REDMONDMAG.COM
FEBRUARY 2007
$5.95

Web 2.0 Players Take the Battle to Microsoft
Viva Vista?
Are Vista’s Gains Worth the Pain?
Vista 3-D Apps Are Coming (Slowly)
Readers: Vista Not Worth It—Yet
Ethical Hackers: A Fact of IT Life
Google Ratchets Up Its Desktop Plans

ADVERTISEMENT

Workplace Trends in the 21st Century

Today, organizations rely heavily on computing technologies to manage their business workload. But with the rising cost of business, the increasing globalization of all business processes and the continuing need to remain competitive, businesses of all sizes have begun to change the way they work. One of the most significant of these changes is the move to telework—the ability to work from remote locations that are not necessarily under corporate control. In a report released in 2005, the International Telework Advisory Council (ITAC) found that out of 135.4 million American workers, more than 33 percent were working from home. Of these, ITAC estimated that about 26.1 million do it at least one day per month and some 22.2 million at least once a week. Today, teleworking is continuing on an upward trend with more and more organizations supporting it.

The Power and Limitations of Active Directory

Another major trend is the use of Microsoft Active Directory (AD) and its corresponding Group Policy Objects (GPOs) to manage connected endpoints. With its extensive settings and controls, Group Policy provides an extremely powerful engine for the management of every aspect of a system’s configuration from compliance to security baselines.

Group Policy is not the be all and end all of object management in Windows. That’s because GPOs are only effective with connected systems or systems that are part of a specific network and are members of a specific Active Directory structure. Disconnected systems usually fall out of the scope of AD management. Disconnected systems range far and wide (see Figure 1) and can include:

• Systems that are part of a connected network, but are subject to GPO mismatches.
• Systems that belong to road warriors or employees that spend long periods out of the office.
• Branch offices or offices that are connected to the directory through slow links.
• Guest logins or logins to the internal network from systems that are not members of the AD structure.
• Offshore outsourcing teams that have their own network but must connect to yours for extended periods of time.
• Teleworkers, who may include users working from home on either corporate or personal equipment or employees working from public computer systems.

Each of these situations can lead to systems that are non-compliant because they do not have appropriate corporate settings.

The Arrival of Windows Vista

Group Policy remains very powerful and, with the coming of Windows Vista, will boast more than 800 new settings, bringing the total number of settings to 2,450. What’s more, Vista will also change the way Group Policy is processed, using a new, independent processing engine that is now separate from the login system. This should help alleviate some of the problems previous editions of Windows had with Group Policy.

Organizations won’t move to Vista overnight, but one thing that all public sources tend to agree on is the manner in which organizations will migrate. There are two: forklift or attrition. The first involves a massive project that migrates all systems at once. The second relies on regular hardware refreshes to migrate systems as new hardware is introduced into the network. Hardware refreshes are usually performed on a three- or four-year cycle. This means that organizations choosing this method will need to manage mixed client environments for at least two to three years.

This can be significant, especially in light of the changes Microsoft has introduced to Group Policy in Windows Vista. Prior to Windows Vista, all GPO definition templates used an ADM file format—pure text files that were organized in a structured manner. With Vista, Microsoft is introducing the ADMX format—a format based on the Extensible Markup Language (XML) which provides much richer content for GPO templates. ADMX templates are now language-independent, globalizing Group Policy settings.

The ADMX format is incompatible with the ADM format, meaning that environments managing a mix of Windows 2000 and/or XP with Vista will need to either translate their existing templates to ADMX format or create new ones. They will also need to carefully manage mixed GPO content to make sure they do not cause more problems than they solve.

Solving Disconnected Management Problems

Whether you’re working with Vista or not, you need to make sure your systems and the systems that connect to your network are compliant at all times. There are several potential solutions to the issues disconnected systems present when it comes to compliance control.

• First, you should try to leverage the investments you make in Group Policy.
Group Policy is very powerful, but designing a complete compliance strategy based on GPOs can be challenging and time-consuming, especially if you do it from the ground up. One of the best ways to do this is to document each GPO. But, as you may know, tools such as the GP Editor in Windows or the Group Policy Management Console (GPMC) do not offer the ability to document the content of a GPO, though the GPMC at least will report on the settings it includes. Most organizations have opted for the use of other tools—for example, Microsoft Excel spreadsheets—to document the purpose and content of each GPO they produce.

• Second, you can rely on local Group Policy to control disconnected clients.
Local GPOs give you a lot more control over computers that may or may not be connected to an AD structure. And while previous versions of Windows only included a single local Group Policy, Windows Vista has the ability to include more than one local GPO on each computer system. It applies these local GPOs in layers. As in previous versions of Windows, the first layer applies to the computer system. The second applies to a local group, either the Administrators or a Users group. The third can apply a local policy to specific local user accounts.

• Third, you can rely on third-party solutions to manage policies at all times.
The best solution is to fully rely on your AD and Group Policy investments but leverage them on all possible computer systems that interact with your network. For this, you’ll need third-party solutions—solutions that can extend the power of Group Policy to support all of the disconnected scenarios. One excellent example of this type of solution is the endpoint policy management products from FullArmor Corporation. These tools let you extend your existing policies and consistently apply them to both connected and disconnected endpoints. In addition, they provide support for the management of mixed Vista and non-Vista environments by supporting bidirectional ADM to ADMX conversions.

Part two of this series will address how these solutions can help your organization maintain a fully compliant state in any connected or disconnected situation. If you’re interested in solving the disconnected management challenge, then don’t miss this second part.

Figure 1. Potential Disconnected Systems

Resources:

ITAC Survey: www.workingfromanywhere.org/news/pr100405.htm.

Best practices information on how to design an Active Directory for object management: www.reso-net.com/Documents/007222343X_ch03.pdf.

How to minimize the number of GPOs in your network while providing complete management services: Download “Redesigning GPO Structure for Improved Manageability” at www.reso-net.com/download.asp?Fichier=P73.

Microsoft licensed an ADM to ADMX conversion tool from FullArmor Corporation: This free utility is available at www.fullarmor.com/ADMX-download-options.htm.

Information on endpoint policy management products: www.fullarmor.com.

ABOUT THE AUTHORS

Danielle Ruest and Nelson Ruest are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books and are currently working on the Definitive Guide to Vista Migration (www.realtime-nexus.com/dgvm.htm) for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

For a more in-depth overview of the new workplace trends, read the white paper at http://redmondmag.com/techlibrary/fullarmor

1.800.653.1783

Uncontrolled use of USB sticks, MP3 players and PDAs opens up your network to data theft and viruses

Control user access to all devices connected to your network with GFI EndPointSecurity

You have invested in network anti-virus software, firewalls, email and web content security to protect against external threats. Yet any user can come into the office, plug in a USB stick and take in/out over 32 GB of data. Users can take confidential data or they can unknowingly introduce viruses, trojans, illegal software and more, actions that can affect your network and company severely. Yet, as an administrator you had no way to control this until now! GFI EndPointSecurity allows administrators to centrally manage user access to devices such as iPods, USB sticks, PDAs, laptops and more.