Redmond, March 2006 (pdf.1105media.com/RedmondMag/2006/RED_603DG.pdf)

MARCH 2006 • $5.95 • WWW.REDMONDMAG.COM

The 800-Pound Gorilla: Can Microsoft Be Knocked Off Its Perch? 28

Spyware: Readers Strike Back! 39

New Column: Mr. Roboto: Automation for the Harried Administrator 50

Your Worst IT Nightmare 45


REDMOND REPORT

9 Vista Security: Worth Paying For?
Why the next version of Windows may not be as secure as you think.

10 Next Chapter Opens for Open Formats
Massachusetts reaffirms its open format vision with new CIO.

12 Windows Vulnerabilities for Sale
Hackers sold the WMF zero-day exploit for as much as $4,000 on Russian black market Web sites.

Microsoft Banishes Beta
Smaller, faster Vista test cycles already improving feedback.

COLUMNS

4 Barney’s Rubble: Doug Barney
Linux (and the Mac) Aren’t Even Trying

22 Beta Man: Don Jones
Windows Goes High Performance

50 NEW COLUMN Mr. Roboto: Don Jones
Service Pack It Up

52 Windows Insider: Greg Shields
Down the Winding InfoPath

57 Security Advisor: Joern Wettern
That Isolated Feeling

64 Foley on Microsoft: Mary Jo Foley
Is Microsoft Buying into the Web 2.0 Hype?

ALSO IN THIS ISSUE

2 Redmond Magazine Online

6 [email protected]

63 Ad and Editorial Indexes

REVIEWS

13 Kill Two Birds with One Stone
NetChk Protect combines the functionality of Shavlik’s patching and anti-spyware tools in a single console.

16 Schedule Jobs the Easy Way
The latest version of SmartBatch helps you centralize and streamline Windows job scheduling.

20 Manage the Forest and the Trees
Administer your entire Active Directory domain from one location.

25 Your Turn: BizTalk Server: Getting Better All the Time
Users say Microsoft BizTalk Server 2004—and the 2006 version—significantly ease enterprise application integration.

COVER STORY

The 800-Pound Gorilla
Windows and Office each dominate the landscape, like King Kong on Skull Island. What would it take to shoot this monkey down and give other species a fighting chance?
Page 28

Redmond: THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY

MARCH 2006 • WWW.REDMONDMAG.COM

Winner for Best Computer/Software Magazine 2005

COVER ILLUSTRATION BY GERAD TAYLOR


FEATURES

39 Reader Tips: Do Away with Spyware
Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties.

45 Never Again
What’s the worst thing that’s happened to you in your IT career? Readers share their scariest on-the-job experiences, and you can learn from their mistakes.

Page 39


MCPMAG.COM

Coming to MCPmag.com in March:

• Recovering from Chaos: Disaster Recovery Tales from the Trenches

• What’s all the hubbub around security patches from non-Microsoft sources? Mike Gunderloy takes a closer look at how our patching practices can be better

• Greatest Scripting Hits: Don Jones looks at his most popular scripts ever

• Your Network Troubleshooting pains can be eased here: Send your networking woes to [email protected] with “ITHelp” and get assistance from our sharp networking and server experts Chris Wolf, Zubair Alexander and Sekou Page

• MCP Radio: Host Michael Domingo interviews Zenprise Marketing Manager Ahmed Datoo and Macrovision Product Manager Bob Corrigan

• SBS Live! Microsoft MVP and Small Business Server expert Andy Goodman heads this one-hour SBS troubleshooting chat on March 21

REDMONDMAG.COM

Want More of What You Read in Redmond? Visit the TechLibrary on Redmondmag.com!

The TechLibrary section of Redmondmag.com is your resource for more in-depth information for the topics we cover here in Redmond. For example, right now in the TechLibrary you can download a free, expanded copy of this month’s cover story on p. 28, “The 800-Pound Gorilla” (FindIT code: GORPDF), in which author Doug Barney offers even more on the challenges Microsoft faces in the future. And since we know you can never have too much disaster recovery information, we’ve also just posted a PDF featuring an expanded version of last month’s cover story, “Worst Case Scenarios” (FindIT code: WCPDF).

All PDFs in our TechLibrary are free, although a one-time registration is required. Get these resources today and find out more about what our TechLibrary has to offer (FindIT code: TechLibrary).

2 | March 2006 | Redmond | redmondmag.com |

REDMOND COMMUNITY

Redmond Newsletters

• Redmond Report: Delivered to your inbox three times a week—featuring news analysis, context and laughs. By Redmond’s Editor in Chief Doug Barney.
FindIT code: Newsletters

• Security Watch: Keep current on the latest Windows network security topics. This newsletter features exclusive, online columns by Contributing Editor Russ Cooper of NTBugTraq fame.
FindIT code: Newsletters

Discussion and Forums
Post your thoughts and opinions under our articles, or stop by the forums for more in-depth discussions.
FindIT code: Forum

Your Turn
The interactivity center of the Redmond universe, where you get to express your views.
FindIT code: YourTurn

OTHER 101COMMUNICATIONS SITES

RCPmag.com
Winning the Linux Wars
Can you sell against free? Get the partner perspective on taking on open source.
FindIT code: RCPLW

ENTmag.com
Upgraded Backup Tool Restores to ‘Dissimilar’ Hardware
UBDR Gold restores files to a machine not physically identical to the one the backup was performed on.
FindIT code: ENTUPT

CertCities.com
Forcing Group Policy Application
Derek Melber on ensuring Group Policy configurations you set up stay that way.
FindIT code: CCGPA

TCPmag.com
Q&A: Are You Experienced?
Break into the networking field.
FindIT code: SMExp

FindIT Codes

Throughout Redmond magazine, you’ll discover some stories contain FindIT codes. Key in those codes at Redmondmag.com to quickly access expanded content for the articles containing those codes.

Just enter the code in the box at the top-right corner of any page on Redmondmag.com. Note that all FindIT codes are one word, and are not case sensitive.

MARCH 2006 • Redmondmag.com

Office Servers? Read Mike Gunderloy’s take on MCPmag.com.


WE FIND THEM

BEFORE THEY FIND YOU.

© 2006 Websense, Inc. All rights reserved.

Web Security

Web Filtering

Endpoint Security

Websense® Security Labs

You can’t afford to sit around and wait for the next attack, and neither can we. Websense® Security Labs™ scans over 350 million websites a week, discovering spyware, viruses and other web-based threats before they get to you. Get proactive. www.websense.com/security


Barney’s Rubble

Doug Barney

Linux (and the Mac) Aren’t Even Trying

Say what you will about Larry Ellison and Scott McNealy, when they tried to topple the Microsoft desktop monopoly with thin clients, they put their hearts into it. Like you, I got pretty sick of the speeches, grandstanding and pithy quotes, but at least they were out there mixing it up.

It ultimately didn’t work (Citrix owns the thin client space and they all run Windows!), but they gave it their best shot.

Today’s XP rivals consist of a dozen or more flavors of Linux clients, and the Mac. The programmers building Linux take it seriously—but none of the companies selling (or giving away) this stuff really seem to care about desktops and laptops.

Right now the Linux PC market is fragmented worse than a champagne glass at a Jewish wedding.

Meanwhile, we’ve never been called by Apple asking us to review its latest machines (and the company never thanked me for a recent gushing editorial or two), nor is it telling us why Apple is such a great alternative for the enterprise. In love with its iPod success, the company barely seems to care about the Mac—unless it is to gain a couple of home market share points.

Linux is a newer entrant and its failure is more egregious. For more than a year I tried to put a major Linux exec on the cover. Every time I had something lined up with Novell, its leader would quit or get the boot. At least Novell gave us the time of day.

Red Hat is another story. For that same year I pestered the company seeking an interview with the CEO—with no response. I’ve never seen such a PR black hole. Finally, after calling his office directly, Red Hat got back to me, and in no uncertain terms told me that Linux at this point is not an alternative to Windows clients, and it isn’t competing with Microsoft in this space. Shocked? So was I! Linux is an alternative, if companies like Red Hat want it to be.

A unified Linux with easy installation, application support, and a decent array of drivers could be a worthy alternative—could. And Red Hat—more than anyone—could make this happen.

This is all pretty funny. Redmond magazine serves the Windows community, yet we’re interested in presenting alternatives to Microsoft. But the alternatives aren’t interested in presenting themselves! That’s why it’s easy to say they aren’t serious about competing with Microsoft.

In this market, if you play dead, you are dead. What do you think about the so-called alternatives to Microsoft? Tell me at [email protected].

See You in Orlando!
Later this month Redmond magazine will be in Orlando for our TechMentor conference. There’s still time to register at http://techmentorevents.com. If you show up, make me buy you a beer.

Redmond: THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY

Redmondmag.com

MARCH 2006 ■ VOL. 12 ■ NO. 3

Group Publisher: Henry Allain, Redmond Media Group

Editorial Director: Doug Barney, Redmond Media Group

Group Associate Publisher: Matt N. Morollo, Redmond Media Group

Editor in Chief: Doug [email protected]

Editor: Keith [email protected]

Executive Editor, Reviews: Lafe [email protected]

Editor at Large: Michael [email protected]

News Editor: Scott [email protected]

Managing Editor, Web Editor: Wendy Gonchar [email protected]

Editor, Redmondmag.com, CertCities.com: Becky Nagel [email protected]

Editor, MCPmag.com: Michael [email protected]

Editor, ENTmag.com: Scott [email protected]

Associate Editor, Web: Dan [email protected]

Contributing Editors: Mary Jo Foley, Don Jones, Greg Shields, Joern Wettern

Art Director: Brad Zerbel

Senior Graphic Designer: Alan Tao

Director of Marketing: Michele Imgrund

Senior Web Developer: Rita Zurcher

Marketing Programs Associate: Videssa Djucich

Director of Print Production: Mary Ann Paniccia

President & CEO: Jeffrey S. Klein

Executive VP & CFO: Stuart K. Coppens

Executive VP: Gordon Haight

Senior VP & General Counsel: Sheryl L. Katz

Senior VP, Human Resources: Michael J. Valenti

Enabling Technology Professionals to Succeed

The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher.

Postmaster: Send address changes to Redmond, P.O. Box 2063, Skokie, IL 60076-9699

Roundup Rebuttal

By reviewing an older version of Camtasia Studio (“Allow Me to Demonstrate,” February 2006), Redmond has done a disservice to its readers. They were led to believe that Mr. Jones was reviewing the latest version, when in fact he reviewed the 2003 version. The current edition of Camtasia Studio is significantly different.

This is a disservice to TechSmith, but much worse, to Redmond readers who look to the magazine as a resource for their purchasing decisions. If the reviewer had called TechSmith or visited the Web site, he would have learned about the current version. I look forward to seeing a review of Camtasia Studio 3.1 in your magazine so your readers can learn about its new features.

Troy Stein
TechSmith

Contributing Editor Don Jones responds:
I was very clear about which version I reviewed. I realize new versions of products are continually released, but publication deadlines are often far in advance of actual publication date and we can’t delay publication until every company involved has released their latest and greatest. The 3.1 version of Camtasia came out in January 2006. The Redmond Roundup had been in the works for months and came out in the February 2006 issue (the completion of which occurred in mid-January).

I’ve used Camtasia for several years and generally like it. I’ve produced about 14 hours of training videos with it and I understand it pretty well. Sometimes the ratings encompass things that aren’t easy to make clear in the next. For example, I felt Camtasia is indeed easy to use, but for tasks like adding annotations, editing annotations and modifying captured video, I felt Captivate was easier. Look for a follow-up review of the 3.1 version of Camtasia coming up on Redmondmag.com.

Busted Stuff

[In reference to Barney’s Rubble, “A Tangled Web of Services,” January 2006] The reason for fatter clients is pretty obvious—disk space is a cheap commodity, and shows every sign of getting cheaper.

But, there are many vested interests limiting effective net bandwidth, and not a lot of real competition in most places. Oh sure, one day we’ll all be on fiber or secure 100GB wireless, but until then, best keep your valuable stuff on your pluggable USB drive.

Owen Gilmore
San Mateo, Calif.

Every Rose Has Its Thorn

After reading the December 2005 column, “Rose-Colored Google Glasses,” by Doug Barney, I feel his portrayal of Google as a dime-a-dozen, Web-based Internet company is all wrong.

Although Open Office has next to no market share, it doesn’t mean that the programs are useless. For a small business that can’t afford steep license fees, it would truly be a great alternative. It’s also great to repair corrupt office documents. Open Office could very well be a threat to Microsoft Office if Google could implement it correctly.

Barney also claims “Google isn’t so much an innovator as it is an imitator.” I haven’t seen anything that has come out of the Microsoft machine that’s truly innovative for 10 years. Using “Microsoft” and “innovation” in the same sentence makes me nauseous. However, Google as a search engine was the first full-text search engine. I would categorize this as “an act of doing something different,” which is Barney’s definition of innovation. Seeing the reaction from Microsoft in response to anything that Google does is very entertaining, and downright pathetic.

Marc Read, MCP
Nevada, Iowa

Stand Up

I’m stunned that Redmond’s advice to those threatened with software audits is to roll over for these thugs [“Software Raids: Surviving an Audit,” January 2006]. The BSA and SIIA are shakedown organizations, lacking the force of law. The proper response to such gross intrusions of privacy is to fight them tooth and nail. If the software audit blackshirts start harassing you, quickly move to open source software. Better to have an open source transition plan ready to go the moment a threatening letter appears in your mailbox, than to have to deal with the likes of the BSA and SIIA marauders. Make it as costly as possible for them to audit you, and ensure that you move to products whose vendors are respectful of the fact that violated customers don’t buy twice.

Micah B. Haber
Nashua, N.H.

[email protected]


Introducing a version of the future that’s compatible with the present.

It’s easy to add a mobile email solution when it works with your current email solution. The Palm® Treo™ smartphone is compatible with multiple email servers and vendors.* Plus, it’s easy to manage, deploy and secure. With integration this simple, the future is looking bright.

Try the Treo smartphone with GoodLink enterprise email free for 30 days. Find out more today at palm.com/business.

The Treo smartphone is now available on Windows Mobile® and Palm OS® platforms.

Wireless service plan required. Wireless coverage may not be available in all areas and is subject to interruption. Email and web require wireless data services and ISP, additional charges apply. *Third party software may be required, sold separately. Screen image simulated. ©2006 Palm, Inc. All rights reserved. Palm and Treo are among the trademarks or registered trademarks owned by Palm, Inc. Other brands are trademarks of their respective owners.


Your weapon: CounterSpy Enterprise. Centralized spyware eradication.

SPECIAL OFFER: Evaluate the FREE trial and get a “HIT SPYWARE. HARD.” t-shirt: www.sunbelt-software.com/csered

Spyware: the new number one enemy for IT. Recent surveys of IT specialists show that spyware infections have reached epidemic proportions and that existing antivirus tools are not enough to fight the war on spyware. Spyware is one of the most serious security threats and productivity killers today. For the enterprise, common antispyware and antivirus can’t cut it.

CounterSpy Enterprise: Knock out spyware from one centralized location. Company-wide spyware management requires a real enterprise product with centralized management. CounterSpy Enterprise is just that: a scalable, policy-based, antispyware tool built from the ground up for system and network administrators to kill spyware quickly and easily.

Real-time protection. Active Protection™ Monitors deliver real-time desktop protection to workstations to reduce the chance of spyware infection. From the Admin Console, you have the ability to centrally control what actions are taken when these monitors detect change on the desktops.

The best spyware database in the industry. Period. CounterSpy Enterprise’s database has been independently validated as the best antispyware database in the industry. Why? It benefits from multiple sources for new spyware definitions, including Sunbelt’s Research Team, information collected from consumer users through Sunbelt’s ThreatNet™, and Microsoft. No other antispyware product can claim that!

Free trial. Find out how many machines in your organization are infected NOW. Scan the machines in your enterprise for free.

Download the trial at www.sunbelt-software.com/csered.

Sunbelt Software Tel: 1-888-NTUTILS (688-8457) or 1-727-562-0101 Fax: 1-727-562-5199 www.sunbelt-software.com [email protected]
© 2006 Sunbelt Software. All rights reserved. CounterSpy and ThreatNet are trademarks of Sunbelt Software. All trademarks used are owned by their respective companies.


RedmondReport

March 2006

INSIDE: Windows vulnerabilities sold on Russian black market. Page 12

Vista Security: Worth Paying For?
Why the latest version of Windows may not be as secure as you think.

BY MICHAEL DESMOND

Outgoing Microsoft executive Jim Allchin has been stumping hard for Windows Vista, as the much-anticipated client operating system enters its stretch run. By the time you read this, the nearly feature-complete beta 2 of Vista should be in testers’ hands. But while Vista offers a host of improvements over Windows XP—including the touted Aero Glass GUI—the most compelling reason to step up to Vista could be security, Allchin argues.

He has a point. Windows XP SP2 patched a lot of holes in the Windows foundation, but it clearly did not finish the job. Internet Explorer remains a busy route for malware infection, and Windows’ user privileges structure ignores that most basic tenet of security—thou shalt not run as root.

One look at the list of security-centric improvements in Vista, however, shows that Microsoft is working to plug the remaining holes. Among the changes:

Windows Service Hardening: Prevents compromised Windows services, which run silently in the background, from making changes to key file system or Registry settings.

Internet Explorer Protected Mode: IE7 will run on Windows XP, but under Vista it gains the benefit of “protected mode” operation, which denies the browser the right to change user settings or data.

Hardware Level Data Protection: The new BitLocker secure startup feature provides full volume encryption, locking up Windows system files and the hibernation file. Hardware hooks for the Trusted Platform Module (TPM) 1.2 chip should ease management.

Bi-directional Firewall: The Windows Firewall will finally assess and filter both inbound and outbound application traffic. The client firewall can be managed via Group Policy.

Network Access Protection: Once Windows Server “Longhorn” gets deployed, client-side agent software will enable servers to assess the security state of client systems and prohibit entry to those that fail.

Perhaps most important is User Account Control (UAC): It allows users with restricted system rights to enter a password and gain administrative privileges for a specific task, such as installing a device driver (see Figure 1). Today, such a task requires logging out of the limited rights account and logging back in as an administrator. No surprise, many users simply log on as administrators all the time and leave their PCs wide open to manipulation by uninvited malware. UAC finally applies a model that has been employed in the Linux world for years.

Figure 1. Making a change that requires admin privileges? You’ll be challenged to provide a password each time.

It’s an impressive list, but Gartner Inc. Vice President and Distinguished Analyst Neil MacDonald contends that it remains incomplete. While consumers and small businesses should be well-served, the new security tweaks fall short for most enterprises. MacDonald singles out service hardening, which prevents malware from hijacking background processes.

“Microsoft is late putting it into the operating system and they are only doing it for Windows services. It’s another one that’s a great step in the right direction, but if I want full functionality, I am going to look at a third-party product,” MacDonald says, citing Symantec’s Critical System Protection as an example.

He also voices concerns about gaps in features such as BitLocker full volume encryption, which can house keys on USB dongles. “The drawback is, if I stick those keys on the USB dongle, and I leave the dongle in the laptop … then I’ve just blown my protection,” says MacDonald, who wonders why the encryption won’t extend to devices like USB hard drives. “There are bits and pieces Microsoft is tackling here.”

Windows Vista could create new security concerns, as well. The powerful desktop search feature is a vast improvement over the clumsy facility in Windows XP. One possible enhancement is the ability to search on metadata keywords input by users. But MacDonald thinks the feature may compound a long-standing problem with Microsoft Office and other files.

“The issue is the inadvertent disclosure of metadata,” MacDonald says. “Now you can take a file and add even more metadata to it, and you have layers of metadata as it were.”

Microsoft has released client-side tools for Office that let users strip metadata such as author names, company data, and hidden revision marks from documents, but no such tool has been announced for metadata applied to files within Windows Vista. And the lack of a managed solution—such as a metadata scrubber at the gateway—means IT managers could face another hard-to-manage conduit for information leakage.

“It’s a problem now and Vista’s features only make it worse,” says Philip Boutros, chief technology officer of Bitform Technology, a firm that specializes in scrubbing metadata from documents. “There are client side products, but they create no defense in depth and there is no global management. There is no commercial server side solution that I know about.”

Windows Vista brings important and effective improvements to Windows security. The question is, are those enhancements really compelling enough to prompt a switch?

“It’ll raise the bar. But again, I don’t think people will race out and buy Vista,” says MacDonald. “We got a lot of the goodness in XP SP2, in terms of security.”

Seeing desktop management problems everywhere?

Fig. 1a

The solution is here. See back for details and FREE t-shirt offer.

Desktop Authority®

Triumph over your worst desktop management phobias.

Script writing stress syndrome? Compliance access issues? Deep-seated spyware phobia? Now there’s a comprehensive, award-winning solution that relieves these conditions — and more — by centralizing desktop management for you. With Desktop Authority®, you can gain control over desktop management and break through to heightened productivity.

www.scriptlogic.com/inkblot
Download the FREE 30-day trial now and get a FREE T-shirt!

© 2006 ScriptLogic Corporation. All rights reserved. The ScriptLogic and Desktop Authority logos are registered trademarks of ScriptLogic Corporation in the United States and/or other countries. All trademarks used are owned by their respective companies. T-shirt offer valid while supplies last. Allow 4 to 6 weeks for delivery.

Next Chapter Opens for Open Formats
Massachusetts reaffirms its open format vision with new CIO.

BY MICHAEL DESMOND

When former Massachusetts CIO Peter Quinn resigned his post on Jan. 9, it looked like the months-long effort to require open, standards-based file formats in state government might fail. The initiative has drawn strong opposition from Microsoft, which has thousands of copies of Microsoft Office installed on systems in the state government.

In his resignation letter, Quinn cited political pressure and difficult working conditions created by the high-stakes standoff. The conflict hit a low point last Nov. 26, when The Boston Globe published a front-page article detailing a state investigation into improperly managed travel by the CIO. Those allegations were quickly discredited—Quinn’s manager Eric Kriss approved all the travel—but the damage was done.

Now it appears the format push could get a second wind, with the appointment of Louis Gutierrez as CIO of the Information Technology Division (ITD) on Feb. 6. A statement released by Massachusetts Administration and Finance Secretary Thomas Trimarco specifically notes that “Gutierrez will be responsible for overseeing the final stages of implementation of the state’s new Open Document format proposal, to go into effect in January 2007.”

But even if the state mandates standards-based file formats, it doesn’t mean Microsoft’s goose is cooked. In January, Trimarco’s office lauded an announcement that Microsoft would submit its XML-based Office schema to standards body Ecma International. “If Microsoft follows through as planned, we are optimistic that Office Open XML will meet our new standards for acceptable open formats,” Trimarco said in a statement.

In short, we could end up where we started—with Microsoft Office firmly ensconced on tens of thousands of government PCs in Massachusetts.

By the Numbers

Critical Patch Intervals Increase

Microsoft almost indisputably spends more money, time and effort on security than any other company. That’s not really a compliment, however—if its products weren’t so laden with security holes, the company wouldn’t have to dedicate so many resources to the issue.

However, all that attention hasn’t shortened the cycle between a critical vulnerability being found in one of its products and a patch being released for that vulnerability. Washingtonpost.com IT security reporter Brian Krebs recently did some digging and found that the “critical vulnerability/patch” cycle actually takes longer than it did several years ago.

Stephen Toulouse, a security program manager at Microsoft, verified the figures. He told Krebs that the longer cycle starting in 2004 is likely due to extra diligence on Microsoft’s part, making sure the patches work across the breadth of the network, and that they don’t break anything else.

It’s also worth noting that there hasn’t been an appreciable rise in critical vulnerabilities in the last three years (a “critical” vulnerability is generally regarded as one that will give a successful attacker full control of a system). Krebs’ article can be found at http://tinyurl.com/8un7f.

— KEITH WARD

Year    Number of Critical Patches    Average No. of Days from Report to Patch
2003    33                            90
2004    29                            134
2005    37                            133


BY MICHAEL DESMOND

Microsoft has changed the way it delivers pre-release versions of Windows Vista to testers. Rather than ship occasional beta versions for review, the company has opted for more frequent test releases under the Community Technology Preview (CTP) Program. In effect, the switch breaks large beta releases into a series of smaller CTP releases.

“Our partners and customers requested regular access to builds so that they can more frequently test the code,” says Michael Burk, product manager for the Windows Client Division at Microsoft.

Microsoft has employed a CTP program before, for instance in the run-up to SQL Server and Visual Studio 2005. The up-tempo testing is working with Vista—Burk says the last Vista CTP produced “double the amount of feedback” compared to that from the beta 1 release.

A feature-complete CTP release in February corresponded to the planned release of Vista Beta 2. From that point forward, Microsoft plans to eliminate full beta and release candidate milestones. It’s quite possible future product launches could adopt the same methodology.

“The development goals and needs of every team at Microsoft are different,” Burk says. “But we’ve seen evidence that more frequent releases of code can lead to better end results, so it’s likely that CTPs or similar programs will be used more often.”


BY MICHAEL DESMOND

When the WMF zero-day exploit emerged for a previously unknown Windows flaw, it prompted a lot of concern. After all, the lack of advance warning meant that PC owners were unable to harden their PCs against the attack. That concern took on a new tenor when researchers at Kaspersky Lab discovered that hackers had been selling the exploit on the black market for as much as $4,000.

For Shane Coursen, senior technology consultant for Kaspersky, the discovery is part of a larger trend. “We really started seeing [this activity] ramp up early last year. To somebody in our field, it comes as no surprise whatsoever.”

According to Kaspersky spokesperson Derek Lyons, hackers in Russia started working in early December to develop an exploit against a flaw in the graphics handling engine of Windows. Within a week or so, the group crafted WMF files that would allow code to execute on Windows PCs. The exploit turned up for sale from at least two different groups around the middle of December.

Security firm F-Secure reported the existence of the WMF exploit on Dec. 27. Microsoft produced a patch for the flaw on Jan. 5, a few days ahead of the scheduled Patch Tuesday release.

The timeline underscores an undeniable trend in malware activity. “What these guys are doing is writing these little programs to be used for little more than Internet crime and financial gain,” Coursen says.

Spyware and adware companies tap the secretive market for black-market malware to spread their wares, Coursen says. The WMF exploit, for instance, was used to install a variety of spyware packages, including one that posed as anti-virus software. The demand makes for a thriving black market in code exploits.

“These adware companies are hiring professional programmers to write programs that are able to bypass security measures, and they are paying pretty top dollar for their skills,” says Coursen, who calls the $4,000 price tag for the WMF exploit “a steal.”

Microsoft is striving to combat the issue with initiatives like Trustworthy Computing and the Secure Development Lifecycle (SDL), which employs rigorous security planning and review in the code design process. The goal is to eliminate flaws such as the one exploited by the WMF malware.

Coursen lauds the Microsoft effort, but he’s not getting his expectations up. “I think we can look forward to less exploitable code, but something that is completely unexploitable? No, we’ll never see that.”

Windows Vulnerabilities for SaleHackers sold the WMF zero-day exploit for as much as $4,000 onRussian black market Web sites.

Microsoft Banishes BetaSmaller, faster Vista test cycles already improving feedback.


Product Review

Kill Two Birds with One Stone
NetChk Protect combines the functionality of Shavlik’s patching and anti-spyware tools in a single console.

BY CHAD TODD

There are two ongoing and inescapable tasks that any network administrator must face—patch management and spyware prevention. Both are as essential as they are incessant.

If you aren’t diligent about applying software updates, you open your network to security vulnerabilities on out-of-date machines. Waiting a few months to patch a machine can mean the difference between being hacked and being secure. Last year, Gartner Inc. predicted that 90 percent of all Internet attacks during 2005 would be against previously patched security holes.

You could set your machines to automatically install all updates from the Windows update site, but that may cause more problems than it solves. This approach doesn’t allow for testing, which is essential—especially in larger environments. It’s one thing to have a “bad” patch take down 20 users. It’s quite another when that same patch takes down 2,000 users. A tool that automates patch management and facilitates testing is a must.

Keeping a diligent eye on spyware is just as critical as timely patch management. Spyware that sneaks onto your systems can gather personal information about your users’ Internet habits, and relay that to advertisers who bombard them with targeted pop-up ads. It can also kill productivity due to computer instability and unbearably slow network performance.

Most anti-spyware products manage one machine at a time. You install the client and configure locally on each machine, then check in continually to make sure updates and scans are occurring as they should. Managing spyware this way will work, but it’s inefficient to say the least. In larger environments, it’s virtually impossible. Shavlik’s NetChk Protect gives you a central console with which to manage both patching and spyware prevention for all of your machines.

Patch Management
NetChk Protect works simply and automatically. It will scan your Windows-based machines and determine their patch status. Then it generates a status report for each machine, which can be sent to you automatically via e-mail notifications.

Once you know which patches need to be applied, you can push them out immediately or schedule them for later—during the evening or weekends. After patches are applied, you can reboot your machines automatically or manually.

NetChk Protect uses XML and cabinet (CAB) files maintained by Microsoft to determine the patch state of a machine. It compares the file versions on the computer it’s scanning with the XML file versions. Depending on the type of scan being performed (quick scan or full scan), it may also compare the file checksums.
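The version-then-checksum comparison described above can be illustrated with the following Python example, which is added here and is not Shavlik's code or Microsoft's data format. The XML schema, patch IDs, file paths, versions and inventory are all constructed for the illustration, and the choice of SHA-256 is an assumption.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(text: str) -> tuple:
    """'5.1.2600.10' -> (5, 1, 2600, 10), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


# Constructed contents of the "patched" files; the manifest records their hashes.
PATCHED = {
    "a": b"constructed contents of patched example_a.dll",
    "b": b"constructed contents of patched example_b.dll",
    "c": b"constructed contents of patched example_c.dll",
}

# Hypothetical manifest schema, constructed for this example only.
MANIFEST_XML = f"""<patches>
  <patch id="EXAMPLE-001">
    <file path="C:/Windows/System32/example_a.dll" version="5.1.2600.10"
          sha256="{sha256(PATCHED['a'])}"/>
  </patch>
  <patch id="EXAMPLE-002">
    <file path="C:/Windows/System32/example_b.dll" version="6.0.2900.2180"
          sha256="{sha256(PATCHED['b'])}"/>
  </patch>
  <patch id="EXAMPLE-003">
    <file path="C:/Windows/System32/example_c.dll" version="1.0.0.1"
          sha256="{sha256(PATCHED['c'])}"/>
  </patch>
</patches>"""

# Constructed inventory: path -> (version string, file bytes) as read from a target.
INVENTORY = {
    # Older build; note that a string comparison would rank "…9" above "…10".
    "C:/Windows/System32/example_a.dll": ("5.1.2600.9", b"old example_a.dll"),
    # Version matches the manifest but the bytes do not (only a full scan sees this).
    "C:/Windows/System32/example_b.dll": ("6.0.2900.2180", b"altered example_b.dll"),
    # Fully patched.
    "C:/Windows/System32/example_c.dll": ("1.0.0.1", PATCHED["c"]),
}


@dataclass
class Finding:
    patch_id: str
    path: str
    reason: str


def scan(manifest_xml: str, inventory: dict, full: bool = False) -> list:
    """Quick scan compares file versions; full scan also compares checksums."""
    findings = []
    for patch in ET.fromstring(manifest_xml).iter("patch"):
        for entry in patch.iter("file"):
            path = entry.get("path")
            if path not in inventory:
                # A production scanner would first decide whether the product
                # is installed at all; this example simply reports the gap.
                findings.append(Finding(patch.get("id"), path, "file missing"))
                continue
            version, data = inventory[path]
            have, want = parse_version(version), parse_version(entry.get("version"))
            if have < want:
                findings.append(Finding(patch.get("id"), path, "version too old"))
            elif full and have == want and sha256(data) != entry.get("sha256"):
                # Same version resource, different content: the file was altered
                # or only partly replaced, which a version check cannot detect.
                findings.append(Finding(patch.get("id"), path, "checksum mismatch"))
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print("full scan" if mode else "quick scan")
        for finding in scan(MANIFEST_XML, INVENTORY, full=mode):
            print("  ", finding.patch_id, finding.path, finding.reason)
```

The quick scan reports only the outdated file, while the full scan also flags the file whose version matches but whose content does not.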

NetChk Protect copies all patches to the target machines and uses Microsoft’s Qchain.exe to install them all at once. This lets it deploy all patches with only one reboot. All scanning and patching takes place behind the scenes. The only thing your users will notice is whether or not a reboot is required.

NetChk Protect
Pricing starts at $35 per set
Shavlik Technologies LLC
800-690-6911
www.shavlik.com

Figure 1. From the NetChk Protect console, you can choose which machines to scan and whether you want to scan for spyware or patch status.

REDMOND RATING
Documentation (15%): 8
Installation (10%): 9
Feature Set (35%): 9
Performance (30%): 8
Management (10%): 9
Overall Rating: 8.5

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

The software offers four levels of patching, depending on which version you select:

• NetChk Patch, Basic Edition: This supports up to 500 machines, provides limited reporting and can run up to 13 different scanning threads at once.

• NetChk Patch, Audit Edition: This provides all of the functionality of NetChk Patch, Basic Edition. It supports an unlimited number of machines, provides more robust reporting and can run up to 256 different scanning threads at once.

• HFNetChkPro: This provides all of the functionality of NetChk Patch, Audit Edition. It supports the SafeReboot feature, gives you access to different schedulers, auto-deployment features and pre- and post-installation scripts. You can export reports in a number of different formats.

• HFNetChkPro Plus: This provides all of the functionality of HFNetChkPro. It also lets you deploy custom patches, supports a Microsoft SQL database for storing those patches and can preserve bandwidth over WAN links by using distribution servers.

Spyware Scanning
You have two general options to scan for spyware with NetChk Protect—console-based scans and machine-based scans. Console-based scans run over the network from the console machine. This can cause a lot of network traffic, but it works without having to copy anything to the target machine. A machine-based scan copies an instance of the spyware scan engine to the target machine and runs the scan “locally.” This improves the scan speed, as each machine is responsible for running its own scan. Machine-based scans also dramatically reduce network traffic.

NetChk Protect identifies and categorizes instances of spyware based on its perceived level of threat. The software will kill any destructive or invasive processes associated with the spyware. It then deletes all associated files, folders and registry data.

You can also have the suspected spyware files quarantined in a secure area if you wish to inspect them later. This also provides rollback functionality. If a necessary program or file is inadvertently removed, you can easily restore it from the quarantine area. Removing spyware may or may not require that you reboot the target machine, but if so you can do it manually or automatically.

The interface for NetChk Protect is very straightforward and easy to navigate. For example, first it will ask you what you want to scan. After completing the scan, it displays a summary report of what it found. Click on details and then right click on the machine, group or domain that you want to patch and choose “Deploy patches.” You can select to deploy all patches or certain patches based on their criticality level. At this point all of the patches are pushed to the selected machines.

Simplified Scanning
Whether scanning for patch status or spyware, you can scan computers by name, IP address, domain name or Active Directory Organizational Unit (OU) structure (see Figure 1). You can also create machine groups and target your scans toward these groups. This lets you establish a test group for safely and securely testing patches before rolling them out to your entire network.

NetChk Protect supports network scanning of the following clients:

• Windows NT 4.0
• Windows 2000
• Windows XP (although you’ll have to disable simple file sharing for the scan to work properly)
• Windows Server 2003

To scan a machine—any machine—you’ll need administrative rights to that machine (which shouldn’t be a problem). You’ll also have to start the Server service and the Remote Registry service, and enable file and print sharing. Finally, you’ll need access to the remote machine over TCP ports 139 and 445, and the %systemroot% share (i.e. C$) must be accessible.

Installing NetChk Protect is a breeze. If your system doesn’t have all the requisite software components, it will automatically download and install the missing pieces during setup. The readme file says that you won’t have to reboot after installation, but I was prompted to reboot my laptop after installing NetChk Protect. It’s always a good idea to do so anyway.

When I first started using NetChk Protect, I thought I might be doing something wrong because using it was so easy. Within an hour of installing the software, I had already scanned all eight of my machines for spyware and missing patches and deployed all the up-to-date patches.

I was also pleasantly surprised to learn that NetChk supports updates for more than just Microsoft products. In my testing, I was able to update my Adobe Reader and RealPlayer software as well.

NetChk Protect does a great job of keeping your machines clean of spyware and up to date with the latest patches. If you’re responsible for patch management and spyware control for your network, you owe it to yourself to give it a try.

Chad Todd, MCSE:Messaging, MCSE:Security, MCT, CEH, is the co-owner of Training Concepts (www.trainingconcepts.com), which specializes in Windows, Exchange, ISA and Cisco training and consulting. You can reach him at [email protected].


Product Review

Schedule Jobs the Easy Way
The latest version of SmartBatch helps you centralize and streamline Windows job scheduling.

BY BILL HELDMAN

There’s an endless array of jobs you must run to manage today’s intricate, multi-platform environments. You might have one batch file that routinely deletes temp files from your servers, another that periodically extracts data from a mainframe, and a script file that performs a whole series of complex tasks.

Most of these jobs connect to a host of different systems, manage just about every type of file, run on a variety of schedules and have all sorts of outcomes. So how do you rope all these activities into a single framework that you can easily manage from a central location?

That’s where SmartBatch 2006 comes in.

Getting Started
The folks at OnlineToolWorks clearly get what it means to be a busy Windows administrator. They know the things you’ll need and—just as important—the things you don’t need. There is a “quick-up-and-running” sensibility built into SmartBatch. The installation process is simple. You can be fully functional in virtually no time. It comes in a Standard and Enterprise edition. The primary difference between the two is that the Enterprise edition supports agent-based operations across your entire fleet of servers.

SmartBatch has an eloquent interface (see Figure 1). It’s easy to understand and navigate and still comes with plenty of tutorial screens to help you along the way. I particularly liked the SmartBatch multimedia overview because it lets you watch the keystrokes required to assemble your jobs into a cohesive group.

SmartBatch doesn’t help you craft your own batch files or scripts. The assumption is that you’ve already done that work up front. When you have assembled a collection of pre-scripted tasks that you’re ready to run, SmartBatch helps you generate numerous different schedules and tie them to your job scheduling operations.

The idea is relatively straightforward: First you create your computer groups and schedules. Then set up your operations—these are the batch files, scripts or programs you need to run. Next, you’ll want to group similar operations into a single step.

Then group multiple steps into a single job. When you’re finished, you’ll have multiple jobs running, all working from different calendars, and configured to notify you or another designee (the Enterprise edition has different user designations that allow for more granular security control) of operational status.

Scheduling Routine
Suppose you want to free up disk space on your file servers by periodically purging unnecessary files and unused data. The data sits on three different computers, and you have a variety of user and database files occupying the space on those servers. Here’s how you might work out a SmartBatch job scheduling routine (note that you’ll need the Enterprise Edition of SmartBatch 2006 and a remote agent for each computer):

• Create a group that includes the computers on which you need to work.

• Create a calendar with the days and times you want to run your jobs.

• Set up each operation (see Figure 2) so it initiates a single maneuver you wish to perform. For this example, I call a command window and pass in the command to delete all temp files from the volume’s C drive.

• You’ll need a second operation to purge the D drive. You could also create a batch file with the necessary commands and call it from the operation instead.

• Create an operation that calls stored procedure(s) to groom your database files.

• Once all operations are in place, link them together as steps.

• Create a job that ropes in all your file-server grooming steps.

• Repeat the process for other automation operations.

• Assign an operator to monitor your jobs and select notification options.

SmartBatch 2006
Standard Edition: $695 per single- or dual-processor computer, $295 for each additional processor
Enterprise Edition: $1,295 per single- or dual-processor computer, $495 for each additional processor
Remote agent: $595 per computer
Online ToolWorks Corp.
503-297-0609
www.onlinetoolworks.com

Figure 1. The SmartBatch interface is easy to navigate and includes plenty of options for specifying job parameters.

REDMOND RATING
Documentation (15%): 10
Installation (10%): 10
Feature Set (35%): 9
Performance (30%): 8
Management (10%): 9
Overall Rating: 9

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

You can perform the same operations on either a computer group or a single computer, especially when it’s a globally applicable operation. For example, you could do the above temp file delete operation on a pre-defined group because it’s almost a given that every computer has a C drive with .TMP files to delete.

Showstoppers
With the SmartBatch Standard Edition, the idea is that you’re only going to use it on the machine upon which it is installed. With the Enterprise Edition, you get extensibility, which lets you run SmartBatch operations on multiple computers, each of which has to have an agent installed.

If there are any showstoppers or problems with SmartBatch, it is the agent issue. Many administrators are hesitant to install an agent component on a server because it may introduce new problems. Agentless management software is often weak in the knees, so I can see why OnlineToolWorks felt it could only provide sufficient performance by using onboard agents.

The Enterprise Edition also lets you use SQL Server as the database for the SmartBatch job scheduling data. However, by default, both the Standard and Enterprise editions use MSDE, which is a huge plus.

Both editions of SmartBatch support notification, native Windows and Web administration interfaces, dependencies, error recovery, .NET programming interfaces, and a “Runbook”—a place where you can detail instructions for the folks who will run and troubleshoot the jobs you’ve established. This last element is a very mainframe-like capability to carefully monitor your operations. The Enterprise edition includes a Diagram View (similar to Microsoft Operations Manager), fault-tolerance and load-balancing, as well as remote agents.

Finding Free Time
If you’re an administrator grappling with numerous job-scheduling operations—whether they’re scripts, batch files or executables—SmartBatch can be a big help. The simplicity and centralization is well worth the price of admission. With careful planning and attention to detail, you can set up a job-scheduling environment that will free up your time for more important tasks.

If you’re just beginning to use batch files and scripts to lasso in those infernal manual operations, get them ready and then try SmartBatch. It was designed and written by a long-time Microsoft-friendly company that truly understands the needs of Windows administrators.

Bill Heldman is an instructor at Warren Tech, a career and technical high school in Lakewood, Colo. He is a contributor to Redmond and several other technology publications. He has also authored several books for Sybex, including the CompTIA IT Project+ Study Guide. Reach him at [email protected].

Figure 2. The operational schedules and procedures set the parameters within which your jobs will run.


Product Review

Manage the Forest and the Trees
Administer your entire Active Directory domain from one location.

BY RICK A. BUTLER

While the tools that come with Windows Server work just fine for most Active Directory management tasks, they aren’t really set up to manage your entire enterprise from a single spot. You have to at least connect to a domain and look at its properties or connect to a local system to see the GPO. You don’t really have a clean interface for all-encompassing GPO management right out of the box. Usually, you have to customize the Microsoft Management Console to build an interface that pulls in the entire forest.

Active Administrator fills that gap by taking a top-down approach to administering your entire AD domain. ScriptLogic has taken some major steps forward with the 4.0 release of Active Administrator, which is poised to be a solid enterprise AD management tool. (You can read the review of Active Administrator 3.0 in the November 2003 review archives at Redmondmag.com.)

The new version has a host of improvements. My personal favorite on the new feature list is AD Object Restore. If you’ve ever done something as boneheaded as wiping out the CEO’s user account or blowing away an entire organization unit (OU), you will love this one as much as I do. AD doesn’t have any sort of object level recovery to easily fix this problem, and as you know, you can’t just recreate an object or objects you’ve accidentally deleted. If you’ve found yourself in this situation, you know it usually meant making the walk of shame to the tape vault.

After finding the correct backup tape, you’d have to restore a domain controller and do an authoritative restore in Directory Services Restore Mode (DSRM)—all the while praying there haven’t been many changes to AD since your inadvertent delete. With Object Restore, you can easily restore a single object in AD—whether a single account or an entire OU—without the usual madness. Life hasn’t been this good since single mailbox restores in Exchange.

Active Management
Active Administrator 3.0 introduced Active Templates as a means of delegating and managing the permission levels in AD—without providing unnecessary privileges. These templates are really cool if you absolutely need to know who has what level of permission. You can create a template defined by permissions. Users are assigned roles based on an AD task, so you can do things like provide users “almost” administrative access to their machine or give junior administrative rights to a help desk technician. The Active Templates let you provide the right amount of access your users need to get their jobs done without providing too much access. If you need to customize the templates for specific tasks and permissions, you can certainly do that as well.

In version 4.0, these templates are actually self-healing, using a service that fixes anomalies within the templates. If a setting were changed in the policy, a service in Active Administrator would revert that setting back to how it was originally specified in the template. It would also alert you to the change.

Active Administrator 4.0
$12 per user
ScriptLogic Corp.
561-886-2400
www.scriptlogic.com

Figure 1. Active Administrator’s Object Restore window lets you specify object and attributes to restore.

REDMOND RATING
Documentation (20%): 9
Installation (20%): 9
Feature Set (20%): 8
Performance (20%): 8
Management (20%): 9
Overall Rating: 8.6

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

This is a cool upgrade from Active Administrator 3.0, where you would have to review your templates regularly to ensure compliance.

In short, when you set role-based user security to a specific standard, it stays that way. With some GPO settings, a savvy user can make certain changes to the GPO, whether or not he is authorized to do so by IT management. Active Administrator keeps the settings as specified in the template.

Auditing Made Easy
If you have to monitor AD security and you have multiple domain controllers, you have to visit each DC and scroll through each log to find the events you’re hoping aren’t there. Active Administrator’s AD Auditing (which has been part of Active Administrator since version 3.0) is cool because you can now check these event logs from one location.

You can also configure the logs to send alerts for certain events. For example, if one of your administrators on the other side of the country goes messing around with your “Computer’s” container or users, you’ll know about it right away—not after something has already gone wrong.

Get a Handle on GPOs
Active Administrator gives you easy access to solid GPO management features. You can look at each policy in your forest, figure out where it’s linked, review statistical information, copy to another domain and adjust it accordingly. It also keeps a historical record of your GPOs so you’ll know who changed what and when those changes were made. If any change you make doesn’t work out the way you or one of your admins had intended, just roll it back.

Another of Active Administrator 4.0’s new features that applies specifically to GPO management is the Offline Repository. If you frequently have to change your GPOs, this repository is very helpful because you can isolate your GPO, make your changes offline without affecting your production environment and publish it back when you’re ready for it to go live.

The Offline Repository also has a check-in/check-out management structure that lets you control who’s authorized to make changes and how frequently they can do so, should you have multiple administrators managing GPOs. There’s even a nifty reporting tool you can use for review or to produce a maintenance record book (for you old school techies out there).

I like this tool and I think ScriptLogic did well with the additions and enhancements to the 4.0 release. Active Administrator is simple to get up and running and easy to use. If you need some serious configuration management for your AD forest, you’d do well to consider it.

Rick A. Butler, MCSE+I, is the Director of Information Services for the United States Hang Gliding Association. You can reach him when he lands at [email protected].

Figure 2. In the Group Policy Offline Repository, you can select, edit and report on GPOs.


Now, thanks to cheap, off-the-shelfcomponents (COTS), new Intel- andAMD-based HPC servers make sensefrom both a financial and technologicalperspective. For example, you can pickup a four-way, 2.2GHz AMD Athlon64server with 4GB of RAM for about$4,000. As far as the technology goes,the point of HPC these days is to relyless on a single massive machine andmore on compute clusters—groups ofinterconnected machines that dividethe workload among themselves.

In fact, universities and research insti-tutions have been using Linux-basedsupercomputing clusters for years. TheBeowulf Project (www.beowulf.org) cangive you some guidance on building clus-ters of Linux-based servers.

It’s little wonder that Microsoft islooking for a piece of the HPC action. Igot a good look at Windows ComputeCluster Server 2003 (CCS2003) at arecent Microsoft briefing. Rememberthat the “C” in COTS stands for cheap.CCS2003 (which is based on WindowsServer 2003, hence the name) will actu-ally cost less per socket than other edi-tions of Windows. This won’t be a

bargain-basement version of Windows,however. It’s being put together specifi-cally to address HPC concerns.

As a result, you won’t be able to install this special version of Windows on any computer that isn’t part of a dedicated computational cluster. It’s also only available in an x64 edition—the theory being that nobody would want to build a computational cluster out of legacy 32-bit hardware.

What Is a Compute Cluster?
A compute cluster is a single-head node that accepts computing jobs and distributes the workload across at least two attached nodes. CCS2003 won’t support high availability for the head node, so make sure it’s already running on highly available hardware. This is the brains of your HPC operation, so it has to stay up.

You can have as many attached compute nodes as you can afford. As we’ve learned from distributed computing projects like SETI@home (which is an excellent real-world example of how you would use a compute cluster), the more compute nodes, the merrier.

To avoid bottlenecks that can limit the number of nodes in your compute cluster, you’ll want to use switched gigabit Ethernet as a minimum—a 10 gigabit Ethernet or Myrinet network is even better. CCS2003 includes Windows Sockets Direct Interface, which is specifically designed to take advantage of these types of high-speed connections.

You’ll have to tune your applications to run on a cluster. To give you an idea of the old-school, hardcore nature of this type of computing, look at the programming languages that CCS2003’s components support out of the box: Fortran77, Fortran90 and C. Yikes. Configure the system to submit applications to the cluster’s scheduler on the head node, and to run completely unattended using only data files (and not keyboard commands or mouse clicks) for input.

You’ll also have to be fluent in several new acronyms if you’re going to set up a compute cluster. MPI (Message Passing Interface) is an industry-standard application programming interface designed for rapid data exchange between compute nodes in HPC environments. Microsoft’s MPI (MSMPI) is a version of the Argonne National Labs Open Source MPI2 implementation that supports more than 160 function calls. Applications submitted to CCS2003’s job scheduler need to support this.

As you might expect, CCS2003 makes heavy use of Microsoft’s infrastructure components. For example, all nodes have to belong to the same Active Directory domain so you can manage them as a unit and share security information.

BetaMan
Don Jones

Windows Goes High Performance

What was once old is new again. High-performance computing (HPC) has returned as one of the biggest trends in computing—with a big difference. Back in the day (the early 1990s) you could drop $40 million on a Cray Y-MP supercomputer.

Windows Compute Cluster Server 2003

Version Reviewed: Beta 2

Current Status: Beta

Expected Release: 2006

BETAMAN’S ROUTINE DISCLAIMER
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

What It Isn’t
CCS2003 is not the same kind of clustering as Windows Cluster Service. While CCS2003 is designed to have several computers interconnected, those computers work together to solve computationally intensive problems, rather than provide failover or fault tolerance. You won’t run Exchange Server on CCS2003. In fact, unless you have some heavy-duty number crunching to do, CCS2003 probably isn’t for you.

The thought of deploying and managing a dozen or so compute nodes sends a chill down my spine, and not just because the data center housing them is going to need heavy-duty air conditioning to avoid a meltdown. In an era when everyone’s downsizing the data center, CCS2003 heads in the opposite direction.

Microsoft feels your pain. CCS2003 includes a command-line interface to help you to create and submit jobs. You can use Remote Installation Services (RIS) to deploy compute nodes, so deployment to bare-metal machines is easier (CCS2003 includes RIS). Standard backup and restore techniques apply, so whatever you’re already using should work fine. Of course, the usual MMC snap-ins will let you control the entire cluster. The setup process for Compute Cluster is also straightforward, using a standard Wizard-based interface.

CCS2003 loves networks and wants to connect to as many as possible: a private network for administrative traffic, the MSMPI network for exchanging cluster communications and data, and a public network like your corporate intranet. This last conduit also lets applications like Systems Management Server (SMS) and Microsoft Operations Manager (MOM) get into the compute cluster’s head node for management purposes. So you could have each CCS2003 machine connected to as many as three networks at once.

Too Much Horsepower?
Unless you have to do some serious number crunching, such as simulating nuclear explosions, modeling fluid dynamics or assessing potential oil deposits, CCS2003 may not be for you. Still, CCS2003 makes HPC accessible to organizations that never would have considered it before.—

Don Jones is a contributing editor for Redmond and the owner of ScriptingAnswers.com, a Web site for automating Windows administration. His most recent book is Windows Administrator’s Automation Toolkit (Microsoft Press). Reach him at [email protected].


YourTurn

BY JOANNE CUMMINGS

When it comes to enterprise application integration (EAI), Microsoft’s BizTalk Server is tough to beat. For most Windows shops, its ease-of-use, resiliency and performance are giving even Web services a run for their integration money.

In some cases, BizTalk can also be easier and less expensive to implement than Web services. Erickson Retirement Communities in Baltimore, Md., used BizTalk Server 2004 to build a system that integrates 10 separate applications to create a resident demographic management system (DMS). David Clausen, systems architect at the company, and his colleagues ultimately determined that they wouldn’t have been able to create a Web service for all their systems on time and within budget. BizTalk was equipped with the level of integration functionality they needed to get up and running quickly. For example, it could already communicate with flat files, FTP and HL7 (Health Level 7—a healthcare networking protocol).

Others still consider Web services the easier option for both development and management, but that’s not always the case. Most users can build something relatively quickly, but they often haven’t thought through the problems of maintaining a Web service to ensure its continued resiliency and performance.

That’s frequently the case with Jonathan Summers’ clients, who often express an initial preference for Web services. “For them, it’s a speed to market issue,” says Summers, enterprise architect at Software Architects, a consulting firm in Dallas. After thinking about building that level of core functionality into a Web service with limited management capabilities, they often opt for BizTalk. “After some consideration,” he says, “the conversation will shift to BizTalk.”

Vertically Challenged
Microsoft has a variety of BizTalk vertical accelerators ready to support numerous industries, like retail, financial services and healthcare. These accelerators are intended to ease integration with applications that adhere to industry-specific protocols.

BizTalk’s HL7 support sold Clausen and his colleagues at Erickson Retirement Communities. “That was really the key for us,” Clausen says, adding that his company spent $70,000 in software and hardware on its BizTalk implementation. He says it was money well spent.

Before deploying BizTalk, says Clausen, integrating with an HL7 application meant writing code from scratch and parsing out complex protocols. The HL7 accelerator treats the entire protocol as XML schemas, and lets Clausen use the BizTalk map to convert outgoing data to HL7. Then he configures the map and accelerators to convert incoming data to whichever format he requires for his internal structure and database. “It really streamlined the whole process,” he says.

Using BizTalk and the vertical accelerators as integration points also helps tie in key business processes, Clausen says. For example, Erickson’s DMS, based on BizTalk Server 2004, now includes an “eventing” system whereby any constituent system can post an “event” and make that information available in real time to any other integrated system.

When DMS receives a new resident, for example, it publishes an event. That becomes a message in the BizTalk Message Engine, explains Joe Schneebaum, senior software engineer at Erickson. There are about four other applications that subscribe to that event, he says, because new residents need immediate access to certain services when they move in. “The residents need to be able to get fed in our dining halls, request a shuttle to the mall and so on,” he says.

Before Erickson started using BizTalk, it took a day or so for the IT staff to ensure that each system had access to the proper data when a resident arrived. The real-time “eventing” system helps them ensure that an incoming new resident’s data is populated throughout its systems almost immediately. “Within one minute of becoming a resident,” Schneebaum says, “you can eat your first meal here.”

Redmond’s readers test drive the latest products.

BizTalk Server: Getting Better All the Time
Users say Microsoft BizTalk Server 2004—and the 2006 version—significantly ease enterprise application integration.


Microsoft BizTalk Server 2004

Enterprise Edition: $24,999 per processor
Standard Edition: $6,999 per processor

Microsoft Corp.

800-426-9400

www.microsoft.com


Power at a Price
While BizTalk scores high on the application and process integration scale, that comes at a price. BizTalk’s installation, configuration and deployment mechanisms can be cumbersome, time-consuming and unforgiving, say Clausen and other BizTalk users.

Software Architects’ Summers points to the need to properly configure accounts and accurately establish database permissions—and to get it right the first time. “If you get anything wrong, the whole thing gets rolled back,” he says. “The product doesn’t make many allowances for errors.”

Others have had a similar experience during deployment. “BizTalk is a nightmare to deploy,” says Yitzhak Khabinsky, software architect at Odimo Inc., an online retailer based in Sunrise, Fla. He uses BizTalk 2004 to integrate with applications from Odimo’s trading partners, such as MSN, Amazon, Yahoo! and Google. He says BizTalk requires a multi-step manual deployment process.

Configuration and deployment do go faster with practice, others say. The BizTalk 2004 configuration and setup guide is a very specific three-page document. “You have to follow it exactly,” says Erickson’s Schneebaum. He eventually had to supplement the process with his own steps customized for his organization. In his three-tiered infrastructure that includes development, test and production environments, he claims he can wipe it out and rebuild it within an hour.

For a product with such a convoluted configuration and deployment process, users say, the documentation is fairly sparse. Fortunately, there are numerous online resources to fill that void.

Summers agrees with that assessment. He called the documentation “bare,” and says the one book about BizTalk Server 2004 he knows of didn’t come out until the summer of last year. He found what he needed online. “There was a grassroots effort put together by one of the BizTalk MVPs, who compiled help files from blog entries, called the Bloggers Guide to BizTalk,” he says. “That was one of the key sources of information.”

Still Under Construction
BizTalk 2004 is missing some key features, such as a strong administrative toolset and robust encryption capabilities. For example, Erickson needed to build its own encryption into its BizTalk implementation for communicating with two of its external trading partners. “BizTalk only supports S-MIME, which really didn’t suit our purposes,” Clausen says. “It would be nice if they offered better encryption.”

GetMoreOnline
Read more about what to expect in BizTalk 2006, and see the full list of available vertical accelerators.
FindIT code: BetterBiz
redmondmag.com

While BizTalk 2004 is well integrated with Microsoft SQL Server, the overall level of integration could be tighter, says Clausen. Fortunately for him, his SQL Server administrator at Erickson was able to take on BizTalk administrative duties as well. Clausen also feels the administrative tools could be improved, especially for server health monitoring.

One reason users appreciate a tool like BizTalk is that enterprise application integration can be one of the more boring tasks facing an IT professional, says Erickson’s Schneebaum. “One thing Microsoft did really well with BizTalk was make the rote, mundane tasks of data interchange more appealing to a developer by giving them rich tools for development and good, fast schema editors. You might still not want to do it at seven in the morning, but it’s less painful.”—

Joanne Cummings is a freelance technology journalist based in Massachusetts. You can reach her at [email protected].

Up Next

Here are some key features users are looking forward to in the forthcoming BizTalk Server 2006:

Better documentation. A better effort has been made to provide real-world help in the documentation for 2006.

Easier installation, configuration and deployment. BizTalk 2006 will offer a raft of changes, including a more modular approach that lets users install and configure only the features they need, when they need them. Configuration mistakes will no longer affect the entire package.

Administrative capabilities. The new version will include server health monitoring and a new “applications” concept that significantly eases admin-level deployments.

Business Activity Monitoring (BAM). BAM now lets users access a Web portal to identify and track key performance indicators from within BizTalk-integrated applications.

Flat file wizard. A new wizard eases the building of flat file schemas to the point where they can be offloaded to business analysts, without further burdening developers.

Data interchange processing. BizTalk 2006 offers a new recoverable interchange processing capability.

Encryption. Users would like to see stronger encryption than the S-MIME support in BizTalk 2004. Early testers of 2006 say this issue may not be addressed until future versions. — J.C.

The 800-Pound Gorilla

Can Anything Threaten the Microsoft Desktop Empire?

BY DOUG BARNEY

ILLUSTRATION BY GERAD TAYLOR

Windows and Office each dominate the landscape, like King Kong on Skull Island. What would it take to shoot this monkey down and give other species a fighting chance?

When it comes to clients, Microsoft is in the catbird’s seat. Despite the Mac, thin clients like Sun Rays, and dozens of iterations of desktop Linux, Windows is on at least nine out of 10 clients. And almost every one of those is running some version of Microsoft Office. Microsoft critics claim that there’s competition and viable alternatives, but only the truly passionate among them buy Macs, or load desktop Linux and open source Office alternatives like OpenOffice.

What conditions would be necessary to turn the fringe into the mainstream and end Microsoft client domination forever? Is there a perfect software storm that could wash away Office and XP like so much flotsam?

A key to understanding Microsoft’s exalted position is to realize that Office and Windows are mutually supporting entities: Windows came first, then shepherded Office applications into its healthy market share, starting with Excel and Word. Through an absolute commitment to exploiting Windows, Office has become more and more entrenched. Now Office is part of the Windows ecosystem, and its popularity likewise makes Windows indispensable, creating dual and intimately connected monopolies. Thus, anyone hoping to unseat one has to deal with the other.

The Microsoft Quilt—Domination Through Integration
And that position is fortified by an array of ancillary products, including Windows Servers; Active Directory; Outlook; Exchange; SQL Server and so on. For better than a decade, Microsoft has been building an elaborate technology quilt that makes it difficult to break away from the family. Even if, for example, another database or e-mail system works better, IT usually opts for the Microsoft solution due to its tight integration with the installed base.

“As a corporation we’ve standardized on Active Directory and Exchange, XP, Office and, soon, SharePoint. And it took years to get to this point,” says an IT pro who asked not to be identified. “Individual offices might go off the reservation about one application or another, but it would never change the monoculture. Decisions are firmly top-down.”

In order to compete, non-Microsoft Office suites and PC operating systems have to offer the same level of integration. That is perhaps one reason the European Commission is trying to force Microsoft to fully document its Windows interfaces, giving competitors the same ability to integrate as Redmond itself.

Politics of Switching
No level of integration will matter, however, unless the decision makers give the green light. And entrenched management thinking will keep Microsoft solidly in place, according to Edward Bailey, with HVAC distributor Carrier Great Lakes in Livonia, Mich. “The top management here are e-mail users only—nothing more. [The issue is] mostly cost more than anything else. We are using AD and Group Policy for control of the environment and Windows Server 2000 and 2003 are working very well for us. We also use Exchange—again working wonderfully well,” says Bailey.

Sydney McCoy says management at his company could be persuaded to switch—with hard numbers. “If it can be demonstrated that necessary functionality and full compatibility exists, with no demonstrative impact to productivity or processing overhead, then potential open source licensing cost savings and broad-based support and acceptance would likely be overwhelmingly welcomed throughout management,” says McCoy. “I’ve been dabbling with the potential substitution of a SLES [SuSE Linux Enterprise Server] file and print server, but the biggest obstacle is our inexperience with the platform, rather than any potential licensing costs vs. savings. As go the bean counters and lawyers, so follows the entire staff.”

All About the Beans
Ah yes, the beans. Open source fans tout the cost savings: after all, it’s pretty hard to beat free. Even in this arena, though, open source contenders still have to prove themselves, as costs other than the software must be considered. “Any consideration of a replacement to Microsoft products would have to entail administration, deployment, security and upgrades, at a minimum,” says JC Warren, a network management specialist for a high tech company. “I’d have to be dramatically dissatisfied with our current product suite to even begin to consider alternatives. If an alternate product suite could be found that would improve user productivity, I’d then have to consider the costs of deployment, administration, etc., in order to get a handle on the total cost to switch. Then we’d need to factor in the learning curve for users to attain their previous functional state. Any time lost is money lost to my employer.”

Is Microsoft Losing Its Grip?

Tony Bove has written the book on getting off of Microsoft—literally. His book, aptly titled Just Say No to Microsoft, talks about how and why you should look at alternatives. Bove talked to Redmond magazine about potential Windows/Office tipping points.

What events or factors could cause the Microsoft XP and Office monopolies to crumble?

Tony Bove: It’s happening now. The company as it is today just wasn’t made for these times. As Gates himself pointed out in his recent memo to Microsoft executives, a “services wave” of applications is about to reach millions of users, and Microsoft needs to catch up. But the move to offer a services platform for developers puts Microsoft between a rock and a hard place with regard to its existing software business models. So Microsoft has to start over.

The latest Gates memo indicates that Microsoft faces competition on all fronts—not just Windows; not just Office. Open source software threatens everything from server and client systems to e-mail clients and servers, databases and applications. Mac OS X is a threat to Microsoft’s entire computing experience. Even though the vast majority of everyday computer users are stuck in Windows XP, the cutting edge of innovation is happening elsewhere.

What would cause a mass move away from Microsoft to alternatives?

More bad press about viruses and malware. It amazes me that the industry and press still refer to new outbreaks as “computer viruses” and “computer adware and spyware,” rather than what they really are: Windows, Outlook, IE and Office viruses and malware.

Office has matured to the point that it’s not only easy to clone but easy to improve upon. Windows is under constant attack from Linux and Mac OS X. The reason people give for needing to use Windows—because they need to run certain applications—is quickly eroding. To use the new Internet services, all you need is a computer that runs a browser.

I think [potential] missteps by Microsoft in the coming year—with Vista, and with advertising-supported software—will reduce the Microsoft monopoly enough to enhance competition and spark more innovations. At some point a low-cost, non-Windows computer will be very popular for the consumer market, and so will Apple Macs on the “high end.” It’s only a matter of time. — D.B.

Tech Support
Downtime also costs money, and tech support is a huge tipping point factor. “I’ve had former colleagues relate the horror stories of being forced to switch to an open source product by misguided management, only to strip it out after it proved totally unsupportable in a corporate environment,” says Warren.

For Microsoft challengers to make inroads, it’s clear that tech support will need to improve. Fortunately for them, Microsoft may have provided an opening. “For some products, Microsoft has stopped having higher-level support available during evenings and weekends,” laments Karl W. Palachuk, of KPEnterprises Business Consulting Inc. “So a call might get escalated during the week, but you’re back to Tier-One [support] on Friday night and all weekend. In other words, the highest level of support for the biggest problems is only available during business hours, during the week. In what universe does this make sense? I’m not ready to make the switch today, but I find myself surprisingly open to the possibility.”

Even with some level of dissatisfaction, though, the Microsoft Quilt concept continues to give it an advantage, says Jason Thompson, a consultant architect in Arlington, Va. “My network has three players; Cisco, Dell and Microsoft. All software is from Microsoft, so we know that it works well together. If we do have problems, we only need to call one place. For me to leave Microsoft, a single vendor would need to support database, e-mail, Web, etc., from a single, highly supported platform. IBM is the only vendor I currently know that can accomplish this, but [it isn’t] competitive in price.”

Another aspect of support working in Microsoft’s favor is the army of IT pros trained on its software. “Businesses would not go to alternatives such as Linux or OpenOffice unless the support staff were readily available to resolve issues. Currently, Linux and Unix professionals are in short supply and thus command higher wages. Just look at the demise of Novell,” says Allen Thomas, systems engineer with Lockheed Martin in Baltimore, Md.

Why I’m Sticking with Windows

By David R. Bayer

As network administrator for a small part of a very large heterogeneous network, I’ve had to weigh the pros and cons of alternate OSes for my corner of the world. Even in my small area of responsibility—250 workstations, three servers and one virtual server—we’re running various versions of Windows and Macs, along with Windows and Linux servers. This is all part of a large Active Directory network (30,000-plus nodes). There are several things that prevent me from really migrating away from Windows.

The first, and most important, reason is the remote control capabilities we get with AD and Group Policy. Controlling logins, software updates and distribution and various other items are a big plus for us. I haven’t heard of a good way to do that on Linux yet, and haven’t gotten buy-in from management for Apple’s Open Directory.

Another biggie is user education. The best users I have are now comfortable running Windows and making some tweaks, things like video resolution changes and other such tidbits. In a network the size of ours, those users are heavily relied on to help nearby users with easy-to-solve problems, leaving LAN admin and desktop support to handle more involved issues. Most users still fall into the category of “if it’s not obvious and easy, I can’t find it or do it.”

Another reason we stay with Windows is for messaging solutions such as Exchange. Entourage on the Mac doesn’t do nearly as good a job interfacing with an Exchange server as Outlook does on the PC (although Entourage is much better in Office 2004 than earlier versions). Exchange is very convenient and streamlined for combining messaging and calendaring, and other solutions don’t do as good a job or have as nice an interface (at least the ones I’ve seen).

Microsoft Office is available on the Mac, and Sun’s OpenOffice is available on Linux. Both options seem to have very good compatibility with the ubiquitous Windows versions of Microsoft Office. I enjoy getting to work with Macs and Linux boxes, but at this point it just doesn’t seem practical, on multiple levels, to migrate to another option.

Bayer is LAN manager, Divisions of Hematology/Oncology and Nephrology at Vanderbilt University Medical Center.

Given these factors, it’s clear it will take more than just management buy-in, cost savings which may or may not appear and improved, across-the-board tech support to loosen the Microsoft desktop stranglehold. The products and platforms have to be comparable (or better) in quality. Are they?

Big Mac Attack
In the case of Apple, the answer is clearly yes. If Redmond reader response is indicative of the industry, the Mac has a clear client edge over Linux as a Windows alternative. Many readers hype their switch to the Mac, while almost no one mentions moving to Linux PCs.

Perhaps the Mac has an edge because it has the polish of an OS with two decades’ worth of evolution, is backed by a commercial company and has solid application support, including an official and up-to-date version of Microsoft Office. And because there’s less malware, troubleshooting and help desk tasks are less onerous.

But even with those advantages, the Mac hasn’t made significant inroads into the Wintel space. That may be changing, however, with Apple’s switch to Intel processors. The Intel machines could be cheaper in the long run (the early units have premium pricing), perhaps pushed by low-cost marketing powerhouse producers like Dell. Macs that could compete with PCs on the cost and speed side would certainly be a cause for concern in Microsoftland.

Another advantage Intel processors will provide, and which could prove significant, is the ability to run Windows alongside the Mac OS. “If the future generation Macs (the ones using Intel processors) can run Windows software effectively, I’d switch in a heartbeat,” says Jerry Koch, chief technical officer for WebNow1 LLC. “I’m sick and tired of Microsoft getting rewarded for its failures, like selling anti-spyware software because its OS has so many holes.”

David Cantrill, a London-based Redmond reader, echoes that sentiment. “What have I discovered in my time with a Mac? It works. No viruses, no spyware and consequently no AV software to constantly update. I can still do everything I did on my PC and don’t need to worry that I’m going to lose all my information by having to reformat the thing. Microsoft better hope Vista creates a whole new ball of momentum, or this mag will be retitled Cupertino sometime in the next three years,” says Cantrill.

Why I Ditched Windows

By Rob Hughes

I did a basic cost-benefit analysis when considering a migration, as my network was then mainly Windows, with one Linux box and two Solaris boxes for testing. It had reached the point where I was mostly running around trying to fix various problems with Windows, both at the server and on the client. I needed to add several boxes for a new project and looked at the cost of doing it on Windows vs. Linux, as what I needed could be done on either platform. I found that in that situation, with Linux, I could get by with two fewer systems [and decided to move to Linux]. Since the migration, I spend very little time doing administration on my network, and most of my time doing research. I’m using Linux, BSDs and Solaris as both client and server OSes.

Two of the main advantages of KOffice [the office software that runs on the KDE Linux desktop environment] and OpenOffice are Opendoc/XML compatibility and cross-platform support. KOffice doesn’t currently run easily on Windows, but KDE can be compiled under cygwin if you’re fairly patient (big package, long compile time). And there’s a lot of talk of porting KDE/QT (QT being already available) to Windows when version 4 of both products are released.

XML, being text, is pretty easy to manipulate programmatically. Opendoc also doesn’t use any binary “blobs” within the XML schema like Microsoft Office 2003 does, which makes trying to use Office 2003 files with anything other than Office nearly impossible.

Another advantage is that I can read and write most other file formats, including Microsoft formats, giving me good compatibility with whatever someone sends me. I find these tools offer really good performance and flexibility—and, being open source software, integration/extension possibilities are limited only by the amount of time and effort one is willing to put into a project. At the end of the day, what I’m talking about here is openness. Not just in the published sense (open standard format), but in the true sense of an Open Standard format.

Rob Hughes is an escalation engineer with a technology company.

Desktop Linux—Untapped Potential
Linux PCs are much rougher around the edges than Macs, no doubt about it. They’re still much more difficult to install and use than Windows and Macs, often lacking anything but the most basic instructions. That leaves a dedicated group of hard-core, tech-savvy consumers, hobbyists and geeks to tweak and improve it, just as they did with Altairs 30 years ago.

But these pioneers are small in number, and on the corporate side, things are even worse. The few widespread adoptions are almost all among the Linux vendors themselves—companies like IBM, which has more than 10,000 desktops running Linux. Peruse the Red Hat Web site, and you’ll find 38 case studies, only two of which mention Linux desktops to any degree.

One bright spot, which could portend a tipping point, is in a market not yet dominated by Microsoft, or any other vendor for that matter: those who are too poor to even have considered a computer in the past. Nicholas Negroponte, of the MIT Media Lab, and his team have designed Linux laptops for the third world. For about $100 the machines come with a range of applications, 1GB RAM, peer-to-peer capabilities and wireless connectivity. Negroponte hopes that as many as 150 million units will be built in the next two years.

That’s a lofty goal; but even if only a tenth of those get built, it still means 15 million Linux laptops will be in use. At that price, and with that kind of base, it becomes an interesting and proven proposition for lots more folks. Add some polish and some apps and you may just have a popular, new portable platform.

Whither Office?
If Windows on the desktop could be toppled, what about Kong’s other arm—Microsoft Office? Much as with desktop Linux, the potential is there, but the open source competition still has a way to go.

One user tried OpenOffice, but the performance simply wasn’t there. “Upon reading benchmarks of the new


Market Share

Linux has 3 percent desktop market share and will have 6 percent two years from now (2008), IDC says. Meanwhile, the Mac is generally thought to have slightly less than 3 percent market share.

Top Tipping Points

>> A unified or dominant Linux client – such a client could have better driver and apps support
>> Intel-based Macintoshes – cheaper Macs running XP or Vista alongside Mac OS X could appeal to Windows shops
>> Third-world $99 Linux laptops – a huge base of Linux clients could jumpstart the apps markets
>> Dell selling Macs or solid, reliable and usable Linux PCs – a trusted low-cost supplier could give these machines corporate cachet
>> A bug-laden, insecure Vista – if Vista is a huge pain to secure, and requires loads of training, an alternative may not be viewed as altogether disruptive
>> A bug-laden, insecure Internet Explorer – if IE7 is no better than today’s browser, corporations could move in droves to Firefox, which already has about 10 percent market share
>> Major change in Office 12 causes disruption – interface and file formats (if native XML is really supported, are file formats still a lever?)—like with Vista, the Office suite, code-named Office “12,” could be as tough to move to as Office rivals
>> Dramatically improved Windows interoperability with Linux or the Mac – if Linux and the Mac become a seamless part of the Microsoft Quilt, IT objections will be answered
>> Brand new computing paradigm/architecture – just as the PC killed off the Apple II, a compelling new approach could sweep away legacy Windows and Office
>> Web services take over and bring back the Network Computer – if Web services become dominant, fat client PCs won’t be necessary
>> Open Source becomes a broad corporate mandate – if open source offers a compelling ROI, CEOs could mandate a move away from Microsoft


StarOffice/OpenOffice versions that have up to 10 times the processing overhead compared to the Microsoft products we already license, there’s just no way to justify consideration in a shared environment,” says Sidney McCoy.

On the other hand, critics claim that Office suffers serious feature bloat, perhaps providing an opening. “I would absolutely move away from Office and XP for the majority of my users, if I could have a solid desktop and office suite with similar core functionality and interactions as XP and Office. That seems to be a rather broad stroke until you evaluate what “core functionality and interactions” really means to a given set of users, and the respective business processes. In most cases, Office and XP are overkill in function and cost,” says Yusuf F. Abdalhakim, of Abdalhakim & Associates, an IT consultant with 20-plus years of experience.

In addition to the footprint, interoperability is another potential tipping point away from Microsoft. OpenOffice cracked the door open for the OpenDocument file format, an XML format derived from StarOffice that may be able to break Microsoft’s deathgrip on productivity file formats. If these file formats become open, Office suddenly becomes less necessary.

Microsoft has responded by proposing its own XML-based format others can support, but that Redmond ultimately controls. That makes it less appealing to many, and, ironically, may lead to a move away from Office. “The XML stuff and the Open format specification of OpenDocument is extremely relevant for any organization that considers control over its data a priority, rather than giving that control to a single vendor via proprietary formats and forced upgrades in order to maintain supported status,” says Rob Hughes, an escalation engineer with a technology company. “The fully documented nature of OpenDoc would also play on the enterprise development side, as things like integration with various sorts of database back-ends and so forth are all greatly eased.”

From Hunter to Hunted

There’s no doubt that right now, Microsoft is sitting pretty. But there’s accumulating evidence that its place on the perch could be getting more precarious. In fact, according to author Tony Bove, who’s written a book on how to swear off of Microsoft completely (read the sidebar, “Is Microsoft Losing Its Grip?” on p. 30), the possible seeds of its demise can paradoxically be found in its overwhelming success.

“Microsoft is essentially held back by its monopoly and the complexity of its products, and can’t innovate fast enough without hurting its existing business,” Bove says. “That wasn’t always the case—in the early days of the monopoly, Microsoft was invincible. There was so much activity on so many fronts that the company was a moving target. Now … the company has become a big fat target.”

Doug Barney is editor in chief of Redmond magazine. Contact him at [email protected].


In Microsoft’s Corner: Keeping Windows Large and in Charge

>> The Microsoft Quilt – XP and Office aren’t stand-alone but work closely with other Microsoft tools
>> The sheer number of applications – no one can match the volume of Windows programs
>> Custom Corporate Client Code – internal applications developers have written billions of lines of Windows code that would have to be re-crafted
>> Active Directory – the standard corporate directory works best with Microsoft tools
>> Exchange – Exchange works with Outlook, which works with Office, which works with XP ...
>> Office training – as tough as it can be to use, no program has more training muscle behind it than Office
>> Office file formats – many shops use Office just so they can share files with partners
>> OEM lock-in – PC vendors unanimously support Windows, not Linux or the Mac
>> Price/Performance – competition has pushed PC prices to an all-time low
>> The Groove factor – Ray Ozzie, one of three CTOs, is planning to bring rich collaboration technologies to the Office suite, code-named Office “12,” and Vista

Cool Tool

Code Weavers (www.codeweavers.com) has a tool, called Crossover Office, which is a version of WINE that lets Linux run key Windows apps. WINE essentially implements the Windows API set on Linux.


Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties.

BY DOUG BARNEY

We all know spyware is bad stuff, the real question is: How to get rid of it. To find out, we went to the experts—you, the Redmond reader. Dozens of you responded to our pleas. Here are the best bits of spyware removal advice, sprinkled with a healthy dose of anger and frustration.

Removing Aurora

Aurora is a nasty bit of adware/spyware that can be a real pain to root out. Redmond reader and IT Specialist Robert Butler knows. “I’ve discovered that Aurora changes the file names of the files it uses to re-infect the host. Aurora also apparently hijacks some legitimate running processes,” Butler explains.

Butler has spent hours trying to clean Aurora out of systems. “I’ve found that one needs to boot in command prompt safe mode and delete the file c:\winnt\ceres.dll. The file will not delete in normal mode and will regenerate the software if not deleted. No anti-spyware software will delete the file either.”

Aurora also seeds confusion, says Butler. “Aurora is part of a group from Direct Revenue that includes: ABetterInternet, ABI Network, Ceres, Aurora, WinFixer, Direct Revenue and Search Assistant.”

The confusion extends to Aurora Networks, a technology company that has nothing to do with the spyware, but finds itself mistaken for the malefactor. The firm has gone so far as to publish helpful updates and links for managing the Aurora spyware threat on its Web site.

That site includes a link to the Aurora authors’ own removal tool. It would seem foolish to trust such a tool, but at least one reader, Scott Davidson, owner of ARX Computers, had good luck with the Aurora-built fix.

“In the effort to stay ‘legal,’ many spyware purveyors offer uninstall programs. They don’t make it easy to find, but they’re out there on a regular basis,” says Davidson. “You may be leery of using it, but I figure this company has already had its way with this computer, so going back for more shouldn’t do additional damage. The uninstall program for Aurora works like a charm. However, remember the best tool for fighting spyware in general is System Restore.”

Matt Yeager also tried the Aurora removal tool, after seeing positive feedback on a number of forums. He says the tool removed the pernicious spyware.

“A malware company you can trust? I don’t think so,” Yeager writes. “A malware company that’s worried about prosecution is probably more like it.”

More Aurora Horror

Joey Heape ran into trouble after giving his 13-year-old children their own PC. The kids recently complained about slow performance, and Heape discovered the system was riddled with malware. Heape, who is director of media & technology for the South Carolina Bar, ran a host of free spyware killers, as well as Microsoft AntiSpyware, but to no avail.

“I learned about killing processes, HijackThis, etc. I tried CounterSpy (home version, I actually use the enterprise version at our office), Ad-Aware (I own a copy of this for my workstation), you name it, I tried it,” Heape recounts. “Needless to say, I ended up reformatting.”

Stuffing Surf Sidekick

Another tough customer is Surf Sidekick, which can seem impossible to dispose of. But for the patient and technically adept, there is a removal procedure that can help you. (Go to Redmondmag.com and use FindIT code: SpyTips for a direct link to the procedure.) This heads up comes courtesy of Ryan Carrier, ISA CCST III, and an IT pro at Fraser Papers Inc.

“My worst experience with spyware? How about spyware (or maybe it was a virus) that replaces the host file so you can’t go to Microsoft, Symantec and other sites you need to remove it. If you repair the host file, it gets replaced again! Shuts down the browser when certain words are typed in Google (like ‘virus,’ ‘spy,’ etc.). And it disables Task Manager and any [other] program that looks like a task manager. I was eventually able to find one that wasn’t recognized by the spyware,” recalls Carrier.

“The fix ended up being a combination of spyware detection tools, a task manager not recognized by the virus, going into safe mode and a pinch of luck!” Carrier says.
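The hosts-file tampering Carrier describes can be checked for directly. The script below is an added example, not part of the original article: it flags hosts entries that pin security or update sites to an address, and fingerprints the entries so a repaired file that gets replaced again is noticed. The watch list and the sample hosts content are constructed assumptions.

```python
"""Audit a Windows hosts file for entries that block or redirect security sites."""
import hashlib
import ipaddress
import sys

# Assumed watch list: domain suffixes a cleanup depends on (adjust per site).
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com")

# Constructed sample of a tampered hosts file, embedded so the example runs offline.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
0.0.0.0         update.microsoft.com   # blocked
203.0.113.7     www.microsoft.com
10.1.1.5        intranet.example.local
not-an-ip       download.microsoft.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        fields = entry.split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skipped here, review by hand
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return one finding per watched hostname that the file pins to an address."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        # Loopback or 0.0.0.0 makes the site unreachable; anything else
        # sends the browser to a server of the file author's choosing.
        verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        for host in hosts:
            if is_watched(host):
                findings.append(
                    {"line": line_no, "host": host, "ip": str(ip), "verdict": verdict}
                )
    return findings


def fingerprint(text):
    """Hash the effective entries, ignoring comments, spacing and order.

    Record this after repairing the file; a different value later means the
    entries were changed again.
    """
    entries = sorted(
        f"{ip} {host}" for _, ip, hosts in parse_hosts(text) for host in hosts
    )
    return hashlib.sha256("\n".join(entries).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Pass a path to audit a real file, for example
    # %SystemRoot%\System32\drivers\etc\hosts; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['verdict']})")
    print("fingerprint:", fingerprint(content))
```
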

Prevention Through Privileges

Many spyware problems result from users running Windows with full administrative privileges, says reader Rick Lobrecht. He urges IT managers to set up accounts with normal user


Reader Tips: Do Away with SPYWARE

A Bloody Irish Answer
By Kevin Jordan

How can IT professionals hope to put an end to the malware scourge? Kevin Jordan, of Belfast, Ireland, offers an idea.

“Here in Belfast we have a shop called B&Q and it’s a hardware/home/garden improvement type of place. Now in there they sell nice, handy lengths of timber. Sand one end until it’s rounded and provides a nice tight grip, allowing both hands to hold roughly four feet of 6x4. Find out from the local authorities who the onion is that wrote the spyware code. Go around to his/her (you never know) workplace or home using transport of your choice—preferably low-budget airline or bus because you’re already out the price of the lumber. Apply the said piece of timber several times to the body of the numpty who’s responsible for causing this irritation. Before he/she loses consciousness, try to find out anything about his/her contacts and pass this info on to like-minded people you know.

Hopefully this will mitigate the cost of the timber and transport by spreading it about and eventually these people will give up their activities since it’s hard to type with broken fingers.

Incidentally, in order to comply with health and safety legislation, it may be prudent to wear some form of protective gloves and visor, just in case some loose splinters are flying about.”

Kevin Jordan is a presales IT consultant.


privileges. “Your spyware problems will disappear,” he says.

Paul Witting is emphatic in his agreement. “DO NOT RUN WITH LOCAL ADMIN PRIVILEGES,” he writes. “I know it’s a pain, as way too much stuff still insists on having admin rights, but the difference this one little piece of preventative maintenance makes is night and day.”

Witting describes his company as having to deal “with the most nefarious corners of the Internet day in and day out.” And yet, none of its PCs have suffered an infection. He credits restricting administrative privileges for the difference.

The Microsoft Way

Microsoft offers a number of tools, including spyware blocker Windows Defender (formerly known as Microsoft AntiSpyware). It also has a new tool to protect computers used by more than one person, which reader Byron Hynes is a fan of. Hynes suggests downloading the Microsoft Shared Computer Toolkit for Windows XP.

The free software helps keep users from changing settings and installing software, and it defines what changes can be made to hard drives. This tool is largely aimed at shared computers in public places such as waiting rooms and kiosks, but could be just the trick for the spyware sponges in your shop.

There’s a similar third-party tool, as well, called Deep Freeze. This tool allows users to make whatever mischief they can get away with, after which the admin can restore the original system state. Some labs have the systems automatically rolled-back every night, to make sure everything will be working in the morning,” says a senior systems engineer who asked not to be identified.

A Virtual Solution

Several readers suggested virtualization as a solution. “I use Virtual PC with undo on,” says Dave Cline. He describes how “all changes to the virtual hard drive are dumped each time I reboot the machine,” erasing infections from the previous session.

Reader J.D. Norman, who is CTO of PCS Enterprises Inc., says virtualization simplifies his life. “Turn on snapshots, and if there is a problem, roll back to a previous snapshot,” he says. “Makes it easier to move the user to a different PC, too.”

Charles Hodgkins uses what you might call manual virtualization to keep his kids’ surfing from messing up his system. He describes two tricks: “One is to use a removable disk tray like those from Addonics. This way I keep a separate drive for the kids, which I can reformat as needed, and keep a drive for myself that I keep locked away from the kids. Another is once I get the machine set up the way I like, I create an image using Acronis True Image that I write onto several CDs or DVDs. That way, I can easily re-create a drive as required,” Hodgkins explains.

“Of course, I also disable every service I can, as well as keep my computers behind a NAT router and enable software firewalls on all of them. This doesn’t stop everything, but it helps.”

Spyware Removal: The Unabridged Version
By Scott Davidson

Here is my standard removal procedure, up-to-date as of the new year:

1. System Restore—ask how long the problem has occurred and whether the user made any major changes to the system since then. If it’s a new problem surfacing in the last few days, roll it back two weeks. This fixes some of the nastiest problems cold. Explain that System Restore does not affect data like documents and music, but any programs installed in the last couple weeks will need to be reinstalled. This is an overlooked and very useful tool for all problems, not just spyware.

2. Boot into Safe Mode w/Networking, go to Control Panel then Internet Options. Delete temporary Internet files, cookies and clear history. Set Internet zone security back to Default if it’s on “Custom.” Check “Trusted Sites” zone and make sure it’s clear (sometimes spyware will add their sites to it). Check Cookies setting, make sure it’s Medium, not “Accept all cookies.”

3. Uninstall all known spyware programs you see in Control Panel Add/Remove Programs. Sometimes they demand Internet access to remove themselves, which is why we’re using Safe Mode w/Networking. Make sure the user is not using these programs. I had a customer who was annoyed that I removed his Alexa toolbar.

4. Run the latest CWShredder, owned by Trend Micro for the moment. Takes one minute, can help.

5. OPTIONAL, only for severe infestations: Install and update Ad-Aware. Scan and clean. Install and update Spybot, without using their TeaTimer or active protection. Scan and clean.

6. Run HijackThis and take out all suspicious-looking items, looking them up on Google if needed to make sure they’re not legitimate programs.

7. Reboot in normal mode and install Microsoft Anti-Spyware, update, scan, clean.

Continued on p. 42


42 | March 2006 | Redmond | redmondmag.com |

Handy Tools

Today’s anti-spyware tools usually do a great job blocking the nasties, and as such, you should have plenty of this software on hand (and installed!). Here’s a few of the tools Redmond readers enjoy.

John Richardson, it seems, has used them all. He applied HijackThis, Spybot S&D [Search & Destroy], Ad-Aware, Microsoft AntiSpyware and Bullet Proof Soft on a customer’s PC infected with more than 20 different Trojans and numerous spyware infections. Richardson, an MCSE BCNTS and BCCTS who is owner of Austin, Texas-based computer support firm BrainWerkz, also singles out EWIDO as an important tool.

“This was a slow process (taking three-plus hours to complete) that ran exclusively under Safe Mode and worked wonders. As there were two separate accounts on the Windows XP Pro system, I made sure to run the apps under both profiles to catch any lurking bugs,” he says.

A good rule of thumb is a layered approach, just as with firewalls, anti-virus, and anti-spam. IT Specialist Charles Olin has a set of tools he likes to use when combating threats. “I generally use three or more spyware removal tools: SpyBot Search & Destroy, Lavasoft’s Ad-Aware Plus, and Trend Micro’s Anti-Spyware. I also use avast! antivirus software, which also finds malicious spyware. The company also has what they call their BART CD (Bootable Antivirus & Recovery Tools CD),” explains Olin, who also suggests switching to the Firefox Web browser.

“It is so much easier to keep spyware from ever entering the box than cleaning it up afterward,” says Systems Administrator Eric Wallace. He urges people to use Javacool’s SpywareBlaster, which uses the ActiveX “kill bit” to lock-out known spyware programs. He also tells users to never log on as an Administrator unless installing software.

“It’s not a panacea,” he says, “but just these two steps will probably make a huge difference in anyone’s spyware arrival. Prevention is the key!”

Wallace goes a few steps further. “I only browse with Firefox with AdBlock extension and Filterset.G, which prevents ads and spyware-type content from loading. Then I run a couple of other anti-spyware programs, including Lavasoft Ad-Aware and Spybot S&D, both of which have some preventive measures as well. And I’m looking into downgrading my IE and Firefox process privileges, since I’m usually logged in as an administrator—and domain privileges—when at work.”

Bill H. has also been hit with spyware, though to be fair, Bill deflects the blame. “It was my wife who caused the trouble ... lots of tension followed, of course!” Bill used HiJackThis and posted the results to a Web forum on the TomCoyote Forums Web site. “There are some very generous souls who patrol these forums and look to help the novice, spyware-infected unfortunates.”

Joanna Lovett, IT support manager with Cambridge Systematics Inc. in Cambridge, Mass., says that Zone Alarm can help as well. “I just upgraded my home computer to the latest version on Zone Alarm. It has a spyware detector and real-time protector that work pretty well. The spyware scanner found things that Ad-Aware missed on my computer,” she says.

Anti-Spyware Not Yet Perfect

While most readers run one or several anti-spyware tools, they are not a perfect solution. Stephen Nichols, IT


Spyware Removal: The Unabridged Version continued ...

8. Reboot and browse the Web for a couple minutes, going to a few different sites, and see if you get repeated adware-style popups still. If you do, go back to HijackThis and be more heavy-handed, you probably missed something.

9. While doing this, explain to the user how to avoid this problem in the future. “Be very skeptical of free programs, especially toolbars, search bars, shopping helpers, music download programs, bargain finders, screensaver programs, security applications, etc. Be wary of official-looking security warnings.” List the legit anti-virus and anti-spyware programs and explain that for every legit one, there are 25 charlatans. “The same scumbags who put the spyware on your computer in the first place are the ones trying to sell you a bogus antivirus/anti-spyware program.”

Some of the worst kinds of spyware regenerate themselves. I’ve had to boot into Recovery Console to get rid of the root .DLL file, which regenerates the adware. Most should show up in HijackThis.

If the cause does not show up in HijackThis and none of the free programs remove it, odds are it’s one of the nastier kinds that are not removable without digging deep and spending too much time. I spend about one hour on spyware removal. Back up data, format, reinstall if it’s not removable in that timeframe. What you want to avoid is spending three hours trying to remove a particularly nasty bug buried deep in the registry and then having to spend two to three hours backing up data, formatting, reinstalling because it’s buried too deep.

Davidson, owner of ARX Computers just northwest of Chicago, Ill., squishes spyware for a living.


analyst for International Truck and Engine Corp., Engine and Foundry Division, says that spyware packages like Ad-Aware often struggle to pull out spyware by the roots, in part because viruses and other grayware keep restoring the spyware. The ability of some malware to cripple virus scanner software complicates matters.

How can you clean out tough infections? Nichols plays a game of switcheroo with the malware. “I simply pop the case off the PC, plug in a hard drive of at least 4GB, make it the first bootable drive in the BIOS, and install a fresh copy of XP. After it comes up, I just need network drivers and then I can use Trend Housecall and download a fresh copy of Ad-Aware,” Nichols explains. “I can get 99 percent of the junk off the system this way. After that I just remove the hard drive and voila, clean PC!”

Nichols takes the clean drive idea a step further, by preparing a BartPE boot disc with Ad-Aware and AVG Anti-Virus included. “I can just boot from CD to clean the hard drive,” Nichols explains. “The only caveat with this is that I have to keep updating the patterns. I could pull it off the network or off of a floppy or flash stick. It will still be faster than cleaning the PC manually or popping the cover, and I will probably be able to update the pattern, even from an infected PC.”

Spyware Silver Bullet?

A growing problem is malware that restores itself. Reader Greg Lara says you can sometimes break the cycle with a bit of preparation and quick click-work.

“Once I’ve identified the executable file that needs to be deleted, I open the Task Manager and find it in the process list. In another adjacent Explorer window, I navigate to the file in question, highlight it, then press the Delete key. With the delete confirmation dialog box up, I move over to the task manager and end the process. Now I move the end process confirmation dialog box next to the file delete confirmation dialog, and in quick succession, click OK in the file dialog and then in the process dialog, usually with a combination of mouse click in one and the space bar in the other. With the timing just right, the file is deleted before the process can kick off again, and the cycle is broken,” Lara says. “This won’t work in every case, but it can jump start a cleaning session when the frustration level has reached a fever pitch.”

Safe Mode, Safe Harbor

MCP Eric Hanner takes no chances with his clients’ machines. “I have taken the approach of blast ’em and see what comes back. If I have any indication of an infestation, I start by booting into Safe Mode, update the files and run Microsoft Anti-Spyware and Ad-Aware. While I’m in Safe Mode, I also run a virus sweep. I have never had a case where I scanned later and I was still infected. I’m not saying there aren’t some files lingering somewhere, but they apparently are not activated or are idle if they are there at all,” Hanner says.

The Manual Approach

Mike Matteucci constantly sees spyware-infected PCs in his work with PC-Network Services in Bakersfield, Calif. “As an end user, I hate spyware. As a technician, I love spyware,” he says.

Matteucci claims an over 90 percent success rate in removing spyware without having to wipe the drive. The cost, however, is time. “I advise my clients/customers that it is a minimum of three days for me to have their machine. I run my in-house anti-virus along with several free spyware utilities, plus use the Internet to trace the .EXEs and .DLLs that are causing the problems,” he explains.

Matteucci offers some useful advice for PC users, including a switch to the Firefox or Netscape Web browsers, and setting up Windows Update so that it automatically kicks off in the morning, when the PC is most likely to be running, rather than at 3 a.m.

“Another thing I advise customers is to manually once a day use the Norton or McAfee auto update service for their anti-virus,” writes Matteucci. “It seems that these companies—if the update is not a major threat—delay posting it on the scheduled update Web site for two to five days, and that’s when you get hit.”

Windows on Live CD: Solution or Illusion?

One reader would like to change the way that OSes, apps and data are intertwined. “Just an idea that nobody seems to be doing anything about—how about booting a live CD of Windows, and using that as your boot volume. All data could be stored on the local hard drive, but the OS and necessary apps would reside on the CD, where they couldn’t be harmed,” suggests Dennis Barr, manager of Information Technology for the Larkin Group Inc. in Kansas City, Mo.

It’s not a bad idea. Many Linux distros are available in “live” versions, which run entirely from a CD or DVD. The portability makes live distros a staple among IT professionals who use Knoppix and other live Linux packages as a system rescue and recovery platform. So, Barr asks, “if the penguinistos can do it with their OS, why can’t it be done with Microsoft’s?”

Doug Barney is editor in chief of Redmond magazine. Share your spyware-fighting tips and tricks with him at [email protected].

GetMoreOnline

Log on to Redmondmag.com for easy and direct access to the products and tools mentioned here. Plus, you’ll be able to download a full-length version of this story, complete with additional tips and tricks from the trenches for fighting spyware.

FindIT code: SpyTips

redmondmag.com


Never Again

They go by many names: CLEs (Career Limiting Events); Murphy Moments; Blue Screen Memories; RUAs (Resume Updating Actions). What they all have in common is disaster.

Most IT folks have at least one tale of woe, of that time when their career flashed before their eyes (those in the biz for a long time often have more than one—sometimes many more). It often starts when the help desk phones start lighting up like a Vegas casino. Users can’t connect to the network or Internet. Servers aren’t talking to each other or to you. Then your mouth goes dry, as you realize you haven’t tested your backups for—well, you can’t remember for how long. And where is that bootable CD now that you need it?

Chances are you also found a solution, recovered from your error and got things shipshape again. Otherwise, you probably wouldn’t be reading this article, because your new job at the local car wash demands your total commitment. You learned a lesson, gained experience and wisdom, and have become a better IT pro as a result.

But wouldn’t it be nice to learn those lessons without the near-death experience? Our new continuing column, called Never Again, aims to do just that. Each month, we’ll present the most compelling story in print, and others will appear online. If you have a tale of technical terror you’d like to submit for this column, send in a 300- to 800-word, first-person write-up of your scariest IT moment on the job to Keith Ward at [email protected].

Now, let the nightmares begin.

BY KEITH WARD


Out of Service
BY RON STEWART

I work at an IT services company. Recently, we moved the servers of a rapidly growing client from their own office to a data center. We’ve performed similar server moves several times in the past, and the first few tasks went off without a hitch. We shut down the servers late on Friday afternoon, packed them up and had a bonded carrier move them to the data center. Once there, we racked the servers, reconnected them and booted them.

Our server technician watched the monitor as the first server booted, preparing to log on to each server and perform some basic tests. He waited patiently for the familiar Windows Server logon screen to appear.

After several minutes went by, it became clear that something was very wrong. “Applying computer settings,” the screen read—for more than two hours, before a logon dialog box finally appeared. Logon itself took an hour to complete. When the GUI appeared, it responded extremely slowly. In addition, no network connections were listed.

The server and network techs double-checked all connections and settings, verifying that they were correct. They formed a theory that the servers needed to boot onto a network that used the IP addresses from the office LAN, with which they were still configured. The techs reconfigured the network components and restarted the servers. More than an hour later, as the servers took their sweet time booting yet again, this theory was thrown overboard.

It was now well past midnight. The team phoned the servers’ manufacturer for assistance. Discussion soon focused on how the servers’ network cards were configured to function together as a team; the vendor’s support tech suggested disabling this so the network cards could operate independently. But after doing this, the problems continued.

At this point, the vendor’s support tech basically threw up his hands, telling our guys to wipe the servers clean and rebuild them from scratch.

The exhausted and bleary-eyed server tech looked out of the data center’s windows, saw the dull glow of dawn on the horizon, and retained just enough good sense to inform the support tech that no, he wasn’t going to do that. He hung up, and our guys called it a night (not that much was left of it). They would return to take another crack at things the next day.

The following afternoon, our CIO called me (I should never leave my cell phone on during weekends). He briefed me on what was going on. “A fresh set of eyes might help,” he said. Could I get down to the data center as soon as possible? After making the usual apologies to my long-suffering wife, I went to ground zero.

Progress was slow and frustrating. Each server had numerous issues in addition to the brutally slow boot time: No network connections were listed; the GUI was sluggish; services couldn’t be stopped or started.

Because the servers were able to boot into Safe Mode quickly, we figured the cause of the problem must have been one of the non-essential services. So we went about disabling all these services, then booted the servers normally (which now only took the usual couple of minutes) and gradually started only the non-essential services required for each server’s functionality.

By midnight, all the servers save one were operational. Everyone else went home, leaving me to work on the last non-functioning computer—an intranet Web server. As this server had been designated a low priority, we hadn’t used Safe Mode to reconfigure its services, and as the hours passed, it had eventually become accessible.

With the pressure now gone, I finally had the time to analyze the services. I went through the list, and spotted the culprit behind our lost weekend. The APC PBE Agent service, after six hours, was “Starting.” I disabled that one service, rebooted, and all the problems went away.

I’m pretty sure I screamed.

We made some mistakes here. First, the data center had its own huge, shared UPS, so the APC software wasn’t needed and should have been removed. Second (we discovered this later), the digital certificate used to sign the APC software had expired just the week before. (To add insult to injury, a Microsoft Knowledge Base article on this very problem appeared the following week, just a few days too late to help us.) And third, we should have performed this analysis several hours before, but we’d been too focused on restoring functionality.

Many of the lessons here are specific to this incident, but the two reminders I took away from it are: A) When it comes to technology, no change is simple, no matter how many times you’ve done it before; and B) You can save time if you take the time to work the problem, rather than letting it work you.

Ron Stewart is a senior technical consultant at Syscom Consulting in Vancouver, Canada. He has worked in IT for more than 10 years, far too much of it on evenings and weekends.


That’s a Wrap
BY RYAN WILLIAMS

I’m a consultant, so I’ve seen a lot of issues in data centers with my clients. One of the most memorable involved a client that had all their data center servers go down during some renovations. Imagine the surprise of the person sent in to check the server room when he found that the remodeling contractors had shrink-wrapped the racks of servers to keep dust out! The contractors neglected to mention that they would be doing this, so all the servers were on when they wrapped them up. Naturally, the servers overheated and shut themselves down. Luckily, none of the servers were fatally damaged.

The moral of this story: When remodeling your data center, make sure the contractors are closely supervised.

Ryan Williams has more than nine years in the network integration and the professional services field. He has extensive experience in implementing and supporting Active Directory, Exchange and collaboration technologies.

Disappearing DNS
BY ERNEST FRANZEN

One of my worst experiences was finding out the ramifications of deleting our main Active Directory-integrated DNS zone.

We had to move one of our domain controllers to a new IP subnet, so I changed the IP address of the DC and rebooted. After the reboot, everything looked good—except for DNS, which had a big red “X” through the zone.

So, knowing that the DNS is replicated from other DCs, I deleted the zone and recreated a new zone with the same name—my thinking was that it would populate within a few minutes from one of the other DCs.

Instead, the phone started ringing with users having all types of connectivity problems: Web pages wouldn’t load; e-mail was down; file and print services were down. The problem was affecting the whole corporation.

Things got louder when a support tech came in while we were starting to troubleshoot the problem. “You did what?!” he screamed. “You can’t do that! DNS is integrated within AD; that’s why it’s called an Active Directory-integrated DNS zone!” That explained what was happening. By deleting DNS at the remote site, it deleted DNS from all the sites. So when I recreated the zone, it replaced our existing 15,000 records with a new zone—a zone containing only the DNS record of the DC and the file and print server at the remote site.

Luckily, we had a tape backup from another DC and were able to perform an authoritative restore and get back most of the original DNS records. But several others were missed and had to be created manually (let’s just say that it was a very long night).

Since that experience, I’ve had another problem with DNS corruption on a single DC that required a call to Microsoft support. I was dismayed during the troubleshooting process when the technician told me to “delete the zone.” Needless to say, I argued against this course of action—this was one lesson I learned the hard way.

Ernest Franzen is a senior network architect for a Fortune 500 company. He holds MCSA and MCSE certifications.

Redmond magazine wishes to thank Thomas Haines and AOPA Pilot magazine for allowing us to use the title of this column without getting bent out of shape.


Mr. Roboto
Automation for the Harried Administrator | by Don Jones

Service Pack It Up

Welcome to Mr. Roboto! Most of you know me as Beta Man, but I’ve taken on a new role at Redmond. I’m strapping on a tin helmet and diving into the world of Windows automation.

Let me be perfectly clear right up front—this isn’t just a scripting column. Sure, I’ll turn to scripting when it’s the right technique for the job at hand (as I have this month), but this column is primarily about the job. More specifically, this column will focus on tools and tricks for getting the job done.

Sometimes that will mean a Resource Kit tool, other times a free tool from someone else, or occasionally even a script. I’ll always try to give you some additional tips on how you can tweak or extend the script, tool or whatever so you can use it for other purposes. My primary focus each month, though, will be on using the tool or script to automate a Windows administrative task and help you get the job done faster and easier.

This month, I’ll focus on an often annoying task that’s hard to do without using a heavy-duty solution like Microsoft Systems Management Server: figuring out which service pack is running on a specific set of computers. First, I have to offer a few caveats. My solution uses a tool that you will run on your computer.

It will use your network to contact whichever computers you specify, meaning you need to have those computers turned on and connected. You’ll also need to either turn off the Windows Firewall (or whatever local firewall you may be using) or configure it to allow remote administration traffic (specifically, the tool connects to the Windows Management Instrumentation service on each computer you target).

This script should work with NT-based computers all the way back to Windows NT 4, including Windows 2000, Windows XP and Windows Server 2003. The account you use to run the tool needs to have local administrator permissions on each targeted computer, which means you’ll probably need to run the tool as a domain admin (launch the tool using RunAs if you need to specify alternate credentials).

I wrote this tool as a VBScript, but it’s written in the WSF format, meaning you can just run it as a command-line tool. Its name is ListServicePack.wsf, and it accepts a few command-line arguments (including /?, if you need help with it) that tell it what to do. For example, if you have a text file that contains the computer names you want to check (one computer name per line in the file), run:

    ListServicePack /list:computers.txt

(or whatever the filename is). If you just want to test it with a single computer, run:

    ListServicePack /computer:MyComputer

instead. Or, if you want to try and hit every computer in an Active Directory organizational unit, run:

    ListServicePack /container:Sales

specifying the appropriate Organizational Unit (OU) name instead of “Sales”; tack on “/recurse” to process sub-OUs as well. You can also specify the “/output:filename” argument, which writes the tool’s output to the specified text file, rather than just displaying everything on-screen. If you run the script on an XP or 2003 machine, specifying the “/ping” argument will help reduce the wait time for computers that aren’t available.

The tool has some other goodies, too. Run it with “/?” to get a complete breakdown of what it can do. This is a great, easy-to-use tool for quickly checking the service pack level on a number of machines. If you’re a VBScript fan, feel free to crack it open and play with it. Otherwise, just use it as-is to help make your administrative life a little bit easier. Domo arigato.

Don Jones is a columnist and contributing editor for Redmond magazine, and the founder of ScriptingAnswers.com. His latest book is Windows Administrator’s Automation Toolkit (Microsoft Press). Reach Don at [email protected].

Download

Download this month’s tool from www.ScriptingAnswers.com/roboto/col1.zip.

Please keep this URL. That way, if problems occur, I can update the posted file more easily.

What Windows Administrator’s task would you like Mr. Roboto to automate next? Send your suggestions to [email protected]

Windows Insider
Greg Shields

Down the Winding InfoPath

I hate forms in Microsoft Word. I really do. You know what I’m talking about—those nasty little grey boxes that make text hard to read, jump around when you hit the Tab key, and sometimes delete too much when you try to Backspace.

Not long ago I decided I’ll never use Word 2003 forms again. So, when handed yet another project that needed them, I chose to look into Microsoft’s least-understood Office tool: InfoPath 2003.

Offered as a stand-alone product or bundled with Office Professional Enterprise Edition, InfoPath is an XML-based forms design tool with tight constraints on how your form conforms to an established XML schema. Whether you submit your form to a database or save it as an XML file on a file share or SharePoint server, starting a project in InfoPath is a lot like Microsoft Access. Before you ever begin designing, you must understand the data you’re collecting and how you want it stored. That being said, here are six quick tips I learned that’ll come in handy as you create your first InfoPath project.

1. Create Your Data Source First
For simple forms that won’t submit to a database, creating your XML schema is easy. As an example, open InfoPath and choose to design the sample Status Report form. You’ll see that text boxes in the form map to fields in the Data Source. This is a key factor in forms design. Before you create any text or check boxes on your form, you must already have an existing entry in the data source where that box’s data will be stored. In forms that don’t attach to databases, you create new fields in the data source by selecting the folder group and then clicking the Add… button (see Figure 1).

Figure 1. The singleName text box in the form design maps to the singleName field in the form’s Data Source.

2. To Database or Not to Database
Where it gets harder is when you want to submit your forms to a database. InfoPath supports direct database connections only to SQL Server and Access databases, and won’t allow you to submit your forms if the database has a many-to-one relationship between related tables. Forms that submit to a database seem more difficult because you can’t directly add or remove fields in the data source from within InfoPath. Fields in your data source are completely constrained by the columns in your database. Need a new field in your form? Create a new column in your database and update the SQL query in your Data Connection.

If you’re using SQL Server as the database for your form, consider linking the form to a SQL View rather than directly to a table. This makes it easier to manipulate the view if you need to make a change, as well as making it easier to apply security to your database.

3. Drop and Give Me 20!
Drop-down list boxes can be a little tricky. There are three ways you can populate a drop-down list box:

• Manual entry in the drop-down’s properties

• Use a lookup table stored inside the form’s code

• Use a secondary lookup to a database

Of these, the lookup to the database is the most useful, and also the most complicated. To populate a drop-down list from a database table, you’ll want to create a Secondary Connection to a lookup table in your database and populate the entries from that Secondary Connection.

What’s not immediately obvious—and annoying—is InfoPath’s inability to restrict that lookup to just a single instance of each entry in your secondary lookup. If you’re seeing doubles in your drop-down list box, you’ll need to create an XPath filter expression that eliminates the duplicates. Do this with the following expression:

    not(. = ../preceding-sibling::*/@<Column Name>)

4. Donning Your Input Mask
If you’re used to Access, you’re probably familiar with the friendly input mask feature that forces data into a pre-determined structure—like when you want to force phone numbers to be stored as (XXX) XXX-XXXX. InfoPath doesn’t natively have that capability, but you can cheat it using Data Validation. Though InfoPath Data Validation won’t pre-populate the field’s mask characteristics, users will be forced to enter data in the correct format or the form will reject it.

You can do this by double-clicking on a text box in your form, selecting Data Validation…, and then Add…. In the Data Validation dialog box, select Does Not Match Pattern from the second drop-down box and Select a Pattern from the third. You’ll be given a few example patterns, like our phone number example above, or you can create your own by using \d to represent any digit or \p{L} to represent any letter. Make sure to enter an error message to alert users when an entry doesn’t match the pattern.

Because InfoPath doesn’t pre-populate the mask characteristics, you’ll probably want to inform your users of the correct pattern for that text box. Do this by entering your pattern as a Placeholder on the Display tab of the text box properties, as shown in Figure 2.

Figure 2. Use InfoPath Data Validation to display an error when users enter data in an incorrect format.

5. Trust Me
While simple forms that lack VBScript- or JScript-coded events don’t require certificates, any form that interfaces with a computer’s WMI (Windows Management Instrumentation interface) does. For example, if you want to store the Active Directory username of the person filling out the form to a field in your form, you can create an OnLoad event that does this with the following snippet of code:

    Sub XDocument_OnLoad(eventObj)
        ' Write the logged-on user's name into the chosen form field
        Set wscNet = CreateObject("WScript.Network")
        XDocument.DOM.selectSingleNode("/my:<group>/my:<field>").text = wscNet.UserName
    End Sub

InfoPath’s strict security model won’t allow the form to interface with the local computer’s WMI unless the form is considered Fully Trusted. To do this, you’ll need to sign your form with a trusted code signing certificate:

• If you don’t already have one, build a Certificate Server and generate its root certificate.

• Then, create a Group Policy that adds that certificate to the Trusted Root Certification Authorities container on your machines.

• Create a code signing certificate with an exportable private key.

• Finally, in the Design View of your form, select Tools | Form Options | Security, sign the form with your code signing certificate and set the security level to Full Trust.

Users will be prompted with a window requiring them to trust the certificate when they first attempt to load your signed form.

6. Feels Like the First Time
Sometimes, even a complete install of Office 2003 won’t properly configure the client machine to make it easy for new users, who will get a dialog box asking them if they want to save the file or open it from its current location.

To eliminate the dialog box, you can use Group Policy to configure your machines to automatically open the form. Do this by creating a Group Policy startup script that calls regedit /s GPStartupScript.reg. Then, create a GPStartupScript.reg file with the following syntax:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\InfoPath.Solution.1]
    @="Microsoft Office InfoPath Form Template"
    "EditFlags"=dword:00010000
    "BrowserFlags"=dword:00000008

Even with this startup script, you may still have some client requirements for your InfoPath forms to work. Make sure that all your clients have a recent version of both the .NET Framework and the Microsoft Data Access Components installed.

Diamond in the Rough
Although it’s still a little rough around the edges and its GUI has some annoying quirks, InfoPath gets high marks as a useful tool for creating XML-based forms for both small business and the enterprise. Unfortunately, in trying to be everything for everyone, it ends up with a pretty hefty learning curve.

My advice: Start small. It’s incredibly easy to build forms that don’t integrate with SharePoint, SQL, Access or Web services. Once you’re familiar with the basics of InfoPath, you can add a little scripting and a database back-end and never again experience the pain of Word’s grey boxes.

Greg Shields, MCSE: Security, CCEA, is a senior systems engineer for Raytheon Co. in Aurora, Col. He’s a contributing editor to Redmond magazine and frequently speaks at TechMentor events. You can reach him at [email protected].


Security Advisor
Roberta Bragg

That Isolated Feeling

Traditional IT security relies on assigning different levels of trust to different network zones. A more effective solution is to rely on trust between computers, instead of trusting the networks they’re connected to. Domain isolation and server isolation leverage Windows capabilities to reach this goal.

Security Advisor
Joern Wettern

A Matter of Trust
Chances are that your current network consists of the main internal network, and one or more demilitarized zone (DMZ) networks. Maybe there are a few tightly controlled networks with limited access, such as one that connects the research department’s computers. In addition, you might have branch office networks connected over WAN links, but computers on them have full access to your internal network, so they really belong to the internal network from a security point of view.

When we analyze the security functions of a network, physical infrastructure becomes secondary. Instead, we often think about security zones and agonize over which zone network should contain a network resource, or how to best control traffic between these zones. We know that the Internet is entirely untrustworthy; even in our wildest dreams, we wouldn’t connect a server directly to that malware playground.

If we need to allow someone to access a server from the Internet, we routinely place the server into a DMZ and use a firewall to tightly control and monitor access to it. We trust the DMZ more than the Internet, but not enough to allow unrestricted communications between it and our internal network. If such connections are required, we use another firewall to further restrict and monitor them, because we only want to allow network packets that we trust on our internal network.

This trust seems to be justified because, in addition to using firewalls, we make sure that only legitimate users get access to this internal network. We try to keep intruders out by authenticating users, using selective permission assignments on file servers, and requiring an employee badge for entering a building with network taps. Figure 1 illustrates this type of network design, which allows any computer considered part of the internal network to communicate with any other computer—because the internal network is trusted.

[Figure 1 diagram labels: Internet (No Trust); Firewall; Firewall; DMZ (Partial Trust); Internet Network (Full Trust)]

Figure 1. On a typical network, computers on the internal network all trust each other. This can be a problem when an outside, possibly compromised computer is introduced to this network segment.

This philosophy of network segmentation has been the de facto security standard for a long time, and most corporate networks rely on it. Looking at the network as a set of security zones can be useful, but relies on the often-unrealistic assumption that access to the network is tightly controlled. Instead, many internal networks include a variety of computers: managed clients at corporate headquarters; home computers connected over a VPN; the laptops of outside consultants or visiting customers; a kiosk computer in the lobby; wireless users inside the building and in the coffee shop across the street; and so on. Because all computers on a typical network like this shouldn’t be trusted equally, it’s a dangerous practice to trust based on zones.

Divide and Conquer
One way to restore the trust in your network is to further divide it. For example, you could create a separate network for the accounting department and disallow access to it for VPN and wireless clients. Readily available tools for such segmentation include firewalls, routers and VLANs (virtual LANs), but each of these tools has its own shortcomings:

• Large-scale, effective VLAN deployment requires all switches to support this type of segmentation.

• Routers make decisions based on IP addresses and ports.

• Firewalls can be expensive and difficult to manage.

And none of these solutions can protect you against an employee who plugs a virus-infected personal laptop computer into the corporate network.

802.1x: Not Just for Wireless
A better method for ensuring trust in your network is to require computer authentication when connecting to your network infrastructure, and then to restrict which authenticated computers are allowed to connect. This is commonly done for wireless clients by using 802.1x-based access control.

The wireless clients need to be configured with a certificate or some type of shared secret before the wireless access point (WAP) allows any network packets to be transmitted across the network (note that 802.1x can also be used for regular wired connections). Windows supports this out of the box, and many recent switches have 802.1x support built-in. 802.1x can be an effective method for ensuring that only authenticated computers and devices can send and receive packets on your network—if an employee plugs a personal laptop into a hub, or a visiting sales representative plugs a computer into the conference room’s network tap, they’ll be stopped at the switch. 802.1x can be an effective solution, but the resulting administration work, the need for an existing PKI (Public Key Infrastructure), and the scarcity of devices that support it often put an end to any plans to implement 802.1x company-wide.

Domain IsolationDomain isolation tries to accomplish agoal similar to 802.1x, but with a differ-ent method. Instead of preventing

untrusted computers from sending andreceiving network packets, it relies onyour trusted computers to ignore suchtraffic. You’re essentially treating yourentire network as if it’s untrustworthy,and letting your trusted computers makedecisions about whether to trust comput-ers with which they’re communicating,independent of the network. This createsa security domain of trusted computerswhich can securely communicate across anetwork that may not be entirely trusted.Figure 2 shows how only computers in

this trusted domain can talk to eachother.

Using domain isolation instead ofnetwork-based security models has sev-eral advantages:

• It’s much more flexible.• It can be rolled out incrementally, at a

pace that works for you.• It will probably require no addi-

tional hardware.If you have an existing Active Direc-

tory infrastructure and most of yourcomputers are running Windows 2000or higher, you already have the two

Internet Network(Domain MembersOnly Talk To OtherDomain Members)

Figure 2. Using domain isolation, trusted computers ignore communications from untrustedcomputers, no matter which network segment they’re on, or which security zone they’re in.


tools you need for domain isolation: IPsec and Group Policy. IPsec, which takes care of the authentication, is built into all versions of Windows since Win2K. Group Policy, which allows you to implement domain isolation across a large number of computers, is a core component of AD.

IPsec to the Rescue

IPsec is a versatile network security protocol (for a refresher on IPsec, see the sidebar “The Many Uses of IPsec”). IPsec authentication occurs much earlier than resource access authentication. When a computer authenticates a user who wants to access a shared folder, a network connection has already been established. But IPsec authentication occurs even before the first network packets, excluding the authentication traffic itself, can be sent or received.

IPsec authenticates computers and not users. When used as part of domain isolation, an IPsec policy on each computer determines how it will communicate with other computers. For example, you can require that two computers authenticate each other before exchanging any network packets. The policy can also include exceptions based on ports or IP addresses.

The most basic form of domain isolation uses an IPsec policy that instructs client computers and servers in your AD domains to process network packets only from computers within the same AD. IPsec can use shared secrets, certificates or Kerberos. Of these options, Kerberos is the clear choice if your infrastructure is Windows-based. Shared secrets aren’t secure, and certificates can be difficult to deploy and administer. Kerberos, on the other hand, can be used by domain members to authenticate each other without any additional administration or configuration.

Configuring IPsec separately on each computer is a waste of manpower. Instead, configure a Group Policy for all your clients that includes the IPsec policy designed to accomplish your authentication goals. You can apply this policy to all computers in a domain or Organizational Unit (OU), but you can also easily configure exemptions for computers that should accept unauthenticated connections, such as connections from non-domain members. Designing such exemptions will probably require the most work during the planning phase; but unless all your computers are running Windows and are AD members, there will likely be times you’ll have to allow non-authenticated connections, like allowing a consultant to connect to a server from a laptop, or enabling users to access corporate resources over a VPN from home.
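The exemption planning described above can be rehearsed on paper before any policy is deployed. The following is an added example, not code from the article or from Windows: a simplified Python model of a domain-isolation policy in which the rule names, addresses and ports are constructed, and the "narrowest matching filter wins" ordering is an assumption of the model.

```python
"""Simplified model of a domain-isolation policy (added example, not Windows code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PERMIT, REQUIRE_AUTH = "permit", "require-auth"  # exempt vs. authenticate first


@dataclass(frozen=True)
class Rule:
    name: str
    remote: str            # CIDR range of the remote computer
    port: Optional[int]    # local TCP port; None means any port
    action: str

    def matches(self, remote_ip: str, port: int) -> bool:
        return (ip_address(remote_ip) in ip_network(self.remote)
                and self.port in (None, port))

    def specificity(self) -> tuple:
        # Modelling assumption: the narrowest matching filter wins.
        return (ip_network(self.remote).prefixlen, self.port is not None)


# Constructed policy: isolate by default, plus two planned exemptions
# (a consultant's laptop on one port, and a VPN address pool).
POLICY = [
    Rule("domain-isolation", "0.0.0.0/0", None, REQUIRE_AUTH),
    Rule("consultant-laptop", "10.20.30.40/32", 443, PERMIT),
    Rule("vpn-pool", "10.99.0.0/24", None, PERMIT),
]


def decide(remote_ip: str, port: int, peer_authenticated: bool,
           policy=POLICY) -> str:
    """Return 'accept' or 'drop' for one inbound connection attempt."""
    candidates = [r for r in policy if r.matches(remote_ip, port)]
    if not candidates:
        return "drop"
    rule = max(candidates, key=Rule.specificity)
    if rule.action == PERMIT:
        return "accept"            # exempted: no computer authentication
    return "accept" if peer_authenticated else "drop"


def exposure(policy=POLICY):
    """Rank exemptions by how much unauthenticated access each one opens.

    Returns (name, remote address count, all_ports_open), widest first.
    """
    return sorted(
        ((r.name, ip_network(r.remote).num_addresses, r.port is None)
         for r in policy if r.action == PERMIT),
        key=lambda e: (e[2], e[1]), reverse=True)
```

Running `exposure()` on a draft policy puts the broadest exemptions at the top of the review list, which is where the planning effort mentioned above is best spent.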

Next Time: Isolating Servers

Keeping unauthenticated computers off your network is only the first step. Malicious actions can originate from authenticated computers, and I often find that I want to tightly restrict which computers can connect to critical resources, such as servers that contain payroll data. Also, when the access involves confidential data, and the application I’m using has no built-in encryption, I often want to encrypt the data at the network layer instead. Server isolation is an IPsec-based scheme to accomplish these goals by building on the principles of domain isolation and going several steps beyond it. Next month I’ll show you how to use server isolation by itself or in conjunction with domain isolation to increase security. I’ll also provide more details on using IPsec and group policy to achieve your security goals.

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He’s written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide. You can reach him at [email protected].

The Many Uses of IPsec

IPsec (IP Security) is a standard for securing IP communications at the network layer. Unlike Secure Sockets Layer (SSL), which secures application data, IPsec was designed to be completely independent of the application and handle all IP packets at the network layer. IPsec has many security uses:

Virtual Private Network (VPN) tunnels: This is the most common use for IPsec. It can provide encryption and packet integrity checking for a VPN tunnel, either for client connections or site-to-site tunnels. Many vendors have implemented IPsec in their VPN solutions.

Authentication: Microsoft is one of the few vendors that has fully supported the use of IPsec for any type of network connection, and not just VPN tunnels. The Windows IPsec driver, part of the network stack, can perform authentication of a remote computer before IP packets are further processed by the stack. Microsoft supports shared secrets, certificates and Kerberos for authentication.

Encryption: IPsec can be used to encrypt network traffic (but this isn’t required—you can require authentication without encryption). Encrypting packets provides confidentiality for all network traffic, and you get this even if the application you use doesn’t provide encryption itself. IPsec has a built-in mechanism for negotiating encryption algorithms and exchanging encryption keys.

Integrity: Packet integrity ensures that a network packet hasn’t been altered since it was sent. IPsec can detect such alterations and automatically drop packets that have been changed in transit. — J.W.


This index is provided as a service. The publisher assumes no liability for errors or omissions.


RedmondResources

EDITORIAL INDEX

Company Page URL

Acronis Inc. 41 www.acronis.com

Apple Computer Inc. 29, 30, 32-34, 36 www.apple.com

Bitform Technology Inc. 10 www.bitform.net

Cisco Systems Inc. 32 www.cisco.com

Code Weavers 36 www.codeweavers.com

Dell Inc. 33 www.dell.com

Faronics Corp. 41 www.faronics.com

Google 40, 41 www.google.com

Grisoft Inc. 43 www.grisoft.com

Javacool Software LLC 42 www.javacoolsoftware.com

IBM Corp. 32 www.ibm.com

Kaspersky Lab 12 www.kaspersky.com

Lavasoft 41, 42 www.lavasoft.com

Novell Inc. 33 www.novell.com

Online ToolWorks Corp. 16 www.onlinetoolworks.com

Safer-Networking.org 41, 42 www.safer-networking.org

ScriptLogic Corp. 20 www.scriptlogic.com

Shavlik Technologies LLC 13 www.shavlik.com

Sunbelt Software 40 www.sunbelt-software.com

Sun Microsystems Inc. 29, 36 www.sun.com

Trend Micro Inc. 41 www.trendmicro.com

Zone Labs LLC 42 www.zonelabs.com


© 2006 by 101communications. All rights reserved. Reproductions in whole or part prohibited except by written permission.

Mail requests to “Permissions Editor,” c/o REDMOND magazine, 16261 Laguna Canyon Road, Ste. 130, Irvine, CA 92618. The information in this magazine has not undergone any formal testing by 101communications and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors, new developments in the industry and/or changes or enhancements to either hardware or software components.

REDMOND magazine (ISSN: 1553-7560, USPS: 0015-657) is published monthly by 101communications LLC, 9121 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. Periodicals postage paid at Chatsworth, CA 91311-9998, and at additional mailing offices. Annual subscription rates for U.S. $39.95 (U.S. funds); Canada/Mexico $54.95; outside North America $64.95. Subscription inquiries, back issue requests, and address changes: Mail to: REDMOND, P.O. Box 2063, Skokie, IL 60076-9699, [email protected] or call 866-293-3194 for U.S. & Canada; 847-763-9560 for International, fax 847-763-9564. POSTMASTER: Send address changes to REDMOND, P.O. Box 2063, Skokie, IL 60076-9699. Canada Publications Mail Agreement No: 40039410. Return Undeliverable Canadian Addresses to Circulation Dept. or DHL Smart & Global Mail, 2-7496 Bath Rd., Mississauga, ON, L4T 1L2, Canada. Copyright 2006 by 101communications LLC. All rights reserved. Printed in U.S.A.


AD INDEX

Advertiser Page URL

2X Software C2 www.2x.com

Capella University 21 www.capella.edu

CrossTec 52 www.crossteccorp.com

Citrix 35 www.citrix.com/edu/redmond

DesktopStandard 44 www.desktopstandard.com

Devon IT 37 www.ntavo.com

ESP by Lucid8 18,19 www.Lucid8.com

GFI Software C3 www.gfi.com

iTripoli 51 www.AdminScriptEditor.com/redmond

IBM 53 www.ibm.com

LearnKey, Inc. 26 www.learnkey.com

LinkTek 55 www.linkfixerplus.com

Network Appliance 11 www.netapp.com

NSI Software, Inc. 27 www.nsisoftware.com

Palm, Inc. 7 www.palm.com

Quest Software C4 www.quest.com

RedHat, Inc. 5,38 www.redhat.com

Softtree Technologies 61 www.softtreetech.com

Special Operations Software 15 www.specopssoft.com

Sunbelt Software 8,59 www.sunbelt-software.com

Softtree Technologies 23 www.softtreetech.com

TechMentor 56 www.TechMentorEvents.com

TechLibrary 62 www.redmondmag.com/techlibrary/webcasts

The Neverfail Group 47 www.neverfailgroup.com

The Training Camp 61 www.trainingcamp.com

TNT Software 31 www.tntsoftware.com

Websense 3 www.websense.com

Winternals Software 49 www.winternals.com


Foley on Microsoft

Is Microsoft Buying into the Web 2.0 Hype?

By Mary Jo Foley

Sometimes, it pays to be a follower. That’s what I thought, at least when it came to Microsoft and Web 2.0. Microsoft has been slow to jump on the latest Internet bubble bandwagon, which offers up utopian visions of the emerging Internet as a vastly integrated and self-improving platform. I had high hopes that the company could avoid being caught up in the web of hype around Web 2.0.

But with the advent of this month’s Microsoft Mix ’06 event in Las Vegas, I’m starting to wonder. While Microsoft doesn’t mention “Web 2.0” explicitly in its conference materials, the company is undeniably jockeying to cash in on the hot Web 2.0 themes: AJAX development, RSS Monetization; “Conversations” as opposed to “Conferences,” and so on.

That sinking feeling in my stomach got a bit stronger when I read some recent remarks by Gary Flake, the head of Microsoft’s newly unveiled Live Labs. And according to Nathan Weinberg who runs the “Inside Microsoft” blog, Flake is prone to use terms like “macro-ization” of computing; “Internet singularity”; and (the dead giveaway of too much 2.0-ism) The Long Tail.

It’s tough to accuse Microsoft of Web 2.0 pandering without providing a more complete definition of Web 2.0. Many have tried, but few have latched onto something tangible.

O’Reilly Media founder Tim O’Reilly attempted a concise definition that goes like this: “Web 2.0 is the network as platform, spanning all connected devices; Web 2.0 applications are those that make the most of the intrinsic advantages of that platform: delivering software as a continually updated service that gets better the more people use it, consuming and remixing data from multiple sources, including individual users, while providing their own data and services in a form that allows remixing by others, creating network effects through an ‘architecture of participation,’ and going beyond the page metaphor of Web 1.0 to deliver rich user experiences.”

(And yes, for those of you counting—that was one sentence. So much for brevity.)

All I can say is, I know Web 2.0 shucksterism when I see it. It’s almost always promoted by vendors sporting inane names and venture capitalists and journalists who happily rode the last Internet Bubble wave. It’s fraught with companies with half-baked ideas and flimsy business plans.

Now that you know how I really feel, you can see why I am loath to watch Microsoft become a big Web 2.0 backer.

I don’t think Microsoft can or should ignore the Web. Microsoft made a major mistake in the early 1990s when Jim Allchin trumped Brad Silverberg, who had urged Microsoft to open Windows to the Web. With the announcement of the Microsoft Live initiative last year, the company is finally recovering from Allchin’s effort to preserve the Windows franchise against all threats.

But being Web savvy doesn’t mean jumping on every Internet scheme that floats down the pike. There has to be discernment between fly-by-night fads and real technology changes that affect the future of computing. Microsoft needed to integrate its evolving services platform with its shrink-wrapped software, as it plans to do via the Live strategy spearheaded by Chief Technology Officer Ray Ozzie. But it doesn’t need to swallow any Web 2.0 snake oil in the process.

What say you, readers? Is Microsoft in danger of succumbing to the siren call of Web 2.0 and its backers? Or do you think Microsoft could benefit from a little more Web 2.0 thinking? Write to me at [email protected] and let me know what you think.

Mary Jo Foley is editor of Microsoft Watch, a Web site and newsletter (Microsoft-Watch.com) and has been covering Microsoft for about two decades. You can reach her at [email protected].

GetMoreOnline

Learn more about Web 2.0 by following our links to additional resources, including O’Reilly’s definition and the Microsoft Mix ’06 blog.
FindIT code: Foley0306

redmondmag.com
