Password resets are more or less the bane of the help desk agent's existence. Carrying that through logically, they also represent a significant expense for the organization, which pays for the lost productivity of the employees and for the time and effort the help desk agent spends resolving the issue. So, many organizations seek single sign-on (SSO) solutions to minimize the number of usernames and passwords that users have to keep track of and, hopefully, reduce the number of help desk calls.

This article that I wrote for the Midmarket Security Strategies and Tactics site at TechTarget examines a couple of ways to achieve SSO using protocols and technologies already built in to Windows. On the network server side, you can use Kerberos to achieve SSO, while users can make use of the Credential Manager feature in Windows XP and Windows Vista (and Windows 7) to store passwords and create their own SSO. Read "How to use Kerberos and Credential Manager for Windows single sign-on" to learn more.

Follow me on Twitter

Windows 7 marches on and is projected to be on retail shelves this October. Microsoft is providing free upgrades from Windows Vista to Windows 7 for consumers and businesses who purchase computer systems right now (albeit with some limitations). Microsoft has put together some animated video presentations to illustrate some of the new features and functions of Windows 7. You can view the Windows 7 videos on the Tour Windows 7 site.


This article that I wrote for the Midmarket Security Strategies and Tactics site at TechTarget focuses on the file access control possibilities of Windows Rights Management Services. Traditional NTFS file and folder permissions are effective for preventing unauthorized users from accessing data, but provide no control over what authorized users can do with the data once they access it. With Windows Server 2003 and Windows Server 2008 you can enable Windows Rights Management Services (RMS) to exercise control after files have been accessed and downloaded, and even revoke access if necessary. You can learn more about Windows RMS and how you can use it to control and protect your data by reading "Microsoft Windows RMS Enables Granular Access Control Over Sensitive Data".


I recently wrote an article for TechTarget's SearchMidmarketSecurity site. The new Midmarket Security Strategies and Tactics site focuses on practical knowledge and advice for SMB organizations. The article covers the basics of BitLocker: the scope of what it can protect and how it works. It also explains how BitLocker works with TPM (Trusted Platform Module) chips to provide even better protection of data, and how to work with BitLocker keys to ensure that you don't lock yourself out of your own data. Check out the article here: "Understand the Basics of Microsoft BitLocker Encryption".


Recent surveys suggest that businesses are ready to embrace and deploy Windows 7 en masse as soon as Redmond makes it available. Traditionally, businesses are slow to adopt new operating systems. It's like waiting for the second model year of a new automobile make. You want some other sucker to take care of the extended Beta testing affectionately known as the initial release.

That philosophy has led many organizations to hang on to Windows XP and forego Windows Vista entirely. Some organizations simply waited for Windows Vista Service Pack 1 (SP1), but by that time Vista had gotten a lot of negative press and developed somewhat of a bad reputation. One can debate whether the press was factual or whether the reputation was deserved, but the bottom line is that many enterprises simply decided that Windows XP was comfortable and that Windows Vista wasn't worth the risk.

Windows 7 on the other hand has been getting rave reviews since the Beta version has been available. Computer experts from all fields all the way down to consumers love the new operating system. Features such as DirectAccess and BranchCache also provide solid business justifications for upgrading and have the potential for changing the way enterprises work with their growing remote sites and roaming work force.


Do you live in Washington state? Are you one of the millions of Americans currently unemployed and desperately seeking a new career? Finding a new career is never easy, but given the state of the economy and the fact that it seems like for every new job opening there are three new layoffs, it is even more important to have skills that employers need and to set yourself apart from the crowd.

Microsoft feels your pain and they want to do their part to help out. Microsoft announced that they will be giving away 30,000 vouchers over the next 90 days to unemployed individuals in Washington to help them learn new skills. The vouchers will entitle people to receive free training in computer skills and even to take Microsoft certification exams for free or at a discount. The training classes may be taken online or in person.

This is just the beginning of the program which Microsoft announced earlier this year at the National Governors Conference. The plan is to continue the program and expand it to other states. So, if you don't live in Washington just keep an eye out for the program to come to your neighborhood (a.k.a. state).


Many organizations have branch and remote offices. They might be across town, across the country, or around the world. A common problem facing organizations like this is having all of the various sites share information and work with data. Each site can't maintain their own files, spreadsheets, databases or other files. That would be too cumbersome to correlate and try to ensure that everyone is on the same page. The solution for that is to house the data in a centralized data repository at the headquarters location or a common data center.

That solution comes with its own issues though. Opening and working with large files over a remote network connection can be painstakingly slow. One or two users accessing data over the network from the central repository can also tie up a significant chunk of bandwidth, making the network slow and unresponsive for others as well.

Windows 7 has a solution to help remote and branch offices work with data more efficiently while reducing the impact on network bandwidth- BranchCache. Essentially, BranchCache acts as a proxy, storing (or 'caching') data that is accessed so that subsequent queries for the same data can be served up locally rather than being sent across the network each time. I am not really doing the feature justice though. If you really want to learn about BranchCache and understand how it can help your organization or your customers, check out the Windows 7 Feature Walkthrough for a short video overview of BranchCache.


Windows 7 will be here before you know it. So far, Windows 7 is getting much attention and rave reviews in its Beta version. The improvements from Windows Vista to Windows 7 are exciting and the new features like DirectAccess and JumpLists have many enterprises and users chomping at the bit.

Well, you don't need to sit by idly waiting. In fact, I recommend that you don't. Even if the operating system was available tomorrow there is a lot of planning and preparation that has to be done before you can just deploy it on your network. Some of the features require Windows Server 2008, so if you are still using Windows Server 2003 you should start to look at migrating to Windows Server 2008 so you are ready to capitalize on the new Windows 7 features.

Another thing that you can do to prepare is to validate that the applications your business relies on will work in Windows 7. Microsoft has released ACT (Application Compatibility Toolkit) 5.5 which you can use to begin verifying your applications for Windows 7. Conducting this exercise now will give you months to work with vendors to update any applications that have issues, or allow you to find other workarounds, or replacement applications that will work with Windows 7. Check out this interview between Stephen Rose and Jeremy Chapman to learn more about the updates and changes in the Application Compatibility Toolkit.


Are you an IT Pro? Have you installed the Beta of Windows 7 and started to work with and begin to understand it so you can be prepared to support it in your organization or with your customers? If so, Microsoft is looking for your feedback. Click on the link below to go to the survey and provide your input to Microsoft regarding your Windows 7 experience and the kinds of support and resources they should create to help you do your job and to help you help your customers adopt and implement Windows 7. Act fast- the survey closes today at 12:00 pm Pacific (you have less than 2 hours)!

http://www.surveymonkey.com/s.aspx?sm=64S8L4lmw5NUeSdW7PhT4A_3d_3d 

 


At the CanSecWest Security Conference in Vancouver this week, Charlie Miller made headlines by exploiting a Safari vulnerability on a fully patched Mac OS X system with a fully patched Safari web browser in mere seconds to claim the Pwn2Own prize. Ryan Naraine interviewed Charlie Miller for a ZDNet article and asked him why he exploited Safari- why not exploit Internet Explorer or Firefox. His answer?

"It’s really simple. Safari on the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program.  Firefox on Mac is pretty easy too.  The underlying OS doesn’t have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it’s going to be.  There’s no randomization. I know when I jump there, the code is there and I can execute it there.  On Windows, the code might show up but I don’t know where it is.  Even if I get to the code, it’s not executable.  Those are two hurdles that Macs don’t have."

This is a commentary on Windows more than Internet Explorer. As Miller pointed out, "it's more about the operating system than the program". This is a testament to the security controls in place in Windows Vista and Windows 7. The combination of least privilege access enforced by UAC with DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), and Protected Mode IE provides additional layers of protection which make it harder to exploit vulnerable software. It was the ASLR in particular that Miller pointed out as the hoop that complicates exploits on Windows.

Miller even goes on to suggest that Firefox, and particularly Google's Chrome browser, might be even harder than Internet Explorer to exploit, but it's primarily due to the hoops an attacker would have to jump through to exploit a vulnerability in Windows. Seems like fairly high praise for Microsoft's efforts to build a more secure operating system, especially coming from the guy who just blew a fully patched Mac OS X with a fully patched Safari web browser out of the water in under a minute.


Forefront Client Security and other Forefront Server Security products, such as Forefront Security for Exchange Server and Forefront Security for Sharepoint, have been around for some time now. Microsoft's Forefront Security for Office Communications Server seems to have taken a painstakingly long time to get developed, make it through Beta testing, and finally now released to manufacturing (RTM). But, that day has finally arrived.

Check out this post for more details about the new Forefront offering: Forefront Security for OCS Finally Reaches RTM


I have been using Internet Explorer 8 (IE8) almost exclusively since the first Beta became available. Now, my primary OS is the Windows 7 Beta, so IE8 is built-in as my default browser. I have run into my share of page compatibility issues. The most notable for me- which has since been addressed by Microsoft, Google, or both- was that Google Maps just flat out did not work in native IE8 or in compatible mode. I guess that should have been a red flag clue that IE8 compatibility mode does not equal IE7. Obviously there are still things that are different between IE7 and IE8 compatibility mode or any site that worked in IE7 would work the same in compatibility mode.

Now that it is in Release Candidate (RC) mode, with an official release rumored to be on the imminent horizon, most of those types of issues have been resolved. However, there are still issues created by changes made by Microsoft in IE8. Web developers who have developed their sites to work in IE7, Firefox, Opera, Safari, or whatever else may very well have to modify the underlying code in order to make it work in IE8- even in compatibility mode.

To Microsoft's credit, the IE8 team posted a detailed breakdown comparing IE8 compatibility mode to IE7, and comparing IE8 standard mode to IE8 compatibility mode along with code descriptions of the issues and suggestions or recommendations for how to modify code to make it work or workarounds to make sites functional in IE8. Judging from the comments in response to the post, the reaction is quite mixed. Some praised Microsoft for the improvements they have made and for writing this post to help developers embrace the changes, while many attacked Microsoft for not simply playing by the same rules that seem to be working just fine for every other browser, as well as for taking so long to develop and release new versions.

They claim that because Microsoft has a dominant share of the Web Browser market that their lack of coordination with other browsers and lack of cutting edge development hinder the potential of the Web as a whole. I still prefer IE8 to Firefox or Chrome and will continue to use IE8, but some of the points seem to make sense. I am curious to know what other users, and especially what web developers, think of Internet Explorer in general, and IE8 specifically.


Windows 7 has a lot of exciting features both for consumers and enterprises. One of the most promising features for enterprises is DirectAccess. DirectAccess makes VPN connections obsolete and provides seamless connectivity between the internal enterprise network and remote clients roaming wherever they may be. As long as the remote computer has an Internet connection, it is able to access network resources as if it were connected directly to the enterprise network. Conversely, the IT admin can manage the remote computers over DirectAccess as long as there is an Internet connection, even if the user is not logged in. Unfortunately, Windows 7 is still in Beta, so it will be a while before it hits the streets in its officially released version.

For enterprises that are looking forward to DirectAccess though, there is no need to sit back and wait. Windows 7 is not the only piece of the puzzle. Implementing DirectAccess also requires Windows Server 2008 and some specific technologies and configuration that enterprises can proactively put in place in anticipation of the release of Windows 7. Check out 'Paving The Way for DirectAccess' to see what the DirectAccess requirements are and what you can do now to prepare your network to take advantage of DirectAccess when Windows 7 becomes available.


The next major Service Pack release for Windows Vista and Windows Server 2008 is one step closer to its official release. Service Pack 2 (SP2) has moved from Beta to RC (Release Candidate). You can download the SP2 RC from the Microsoft Springboard site.

SP2 will only work with Windows Vista SP1 or Windows Server 2008 SP1, so if you have either of these operating systems and have not yet installed SP1, you should download and install that first. If you're curious what changes you can expect with SP2, you can read Notable Changes in Windows Server 2008 SP2 RC and Windows Vista SP2 RC. Here are some highlights of the changes in SP2:

  • integrates the Windows Vista Feature Pack for Wireless, which contains support for Bluetooth v2.1 and Windows Connect Now (WCN) Wi-Fi Configuration. Bluetooth v2.1 is the most recent specification for Bluetooth wireless technology.
  • improves performance for Wi-Fi connections after resuming from sleep mode.
  • includes updates to the RSS feeds sidebar for improved performance and responsiveness.
  • includes ability to record data to Blu-Ray Disc media.
  • SP2 provides an improved power management (both on the server and the desktop), which includes the ability to manage these settings via Group Policy.
  • Provides better error handling and descriptive error messages where possible
If you have the prior version of Service Pack 2 installed (Beta build 16497), you will need to uninstall it before installing the newer RC build (16670) from the links on the Microsoft Springboard site.


    For businesses with remote users that rely on VPN connections to securely access data and resources on the corporate network, DirectAccess offers a very compelling business case for Windows 7. VPN connections can be complex and cumbersome for users. Conversely, the organization cannot effectively manage or maintain remote computers. DirectAccess provides a seamless connection between the internal network and the remote computer, no matter where it may be, as long as there is an Internet connection.

    Check out the Windows 7 and Windows Server 2008 R2 DirectAccess Executive Overview for a brief, high-level look at the benefits that DirectAccess provides.


    Combined with Windows Server 2008, Windows 7 will provide enterprises with unprecedented manageability and whole new methods for networking and administering clients. Microsoft has put together a white paper providing a detailed look at the new management features with Windows 7. Here is an excerpt from the white paper providing an overview of the information you can find in the white paper:

    Windows 7 introduces a number of manageability improvements that can reduce total cost of ownership by helping to increase automation, improve user productivity, and provide flexible administrative control to meet compliance requirements. This paper provides an overview of each of these improvements.

    IT professionals are often responsible for repetitive and time-consuming tasks. Windows 7's comprehensive scripting abilities enhance the productivity of IT professionals by automating those tasks, which reduces errors while improving administrative efficiency:

    • Microsoft Windows PowerShell 2.0 enables IT professionals to easily create and run scripts on a local PC or on remote PCs across the network. Complex tasks or repetitive management and troubleshooting tasks are automated.
    • Group Policy scripting enables IT professionals to manage Group Policy Objects (GPOs) and registry-based settings in an automated manner, thus improving the efficiency and accuracy of GPO management.

    In addition to its powerful scripting capabilities, Windows 7 includes several features that improve user productivity and reduce costs:

    • Built-in Windows Troubleshooting Packs enable end-users to solve many common problems on their own, and IT professionals can create custom Troubleshooting Packs, thus extending this capability to internal applications.
    • Improvements to the System Restore tool inform users of applications that might be affected when returning Windows to an earlier state.
    • The new Problem Steps Recorder enables users to record screenshots, click-by-click, that reproduce a problem so IT can troubleshoot solutions.
    • Improvements to the Resource Monitor and Reliability Monitor enable IT professionals to more quickly diagnose performance, compatibility, and resource limitation problems.

    For IT departments to address their ever-increasing security needs and meet compliance requirements, Windows 7 also supports the following features:

    • AppLocker enables IT professionals to more flexibly set policy on which applications and scripts users can run or install, providing a more secure and manageable desktop.
    • Auditing improvements enable IT professionals to use Group Policy to configure more comprehensive auditing of files and registry access.
    • Administrators can require users to encrypt removable storage devices with BitLocker To Go via Group Policy.
    • Group Policy Preferences define the default configuration, which users can change, and provide centralized management of mapped network drives, scheduled tasks, and other Windows components that are not Group Policy-aware.
    • DirectAccess seamlessly connects mobile computers to the internal network, allowing IT professionals to manage them if the user has an Internet connection.

    Altogether, the improvements introduced by Windows 7 can reduce the time IT professionals spend maintaining and troubleshooting, improve user productivity, and enable IT departments to better meet compliance requirements.

    Download the white paper to learn about all of these features in more detail. Feel free to comment here if you have thoughts or questions about the Windows 7 manageability features.


    Granted, Windows 7 will still be Windows 7. So, moving from Windows 7 Beta to Windows 7 RC will not fundamentally change your operating system. Still, the whole point of Beta testing is to identify problems and gather user feedback to incorporate changes into the final product. The Engineering Windows 7 blog posted a detailed look at 36 different changes we will see from Beta to RC once the Release Candidate becomes available.

    You can read the post on the Engineering Windows 7 blog to get the complete details. But, here is a short list of some of my favorite updates:

    • the ability to hold down the 'Shift' key when doing a drag/drop action to the Taskbar in order to invoke 'open with' rather than adding the file or program to the Taskbar or pinning it to the Jumplist of an existing application
    • restricting the number of items automatically added to application Jumplists to 10 to keep the lists from being too long to provide any value
    • changes made to the behavior of UAC to reflect some of the feedback and backlash about potential security risks introduced by the default UAC configuration in the Windows 7 Beta
    • improving performance and speed from Beta to RC (although I have been happy with the Beta performance and speed- but faster is always better)

    No word yet on when we might expect to see that RC, but at least we know when it is released it will have a number of compelling changes and updates.

    The Microsoft Springboard program is leading the way in evangelizing for the Windows 7 operating system and providing the types of resources and information that IT pros and end-users need to understand the new features and capabilities and get the most out of the new OS. Toward that end, they have developed a series of screencast 'walkthroughs' providing in-depth looks at various features and functions of Windows 7. Currently the series includes the following instructional videos:

    I am sure they will continue to expand the series to include more Windows 7 features, so check back on the Windows 7 Feature Walkthroughs site periodically.

    On February 28 Stephen Rose and Joey Snow will be presenting an event in Irvine, CA kicking off Windows 7 and providing a comprehensive look at the new features and functions. You can check out the details of the session (titled TechNet and MSDN Unleashed: Windows Vista to Windows 7) below to see the topics that will be covered in this 5 1/2 hour event.

    The live event is already maxed out, but the session will also be broadcast via LiveMeeting. You can register to attend the LiveMeeting event here: https://www.clicktoattend.com/invitation.aspx?code=135966

     

    Event Code: 135966

    2/28/2009

    8:00 AM - 1:30 PM PST

     


    SESSION TOPICS:

    Better Together: Windows Server 2008 R2 and Windows 7

    Overview of the Better Together story.

     

     

    Is Vista Still Relevant? Windows Vista - The Path to 7

    With Windows 7 on the horizon, is Vista still relevant? This presentation will cover why Vista is the best path to Windows 7 readiness as well as discuss the key underpinnings in the Windows 7 OS and product evolutions with Server 2008 R2, IPv6 and beyond. Focus will be around top 10 things IT Pros should know about Windows Vista and its evolution in Windows 7.


    Welcome to Windows 7


    This session will be an overview of the GUI and Feature improvements in Windows 7. This will include
      • Task Bar/System Tray Improvements
      • Aero Features
      • System Improvements
      • Control Panels and Features
      • Desktop Improvements
      • IE 8
      • Under The Hood

    Windows 7 Deep Dive

    Deep Dive will dig into Windows 7 and the new or redesigned under the hood features in the product.

    The topics covered will be:
      • Microsoft’s understanding of the needs of IT Pros when designing Windows 7
      • Hardware Readiness
      • Improved Applications
      • Application Compatibility
      • AIK
      • VHD Images and Imaging
      • DISM
      • Dynamic Driver Provisioning
      • Multicast Multiple Stream Transfer
      • Streamlined Installation and File Migration
      • USMT
      • DHCP Hint
      • Enterprise Application Compatibility
      • Windows Troubleshooting Platform

    Don’t get too excited. These updates won’t add any new features or functionality to Windows 7. You’ll have to wait for the Windows 7 Release Candidate (RC) for those kinds of changes. However, Windows 7 will be getting updates next week, February 24, but they will just be test updates. It is a drill more or less just to make sure that Windows 7 is communicating properly with Windows Update and able to download and apply the updates. It is important to note though that these will not be automatically applied. You will have to manually visit Windows Update and select the updates.

    If you are participating in the Windows 7 Beta, please read the information below and participate in this Windows 7 update drill when the updates become available next week.

     

    Background

    The updates will be clearly described  as a test update in Windows Update, and they will not install automatically.

    ---------------------------------------------------------------------------

    Rationale

    The updates will be offered interactively. This means that users will be notified of available updates, but they won’t install automatically. Users will need to go to the Windows Update control panel, select the updates, and manually start installation.

     

    These updates will simply replace system files with the same version of the file currently on the system, and will not deliver new features or fixes.

    ---------------------------------------------------------------------------

    Effective dates

    Tuesday, February 24, 2009

    ---------------------------------------------------------------------------

    Location

    Worldwide beta testers – all audiences

    ---------------------------------------------------------------------------

    Who is affected

    All Windows 7 Beta (build 7000) users

    ---------------------------------------------------------------------------

    Actions Requested

    Respond to beta tester inquiries as appropriate in Forums and Newsgroups.

    Provide context for updates, this is for test purposes only.  Inform and educate Windows 7 beta testers who are running build 7000.

     
