ronaldg's ramblings

MAC vs PC, the “unlevel playing field”

ronaldg — Tue, 23 Jun 2009 16:57:41 GMT

Well, as you know, I frequent the ZDNet blogs from time to time, especially the Ed Bott and Ryan Naraine ones. Because of that, I also come across some other blogs on ZDNet that, for my money, are far too opinionated with far too little objectivity and/or factual basis or knowledge for those opinions – one of those is the Adrian Kingsley-Hughes’ blog, Hardware 2.0, which is theoretically supposed to be focused on hardware, but he seems to digress a lot and talk about Windows OS, and most of the time it’s a pretty negative spin. But recently, I was attracted to this one post:

Snow Leopard and Windows 7: Two flavors of the same GUI?

As usual, within the first few paragraphs he showed his normal bent toward denigrating Microsoft technology, but then, much to my (pleasant) surprise, he came up with the following observation.

“But there’s another, far more important reason why Windows and Mac OS will never be on a level playing field. It’s because Apple tightly controls the hardware that Mac OS runs on, while Microsoft is at the whim of every OEM out there. While the Mac OS runs on a selection of systems, and can accept a small selection of hardware upgrades, people expect Windows to run on anything and everything, and then to be able to add any and all hardware they can find to the system. While it’s true that the Mac OS is more stable than Windows, much of this stability is down to a smaller, more controlled hardware and software ecosystem. People complain that Windows crashes, but more often than now it’s not Windows that’s responsible for the crash, but a driver or some dodgy bit of hardware. But Windows gets the blame.”

Wow, except for one slight phraseology issue (that I’ll speak to later), this is one of the best expositions of the basis for one of the key pillars of the MAC vs PC perception issue that I have ever run across – wish that I had come up with it myself, so I’ll do the next best thing and call out Adrian’s observation here. I suspect that vast majority of my partner audience is already very familiar with the point made above, so I’m pointing this out, not so much for the “aha” factor as for the fact that he has done such a good job of addressing this issue in such a succinct, yet clear and comprehensive manner.

So, why is this important to you, my partner friend? Well, in the coming days (months/years?) as Apple continues to make inroads with its mobile technologies, it’s certainly possible that your customers will come to you with ideas about using the MAC platform for their business computing. There’s (currently) 2 major reasons why a business would be drawn to the MAC platform, the perception (and I mean perception, again, we’ll get to that shortly) of better stability and the perception of better security.

If you ever need to have the stability perception discussion with a customer, then I highly recommend you cut/paste the K-H blurb above into OneNote and save it for future reference. It’s all the better because it would come, not from you or me, but from a professional technology blogger syndicated by ZDNet, which gives him (sometimes undue) credibility. The small but crucial clarification point, regarding the perception of stability, that I’ve been threatening to get to is this: Windows actually can be as stable as MAC when it’s run within the context of the same hardware and software control as the MAC platform routinely enjoys. So I take issue with Adrian “while it’s true that the MAC OS is more stable than Windows”. Take DataCenter, or any of the 2003 or later Server products -- DataCenter with its tightly controlled hardware and software requirements is capable of, and even certified for, 5-9’s level of stability and reliability (and this is the SAME essential kernel code and architecture that runs the desktop OS). By the same token, you’ve seldom heard about stability problems with 2003 or later Windows server products, and again, I point out, since the 2003 code base, the kernel for server and client are the same. So, my point here is that, the apparent difference in the platform stability between MAC and PC, is largely based on perception supported by the fact that MAC OS can ONLY be run in a highly controlled hardware/software paradigm. If the customer is willing to accept those same kinds of hardware and software limitations (e.g. using only signed drivers, and/or logo’d software) for their PC platform, there’s ample evidence to show that they should expect the same level of stability as the MAC platform. And, even though I obviously can’t guarantee every case, most of you already know this is, by and large, the case from your own experience.

Before I sign off here, I know this is already long, I did want to quickly address the other major pillar, security. If you haven’t already, I would ask you to peruse some of my recent posts around this pillar, specifically the post I did yesterday and the one on May 31st around how MAC maintains most of its security “halo” by virtue of security by obscurity. In pure fact, the MAC OS X has had significantly more vulnerabilities reported than Vista and the PWN2OWN stuff that I related in the 5/31 is pretty compelling in my opinion since it comes right from the “hacker’s mouth”. Here’s an except of that: “…the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.” The real point to make with this is that the Windows platform is the best security bet going forward. Thanks to our SDL programming Initiative, we are constantly getting better around security (again, lots of evidence for that). On the other hand, as we see by PWN2OWN results and comments, as well as things like the 50+ Safari patches; Apple lacks the formal, predictable, and successful security approach that Microsoft brings to the table with AutoUpdates, Patch Tuesday, and the SDL and our world-class Security Response system. All of this would point to more risk, from a security standpoint, on the MAC platform going forward as their security by obscurity protection starts to wane in the face of potential increasing market share. So even though MAC currently has the benefit of the perception of being more secure at this juncture, if someone is making a strategic platform decision in the near future, they need to understand the whole story and the ramifications of relying on that perception moving forward into an increasingly sophisticated and worsening security environment.

Hopefully you’ve stuck with me through this lengthy post and picked up some useful messaging for having the “MAC” discussion with your customers or others.

more security stuff and a shout out to ZDNet

ronaldg — Mon, 22 Jun 2009 18:44:37 GMT

most of you who follow this blog know that I’ve recommended articles by Ed Bott on ZDNet from time-to-time in the past and would recommend his blog as a good source of technical and other info on Windows. In fact, I would encourage you to read his blog on 6/18 around the launch of the “Morro” beta, aka Microsoft Security Essentials if you aren’t already familiar with that.

Ed Bott’s Microsoft Report | ZDNet.com

But this post isn’t really about Ed or Morro, but about a couple of other posts on the ZDNet that I ran across lately.

Besides Ed, one of the other bloggers that I think puts out some good stuff is Ryan Naraine, who does a security focused blog, also on ZDNet.

Here’s the three posts I wanted to highlight. The titles should be self-explanatory.

Microsoft patches 31 Windows, IE, Office security holes,
Apple Safari jumbo patch: 50+ vulnerabilities fixed,
Adobe patches 13 critical Reader, Acrobat vulnerabilities

As you should also remember, I recently did another post on “Security by obscurity…” where I highlighted the results of this year’s PWN2OWN event, where once again the Apple products proved to be much easier to exploit than the Microsoft ones. But mostly it was supposed to be about reminding you that Microsoft, in recent years, has made a deep commitment to security and that this should give you confidence in this aspect of our software. What got my attention about these 3 was that even though there were 31 vulnerabilities fixed by Microsoft, they ran across a gamut of products from AD (2) to Print Spooler (3) to Works, including IE (8). So here comes a Safari update with 50+ fixes for vulnerabilities on a single product, some rated extremely critical – WOW. It was interesting to read a few of the “talkback's” and see how some MAC folks are still in denial that their platform is not the bulletproof bastion they have always thought it to be. One of the questions that crossed my mind, and why this was interesting to me in my context of security by obscurity, is not so much that Safari had so many holes, but that it would appear that Apple doesn’t feel the need to release these patches until so many have built up including some extremely critical ones. It all goes back to the point I was hoping to make in the security by obscurity post, I’m hoping that you understand and can articulate the platform value proposition around the Microsoft commitment and approach to security.

Another point of interest to me was the third post around the Adobe patches. Here’s an excerpt from Ryan’s blog: “Adobe has issued its first ever scheduled quarterly update for its Reader/Acrobat product line, a mega-patch covering 13 documented security vulnerabilities. The patches address “critical vulnerabilities” in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. “These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory. The company also acknowledged it has silently fixed several security problems that are not being publicly documented.” If you followed the PWN2OWN, you know that Adobe products have historically been used as exploit gateways, and now, finally, Adobe had deemed it worthwhile to issue “scheduled quarterly updates”. But as with Apple, the main point here is to show you indicators of how little priority security seems to have at some of the leading software companies and to point out, in contrast, how Microsoft’s embracing of the SDL (Secure Development Lifecycle, part of the Trustworthy Computing Initiative) should be something that you should make sure your customers understand is an advantage of the Microsoft platform that you are providing and supporting for them.

Speaking of the strategic advantage of moving to newer software…

ronaldg — Fri, 05 Jun 2009 15:12:47 GMT

I did another post recently around helping customers realize the “latent pain” (potential risk) of staying on legacy versions of the OS, here’s a follow up to that that shows there are risks with staying on legacy versions of other apps, such as Office, as well.

In the last couple of weeks, we’re finding that attackers are using doctored PowerPoint files to exploit an unpatched vulnerability in that app. Although the attacks are described as “limited and targeted” so far, this points out the potential for exposure and risk associated with the attack. FYI, the exploit is a Trojan dropper embedded within certain .ppt or .pps data files.

The main point I want to make here though is that Microsoft Office PowerPoint 2007 and Microsoft Office for Mac 2008 are not affected. Which speaks to a couple of the points I’ve been trying to make: 1) that our newer software, developed under the Trustworthy Computing Initiative, is more secure than previous versions, and 2) that there is an increased risk associated with staying on legacy versions of any software

Now that I’ve brought it up, here’s a list of the affected software:

Microsoft Office PowerPoint 2000 Service Pack 3
Microsoft Office PowerPoint 2002 Service Pack 3
Microsoft Office PowerPoint 2003 Service Pack 3
Microsoft Office 2004 for Mac

Also know that Microsoft has activated its security incident response process, and the company will issue a bulletin with patches, but this could take some time. In the meantime, Microsoft recommends that Office users avoid opening or saving files, even from trusted sources because those could be spoofed.

On a related note, if PowerPoint usage is heavy in your business, then you should consider implementing MOICE, a tool that uses the 2007 Microsoft Office system converters to convert the Office binary format files into the Office Open XML format. And, of course, you can download and use the Office Compatibility Tool to allow legacy Office versions to work with Office 2007 XML-based file formats.

FYI, admins could also use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.

Windows 7 XP Mode (XPM) update

ronaldg — Fri, 05 Jun 2009 15:07:11 GMT

In previous posts, I’ve mentioned the new XP Mode is coming with Windows 7. There are several important things about XPM that I think are worthy of clarification, so I’m adding this post specific to XPM.

One of the first things that has come to light is that XPM is apparently not planned as an out-of-the-box (OOB) component of Windows 7 but rather a free download for those with the qualifying versions of Windows 7 (which should be Professional, Enterprise, and Ultimate). XP Mode will apparently be based on the next version of our host-based virtualization technology, VirtualPC, now to be called Windows Virtual PC (WVPC).

It is also important to note that WVPC will require processor-based virtualization support (known as Intel-VT or AMD-V) to be present and enabled on the underlying PC, just like Hyper-V. In a previous post, I alluded to this and also that one should not assume that “VT” is included with all current Intel processors. It will be important for you and your customers to do due diligence here and insure that your desktops have this capability, or factor in the upgrade to it as part of the decision equation.

One of the key benefits of XP Mode is that it will incorporate a fully licensed copy of Windows XP SP3 in a downloadable VM. Additionally, this VM (running in WVPC) has out-of-the-box integration with the local PC. This is huge, and, just to clarify, what it means is that XPM does not require you to run the virtual environment as a separate Windows desktop (although you certainly can). If you like, you can actually have the applications you install inside the virtual XP environment published directly in the host (Windows 7) OS as well. (e.g. shortcuts placed in the Start Menu.) With this option users can run Windows XP-based applications right alongside their Windows 7 applications under a single desktop and have them appear to be native apps. Moreover, this integration means that local desktop drives are automatically mapped and show up in the VM. And you can drag/drop between the VM and local desktop. And, if that’s not enough, WVPC now includes the ability to leverage USB devices beyond the normal mouse and keyboard – this has not been possible in any previous version of our virtualization offerings.

It’s also important to remember that this solution is what I call stand-alone, in that it’s not managed OOB, and is thus aimed primarily at small businesses, which is also why it will be available in the Professional version (and above) not just as an Enterprise feature like BitLocker-to-go. With that in mind, it should not be considered an alternative to more scalable solutions, such as MED-V and/or VDI, for larger businesses who normally want more control over things like who can install programs on their machines and other management issues.

My point in this post was to hit (and refresh) some of the key things you should know about Windows 7 XP Mode. For those who need this to overcome compatibility, or other, issues that have kept them or their customers from making the transition to a “modern” OS (from our perspective, a modern OS would be one like Vista that has been developed under the SDL for enhanced security – see my recent post about this for more info if you want); to coin a take-off on an election theme – hopefully, “now you can”.

Thrive redux

ronaldg — Fri, 05 Jun 2009 15:04:36 GMT

Back in February I did a post called “Helping Partners Help Themselves…". The first part of that was around something called Skills Week and the second part was around something called “Thrive”. Well, the Skills Week has come and gone, and hopefully you were able to take advantage of it, BUT in case you’ve forgotten, THRIVE is an on-going scenario. Without making you have to go back and read the old post, here’s a recap in a nutshell: “Visit the Thrive site and learn how to enhance your skills, advance your career and elevate IT as the business leader. Go ahead - find out how YOU can Thrive!”. As I pointed out before, although it appears to be oriented toward IT Pros, partners need the same skills and knowledge of technology in many cases. With virtualization being such a hot topic these days, I thought this would be a good time to do a redux on Thrive since it features some new offers around virtualization. Check out #2 below – even if you don’t take the exam, here’s $160 worth of virtualization training for FREE!

Here’s a rundown of the current offers and a link: Thrive offers

Career Assist Package: Register for Second Shot and get any Microsoft E-learning collection for just $35.00(US)

In today's challenging economic times, how do you stand out from the crowd, stay up-to-date with relevant technologies, and get the top jobs? Becoming a Microsoft Certified Professional (MCP) is a great start. Until June 30, 2009, as a part of Second Shot, we are offering a Career Assist Package. Along with enjoying the benefits of Second Shot, you can access a collection of Microsoft E-Learning courses, which provide 8 to 20 hours of on-line instructional content to help you master a product and prepare for a certification. Normally priced up to US$350, these e-learning collections are just US$35 when you register for Second Shot.
Prepare for Exam 70-652 (TS: Windows Server Virtualization, Configuring) for Free ($159.99(US) value)

This collection of five 2-hour courses helps you develop the skills necessary for implementing and managing Hyper-V in an IT environment, as well as creating and managing virtual machines and hosts in a virtual environment.
Get Certified Through Exam 70-652 (TS: Windows Server Virtualization, Configuring) with a 25% Discount

Once you’ve taken the preparation course, you can take the certification exam at a reduced price. This exam will test your skills in installing, configuring, and optimizing Hyper-V; and in deploying, managing, and monitoring virtual machines using System Center Virtual Machine Manager 2008.
FREE E-BOOK: Understanding Micrososft Virtualization Solutions

Understanding Micrososft Virtualization Solutions - Mitch Tullock provides a thorough look at the capabilities, features, and operations of Microsoft virtualization technologies from the desktop to the datacenter, and how to plan, implement, and manage virtual infrastructure solutions.

note: if you are interested in any of the above the best way is to use the Thrive link at the top vs the direct links in the bullets; if you should go direct and have any issues, try going thru the main Thrive link.

Microsoft announces future online desktop management service

ronaldg — Mon, 01 Jun 2009 20:19:36 GMT

Some weeks back (in late April), at the Microsoft Management Summit in Las Vegas, Microsoft unveiled System Center Online Desktop Manager, the first online service built on our System Center line of management tools. Even though this isn’t “news” at this point, I wanted to post this since it’s an important new capability coming to support our Software+Services solution stack with some cloud-based management.

The initial version of Online Desktop Manager (ODM) will provide desktop management capabilities that are focused on software updates, spyware and malware protection, system monitoring, group policy, configuration management, and asset management. ODM was demonstrated in the Day 2 MMS keynote, and below are links to some of the first screenshots of the ODM interface (from the blog of John Fontana, writing for Network World).

System Center ODM shows Host Protection info
ODM shows malware cleanup info
ODM shows update status
ODM shows update information

The new ODM service leverages our Windows Update technology, which has been protecting literally hundreds of million of PCs around the world for years, and is now a very mature technology. And the ODM console itself is based on Microsoft's Silverlight browser plug-in, as you might expect, which runs on Internet Explorer, as well as Firefox, Google Chrome, Safari and other browsers.

It was revealed that we are planning to launch a private beta of ODM in the near term, and that there will then be a public beta sometime before the end of this calendar year. Of course the “live date” will be some months after that, so don’t expect to see this service available until sometime in 2010. Of course, this just another step, or milestone if you will, in our strategy to provide Software + Services solutions to our customers and partners which involves being able to offer not only online, but on premise solutions across a range of technology. Most of you are already familiar with Microsoft Online Services, including BPOS, which provide infrastructure software via online services for those who want to leverage the capability. But, as you know, it’s all about choice with our strategy, so if you’d rather rely on an on-premise infrastructure, at least with Microsoft solutions, you have that option too.

Back to ODM, once the service goes live, Microsoft plans to do updates at least every six months. And, according to Brad Anderson, general manager of the management and services division at Microsoft, ODM will eventually include software distribution functionality (ala System Center Configuration Manager), as well as federation with Active Directory identity features, and delegation of authority capabilities.

It is expected that the service will be most popular in the small and medium business space which is typically made up of businesses without major investments in System Center tools which would be run on premise. I’m thinking this also be very good news for many of our SMB partners as well, since they can now leverage these cloud services to provide robust management for their customers’ desktops.

Bada BING, fagedaboutit to old-style searches, try this new “decision” support search solution from Microsoft

ronaldg — Mon, 01 Jun 2009 19:31:15 GMT

Microsoft announced this new search service at the D7 conference last week and although it wasn’t scheduled to go “live” until June 3rd, it’s actually up and running today. So check it out at http://www.bing.com/

Also, check out this page for lots more info on BING: Bing info on Microsoft PressPass site (includes links to press releases and reviewers’ guides and fact sheets)

If any of you had heard about our project code-named Kumo, this is basically the release version of that. One of the most interesting things here is that Microsoft is not looking to launch just another search engine, but rather a “decision engine” that provides more than just a list of web pages that you have to sort thru many times to find what you’re really looking for. In fact, research shows that a significant number of people actually use web search to find answers to questions or to get specific information, not just look for web pages that might have related info. This research also showed that it took on average 3-4 sequential searches to finally get to the information they were looking for. This is the limitation of current search engines that we are looking to address. For sure, BING will still return Web results, but it also has built-in helper tools for searches that go beyond just finding Web pages, particularly when it comes to travel, shopping, health, and local info.

The big deal here is that BING will increase the chances that you’ll get the answer you need right on the results page, without the need to click to another site, which, in the old search paradigm still may not even have what you're looking for. One the key new features that facilitate this goal is the "quick-page preview," which displays text from pages in the results when you hover the mouse over the right side of a result's entry. I think this is going to be a killer feature, I’ve seen others already write that it's one of those "why wasn't that always there?" features that you quickly become dependent on. But wait, as they say, there’s more - Bing has other features to help you get the answers you want directly on its results page such as “deep links” (e.g. you can search inside large sites without having to click into it, like track a package using a text box right in the results of searches on UPS or FedEx). And there’s Quick Previews (look for the orange diamonds to the right when you hover over the search result descriptive text). There’s also a feature called “Best Match” designed to make the “best” result stand out from the others and highlight the most potentially useful info. And, also Instant Answers (type NWA 1420 or Samsung and see what you get right off). Plus, Bing groups top search results into categories known as Web Groups. For more of the features coming to you in Bing, check out the reviewers guide in the PressPass link above.

One of the things you’ll notice right away that set it apart is the sidebar on the left that you could also call a “nav bar”. Starting with the first search page, the consistency of this new interface begins: The left sidebar is always there to offer options, categories, and filters to fine-tune your search results. Thus, it lets you quickly get at relevant subsets of the topic you searched for. The results are also localized, but know that you first have to tell it your location, which is one of the initial settings you can configure. And, btw, the home page itself is also much more interesting than the plain white Google or Ask.com (note: if you click on the arrows at the bottom right, you can cycle thru previous daily home pages). For instance, here’s today’s home page, note the informational “hotspots”:

Here’s a couple of screen shots of searches…

Well, I just wanted to let you know about this and encourage you to go take a look at http://www.bing.com/

Security by obscurity is one option, but I’d rather have SDL working for me

ronaldg — Mon, 01 Jun 2009 01:19:40 GMT

For those of you who may not remember, SDL stands for Secure Development Lifecycle and represents the foundation for the great strides in security that the Windows platform has made since the early 2000’s. In fact, of all the knocks about Vista you may have heard, I’m willing to bet that not being secure wasn’t one of them (unless you turned of UAC <grin>). You may recall from one of my early posts over a year ago, that Vista had far fewer vulnerabilities posted in its first year in production than any other desktop OS. And a lot of that is due to the fact that Vista is the first Microsoft OS developed entirely under the SDL paradigm, aka the Trustworthy Computing Initiative, at Microsoft.

I don’t know how I missed this article when it first came out -- I did post about the PWN2OWN hacking competition, but somehow missed this. At any rate, this is one of those articles that deserves some exposure even after the fact IMHO. Those of you who follow or have an interest in computer security, already realize that a big part of the Apple security “halo” is that they effectively have the advantage of what is known as “security by obscurity” (e.g. generally they “appear” more secure as a byproduct of reduced exposure, another phrase that I often use is, “it’s easy to be bulletproof when no one is shooting at you”). It’s interesting to me, like I blogged last year (the PWN2OWN 2008 competition), that the headlines will read “Vista falls” even though the Mac was the first to go by a significantly margin. But to have me blog about this, as a PC person, doesn’t have nearly the impact that it would coming from the actual exploit generators (aka hackers). So, when I read this article a few things jumped out at me and I thought I would share them. Of course, the link is below, so please read the entire article, I thought it was pretty interesting to get this insight right from the source. In case you don’t want to read the whole thing, let me call out a few of the more interesting comments that I found in the article that I think go to support my contention that the Windows platform is as secure, or possibly more secure, than even the Mac which many folks think is “inherently secure” primarily because of what I call their security “halo”. Here’s some excerpts that I think are noteworthy from Questions for Pwn2Own hacker Charlie Miller: (btw, the parenthetical elements after some of the excerpts are just my thoughts and are not to be associated with the article itself)

“I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second [Safari] bug. Turns out, it was still there this year so I wrote another exploit and used it this year.” (hmmm)

“What’s the ballpark value of that Safari bug? … It’s much less than the IE 8 vulnerability (exploited separately by Nils) by about a factor of ten.” (which indicates that IE is a much more lucrative and sought after target)

“It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.” (wow, to me this is the ultimate validation of the SDL implementation at Microsoft. I could also infer that Apple is likely still relying on the halo of obscurity to protect their platform which is where I came up with the title of this post).

“It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.”

“It’s hard to find a good bug these days and even harder to exploit and deal with all the mitigations.” (except apparently on Apple where it was indicated above that there were almost no mitigations to have to deal with)

“On a scale of 1-10, how impressive was the Nils’ sweep of exploiting all three main browsers? I was surprised. For IE 8, I’d give him a 9 out of 10. For Safari, maybe a 2. It’s just too easy to pop Safari. For Firefox on Windows, I give him a 10...It’s really hard to exploit Firefox on Windows.” (but notice IE got a 9, so it’s not that far behind FF compared to the 2 for Safari)

but notice what he said about FF on Mac, “With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you...For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs.”

and lastly, “People said five years ago that buffer overflows would be solved by now. Well, they’re not. Bugs will always be there so it’s a smart move to work on mitigations and (anti-exploit) roadblocks.”

Hopefully, you’ve picked up some potential ammo here to use when you hear folks who are still living (technologically) in the 90’s continue to express the outdated notion that the Microsoft platform lacks the fundamental security of some other platforms. Btw,you could also refer to my recent post on how XP is able to meet the security needs of the USAF. And remember, Vista is the first MS OS that was developed totally under the SDL. So what I’m saying is, you have now seen the effects of the implementation of the SDL paradigm in place at Microsoft (comments above from a real hacker as well as data that shows that VIsta is 60% less susceptible to malware), and you can expect that our code will continue to reflect an ever improving security record as we move forward. I wonder if you can expect that from other platforms that have not instituted such a secure coding paradigm. You make the call.

more Windows 7 info and resources

ronaldg — Sun, 31 May 2009 22:22:43 GMT

As Windows 7 continues it's run (pun intended) to RTM, here’s some links to resources on the Partner Portal as well as other sites to help get you ready for the coming release of Windows 7 which is coming sooner than many of you might be expecting – will you be ready? Btw, when is sooner than you expect? I would point out that there is only scheduled to be a single RC of Win7, and that an RC typically lasts anywhere from 3-5 months, so if you consider that Win7 literally breezed thru the beta stage with very few issues, and do the math (RC released in early May), then you should realize that you might be seeing Win7 RTM as early as mid to late summer. And if that’s the case, you can expect it hit store shelves well before the end of this calendar year. I would hope all of you are already starting to ramp up on it, but in my events and other partner gatherings I find that there’s still a fair number of you who haven’t, so…

WIndows 7 was included in your APR Action Pack update, so you don’t even have to download it.

Main link to Partner Readiness Resources on the MS Partner Portal Windows 7 Online Readiness Kit

More links to additional resources on MS Partner Portal (also in Online Readiness Kit above)

More links to additional resources on other web sites.

Springboard series on Windows 7 for IT Pros (TechNet)
Windows 7 Home on OEM Partner Center (see additional links on this page for Learn it, Build it, and Sell it)
Windows 7 for VARs and Distis
Windows 7 Home on Microsoft.com
Windows 7 Team Blog
Windows 7 Security Blog
Windows 7 Experience Blog (check out the articles of Preparing for Windows 7 with Upgrade Advisor, A Look at the Improvements to Windows Easy Transfer, and Burn ISO Images Natively in Windows 7)
Engineering Windows 7 Blog (check this out for articles on Graphic performance, media streaming, search federation, and many others)
Windows 7 on Paul Thurrott's SuperSite for Windows (one of my personal favorites and a wealth of interesting information)

OK, I think those should last you for a while. Also, I’ll be doing a lot more coverage on this blog as we move forward, including posting some vidcasts and docs to help you with demos.

While some of your customers may choose to wait for the release-to-manufacturing version and migrate straight from Windows XP, others may find compelling economic reasons to take the Windows Vista migration path. Be ready to support them as necessary, so here’s some VISTA resources around that just in case.

YMTC - Interesting article on how the US Air Force has locked down Windows XP

ronaldg — Sun, 31 May 2009 17:21:51 GMT

This really is an interesting article, so I’m recommending a read, but too bad it has to be colored (as usual) by press bias, so I can’t really let that pass without a bit of explanation. Once again, per my YMTC series, here’s an article title I consider a little bit specious (somewhat misleading). OK, so the article title proclaims that '"Microsoft Offers Secure Windows … But Only to the Government”. Well, if you do read the read the article, you’ll find that this is basically a highly locked down version of standard XP; nowhere does it state that the XP code base was modified to produce a more secure (USAF proprietary) version. In fact, here’s what it said was delivered: “secure configuration of Windows XP out of the box”, notice it refers to configuration. The article title reflects an underlying anti-MS bias IMHO, since the more accurate title would be “Microsoft helps USAF make Windows XP a great defensive system”. And the idea that the capability to do an extreme lockdown of XP is somehow limited to only “government” agencies is just plain wrong. OF course, the government has their own standards and criterion, and it’s particular implementation of this lockdown may be proprietary, but that would not be because Microsoft’s intent is to limit this capability to public sector use. Accurate title or bias – YMTC.

A little more on the article though…

Couple of things that were called out. (Are you doing these in your environments that require high security?)

“one of the most important and simplest [configuration changes] was an obvious fix to how Windows XP handled passwords [ensured that administrative passwords were unique]”

“install automated tools to update patches and to detect and prevent someone from altering the configuration”

“Having a single configuration across the network greatly reduced the time it took to patch systems”

“An added benefit of the new configuration was a 40 percent drop in the number of calls to Air Force help desks” (did this one catch your attention, 40% is almost half, imagine what that could do for your IT bottom line if you have a help desk scenario in play)

“Most importantly, security of the system improved…85 percent of attacks were blocked after the configuration was installed”

Microsoft Offers Secure Windows … But Only to the Government

In closing, I would reiterate that this was done via configuration changes to XP, albeit probably more comprehensive, and potentially more sophisticated than many of you do now, but still the point here is that with due diligence even XP can be brought up to a very high level of security. Now, given that most folks out there don’t have the expertise or in other ways are not ready to enforce this level of security on XP,wouldn’t it be worthwhile to consider how some of the security improvements in Vista (e.g DEP and ASLR) could add some value to your infrastructure security.

Here’s an interesting article on XP Mode hardware virtualization requirement

ronaldg — Sun, 31 May 2009 16:50:44 GMT

I don’t care too much for the title, and would put a bit of my YMTC (you make the call) to it, but nevertheless, this article brings out some key facts about hardware vitualization that i think you should know about and will find interesting.

Microsoft, Intel goof up Windows 7's "XP Mode" (ars technica)

So right off the top I would take some issue with his statement in the subtitle: “…But now we learn that Microsoft and Intel have contrived to make XPM unavailable to many Intel users.” I consider that an unwarranted negative spin, so let me throw a little YMTC on this. Well, I don’t know about you, but after what we know about the “Windows Capable” debacle, I’ll be really surprised if we find out that MS did, in fact, conspire with Intel to “limit XPM availability to many Intel users”, just to help Intel upsell some CPUs. in fact, Jon (the blog author) makes the point at the very end that he isn’t sure why Microsoft is requiring VT support for XP Mode -- so, I guess it’s OK for him to make up his own reason, thus, I take issue that his subtitle and article imply it’s a marketing conspiracy - YMTC. But in that vein, I don’t know myself (yet), but I’m thinking that it’s more likely that VT is required for the updated version of VPC not just for the XP VM, and that this is less about a marketing conspiracy and more about Microsoft’s platform virtualization strategy for desktop virtualization.

Here’s some other points of interest (IMHO) in the article…

“The vast majority of AMD's lineup, except for Sempron, has AMD-V and will work”. But, from Jon’s point of view, the fact that Intel doesn’t include VT on many of its procs should apparently dictate that MS not require it for XPM. The fact that Intel segments their procs around Intel-VT, for marketing (revenue) purposes, is too bad IMHO. In fact, Jon characterizes it as a “boneheaded move on Intel's part” (to not include VT on more or all CPUs). But to imply that MS has goofed up XPM for requiring VT, again without more specific knowledge of what the decision was based on, is indicative of the bias (and “small picture” perspectives) that I see so often in the blogosphere. (And why I do these YMTC bits from time to time. Of course, some might claim that I have my own bias <grin>.)

One interesting technical piece of information he shares is that “Intel's VT-x and AMD's AMD-V work by introducing a set of instructions that make x86 fully virtualizable without the use of binary translation.” This is a great nutshell definition of what the hardware virtualization technology does. Jon goes on to say that “VT is the way to go if you're rolling out a new x86-based virtualization package, like Microsoft's hyper-V.” But, he then states that XPM is a binary translation solution (which I’ll assume is true), so as alluded to above he wonders “why did Microsoft mandate VT support for XPM”. Well, even though a reason may not be obvious, I can only say that in my 11+ years at MS, I have found that there is ALWAYS a reason for why things are done in our software the way they are, and I have to say that from the times when I’ve been privy to the decision process, that invariably, if you were presented with the same set of decision criterion (or if you had the same kind of “big picture” view), you would make the same decision. Perhaps some more information will come to light about “why VT” in future whitepapers or engineering blogs.

In the meantime, it is important for all our partners to understand that XPM does have the Intel VT/AMD-V requirement, for whatever reason, and that there are a significant number of Intel CPUs that do not have it, including some fairly recent ones. Ed Bott has a list of the supporting CPUs on his blog.

On a related note, I find it almost amusing that many of the posts and articles I’ve seen around this subject whine about the fact that the Atom processor doesn’t have VT -- like one would want to use a 1-2gb RAM netbook to host VMs. I guess they have to find fault with something.

In closing, I would also remind you that XPM is a stand-alone (unmanaged) solution (vs some of the enterprise focused virtualiztion solutions such as MED-B and VDI) and intended for the small business space, thus it is slated to be available in the Professional (and higher) versions of Windows 7.

Microsoft Action Pack Quarterly Webcast 5/26/09

ronaldg — Fri, 08 May 2009 14:43:56 GMT

As always, well as usual at least, I’ll be hosting another quarterly MAPS webcast in a couple of weeks. If you’re an Action Pack subscriber, make plans to join me. Here’s the signup link: https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=266982

Highlights for this quarter include an overview of Windows 7 as well a closer look at the upcoming Digital Distribution transition for the Microsoft Action Pack.

These webcasts are for Action Pack subscribers to know what’s new in the current MAPS quarterly update. I’m assuming the vast majority of my readership is either already subscribing, or aware of Action Pack (Cert and Gold partners are not eligible since they get the MSDN subscription). Just as a reminder, if you have any questions about MAPS check out the MAPS page on the partner portal, or if you are having any issues with or specific questions about your subscription, then call 1-866-668-1215 or email MAPS-NA@microsoft.com for that.

WOW, speaking of Windows 7, here’s some late breaking news – Windows XP Mode is coming!!

ronaldg — Sat, 25 Apr 2009 22:46:56 GMT

Not sure why they chose to push this out on a Friday, but what the hey. As you should already know there’s some pretty compelling new stuff coming in Windows 7, but I have to say this previously undisclosed feature may well be the, or at least one of the, most impactful of any of them. Direct Access is way cool, to be sure, and the Problem Step Recorder is my odds-on favorite for the Windows 7 killer app (like Snipping Tool was for Vista – too bad more folks didn’t get to know about it). But, the new Windows XP mode directly addresses one of the key legitimate reasons that prevented many businesses from adopting the Vista technology – app compatibility (specifically the need for the business to run incompatible legacy apps). Now, you should also know (if you’ve watched my webcasts or come to an SB2 event) that we’ve done plenty to try and help partners (and IT) mitigate these apps, but some of the more robust tools (e.g. Application Compatibility Toolkit) were either not known or not used for various reasons (e.g. complexity). Also, some of you may be familiar with our really strong virtualization story that includes technologies and solutions such as App Virtualization, VPC/Virtual Server, Hyper-V, MED-V, and now DVI which can also be used to mitigate app compat. (If you’re not familiar with those acronyms, I’ll encourage you to listen to one of the Virtualization 360 webcasts where those are discussed.) But, some of those technologies required volume licensing (software assurance) or a sophisticated and current (as in Windows Server 2008-based) IT infrastructure which, unfortunately, not everyone has. So, now, here comes Windows XP mode with Windows 7. I’ll not go into a significant amount of detail in this post, but know that it’s similar to what we’re already doing in the MED-V solution which is available thru the MDOP (Microsoft Desktop Optimization Pack) which itself is a technology we acquired thru the acquisition of Kidaro just over a year ago. In a nutshell, what the Kidaro/MED-V technology does is to allow enterprise data and applications to run within a virtualized machine (known as “workspace”) that’s managed at the corporate level. The key here is that even though the solution is leveraging a virtual machine, the VM OS is transparent (no additional desktop window – similar to the remote app capability in terminal services) and, if desired, the user interacts with the app just like any other app without even knowing that it’s running in a separate (virtual) OS. So now, with XP Mode, you’ll be able to accomplish essentially the same thing, you can launch an app in a (transparent) VM by doing the same essential steps you would normally do to run the app vs having to launch the VM as a separate process and then launch the app within the VM. Is this cool or what! Of course, MED-V is still better because it provides for more robust management and control of the VM environment and infrastructure, but if MDOP is not a player for your customer, then at least you can leverage this technology now at the individual desktop level. Below are some key links.

Check it our more fully on “The Windows Blog” at: The Windows Blog (screenshot below)

Also, as you might expect, Paul Thurrott, whom I’ve referenced here in the past, has also already put out some pretty good info on this at his “Supersite for Windows”: Paul Thurrott's Supersite blog (Secret no more post), and here’s a direct link to some screen shots on his site: Windows XP mode screen shots.

Windows 7 virtual Partner Readiness Day

ronaldg — Sat, 25 Apr 2009 22:11:08 GMT

Windows 7 virtual Partner Readiness Day (vPRD)– Registration is now open!

The Windows 7 virtual Partner Readiness day is set for Thursday, May 7^th, and it will run from 8:00 am to 2:45pm (PST). Of course all the training on vPRD is free for our partner community.

Registration is now open at: www.WindowsPartnerReadinessDay.com.

As you can see from the screen shot below, at this site you will find event details including track information, keynote speaker bios, and some cool Windows 7 resources such as “Tips and Tricks”, and more information on how to obtain richer application and driver experiences (altho these are developer focused resources, I know there’ll be some good technical background info in there that partners can use as well). And the bottom Windows 7 link will take you directly to the Windows 7 product and solutions page on the partner portal where you can get even more partner information.

And, never fear, if you can’t make it on the 7th, all the sessions will be recorded and made available for partners and field to access if they cannot attend the live online event – so for those of you in Austin, Jacksonville, and City of Industry (CA) don’t miss the TS2 and SB2 seminars there on the 7th, those are not recorded.

Solution Selling webcast series coming up

ronaldg — Tue, 14 Apr 2009 19:29:00 GMT

Since I referred to “solution selling” in my recent post around device drivers, it seems like fortuitous timing that the Partner Learning Center should be launching a new Solutions Selling Series. So, for those of you who may not be up to speed on this, here’s a way to develop your skills in that area. Nowadays, as I’ve made the point before, it isn’t enough to just offer up the “latest and greatest” and expect folks will flock to your door; especially in these difficult economic times, you’ve got to really provide the “value” message. Folks will ALWAYS buy if the value is there, solution selling will help you understand how to find that value by understanding the concept of customer “pain” and how to find it and leverage it to grow your revenue.

Here’s the synopsis of the series: Solution Selling® is the industry standard for sales execution process and the preferred sales methodology of Microsoft. This five-part webinar series presented by Sales Performance International will introduce you to the philosophy and key concepts of the Solution Selling process. As a special bonus, the fifth webinar in the series, Controlling the Elevated Risk of Buyers in this Economy, has been especially created to offer tips as to how to sell to your potential buyers in this difficult economy.

PLC ID	Event Title	Date	Time	Dur	PLC Registration URL
266314	Solutions Selling Series: No Pain, No Change	4/22/2009	10:00 AM Pacific Time	90 min	https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=266314
266315	Solutions Selling Series: The Solution Must Equal the Buying Vision	4/29/2009	10:00 AM Pacific Time	90 min	https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=266315
266316	Solutions Selling Series: Make Yourself Equal Before You Make Yourself Different	5/06/2009	10:00 AM Pacific Time	90 min	https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=266316
266317	Solutions Selling Series: Don’t Close the Deal Before It is Closable	5/13/2009	10:00 AM Pacific Time	90 min	https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=266317
266318	Solutions Selling Series: Controlling the Elevated Risk of Buyers in this Economy	5/20/2009	10:00 AM Pacific Time	90 min	https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=266318