could be traced to their owners throughout their lifecycle. They would only be colocated on physical servers with other VMs that meet those same requirements for colocation.

This approach could include some form of VM tagging or labeling akin to labeling within multilevel OSes (such as Trusted Solaris or SE-Linux). You could also use the configuration management database to track tenant requests for application isolation.

In all these examples, however, the problem occurs “when the tenant also needs the application components to have maximal separation from common mode failures for availability. It’s not that such a scheme couldn’t be made to work, it’s that the cost of all the incompatible and underutilized server fragments (which can’t be sold to someone else) has to be carried in the service cost,” says Bill Meine, software architect and cloud expert at Blackhawk Network.

One actual practice for managing traffic flows between VMs is to use virtual local area networks (VLANs) to isolate traffic between one customer’s VMs from another customer’s VMs. To be completely effective, however, this technique requires extending support for VLANs beyond the core switching infrastructure and down to the physical servers that host VMs. This support is now almost universal with VM technology.

The next problem is scaling VLAN-like capabilities beyond their current limits to support larger clouds. That support will also need to be standardized to allow multi-vendor solutions. It will also need to be tied in with network management and hypervisors.

Certification Matters

Finally, in considering the security issues with VMs, it’s important to recognize that this technology is not new. Several products have undergone formal security evaluations and received certification. What this means in practical terms is that several VM technology vendors have taken pains to obtain independent and recognized security certification.

Virtualization absolutely complicates infrastructure management, but with the cloud, this simply must be automated if you are to use this technology at cloud scale and cloud elasticity. The bottom line with virtualization risk is that using this technology must be better planned and managed.

By automating virtualization management with cloud computing, you can achieve multiple benefits—better security included. Further, the end of the ad hoc use of virtualization is a positive trend for security. It represents a return to infrastructure control.

Vic (J.R.) Winkler is a senior associate at Booz Allen Hamilton, providing technical consultation to primarily U.S. government clients. He’s a published information security and cyber security researcher, as well as an expert in intrusion/anomaly detection.

©2011 Elsevier Inc. All rights reserved. Printed with permission from Syngress, an imprint of Elsevier. Copyright 2011. “Securing the Cloud” by Vic (J.R.) Winkler. For more information on this title and other similar books, please visit elsevierdirect.com.
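The storage advice in the article above (clear the data yourself, then verify that the released resource was cleared) can be scripted. The following is an added example, not code from the article or the book; it uses a constructed temporary file as a stand-in for a VM's local volume, and the function names are hypothetical.

```python
"""Added example: zero a storage resource before release and verify the result."""
import os
import tempfile

CHUNK = 64 * 1024  # read/write granularity


def resource_size(path):
    """Size in bytes; seeking to the end works for regular files and block devices."""
    with open(path, "rb", buffering=0) as dev:
        return dev.seek(0, os.SEEK_END)


def zero_range(path, start, length, chunk=CHUNK):
    """Overwrite `length` bytes of `path` from `start` with zeros and flush them."""
    zeros = bytes(chunk)
    with open(path, "r+b", buffering=0) as dev:
        dev.seek(start)
        remaining = length
        while remaining > 0:
            # Unbuffered writes may be short, so count what was actually written.
            remaining -= dev.write(zeros[:min(chunk, remaining)])
        os.fsync(dev.fileno())


def zero_fill(path):
    """Clear the whole resource. Returns the number of bytes cleared."""
    size = resource_size(path)
    zero_range(path, 0, size)
    return size


def first_nonzero_offset(path, chunk=CHUNK):
    """Read the resource back; return the offset of the first non-zero byte, or None."""
    offset = 0
    with open(path, "rb", buffering=0) as dev:
        while True:
            block = dev.read(chunk)
            if not block:
                return None
            leftover = block.lstrip(b"\x00")
            if leftover:
                return offset + len(block) - len(leftover)
            offset += len(block)


def release_check(path):
    """Gate a release on read-back verification instead of trusting that the clear ran.

    Note: this reports what a later reader of this same device would see; copies the
    guest cannot read (for example provider-side snapshots) are outside its view.
    """
    offset = first_nonzero_offset(path)
    return {"size": resource_size(path), "cleared": offset is None, "first_nonzero": offset}


def demo():
    # Constructed stand-in for a VM's local volume, filled with tenant data.
    size = 4 * CHUNK + 100
    pattern = b"tenant-a-secret;"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write((pattern * (size // len(pattern) + 1))[:size])
        # Simulate a clearing job that terminated in error after 100,000 bytes.
        zero_range(path, 0, 100_000)
        interrupted = release_check(path)
        # Run the complete clear, then apply the same verification.
        zero_fill(path)
        complete = release_check(path)
        return interrupted, complete
    finally:
        os.remove(path)


if __name__ == "__main__":
    for label, result in zip(("interrupted clear", "complete clear"), demo()):
        print(label, result)
```

The interrupted run is the case the article warns about: the clear was started, so a log might say it ran, but only the read-back shows that data remains.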
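The article's point that firewall filtering fails when rules use absolute addresses and a VM's IP changes on relocation, and its suggestion of VM tagging, can be modeled in a few lines. This is an added example, not code from the article or the book: the inventory, addresses and rule classes are constructed, and the reuse of the old address by another tenant's VM is an assumption added here to show the second way such a rule can fail.

```python
"""Added example: absolute-address firewall rules versus label-based rules after a VM moves."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    role: str
    ip: str


@dataclass(frozen=True)
class StaticRule:
    """Allow rule written with absolute addresses at authoring time."""
    src_vm: str  # VM the author had in mind; used only by the audit below
    dst_vm: str
    src_ip: str
    dst_ip: str
    port: int


@dataclass(frozen=True)
class LabelRule:
    """Allow rule written against tenant/role labels and resolved per flow."""
    tenant: str
    src_role: str
    dst_role: str
    port: int


def sample_inventory():
    # Constructed inventory: two tenants sharing one provider network.
    vms = [
        VM("a-web", "tenant-a", "web", "10.0.1.10"),
        VM("a-db", "tenant-a", "db", "10.0.1.20"),
        VM("b-batch", "tenant-b", "batch", "10.0.3.5"),
    ]
    return {vm.name: vm for vm in vms}


def relocate(inventory, name, new_ip):
    """Return a new inventory in which VM `name` has moved and received `new_ip`."""
    moved = dict(inventory)
    moved[name] = replace(inventory[name], ip=new_ip)
    return moved


def static_allows(rules, src_ip, dst_ip, port):
    """Default deny; allow only an exact address and port match."""
    return any(r.src_ip == src_ip and r.dst_ip == dst_ip and r.port == port for r in rules)


def label_allows(rules, inventory, src_ip, dst_ip, port):
    """Default deny; map addresses to VMs in the current inventory, then match labels."""
    by_ip = {vm.ip: vm for vm in inventory.values()}
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src is None or dst is None:
        return False
    return any(
        src.tenant == dst.tenant == r.tenant
        and src.role == r.src_role and dst.role == r.dst_role and port == r.port
        for r in rules
    )


def stale_static_rules(rules, inventory):
    """Audit: static rules whose addresses no longer belong to the intended VMs."""
    stale = []
    for r in rules:
        src, dst = inventory.get(r.src_vm), inventory.get(r.dst_vm)
        if src is None or dst is None or src.ip != r.src_ip or dst.ip != r.dst_ip:
            stale.append(r)
    return stale


def demo():
    before = sample_inventory()
    static = [StaticRule("a-web", "a-db", "10.0.1.10", "10.0.1.20", 5432)]
    labels = [LabelRule("tenant-a", "web", "db", 5432)]
    # a-web is relocated and gets a new address; assumption: the provider later
    # hands its old address to tenant B's VM.
    after = relocate(before, "a-web", "10.0.2.77")
    after = relocate(after, "b-batch", "10.0.1.10")
    results = {}
    for stage, inv in (("before", before), ("after", after)):
        for src in ("a-web", "b-batch"):
            s, d = inv[src].ip, inv["a-db"].ip
            results[(stage, src)] = (
                static_allows(static, s, d, 5432),
                label_allows(labels, inv, s, d, 5432),
            )
    return results, stale_static_rules(static, after)


if __name__ == "__main__":
    results, stale = demo()
    for (stage, src), (static_ok, label_ok) in results.items():
        print(f"{stage:6} {src:8} -> a-db:5432  static={static_ok}  label={label_ok}")
    print("stale static rules:", [f"{r.src_vm}->{r.dst_vm}" for r in stale])
```

After the move, the static rule blocks tenant A's own web tier and admits whichever VM now holds the old address, while the label rule follows the VMs; the audit function is the check to run whenever the inventory changes.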

COVER STORY | Dead Software

Keeping Dead Products Alive

Software companies rely on regular customer upgrades and decommissioning old titles. But what is good for vendors isn’t so great for IT, which often has to support unsupported software.

By Doug Barney

Nearly 80 years ago, the term “planned obsolescence” was coined by Bernard London, a New York City real estate professional and amateur economist. The idea, which London thought was a darn good one, was to design products with a limited lifespan so consumers regularly had to get new ones, thus keeping the economy going.

This is why you don’t see many 1983 Ford Escorts tooling around. While cheap old cars rust out or fall apart, software should keep chugging. “Unlike hearts, lungs, knees, eyes or kidneys, software just doesn’t wear out or get weak,” says reader Fred Linton. But old software ends up just as obsolete as your junk Ford. That’s because vendors choose to make it that way.

Even though code doesn’t stop working unless corrupted, software goes out of date in a variety of ways. The biggest death blow strikes when vendors stop support. No more features but, more critically, no more security updates.

Another problem is when new environments won’t run old products. Even if a new version of Windows looks and acts largely the same, many older applications and hardware no longer operate.

Redmond magazine heard from some 30 readers—all IT pros—about their frustrations with unsupported software and how they deal with them.

Short Course on Support

Each software company has its own support policies, which sometimes vary from product to product. For this article, we were mostly concerned with the basics of how Microsoft support works. When a Redmond product comes out, it’s fully supported. That means service packs are created, patches written and released, and compatibility with current environments is maintained to the best of Microsoft’s ability. This lasts for five years, and patches and software updates and service packs are all free.

After five years comes “Extended Support.” Plain old customers get software updates and service packs for free—but not much more. Those with a volume license go on “Extended Support” and can also buy an “Extended Hotfix Agreement” that provides full security support.

Fortunately, all customers—so long as they’re legal—get patches and other security-related fixes. After 10 years, though, there’s basically no support, no patches and no security fixes.

Security Scare

The biggest thing that disappears when support ends are security updates and patches for critical flaws and zero-day exploits. This is the main way vendors scare you into upgrading.

Jim Adcock, a SharePoint consultant, works in a shop that uses iNotion as a repository for documents and records. “The repository cannot be accessed with browsers more recent than 6. This leaves our systems with older unsupported browsers with security flaws,” Adcock says. “We’re currently migrating to a new product for document and records management: SharePoint 2010. There is no newer version of iNotion because the company that made it is no longer in business. We tried a migration last year to another product that did not meet our needs and had to roll back to iNotion.”

Not all are so nervous about running old apps, though. “I think the ‘security’ issue is a bit overcooked,” says Bruce Roeser, an independent freelance developer.

Forced Upgrade March

Software wouldn’t become obsolete if companies didn’t want it to be. Forced upgrades put money in vendors’ coffers but leave you holding the bag—and your old software. And many of these new titles aren’t wanted–even if they’re free. As one Redmond reader says: “Microsoft is way too focused on rolling out new versions every three years and making us upgrade, [rather] than focusing on quality. I don’t need the interface of Windows and Office. My users hate the changes and prefer not to upgrade at all. We just started to get them sold on Windows 7 and Windows 8 is changing the GUI again?” the reader complains.

One example is the Office Ribbon, which debuted in Office 2007 and now graces Office 2010. A huge number of users vastly prefer the old interface (they hate the Ribbon), but Office 2003 will soon be no longer officially supported. To maintain full support, IT will have to upgrade and train users on a new interface they don’t even like.

Reader Dick Lutz is also weary of forced Office upgrades. “Every now and then, Microsoft ‘fixes’ the Office suite, perhaps hoping to reorient users away from the excellent adaptations of the previous style of interface by other vendors. The ‘Ribbon’ brings us nothing but a new and wholly unnecessary learning curve. In tweaking what needs no tweaking, the company creates minor chaos in the orbit of other software,” says Lutz, editor and publisher of The Main Street WIRE in Roosevelt Island in New York. “My determination to stick with products that I know well keeps me in WordPerfect’s camp: I still use WordPerfect 5.1 for DOS almost every day and—for page layout—use antique PageMaker, which does everything I need without the learning climb of InDesign.”

New OSes are also a big shift. “I hate the Windows 7 user interface with a deep purple passion. Windows 7 took away functionality, and the UI is hard to use and dysfunctional in some ways,” says one Redmond reader.

Besides the hassle of upgrading and trading, there’s the pure issue of dollars and cents, often a lot of dollars and cents. “For the most part, ‘upgrading’ means I pay additional dollars to get nothing I need in return,” says developer Roeser.

The Case for New (and Old)

Some IT pros like having a choice—the choice to move to new software where it makes sense and keep running the old stuff when upgrading doesn’t make sense. “As an IT person, you should always move up to the new operating system if at all possible. If you’re going to keep an older machine, it’s functioning well and you’re not going to put the money into it for upgrades, keep it until it dies. I don’t see the big deal,” says W. Mitchell. “My various home systems will be on XP, probably until they die. I can’t justify $200-plus OS upgrades for machines worth $50 to $100. The machines work fine, and do what I need them to do, so I can’t justify replacing them.”

Were it always so simple. Some shops buy new software to interact with others using new software. “If everybody you do business with is expecting your Word documents as .docx, what are you to do? On the other hand, Microsoft has been pretty good with backward compatibility. There’s an extension you can install to Office 2003 that reads the extended formats,” Roeser adds.

I Heart XP

While support for Windows XP won’t fully expire until 2014, IT is already agitated. Let’s face it: IT has figured out how to troubleshoot XP, and most XP PCs were long ago paid for and amortized. And because IT gave Windows Vista such a wide berth, there are plenty of fresh XP installs. Looking at losing support in less than three years for an OS that was just installed isn’t fun. “For our purposes, XP is the


most reliable and functional OS that Microsoft ever developed. We’ve had nothing but problems with Windows 7—on new machines! We’ve kept XP on old machines and laptops and netbooks with no problems,” says reader Dick Schultz.

Online Lifeline

After a Microsoft product turns 10, you’re mostly on your own for support. There are third parties and Microsoft support partners, but they cost money. And Microsoft offers fee-based Custom Support, but this is really meant as a bridge for those who will ultimately migrate to a new version. Plus, you have to have already bought Premiere Support to qualify. Keep in mind, too, that this Custom Support is limited. If your problem needs a security update or hotfix, you’ll have to upgrade.

Support on the cheap can come online:
• Join TechNet and read Knowledge Base (KB) articles. Keep in mind that Microsoft only promises to keep KB articles up for a year after support fully expires.
• Bookmark Product Support Center FAQs for apps you need to support.
• Get to know the Microsoft Answers Community.
—D.B.

Longtime reader and development specialist C. Marc Wagner puts it more succinctly: “XP won’t die. Why should it? The damned thing just plain works.”

Software developer Roeser, who runs Office 2003 at home, is passionate about his old software. “You can have my Office 2003 when you can pry it from my cold, dead fingers!” he exclaims. “I’ve thought about retrograding the suite on my office machine back to 2003, but the GUI in 2003 is just cleaner and easier to work with.”

We Don’t Need No Stinkin’ Support

Some products are so simple or stable they don’t need support. “I’m still using Outlook Express—it’s easy to use, simple and gets the job done. Too bad it’s no longer supported, but who needs support? It just works,” says Dean, a Redmondmag.com reader.

Others just don’t see value in Microsoft support. “I won’t miss their support when it’s gone. I use their support very little. We all know Microsoft is running a scam on introducing new OSes in conjunction with the PC manufacturers to make it cheaper to get a new PC with the OS installed, than to update an old PC,” says Dennis Webb, DP technician for the Community Action Council in Lexington, Ky. “If the OS works with my applications, that’s all I care about.”

Webb currently supports some 100 PCs, running Windows 95 and Windows 98, which are used in Head Start classrooms. “Windows 95 is all I need. What’s even more interesting is how fast Windows 95 can be loaded. I use a Compaq restore disk, and it takes about 20 minutes to wipe out and restore the OS. Using a restore disk from HP, it takes about four hours to reload a Windows 7 laptop,” Webb says. He has some doubts about Microsoft’s most recent OS. “I’ve rolled several HP computers back to Windows XP from Windows 7. I really prefer XP to Windows 7 and haven’t found any advantage to Windows 7.”

Webb’s views are echoed by reader Linton. “‘Still supported’ or ‘no longer supported’—makes very little difference. I’ve never been able to garner free support from Microsoft for anything. Either it’s been the responsibility of the OEM to support the OS or my issue was one that required payment,” says Linton. “My ‘support’ has always come from friends or colleagues on Usenet or at work. And vendor support is, in my book, as much a myth as the universally recommended and utterly fictional ‘Windows installation disk.’ Not since the days of Windows 3.1 have I ever seen such a chimerical beastie.”

Gary Lea is not worried about the impending end of XP support. “Are all the computers running XP just going to die on that day? In [a bit more than] two years, Microsoft will stop supporting XP. That doesn’t mean it’s dead. It just means we won’t be getting updates every fourth Tuesday. We probably won’t need them because the hackers will be concentrating on Windows 7 or Windows 8 or whatever the current overbloated Microsoft OS is at the time,” says Lea. “My theory has always been that if it works for you, there’s no reason to change. I know a few people that are still using Win 98! It still works, and you don’t need (tons) of RAM to support it.”

Self Support

Keeping an old OS alive is easier if you have coding skills like R. Loew from Elmont, N.Y. “I use Windows 98SE almost exclusively. It’s faster, more compact, more flexible and easier to debug than the newer versions. I’ve developed patches and add-ons that support modern hardware, sometimes even better than the newer Windows. Windows XP will choke on a 3TB hard drive. I use 3TB hard drives with DOS and Windows 98 without problems,” says Loew.

Developer Roeser goes out of his way to run the old stuff. “I keep the distribution sets on a USB hard drive and re-install them if I’m moving to a new system. If an OS upgrade really does break a piece of software, then I guess I just need a new version,” he says.

Teenage Software

My word processor of choice is ArkoseWorks 3.0. It was a Win 95 update of Novell PerfectWorks, which started life as WordPerfectWorks. It is a down-and-dirty program that doesn’t mess me up by trying to anticipate what I’m doing or making global changes. I’ve been using it for 15 years. I know its quirks and the ins and outs of running it. However, it’s getting harder to install and set up on new computers because it wants to put the user profile in c:/Windows/Profiles. Getting that to work with User Access Control can get a bit hairy.
—Reader Karl Anderson from Zerkel, Minn.

Total Abandonment

So far, we’ve mostly been talking about old products for which there’s a new version you can migrate to. Not all of

you are so lucky. “Far worse than abandoning previous versions of programs is the abandonment of entire products and the limbo that sometimes accompanies that. Microsoft Office Accounting Pro (MSOA) was a great product that made sense—especially for small businesses that could integrate Outlook, Business Contact Manager and Accounting,” recalls one MSOA customer. “However, MSOA sat in a freakish limbo for a long time until the issue was finally forced and Microsoft quietly admitted—in a software support timetable—that they were bailing on it. Whether we asked MSOA specialist bloggers or even contacts within Microsoft, nobody had any clue for a long time.”

A Virtual Lifeline

Windows Vista and Windows 7 are based on the same core foundation as Windows XP, but they’re different enough that a lot of stuff breaks. Wanting users to upgrade, and afraid of the backlash from old broken software, Microsoft created XP Mode. Layered on top of Microsoft Virtual PC, this is essentially a version of XP that runs in a virtual machine. Here you can run otherwise incompatible apps and load older device drivers.

But XP Mode doesn’t work for all apps, Redmond readers report. And it has certain requirements. You need to run Windows 7 Professional, Ultimate or Enterprise, and you need PC hardware with a virtualization-ready processor. Other virtual technologies such as VMware Workstation and VMware Player can do much the same thing.

Virtualization can be a godsend. “I have virtual machines running—you name it, I’m running it. Software I push out has to deal with clients who are perfectly happy with SQL Server 7.5 or 2000 running on perfectly functional Windows 2000 installations up through Windows 7. Can’t say that I blame them,” says a Redmondmag.com reader from Pennsylvania.

Another reader thanks his lucky stars for VMware. “We’re still using NT 4 and Siebel 6 in one of our departments because of all the customizations that have been done over the years and the cost—both money and time—to upgrade all that code to later versions of Siebel. Thank goodness for VMware, since not even Microsoft supports virtualizing NT 4,” says a reader from El Segundo, Calif.

Dick Lutz runs the newish Windows 7 but also needs to use older software. “This led me to overlay VMware Workstation in order to run the software I prefer in XP, while still being able to run Windows 7 for newer software built specifically for Windows 7. The VMware product is vastly superior, in all respects, to Windows 7’s sluggish and flawed XP-compatibility mode,” says Lutz, a consultant and publisher of The Main Street WIRE, the community newspaper serving Roosevelt Island in New York.

Lutz still runs PageMaker 7.0 on Windows XP. “I’m still running it seven years after its prime ended, and therefore still running XP, though I’m running it on a virtual machine, using VMware, over Windows 7,” says Lutz.

Lutz also runs WordPerfect for DOS 5.1. “I know its macro capability cold,” he explains. He also uses the latest version of WordPerfect for Windows and Excel 2003—which he says he “had to buy special.”

Custom software can also benefit from virtualization. “I have some old projects in 6 that wouldn’t install cleanly on my [Windows 7 Ultimate 64-bit] machine, so I built a virtual XP machine and put it all there. Works fine,” says software developer Bruce Roeser.
—D.B.

Dang Devices

Device drivers are one of the biggest bugaboos. And you can’t just upgrade unsupported hardware; you have to buy an all-new device! “I’m still running a machine on XP due to HP offering no Vista or Windows 7 drivers for a printer and a scanner of theirs. Not even a universal driver. Those were the last devices I purchased from HP. You don’t support me, I don’t support you,” says a frustrated ex-HP customer.

Some folks expect software drivers and hardware interfaces to work nearly forever. One Redmond reader has a scanner he bought for an Intel 80486-based PC that originally ran Windows ME, an OS that’s more than 10 years old, with support that ended a half-decade ago.

This reader now wants to run the scanner under Windows Vista—which the OS won’t do. His answer? Keep running the old driver on the old machine. He’s still fuming. “I’ll no longer buy HP or Microsoft products without remembering they took my money then shut me off. Those who opine that these are hardware-driven product requirements, please shut up. These decisions were made to make money. Old devices could easily communicate with more modern software if manufacturers and software developers didn’t think it acceptable to abandon their customers,” the reader says.

Another reader is running even older software. “I have an ancient laptop chained under the desk running DOS 6.22 to run a program used to set up Motorola HT1000 portable radios. I can’t get it to run in a ‘DOS box’ under any version of Windows. The radios will probably last another five to six years, so until then, I have to keep a relic running,” the reader explains.

Older Is Better

In some instances, upgrading means going backward. “I have computers with most versions of Windows except Vista and Windows 7. An old computer with Windows 98 is used with


Access 97 for an ongoing database project. That combination is much faster even though the CPU isn’t particularly fast. For safety, the computer isn’t connected to the Internet,” explains one Redmondmag.com reader.

Windows 98 also still has a loyal following. “We have one Windows 98SE workstation left in our office that runs an old program [for which we have] no plans to upgrade—it works fine. All of the office workstations are XP running Office 2003, with no issues and no plans to change. We don’t need the new features or headaches. This is a working office with no need for extra features or fancy screens. My Windows 7 SP1 crashes too many times at home to recommend any change for the office,” says a Redmondmag.com reader.

Newer software doesn’t always support critical needs. “I needed central data storage for a typing program in a small school district for 16 computers. Because XP will only allow 10 concurrent connections, I dragged out an old Windows 98 machine and set it up as the data repository. Why set up a server when a simple peer-to-peer network will do the job?” asks a reader from western Montana.

We’ve been talking about software being old at five or 10 years. Large systems software can last far longer than that. “The lifecycle of some computer applications is as much as 15 years. The State of Michigan accounting system was old when it was implemented in 1994 and is mainframe-based. Historical data is important and many systems are integrated with it. Though the interfaces are old, the functionality still works. A wholesale Web-based rewrite would be expensive, catastrophic, time-consuming and a monster project. But it needs to be done someday,” says a Michigan-based IT pro.

Scoring Vintage Code

So you’ve got old, unsupported software, and maybe the vendor even went under. Now the software your company depends on is corrupted. What do you do?

I suppose you could copy the software from another machine, as you likely have a license for the copy that fried. But if you don’t have that spare, there are several places to go.

eBay is often a good choice, though you need to make sure the copy is legal and you get the paperwork.

There are several Web sites that sell old software, including Oldversion.com. Here’s how the company explains itself: “Sometimes upgrading to a newer version can be a good thing. Other times, your computer may not be compatible with the new version, the new version is bloated or all the options you liked are no longer available.”

Oldversion.com believes many new Internet-centric apps are spyware and adware carriers. “It’s sometimes possible to avoid spyware by downloading an older version of a program. Use Oldversion.com and show the industry your dissatisfaction with these types of business practices.”

There’s also OldApps.com, which focuses on Web apps such as instant messaging. “Often newer versions are more complicated to use, and we understand that it’s hard to find older, more user-friendly versions of popular software. Many software providers do not include older versions of their software on their sites,” the company says. “As software updates are being released more frequently, not every computer is able to keep up with the minimum requirements of new software. Many users with slow Internet connections may want to attain a leaner program to avoid the common frustrations associated with the increasingly larger sizes of modern programs.”

And www.retrosoftware.com sells what it argues are fully licensed (not OEM or Academic) versions of out-of-date titles.
—D.B.

Feeling Vendors’ Pain

Not all readers are so down on vendors, especially those that write software themselves. “That vendors want to discontinue support of older products to get you to buy new is partially true. But it’s very expensive to support multiple versions of any product. I do custom programming and have a product used by several clients. I have to insist that everyone update because it’s just too complicated to keep track of multiple versions,” says reader Mike from Ann Arbor, Mich.

Reader Wagner is a fan of new software. “Office XP is awfully long in the tooth now. After all, it was followed by Office 2003 and Office 2007 well before Office 2010 became available. Users should never allow themselves to fall more than two versions behind any version of software upon which they’re dependent. That just guarantees you trouble down the road,” argues Wagner.

Other developers have the most sympathy. “Considering that they’re burping out a new OS every three years, I don’t know how else they could do it. For a product that you can buy for just a couple hundred bucks—if you don’t buy a system—that’s awful generous. Think about it a minute: When you buy a car, do you get the same? An OS like Windows represents a massive investment in R&D and development. You can’t afford to give away free support on a $200 item forever,” says developer Roeser.

Roeser, however, sees both sides. “Old dogs like me feel pulled in two directions. On the one hand, I really like the latest cool gadgetry but, on the other hand, I see no reason to upgrade a dozen other titles that continue to serve me well.”

Doug Barney is editor in chief of Redmond magazine.

Doug says: I ride a 1988 Harley-Davidson Heritage Softail. It looks almost identical to a brand-new model and usually runs great. When it didn’t, I used to schlep on down to my local dealer. The last time I went to the shop, and I mean the last time ever, I needed a headlight. “Sorry, your bike is obsolete,” I was told. Hmmm, that’s the same thing they told me when I needed a new petcock. Like so many of the IT pros in this story, I was left to my own devices, and found third-party companies that refused to accept that my bike was done. What’s your take on obsolete software? Share your feelings by writing me at [email protected].

18 | February 2012 | Redmond | Redmondmag.com


FEATURE | Cloud E-Mail Archiving

The Rapid Move to Cloud E-Mail Archiving

While security is still a concern for some companies, more and more businesses are outsourcing e-mail archiving to cloud vendors. And the vendors themselves are proliferating.

By Paul Korzeniowski

Despite some predictions of the demise of e-mail, it's still on the rise and with that growth comes continued management challenges.

In 2010, businesses worldwide supported 725 million e-mail accounts, each generating 110 messages a day, according to market research firm The Radicati Group Inc. Those numbers are expected to increase to 950 million accounts generating 119 messages a day in 2014. While helping corporations exchange information more effectively, the continued rise in e-mail volume is also creating management challenges. "With compliance and e-discovery regulations increasing, companies need to manage their e-mail interactions in a proactive manner," says Forrester Research Inc. Senior Analyst Brian Hill.

E-mail archiving solutions have emerged as a way to fill that void. These products help companies trail e-mail transactions, restore inadvertently deleted messages and generate reports outlining who sent what to whom. As it is with other market segments, cloud computing is starting to have an impact on this space because it has the potential to offload processing chores to third parties and reduce costs. In fact, market research firm Osterman Research Inc. expects that worldwide revenue from cloud e-mail archiving services will rise from $191 million in 2011 to $336 million in 2013. The high growth has attracted vendors from startups to industry behemoths (see "A Bevy of E-Mail Archiving Options Emerges").

Yet, cloud computing introduces more complexity into employee interactions and therefore raises new security concerns. "Companies are leery of putting their information in the cloud because they're not sure vendors can protect it," notes Michael Osterman, president of Osterman Research. Consequently, many firms find themselves trying to strike a balance between putting the proper checks in place to secure their e-mail information while still maintaining it in a cost-effective manner.

Oops, I Didn't Mean To Do That

Archiving solutions were designed to help businesses address various compliance concerns. For instance, an employee may accidentally delete a message or two. If questions arise during an e-discovery hearing, the corporation must be able to retrieve the deleted messages—and do so quickly. Without an e-mail archiving system, the item could be lost. If not, the process of retrieving the message can often take a few days compared to just a few quick clicks of a mouse with an e-mail archiving system.

Also, if corporations don't have such a solution in place, they can face court-imposed sanctions. In 2002, the U.S. Securities and Exchange Commission fined five firms a total of $8.25 million for not properly monitoring and capturing their e-mail traffic.

Cloud computing has become a viable alternative to on-premises-based e-mail archiving solutions for avoiding such problems. In fact, a Forrester survey found that 22 percent of corporations that planned to evaluate e-mail archiving solutions in 2011 expected to select a cloud solution. The top three drivers behind the interest are perceptions of lower total cost of ownership, more rapid deployment capabilities and superior pricing structures.

The Kenmar Group Moves up to the Cloud

One early adopter is The Kenmar Group, an investment firm that has 50 employees scattered in offices from Rye Brook, N.Y., to the United Kingdom to Singapore. The company's datacenter runs Microsoft Windows Servers with virtualization software from VMware Inc., and the Microsoft Exchange e-mail system. For a few years, the financial-services company relied on a Compliance Vault Inc. archiving solution. "We were having some problems with the system's reliability," explains Frank Coloccia, senior vice president and CTO at The Kenmar Group.

So, in early 2008, the corporation contacted a handful of vendors, including Iron Mountain Inc., Symantec Corp. and Smarsh Inc. "We were interested in a cloud-based solution," notes Coloccia. The Kenmar Group ultimately chose a cloud-based archiving offering from Smarsh. This approach didn't require a significant up-front investment for hardware and software licenses. Also, the financial-services company's IT department wouldn't have to perform routine tasks such as allocating storage.

Migrating seven years of e-mail messages to the new system took about three months. In addition to reducing its maintenance requirements, the business improved its reporting capabilities. The organization has to send the Securities and Exchange Commission (SEC) a report every three months. "Generating the SEC report used to require several steps; now, it's completed with the press of a button," explains Coloccia. However, there was one area where The Kenmar Group would like to see improvement: more comprehensive management tools.

It's quite typical for management—as well as security tools—to lack sophistication whenever a new technology emerges. Consequently, resistance to moving to the cloud has been evident. "Many corporations are leery of moving their sensitive information into the cloud," states Osterman. Corporations in areas like financial services and health care fear that cloud computing's security checks will fall short of various industry statutes.

Morgan Keegan & Co. Inc., a regional investment firm, is one such company. Founded in 1969, the Memphis, Tenn., company has more than 300 offices in 20 states and more than 4,000 employees. The financial-services corporation has been using Microsoft Exchange since 2003 when it replaced a Lotus Notes system. In 2010, the company decided to move to Microsoft Exchange Server 2010 for a couple of reasons. The product's Role-Based Access Control feature limits data connectivity to individuals with various job titles, and the system simplified the setup and administration of remote mailboxes.

However, the investment enterprise opted for an on-premises rather than cloud-based e-mail archiving solution. "We are concerned about the level of security available in cloud services," says Dan Evans, senior vice president of messaging and collaboration at Morgan Keegan.

Indeed, cloud computing introduces new potential security weak points. The first area of concern is the connection from the customer's site to the cloud provider's datacenter. When information travels along the Internet, it's open to interlopers at various points. Rather than an Internet link, a corporation would be better served with a private network connection, a closed link between its systems and the cloud archiving solution.

Also, as the information travels, it must be protected. "E-mail archiving suppliers should encrypt information as it travels from point to point," notes Osterman. In addition, the customer has to be sure that the data is protected after it arrives. The best way to reach that goal is to encrypt the data while it's at rest, a feature available in some, but not all, e-mail archiving solutions.

As a result, when evaluating a cloud e-mail archiving solution, a corporation needs to check its vendor's security procedures very closely. Third-party validation via certifications, such as SAS-70 Type II audits, helps to ensure that the vendor's security controls are strong enough to protect the firm's information.

In sum, customer interest in cloud e-mail archiving is growing. However, the various solutions are still in a nascent stage of development, so corporations need to examine them closely to be sure that they meet their compliance, management and security criteria. Nevertheless, the burgeoning sector of technology might be worth investigating.

"Cloud e-mail archiving is an emerging area, one that will continue to get stronger in the future," concludes Forrester's Hill.

Paul Korzeniowski is a freelance writer based in Sudbury, Mass., and can be reached at [email protected]. He's been writing about technology issues for two decades, and his work has appeared in Boston Herald, Entrepreneur, Investor's Business Daily, Newsweek and InformationWeek.

A Bevy of E-Mail Archiving Options Emerges

Emerging markets tend to attract many suppliers, and e-mail archiving illustrates that axiom.

Microsoft's own Office 365 represents its most significant foray into the cloud arena. Its e-mail archiving service's Legal Hold feature preserves users' edited and deleted mailbox information (e-mail, appointments, tasks and so on) from both their primary mailboxes and personal archives. Legal Hold, which can be set for individual mailboxes or across the enterprise, works continuously or for specific time periods, say 90 days.

Astaro GmbH & Co. KG has made its mark in the Unified Threat Management market with more than 56,000 installations in about 60 countries. The Astaro Mail Archiving solution offers users unlimited storage capacity, works with Microsoft Exchange Server, and supports SMTP, POP3 and IMAP e-mail systems. In June 2011, Sophos, a global IT security and data protection company, acquired Astaro, which generated $56 million in revenue during 2010.

Founded in 1996 as part of a research project at Cambridge University, Autonomy Inc. started off in the search engine market but gradually transitioned to becoming an infrastructure software supplier. The company's solution supports more than 14PB of information and 30 billion messages, has 6 billion pages in active litigation review, and processes more than 3 million files per hour. Last year, Hewlett-Packard Co. acquired Autonomy for $11.3 billion.

Formed in 1999, Global Relay Communications Inc. has more than 14,000 customers. Its archiving platform supports a wide range of e-mail systems, including the company's own Zimbra e-mail system, Microsoft Exchange, Lotus Notes, Google Apps, SendMail, Qmail, Postfix, Scalix, Exim and Communigate. The service features Web-based search and retrieval features that provide users with access to current and historical message records.

Google Inc. archiving services stemmed from a purchase of Postini Inc. for $625 million in cash in the summer of 2007. Its cloud option enables companies to create content-based policies, so they can track messages with sensitive information such as Social Security and credit-card numbers. To ensure compliance, data is encrypted as it travels via the Secure Sockets Layer or the Transport Layer Security protocol.

In business since 1998, service from LiveOffice LLC features Microsoft Outlook-like UIs and rapid search and retrieval. In the compliance realm, the service is designed to enforce corporate e-mail policies and accelerate legal discovery.

Founded in 2003, Mimecast LLC has a staff of 200 and more than 3,500 clients. The company's service features Outlook integration, real-time searches and audit trails. Messages are tamperproof and access rules are maintained throughout the lifecycle.

Eric Hahn, former CTO of Netscape Communications, founded Proofpoint Inc. in June 2002. Since then, the company has garnered 4,000 enterprise accounts. The vendor's DoubleBlind Encryption function secures archived e-mail and other correspondences. The service's Active Legal Hold features enable companies to create and enforce legal policies during e-discovery periods. Its supervision review features streamlined auditing processes, so companies comply with Securities and Exchange Commission and Financial Industry Regulatory Authority regulations.

Smarsh Inc. was launched in 2001 as a financial technology solutions and consulting corporation. Its primary focus shifted swiftly to e-mail archiving as more and more firms scrambled to meet government and industry electronic communications compliance mandates. With it, systems administrators can review electronic communications; implement classification, data-leak prevention and encryption policies; and analyze the effectiveness of enforcement procedures.

In business since 1982, Symantec Corp. has more than 18,500 employees and operates in more than 50 countries. The company's Intelligent Archiving Software Platform enables legal and IT staffers to search, preserve, review and export electronically stored information.

Because of the high level of interest, corporations will find many choices when they begin their search for a cloud-based e-mail archiving solution. Consequently, the chances that they'll find one that meets their needs are improving. —P.K.

FEATURE | Security

Understanding the Essentials of the Kerberos Protocol

Knowing the basics of this pervasive Windows protocol can be critical in diagnosing and solving security problems.

By Gary Olsen

While Windows IT professionals deal with security on a daily basis, very few understand the under-the-hood protocol, Kerberos. Kerberos is a security protocol in Windows introduced in Windows 2000 to replace the antiquated NTLM used in previous versions of Windows. Kerberos has several important advantages. For example, it:

• is very secure, preventing various types of intrusion attacks
• uses "tickets" that can be securely presented by a client or a service on the client's behalf to a server for access to services
• permits Cross-Forest Trusts to use transitive properties and eliminate the "full mesh" scenario; all domains in both forests establish a trust with a single Kerberos trust at the root
• permits interoperability with other Kerberos realms such as Unix; this permits non-Windows clients to authenticate to Windows domains and gain access to resources
• provides authentication across the Internet for Web apps

Therefore, it's important to have a good understanding of how the Kerberos protocol works and be familiar with the details of the security functions. This will help with diagnosing a variety of security issues. In addition, IT professionals should understand how Windows Time Service works because Kerberos security is highly dependent on time services.

Kerberos, or Cerberus, is a three-headed dog in Roman mythology that guards the gates of the underworld, preventing inhabitants there from escaping. The Kerberos protocol prevents the bad guys from getting in. There are three components to Kerberos: the client, a service and a third-party that both client and service trust. I love the statement made by Fulvio Ricciardi in his Kerberos Protocol Tutorial: Kerberos is "… an authentication protocol for trusted clients on untrusted networks." So, if Kerberos is designed to trust on an untrusted network, it should be even more effective on a trusted corporate network.

The Shared Secret

As noted previously, a key feature is the shared secret and a password that doesn't travel on the network. Thus the service (on the server) and the client (workstation) both know the password. The following scenario describes how this works:

1. An account is created on the domain controller, or DC (the Kerberos Key Distribution Center or KDC) and given a password.
2. The Kerberos client adds a text string (SALT) to the unencrypted password, along with a Kerberos version number (kvno), and runs those things through the "string2Key" conversion application. The "shared secret" is created. The SALT string is the username.
3. At the workstation, the user enters the account name and password and requests certain services. The Kerberos client generates the secret key on the client. Because Kerberos uses the same algorithm to generate this secret key as was used on the KDC, the two secret keys will match as long as the username and password entered are the same.
4. The user and the Authentication Service (AS) running on the KDC communicate using the shared secret.

Authentication and Authorization

Using the shared secret method, a user can log in and get access to some application or service, as illustrated in Figure 1. The APIs used are shown in the figure, such as "AS_REQ." The user logs into a workstation with an existing account. The AS_REQ API makes the request of the server by sending the user name. AS_REQ is encrypted. The KDC uses the shared secret associated with that user to decrypt the AS_REQ packet. If successful, the request is honored and a "Ticket Granting Ticket" (TGT) is returned in the AS_REP packet. The TGT can then be used by the client to prove the user is who she says she is and is properly authenticated. This ticket is good for a configurable time period.

[Figure 1 diagram: messages between the user, the Authentication Service (AS), the Ticket Granting Service (TGS) and the Application Server/Services: AS_REQ; AS_REP (TGT); TGS_REQ (TGT); TGS_REP (Service Ticket); AP_REQ (Service Ticket); AP_REP (optional).]

Figure 1. How a user can log in and access an application using the shared secret method.

If the user wants access to some service or application on a server that requires a service ticket, the TGT just obtained is presented to the server hosting the Ticket Granting Service (TGS) using the TGS_REQ. In a Windows domain, the TGS, like the AS, is hosted on each DC. The TGS contacts the database to find the shared secret, decrypts the AS_REQ and grants the service ticket. The service ticket is encrypted by the Session Key, which is shared by services only. The user cannot decrypt a service ticket. The service ticket is returned using the TGS_REP. The client cannot decrypt the service ticket because only servers can do that, but it can send it on. The client then sends the service ticket to the application server using the AP_REQ.

This is like a locked box inside a locked box. The outer box (packet) can be opened by the service because it has the user's shared secret. It can then open the service ticket because it has the shared Session Key with the TGS. The user is thus validated. The application server would then apply the appropriate permissions to the user to determine if the action requested (such as read, write, change to a document) is granted to the user. If mutual authentication is required, the application server uses the AP_REP to tell the client which service was requested, as a security measure.

The Replay Attack

A replay attack occurs when an intruder steals the packet and presents it to the service as if the intruder were the user. The user's credentials are there—everything needed to access a resource. This is mitigated by the features of the "Authenticator," which is illustrated in Figure 2. The Authenticator is created for the AS_REQ or the TGS_REQ and sends additional data, such as an encrypted IP list, the client's timestamp and the ticket lifetime. If a packet is replayed, the timestamp is checked. If the timestamp is earlier or the same as a previous authenticator, the packet is rejected because it's a replay. In addition, the time stamp in the Authenticator is compared to the server time. It must be within five minutes (by default in Windows).

[Figure 2 diagram: the client (user) sends an AS_REQ or TGS_REQ to the Authentication Service (AS); an Authenticator is created, carrying items such as the IP list, timestamp and lifetime. Notes in the figure: Pre-Authentication uses an authenticator (Kerberos v5); default in Windows Active Directory; can be disabled. Client timestamp compared to server time, must be within 5 minutes (default). Time earlier or same as previous authenticator.]

Figure 2. The Authenticator mitigates the possibility of a replay attack.

If the time skew is greater than five minutes the packet is rejected. This limits the number of possible replay attacks.
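The shared-secret steps and the Authenticator checks described above can be followed end to end in a short model. This is an added example, not code from the article or from any Kerberos implementation: PBKDF2 stands in for the real string2Key function, an HMAC tag stands in for encrypting the Authenticator, and the names `Kdc`, `make_authenticator` and `validate`, the account and the password are all constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # Windows default named in the article


def string_to_key(password: str, salt: str) -> bytes:
    """Derive the shared secret from password + salt.

    Assumption: PBKDF2-HMAC-SHA1 stands in for the real string2Key
    function, whose details depend on the encryption type in use.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


def _tag(key: bytes, principal: str, ctime: str) -> str:
    body = json.dumps({"principal": principal, "ctime": ctime}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_authenticator(key: bytes, principal: str, now: datetime) -> dict:
    """Client side: bind the principal and a UTC timestamp to the shared secret."""
    ctime = now.astimezone(timezone.utc).isoformat()
    return {"principal": principal, "ctime": ctime, "tag": _tag(key, principal, ctime)}


class Kdc:
    """Server side: per-account keys plus the last timestamp accepted per principal."""

    def __init__(self):
        self.keys = {}
        self.last_seen = {}

    def add_account(self, principal: str, password: str) -> None:
        # The salt is the username, as the article describes; only the key is stored.
        self.keys[principal] = string_to_key(password, principal)

    def validate(self, auth: dict, server_now: datetime) -> str:
        principal = auth.get("principal")
        key = self.keys.get(principal)
        if key is None:
            return "unknown-principal"
        # 1. Proof of the shared secret: the password itself never travelled.
        expected = _tag(key, principal, auth.get("ctime"))
        if not hmac.compare_digest(expected, str(auth.get("tag", ""))):
            return "bad-key"
        ctime = datetime.fromisoformat(auth["ctime"])
        # 2. Skew check against the server's clock.
        if abs(server_now - ctime) > MAX_SKEW:
            return "skew"
        # 3. Replay check: earlier than or equal to a previous authenticator.
        previous = self.last_seen.get(principal)
        if previous is not None and ctime <= previous:
            return "replay"
        self.last_seen[principal] = ctime
        return "ok"


def demo() -> dict:
    kdc = Kdc()
    kdc.add_account("caroline", "constructed-Passw0rd")  # constructed sample account
    t0 = datetime(2012, 2, 1, 13, 0, tzinfo=timezone.utc)  # constructed timestamp
    client_key = string_to_key("constructed-Passw0rd", "caroline")
    first = make_authenticator(client_key, "caroline", t0)
    results = {
        "first": kdc.validate(first, t0 + timedelta(seconds=2)),
        # The same captured packet presented again inside the window.
        "replayed": kdc.validate(first, t0 + timedelta(seconds=30)),
        # The same packet presented after the five-minute window has closed.
        "late_replay": kdc.validate(first, t0 + timedelta(minutes=6)),
    }
    guess_key = string_to_key("wrong-guess", "caroline")
    wrong = make_authenticator(guess_key, "caroline", t0 + timedelta(seconds=40))
    results["wrong_password"] = kdc.validate(wrong, t0 + timedelta(seconds=41))
    # A genuine client whose clock runs an hour ahead of the server.
    fast = make_authenticator(client_key, "caroline", t0 + timedelta(hours=1))
    results["clock_ahead"] = kdc.validate(fast, t0 + timedelta(minutes=1))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15} {verdict}")
```

The `clock_ahead` case is the one that shows up in practice as an authentication failure on a correctly configured account: the key is right, but the timestamp falls outside the window.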


While it is technically possible to steal the packet and present it to the server before the valid packet gets there, it is very difficult to do.

It's fairly well known that all computers in a Windows domain must have system times within five minutes of each other. This is due to the Kerberos requirement.

Pre-Authentication

In previous versions of Kerberos (v4 and older), a password was not required for authentication. A simple valid user name would authenticate the user. In Kerberos v5, a password is required. This is called Pre-Authentication. It's possible to disable Pre-Authentication in order to provide backward compatibility for old Kerberos v4 libraries and Unix apps and so on.

Warning: Disabling Pre-Authentication is a serious degradation of security.

One of the components of the Authenticator is the ticket lifetime, also configurable in Group Policy. This permits the user to access server resources without re-authenticating for 10 hours by default, and is renewable without intervention by the user.

Time Services

As noted, the Windows Time Service is critical to proper functioning of the Kerberos security model. To keep system clocks on all computers in the domain within five minutes, Windows has used the Network Time Protocol (NTP) since Windows Server 2003, rather than the old Simple Network Time Protocol (SNTP) used previously. NTP uses a "reference clock" on each computer. The reference clock is set at UTC (think GMT) time and doesn't change from computer to computer, no matter what time zone the computer is in. This is often confusing to administrators, as it seems that a computer in Belgium would not be within the five-minute time skew of a computer in Atlanta, five time zones away.

It's important to separate the computer's reference clock from what you see in the Date and Time display in the notification area of the taskbar. The Date and Time display is just a convenient way for users to see what the local time is and has nothing to do with time synchronization for time services. Note that changing the time in the Date and Time display in fact does change the time of the reference clock by the delta that you choose.

For instance, as shown in Figure 3, if the UTC time is 13:00, and I'm in Atlanta (GMT -5), then the Date and Time display shows the time as 08:00. If I change the Date and Time display to 09:00, (Figure 4) then the reference clock is set ahead 1 hour to 14:00 when the UTC on all other machines is 13:00. This causes the time skew. That's why you can fix two computers that have a large time skew by changing the time with the Date and Time feature.

[Figure 3 diagram: UTC/GMT 13:00. Atlanta: UTC 13:00, TZ GMT -5:00, Local 8:00. Seattle: UTC 13:00, TZ GMT -8:00, Local 5:00. Brussels: UTC 13:00, TZ GMT -8:00, Local 5:00. Labels: "Change Time Zone to PST"; "No Change in UTC Time".]

Figure 3. UTC time is 13:00, but Date and Time shows the local time in Atlanta.

[Figure 4 diagram: UTC/GMT 13:00. Atlanta: UTC 14:00, TZ GMT -5:00, Local 9:00. Seattle: UTC 13:00, TZ GMT -8:00, Local 5:00. Brussels: UTC 13:00, TZ GMT +1:00, Local 14:00. Labels: "Change Time from 8:00 to 9:00"; "Out of Time Skew!!".]

Figure 4. Changing the reference clock on one machine can cause time skew.

Warning: Before changing the time, make sure you are indeed one hour out of sync with the actual time or it will cause authentication failures. You can change the time for certain troubleshooting techniques, but be careful that everything is correct when you finish.

Note that you can change the time zone and it will not affect the reference clock time. In my example, if I change my time zone to the U.S. Pacific Time zone, the display will show the time as 05:00, but the reference clock will remain unchanged.

This is demonstrated by a situation I found in our lab some time ago. I had a DC in Brussels that had been installed with the incorrect time zone. Rather than showing the Belgium time zone (UTC + 1:00), it showed Pacific Time (U.S. and Canada). It had actually been like this for a couple of years before we noticed it. The local admin had not noticed the displayed time was off from the actual local time. Yet there were no replication failures, no W32Time errors, and no authentication failures. So we changed the time zone and the display changed, but there was no effect on the reference clock. If the local admin had noticed that the displayed time was nine hours slow and changed the time rather than the time zone, then that DC would have a nine-hour time skew and authentication failures would have resulted.

In an Active Directory domain, time services are pre-configured out of the box. Figure 5 shows the hierarchical time service structure. The PDC of the forest root domain is the authoritative time server for the forest and the root domain. The PDCs of each child domain will use the forest root domain PDC as their authoritative time source. DCs in each domain use the PDC as their time source and clients use their authenticating DC as their time source. Note that while configuring an external time source to sync with the root PDC is a good idea, it's not required.

[Figure 5 diagram labels: External NTP Time Source; Windows PDC Emulator; DC; "Can sync with any DC in own domain"; "Sync with PDC Emulator in parent domain"; PDC Emulator; PDC Emulator; Server; DC; DC; Workstation.]

Figure 5. The hierarchical time service structure.

Troubleshooting Tip: External time servers can harm the domain and forest if they experience errors. In one case, I saw an external time server back the time on the PDC to a year previous, logging event 52 in the system event log and causing widespread authentication failure. To prevent this, see Microsoft KB 884776 for a registry value to prevent time changes in larger than pre-defined increments. In this case, I set it at 15 minutes.

Troubleshooting Time Issues

Windows 2000, 2003 and 2008 all contain a utility called W32tm.exe, a utility for diagnosing and fixing time-sync issues. However the Windows 2000 version has different options, which will not be described here. Time sync errors will be manifested in a number of ways:

• System event log: look for W32time errors. These will be fairly descriptive, so read them. Note that over an unreliable network connection you might see events stating that the time server couldn't be found. Just keep reading to see if it eventually found one.
• For DCs, Repadmin /Showrepl or Repadmin /replsum /bysrc /bydest /sort:delta will show time-sync errors.

Users logging in or accessing network resources will get authentication failures. Logins will sometimes display an error saying the time is out of sync with the DC.

There are several key options in the W32tm.exe utility to resolve time errors:

1. W32tm /resync. This forces a clock resync on the local computer. I always try this one first if there are events stating that the sync to the server is lost.
2. W32tm /config /syncFromFlags:DomHier. This forces the DCs to get time in the normal domain hierarchy scheme—such as resetting them all to a default configuration.
3. W32tm /monitor /domain:WTEC. This lists the time skew for each DC, in the "WTEC" domain, with the PDC being the reference.
4. W32tm /stripchart. This allows comparison of any two computers (as opposed to /monitor, which only does DCs).

The W32tm /monitor command is very handy to see if all DCs are within acceptable time skews of the PDC. To correct the time sync, you could go directly to the DC and set the time, or try the /syncFromFlags option of W32tm.exe. In addition, NTP has some self-healing power. It will look at the time difference, divide it by two and reset it. Over time NTP can correct some small time skews.

Note that if the W32time service is disabled, logins will fail. Make sure the time service is set to Start and Automatic.

A good understanding of Kerberos and the Windows Time Service is critical to be able to diagnose authentication issues. While this article did not have the space to do an exhaustive description, it did provide the basics. For further study there are some excellent references that I recommend in "Get More Info."

GetMoreOnline

Kerberos Protocol Tutorial: kerberos.org/software/tutorial.html
Basic Overview of Kerberos User Authentication Protocol in Windows 2000: support.microsoft.com/kb/217098
Basic Concepts for the Kerberos Protocol: technet.microsoft.com/library/cc961976

Gary L. Olsen is a systems software engineer in the Hewlett-Packard Co. Worldwide Technical Expert Center for HP Services in Atlanta, Ga. He's worked in the IT industry since 1981 and is a Microsoft MVP for Directory Services and president of the Atlanta Active Directory Users Group.
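The difference between changing the time zone and changing the time, as described under Time Services (Figures 3 and 4 and the Brussels DC), can be reproduced with a small model. This is an added example, not code from the article: the `Host` class, the separate "PDC" reference host and the calendar date are constructed for illustration, and fixed UTC offsets are used in place of named time zones.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # Kerberos default in Windows, per the article


class Host:
    """A computer with a UTC reference clock and a separate display time zone."""

    def __init__(self, name: str, utc_offset_hours: int, reference_utc: datetime):
        self.name = name
        self.tz = timezone(timedelta(hours=utc_offset_hours))
        self.reference = reference_utc  # the reference clock is always kept in UTC

    def displayed(self) -> datetime:
        """What the Date and Time display shows: reference clock plus zone offset."""
        return self.reference.astimezone(self.tz)

    def change_time_zone(self, utc_offset_hours: int) -> None:
        """Changing the zone alters only the display, never the reference clock."""
        self.tz = timezone(timedelta(hours=utc_offset_hours))

    def change_displayed_time(self, hour: int, minute: int = 0) -> None:
        """Typing a new time into the display moves the reference clock by the same delta."""
        shown = self.displayed()
        wanted = shown.replace(hour=hour, minute=minute, second=0, microsecond=0)
        self.reference += wanted - shown


def out_of_skew(hosts, reference_host):
    """Names of hosts whose reference clock is more than MAX_SKEW from the reference host."""
    return sorted(
        h.name for h in hosts if abs(h.reference - reference_host.reference) > MAX_SKEW
    )


def scenario() -> dict:
    utc_now = datetime(2012, 2, 1, 13, 0, tzinfo=timezone.utc)  # 13:00 UTC as in Figure 3
    pdc = Host("PDC", 0, utc_now)            # assumed reference, as W32tm /monitor uses the PDC
    atlanta = Host("Atlanta", -5, utc_now)
    seattle = Host("Seattle", -8, utc_now)
    brussels = Host("Brussels", -8, utc_now)  # DC installed with the Pacific zone by mistake
    hosts = [atlanta, seattle, brussels]
    out = {}

    # The Brussels DC shows the wrong local time, yet nothing is skewed.
    out["brussels_display_wrong_zone"] = brussels.displayed().strftime("%H:%M")
    brussels.change_time_zone(+1)             # the correct fix: change the zone
    out["brussels_display_fixed_zone"] = brussels.displayed().strftime("%H:%M")
    out["skewed_after_zone_change"] = out_of_skew(hosts, pdc)

    # Figure 4: the Atlanta display is changed from 08:00 to 09:00.
    atlanta.change_displayed_time(9)
    out["atlanta_reference_after_time_change"] = atlanta.reference.strftime("%H:%M")
    out["skewed_after_time_change"] = out_of_skew(hosts, pdc)

    # What the article warns about: "fixing" the Brussels display by changing the time.
    wrong_fix = Host("Brussels-time-changed", -8, utc_now)
    wrong_fix.change_displayed_time(14)       # display 05:00 -> 14:00 in the wrong zone
    out["hours_of_skew_if_time_changed_instead"] = (
        (wrong_fix.reference - utc_now) / timedelta(hours=1)
    )
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```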

DecisionMaker by Don Jones

PowerShell Skills in the Workplace

I recently conducted a survey on Windows PowerShell skills in the workplace. My goal was to find out which specific PowerShell skills would be expected of different job titles within IT, and how much emphasis is placed on PowerShell in terms of formal job task assignment. I was delighted to have almost 600 responses. (Follow me on Twitter at twitter.com/concentrateddon if you want to take part in these things.)

One thing I found compelling: 40 percent of respondents said that PowerShell skills matter when they’re looking to hire new headcount for mid- and top-tier IT professional positions, and 20 percent said they look at PowerShell skills for top-level positions. Another 20 percent said all of their IT pros needed to have PowerShell skills—that’s 80 percent of the participants who said that PowerShell matters to some, if not all, job positions in their organizations.

More disturbingly, 80 percent said that “scripter” is not a specific job title within their organization, and none of them is considering making that a formal job title. That doesn’t actually square well with the stated desire to have PowerShell skills in the workplace. For example, if your organization sees value in using PowerShell—or any tool, for that matter—to automate job tasks, then you should consider making “automater” or “scripter” a formal position. Further, we have to recognize that not every employee will be suitable for that task, making it more likely that a formal “scripter” position would make sense in a cross-discipline position that focuses on automating things.

I found it even odder that 70 percent of organizations don’t include PowerShell or automation to be a formal job task that’s listed in employees’ job descriptions or included on employees’ formal performance reviews, although 20 percent of participants are considering doing so. Seriously? Only 10 percent of folks think they should ask for what they want?

The point is this: Most organizations—90 percent, according to the survey—feel that there’s value in spending time to automate repetitive tasks; 92 percent felt that automation can, if done properly, repay its investment quickly in saved time. All of the participants said they wished there was more focus on, and time made, for automation in their environments. So why isn’t it on anyone’s reviews?

As a decision maker, it’s your job to communicate your priorities to your team. You need to let them know what’s important to you, and incent them to perform at a level you feel the business needs them to. That’s what performance reviews and job descriptions are all about. So why is automation missing?

If you’ve invested in training someone in a particular technology, you should be making the use of that technology—and the return on your training investment—a formal part of that person’s job. That means stating it in some kind of measurable sense: Per year, you will save at least x hours by automating tasks that were previously done manually.

Ever get frustrated when Congress passes some law, like debit-card reform, on the grounds that it’ll save consumers all kinds of money, and then the promised savings never happen? That’s because Congress never writes the desired end effect into the law. We do the same things when we invest in employees and don’t make the return on that investment a part of our formal, written expectations of them via their job descriptions and performance reviews.

Decision makers, your employees want to do a good job. Most IT people are go-getters who want to solve problems. You just need to let them know what you want, and then budget the time for them to shine. If you think automation should be a part of your environment, make it a formal part of your environment. Make it clear that team members who acquire automation skills and act on those skills will be recognized. Automation should be something that your mid- and top-tier IT professionals should be expected to deliver.

Don Jones is a principal technologist for strategic consulting firm Concentrated Technology LLC. You can contact him via ConcentratedTech.com.


WindowsInsider by Greg Shields
System Center: Get Mature

Dig deep into the inner psyche of any IT consultant and you’ll find a bit of a voyeur. Not the bad kind, mind you. Curiosity is what makes the difference between the good IT consultants and the indifferent ones.

Spend enough time inside other people’s datacenters and you’ll find you hear the same complaints voiced everywhere. Spend more time, and you’ll begin seeing patterns emerge between where the clients are maturity-wise and what they’re complaining about. The difference is maturity.

That measurement of maturity is so useful a yardstick that the smart people at Gartner built an entire model to describe it. Called the “Gartner IT Infrastructure and Operations Security Model,” this tool is the good consultant’s Rosetta stone for quickly identifying the problems clients are experiencing and exactly what issues they’re complaining about. Microsoft even has a blog post that includes a handy cheat sheet: bit.ly/i2b2l0.

Armed with the model, a consultant can walk into virtually any client’s office and immediately know what the client is thinking, which projects it’s considering and which ones have been successful (or unsuccessful).

I use Gartner’s model all the time when I’m asked to consult on Microsoft System Center technologies, specifically Operations Manager (SCOM) and Configuration Manager (SCCM). IT is unique among all industries in that its highest goal is to automate itself out of existence. The best-run IT shops are those with the most automation in place, combined with the smoothest processes that facilitate their use.

And yet out of all the technologies I’ve consulted on in my long career, System Center is unique. SCOM and SCCM are both notorious in that clients get excited about the products, call in the consultants, get hyped about the applications and quickly forget about them once the daily toil returns.

Two forces seem to drive this scenario. First, completing an initial configuration for software such as SCOM and SCCM nets an environment little more than an empty framework. The installation is but the very first step. It’s the ongoing use of that framework where these tools create their value.

Too often, in the excitement of bringing in new technology, IT professionals fail to realize that these tools actually require hard work. They’re an investment in future gains. The day the consultants leave, it becomes your job to continue populating them with useful automations. That motivation takes effort.

Those who are successful are the shops that dedicate specific people to System Center administration—and only System Center administration. The successful ones also mandate culturally that they now dedicate themselves to automation.

The second driving force goes back to Gartner’s maturity model. Encompassing six discrete phases, Gartner’s model defines an IT environment as existing somewhere between survival (at least) and mature and partnered with the business (at most). An IT shop that’s not yet mature enough isn’t likely to succeed with System Center. At fault isn’t necessarily the IT staff, but the culture.

As that IT shop evolves its culture through Gartner’s awareness and committed, proactive, and service-aligned phases, it becomes more capable of recognizing System Center’s true value. In fact, the automation functionality System Center provides eventually becomes a necessity for that shop to keep maturing.

Not to fear, though, if you see your IT shop as immature in Gartner’s eyes. There’s a third observation I’ve come to embrace that presents a path to maturity. That observation is that the mere presence of System Center itself sometimes becomes a driver toward greater maturity. Call it maturity by software osmosis. In a few of those IT shops calling back the consultants for a re-re-reinstall, every misstep along the way nudges IT pros ever closer toward real automation’s—and real maturity’s—tipping point.

It might take an install or two to get there, but voyeuristically watching that evolution is what makes consulting so worthwhile.

Greg Shields is a partner and principal technologist with Concentrated Technology LLC, an IT analysis and strategic consulting firm. You can contact him at ConcentratedTech.com.


FoleyOnMicrosoft by Mary Jo Foley

Can Microsoft Save Windows Azure?

Microsoft is slowly but surely working to make its Windows Azure cloud platform more palatable to the masses—though without the benefit of roadmap leaks, it would be hard for most customers to know this.

When Microsoft began cobbling together its Windows Azure cloud plans back in 2007, there was a grand architectural plan. In a nutshell, Microsoft wanted to recreate Windows so that Redmond could run users’ applications and store their data across multiple Windows Server machines located in Microsoft’s (plus a few partners’) own datacenters. In the last five years, Microsoft has honed that vision but has never really deviated too far from its original roadmap.

For Platform as a service (PaaS) purists—and Microsoft-centric shops—Windows Azure looked like a distributed-systems engineer’s dream come true. For those unwilling or unable to rewrite existing apps or develop new ones that were locked into the Microsoft System Center- and .NET-centric worlds, it was far less appealing.

How many external, paying customers are on Windows Azure? Microsoft officials won’t say—and that’s typically a sign that there aren’t many. My contacts tell me that even some of the big Azure wins that Microsoft trumpeted ended up trying Windows Azure for one project and then quietly slinking away from the platform. However, Windows Azure is no Windows Vista. Nor is it about to go the way of the Kin. But without some pretty substantial changes, it’s not on track to grow the way Microsoft needs it to.

This fact hasn’t been lost on the Microsoft management. Starting last year, Microsoft began making a few customer- and partner-requested tweaks to Windows Azure around pricing. Then the ’Softies started getting a bit more serious about providing support for non-Microsoft development tools and frameworks for Windows Azure. Developer champion and .NET Corporate Vice President traded his red shirt for an Azure-blue one (figuratively—still not yet literally) and moved to work on the Windows Azure application platform.

Starting around March this year, Microsoft is slated to make some very noticeable changes to Windows Azure. That’s when the company will begin testing with customers its persistent virtual machine that will allow users to run Windows Server, Linux(!), SharePoint and SQL Server on Windows Azure—functionality for which many customers have been clamoring. This means that Microsoft will be, effectively, following in rival Amazon’s footsteps and adding more Infrastructure as a Service components to a platform that Microsoft has been touting as pure PaaS.

The first quarterly update to Windows Azure this year—if Microsoft doesn’t deviate from its late 2011 roadmap—will include a number of other goodies, as well, such as the realization of some of its private-public cloud migration and integration promises. If you liked Microsoft’s increased support for PHP, Java, Eclipse, Node.js, MongoDB and Hadoop from last year, take heart that the Windows Azure team isn’t done improving its support for non-Microsoft technologies. Also on the Q1 2012 deliverables list is support for more easily developing Windows Azure apps not just on Windows, but also on Macs and Linux systems.

Microsoft’s new focus with Windows Azure is to allow users to start where they are rather than making them start over. That may sound like rhetoric, but it’s actually a huge change, both positioning- and support-wise for Microsoft’s public cloud platform. Not everyone—inside or outside the company—agrees that this is a positive. Hosting existing apps in the cloud isn’t the same as re-architecting them so they take advantage of the cloud. It will be interesting to see whether users who are tempted by the “new” Windows Azure are happy with the functionality for which they’ve been clamoring.

Mary Jo Foley is editor of the ZDNet “All About Microsoft” blog and has been covering Microsoft for more than two decades. She is author of the book “Microsoft 2.0” (John Wiley & Sons, May 2008), which examines what’s next for Microsoft in the post-Gates era.
