June 2008 - Posts

How many times have we heard...

How many of us have heard things like “I don’t have time to learn all the new products that are coming out!”?  How many of us have felt that same way?  We can’t keep up with everything Microsoft is creating; do you expect us to keep up with everything the industry is creating?  The traditional Microsoft model is one where Microsoft keeps pumping out new products, features, and functionality, and then we hope that our partners and customers can derive business solutions from those products, features, and functions.  The irony here is that our product teams are getting better at listening to and understanding the business needs of our customers, and then building features and functionality to meet those business needs.  So let's get this straight:  our product teams try to listen to customer business needs, and then they try to break those business needs down into products, features, and functions.  That must happen.  The disconnect happens when we hear about the resulting features and functions that a new product has, not the business needs that the product actually addresses. 

An article that just came out:

Ballmer focusing on next big thing for Microsoft

http://seattletimes.nwsource.com/html/microsoft/2008023297_microsoft29.html

One task is pushing the idea that "the whole of our technology is bigger than the sum of the parts, particularly around Windows and the Windows experience," Ballmer said in an exclusive interview with The Seattle Times. "It's an area that Bill's been doing for so long and has been so core."

Bingo!  I agree that I’d be pretty dumb if I said that Steve Ballmer didn’t “get it”, but the reality is that there are times when we are the ones that are not “getting it”. 

In my mind, his statement is a key philosophy when it comes to solution selling.   It’s not about the features and functions; it’s about the synergy we can build with our products.  It’s about showing our customers how we can meet their needs without forcing them to figure out how our products can meet those needs.  If we can help the business understand that we can meet their needs, then they can engage IT to make it happen.  Once the business says “I want that!”, we can then help IT understand how our features and functions can make it happen.  This is great!  We give them the answer to the question AND THEN we show them how to get there, not the other way around.  No more trial and error as they try to create and test various scenarios.  We hear a need and we provide a solution, not an assortment of features and functions!

Our Business customers are now asking for things like:

“I MUST make sure that if one of my people loses their computer, I’m not reading our corporate secrets in the NY Times!”

“I MUST make sure that two days before we release our earnings, someone doesn’t accidentally forward our earnings statement outside of our trusted circle.”

“I want an overall real time view of how many calls my call center is taking”

We hear things like this and then we say things like BitLocker!  And RMS!  We are speaking Greek!  We continue to answer our customers’ business needs with screwdrivers, not answers!  We MUST speak their language, and we must answer their questions with answers that they can understand!  When we answer with things like BitLocker and RMS, we then have to explain the business value of these features.  We are already doing it; let’s just answer their questions in their terms first, not last!  Don’t you notice the eyes of our customers glazing over when we start describing the technical details of these products?  By the time we get to the solution summary statement of “that’s how BitLocker will meet your business need of ensuring that your data will not be compromised”, we have already lost them in the technical maze!

What if we could say:

“We have a way to ensure that if someone loses their laptop, their data will be unrecoverable by a malicious user.”

“We have a solution that will prevent people from accidentally or intentionally forwarding your confidential information out to anyone that you do not approve in advance”

“We can provide a dashboard with simple red, yellow, and green status indicators for the Key Performance Indicators you define.  Now you can see the high-level view of your business, and drill through to any area of concern.”

We do not sell a single product that will meet a business need end to end.  Think about it!  What product do we have that can stand all on its own?  If we really expect our customers to stitch numerous products, features, and functions together to build a solution, it just will not happen anymore!  We need to answer business needs in the language that the business understands!  That’s solution selling.  We must stop making our customers derive their solution from our products. 

The goal of solution selling is to help our end customers understand that we can meet their needs.  We do this by eliminating the technical discussion up front.  We must help our partners communicate in the language of the business customer.  Our customers no longer feel that they must learn our language; we must learn to communicate in theirs, and we must help our community learn to communicate in the form our customers want to hear. 

If we make it easier for our customers to understand our message, we will make it easier for them to see how we can meet their business needs.  The discussion of which product to use goes away; it's not important to the business answer.  Once the customer understands the business solution, we just give them a list of products, or better yet, capabilities that will meet their needs.

Until next time!

Rob

Posted by rwagg | with no comments

Wards didn't tell customers about breach

Hackers captured at least 51,000 credit card numbers

http://www.msnbc.msn.com/id/25415152/

</Rant on>

Didn't we just talk about this?  OK, this happens, but then to not tell your customers that some of their confidential information is on the loose?  Come on!

</Rant off>

OK, I tried to make the rant short, but the bottom line is that someone else didn't protect our information, and this "someone else" didn't bother to tell us they screwed up!  This is proof that we can define process until we're blue in the face.  We have laws that say these breaches must be disclosed, but Wards chose not to disclose until they got caught!  We have to have people that are willing to understand the intent of the process, not just check the box.  The reality, though, is that if we find people that care about our information, they also care about us as consumers.  That's called customer service!

"But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked..."

So where are the other 6 states?  I don't know, but the reality is that we need to be more careful with our information; no one else is, and it is our ultimate responsibility.  Of course, every company wants us to use our credit card on their site.  Remember the old days of C.O.D.?  Now businesses are paid for their product before it's shipped out.  They have our money before we have our product, and if we are unhappy with our product, now we have to fight to get our money back!  Credit cards are convenient, and I don't know how I'd get along without one anymore, but we have to use common sense as well. 

This is the last quote of the article, doesn't this make us all feel more confident?

"Probably every one of our cards is up there somewhere now," referring to the fact that most likely all of our information has already been disclosed by now.

In the end, the only way a consumer can prevent a breach of their information by any company is to vote with their feet.  Shop somewhere else!  Businesses, like people, respond to pain.  Once the business pain is so high that they are losing revenue due to their lack of commitment, they will either close their doors or truly get it right.

Until next time!

Rob

Posted by rwagg | 1 comment(s)

Hyper-V has RTM'd!

I've been waiting for this day since December 2007!  Effective 6/26/2008 9:00 am PST, Hyper-V for Server 2008 has reached Released to Manufacturing (RTM) status.  I've been using the beta bits of Hyper-V since last summer and I've been very pleased with the progress I've seen over the last 12 months.  I'm running three multi-core machines and System Center Virtual Machine Manager 2008 (still in beta); the combination is absolutely killer!  The thing I really like about Hyper-V is that it runs on normal (64-bit) Server 2008 hardware.  The hardware requirement is a 64-bit chip that includes the virtualization functionality.  Almost every multi-core chip is in this category, but some of the initial x64 chips and even some of the dual-core chips do not support virtualization.  Be sure to check your chip.  AMD has a good tool you can run against your CPU to see if it's Hyper-V ready.  Check it out here; the test utility is the third choice down.  It's titled something obscure like "AMD Virtualization™ Technology and Microsoft® Hyper-V™ System Compatibility Check Utility" <smirk>.  Hyper-V runs on both Intel and AMD; one of my three multi-core machines has an Intel Xeon CPU in it.
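The "check your chip" step above can also be done from PowerShell on later Windows releases. The script below is an added example (not from the original post, and not the AMD utility it mentions); it assumes the Win32_Processor properties VMMonitorModeExtensions, VirtualizationFirmwareEnabled and SecondLevelAddressTranslationExtensions, which Windows 8 / Server 2012 and later expose. It separates "the chip has VT-x/AMD-V" from "it is actually switched on in firmware", which is the case that usually trips people up.

```powershell
# Added example, not part of the original post. Assumes the Win32_Processor WMI
# properties VMMonitorModeExtensions, VirtualizationFirmwareEnabled and
# SecondLevelAddressTranslationExtensions (Windows 8 / Server 2012 and later).
function Test-HyperVReadiness {
    [CmdletBinding()]
    param()

    foreach ($cpu in (Get-CimInstance -ClassName Win32_Processor)) {
        $is64Bit   = ($cpu.AddressWidth -eq 64)
        # Hardware-assisted virtualization (Intel VT-x or AMD-V) present on the chip.
        $vtPresent = [bool]$cpu.VMMonitorModeExtensions
        # ...and actually enabled in firmware; many boards ship with it turned off.
        $vtEnabled = [bool]$cpu.VirtualizationFirmwareEnabled
        # Second-level address translation (EPT/NPT); required by later Hyper-V versions.
        $slat      = [bool]$cpu.SecondLevelAddressTranslationExtensions

        [PSCustomObject]@{
            Name              = $cpu.Name.Trim()
            Is64Bit           = $is64Bit
            VtExtensions      = $vtPresent
            EnabledInFirmware = $vtEnabled
            Slat              = $slat
            # A chip with VT-x/AMD-V that is disabled in firmware is *not* ready;
            # the fix is a BIOS/UEFI setting, not a new CPU.
            Ready             = ($is64Bit -and $vtPresent -and $vtEnabled)
        }
    }
}

Test-HyperVReadiness | Format-Table -AutoSize
```

Run it elevated on the prospective host; a row with VtExtensions true and EnabledInFirmware false means the hardware is fine and only the firmware setting needs changing.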

I think the greatest part about the RTM of Hyper-V is that now more people will start deploying it.  It is an awesome product and it helps to continue to extend your infrastructure in a cost-effective way.  The other great thing is that some of our other solutions that have been waiting on the RTM of Hyper-V can now move towards their RTM.  Two prime Microsoft products are DPM and System Center Virtual Machine Manager (SCVMM).  I'll keep talking about virtualization, but I wanted to make this announcement short and sweet.

How do you get the RTM bits?  Around noon PST today, the Hyper-V bits will be available for download on the Microsoft download site.  I say around noon because we post the bits and then they replicate globally.  The bits will be available via Windows Update on July 8th.  Our plan has always been to ship the Hyper-V bits via Windows Update, so you can get it now, or get it later. 

Until next time!

Rob

Virtualization - What is it?

It sounds kinda dumb to some of us, but I always try to start at the beginning, so let's start with defining Virtualization.  Wikipedia does a good job of defining Virtualization:

In computing, virtualization is a broad term that refers to the abstraction of computer resources. Virtualization hides the physical characteristics of computing resources from their users, be they applications, or end users. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple virtual resources; it can also include making multiple physical resources (such as storage devices or servers) appear as a single virtual resource.

That makes sense, right?  OK, maybe we need to dig a little deeper, but the bottom line is that virtualization lets us take one computer or server and give it multiple "personalities".  Why would we do this?  What problems are we trying to solve?  There are multiple ways to virtualize, but right now we're going to focus on hardware virtualization.  We'll talk about the other forms of virtualization at a later time, but back to the questions.  Why?  And what are we trying to solve?

  1. Most servers today only reach 40-50% utilization; if we're lucky!  Some of our most "critical servers" are only averaging 20% utilization. 
  2. Server bloat.  If you run a data center, how many computers do you have?  Do you have enough floor and rack space, air conditioning, and electricity?  I have had a few customers tell me that the A/C people will not let them put any more servers in their server room because there is no more A/C capacity. 

If we can find a way to increase the utilization of each server we have, can we have fewer servers?  That's our goal!  If we can add multiple personalities to each server (the hardware), each piece of hardware can get closer to fully utilized.  Multiple personalities???  While that's something a person might have to seek professional help for, it's actually a good thing for our server hardware if it's managed properly. 

Let's define a few terms:

Host computer - this is the physical computer that you have racked up sucking electricity and generating heat.

Guest operating system - this is one of the "personalities" that can be running on your host computer. 

Workload - I'll refer to workload as opposed to server or server application, because our goal is to separate the workload from the hardware.  We can create multiple workloads, each workload can contain the operating system and the server application. 

Hypervisor - the generic name for the virtualization architecture.  I'll talk more about the hypervisor below.

System Center Virtual Machine Manager (SCVMM) - with virtual machines comes the risk of virtual machine sprawl.  Remember that someone has to manage and secure all of these machines.  SCVMM does a great job at managing the host computer and the guest operating systems seamlessly, and it even manages VMware servers AND VMotion. 

There are multiple server virtualization solutions: VMware is the most popular, XenServer offered by Citrix is gaining traction, and Microsoft offers Virtual Server 2005.  Microsoft has now released our new virtualization solution, Hyper-V.  Hyper-V is built into Server 2008.  While Server 2008 released a few months ago, the RTM bits of Hyper-V are releasing today. 

There has been a lot of debate about the architecture of the virtualization solutions; the term you will hear a lot from all of the virtualization vendors is the hypervisor.  The big question is "should the device drivers be part of the hypervisor or not?".  Microsoft's view is that the device drivers should not be included in the hypervisor itself, but need to be made available to the hypervisor (of course).  Device drivers are the number one cause of operating system failures.  I'm not saying our plan will eliminate all of these failures, we know better; but our goal is to minimize the risk of a device driver failure impacting the overall host machine.  By removing the device drivers from the hypervisor, we can also reduce the size of our hypervisor.  The smaller the hypervisor, the smaller the attack surface.  The smaller the hypervisor, the smaller the code base, and statistically speaking, smaller code bases have fewer bugs.  I agree that this is a bit out there, but the reality is that larger code bases are more difficult to fully test and debug. 

The Hyper-V team has done a very good job of keeping the hypervisor small and fast and regression testing it from every angle they could find.  I've seen incredible performance improvements over Virtual Server 2005 R2, but we all expected that... right?  Performance is so much better than Virtual Server 2005 that I doubt you'll see many serious benchmarks against Virtual Server 2005.  I expect to see more benchmarks against actual workloads.  One nice tidbit about our confidence in Hyper-V: we've been running all of our MSDN and TechNet sites on Hyper-V servers for over two months, and over 25% of Microsoft.com is also running on Hyper-V machines.  I'm very comfortable that this will be a very stable release.  We've got over 250 customers that have been running Hyper-V in production for some time as well, so it's not just us, but some of our largest customers that have helped drive us to our quality bar.  This functionality is now part of Server 2008 and you'll see a lot of our partners continue to enhance and extend their functionality with the use of Hyper-V. 

More about the hypervisor... the Hyper-V hypervisor runs in the most privileged part of the server, so if the hypervisor is compromised, the risk of compromising the contents of the host machine and of the virtual machines increases as well.  Keep in mind that virtualization will allow you to reduce your physical server footprint, but now if a host computer fails, you have more than one workload fail.  I've seen companies consolidate hundreds of physical servers down to fewer than 10 virtual servers.  As you plan your virtualization strategies, please continue to think about DR and uptime. 

We spent a lot of time reviewing the architecture and functionality of Hyper-V from a security perspective.  VMware had the first vulnerability where a compromised host machine also compromised the guest operating systems on that host.  We've put a lot of energy around ensuring that 1.) the hypervisor is not compromised, and 2.) even if the hypervisor is compromised, that does not mean that the contents of the guest operating systems are compromised as well.  We all knew this kind of vulnerability was only a matter of time.  This vulnerability occurred about a year ago, so all of the virtualization vendors have had plenty of time to address these types of vulnerabilities.  No promises that these types of vulnerabilities are a thing of the past, but I'll be surprised to see many more of these.

Hyper-V supports all of the Windows 2008 drivers; there is no need to re-write drivers just for Hyper-V.  The good news is that drivers are easier to acquire; the bad news is that anyone can provide a driver that will work with Hyper-V if it works with Server 2008.  The risk is again that these device drivers may not be as stable as they should be.  We have mitigated the stability and security concerns by having these drivers execute in a less privileged portion of the host computer.  If these drivers crash or are compromised, they do not have access to any other portion of the host machine.  This is where pictures are worth 1000 words, but the bottom line is that device drivers are still available to Hyper-V, but they are insulated so that if they crash or are compromised, they don't compromise the whole machine or cause the whole machine to crash.  Some device drivers can still crash the whole machine, but things like video drivers and other less critical drivers should not cause host system failures.  This scenario is driver specific; I still encourage you to test every single change before it's deployed in production. 

I'll have more thoughts on Hyper-V as we go forward, but for all of our customers and partners, Hyper-V is a very compelling virtualization solution that is now released and available.

We have some good information on Virtualization on TechNet, check it out.

Until next time!

Rob

Group says Google a top source of badware

According to Stopbadware.org, Google is one of the top five networks responsible for hosting dangerous websites

This comes from:

http://www.infoworld.com/article/08/06/24/Group_says_Google_a_top_source_of_badware_1.html

This is an interesting article.  It says that China hosts over 50% of the badware sites.  WOW!  And for Google to show up in the top five of that list?  Well, I learned a while back that if your primary source of income is click-through advertisements, you'll do a lot to make sure people click as much as possible...  The real irony?  Google is one of the sponsors of the site that put them on the bad list!  Here is a quote from the Stopbadware.org report:

"The security community has known about Google's problems for at least a year or two now, and unfortunately Google has not responded with anything other than hand waving," said Robert Hansen, CEO of SecTheory.org, a Web security consultancy.

This is an interesting comment, but in Google's defense, it's hard to know where to draw the line sometimes...  I read the article and the report.  Page 3 of the report lists the top ten offenders.  The report, and the Infoworld article both point out that while Google hosts these badware sites, the majority of the badware sites reside on their blog site.  It is hard to police blogs; Google says that when badware sites are identified, they are taken offline, but again, where and when do you draw the line? 

When you read their definition of badware, the bottom line is that a badware site is a site that installs software without the user's consent, takes data from the user's computer without appropriate approval, or installs software that maliciously degrades the computer's performance.  Performance degradation.  That's a good one.  Again, where's that line?  Is it something like Office that consumes more resources and slows your machine down?  Nah, that's why their guidelines are more than just a few sentences, but they define badware as software that you would not want on your computer... if you really understood everything it did.  I think badware is a good name for what we're talking about.  If you don't want it on your computer, why would you force it on someone else's? 

This is another one of these areas where the defense in depth principle comes into play.  It's hard for one tool to fully police right and wrong, but 1.) blocking the known malicious sites, 2.) incorporating anti-phishing technologies to block known bad behaviors, and 3.) putting your browser in reduced privilege mode creates three barriers that any piece of malicious software must overcome to be successful.  Part 3 does require Windows Vista, but not necessarily IE 7.  The Windows Vista team worked with the Firefox team as well as other browser development teams to help them leverage the same reduced privilege mode that Windows Vista provides for IE 7.  I really like the fact that I have normal privileges for doing the normal machine "things", but when I'm browsing and some site tries to install an application, harvest my personal data, or take any other unfriendly action against me or my computer, my browser doesn't have the permission it needs to allow the malicious code to execute.  Of course, as the user, you can always allow these types of applications to execute, or explicitly trust certain web sites (internal and external), but for those sites that you don't, or shouldn't, trust, isn't it nice to know that your browser doesn't even have the rights to execute these applications without your explicit permission? 

I guess I should end with the disclaimer that these are my opinions only, not necessarily those of Microsoft or anyone else...  No warranties or any of that other stuff either... OK? 

Until next time!

Rob

Posted by rwagg | with no comments

Setting up a Computer to use BitLocker Drive Encryption

Now that we've talked about "What is BitLocker", let's talk about how you set it up and use it.  I won't get into the "nitty gritty", but I'll cover the high points of setting up BitLocker on your machine. 

You can use the BitLocker Drive Preparation Tool to configure the boot partition of your computer for Windows BitLocker.  The tool can be found here.  This tool is only needed if you are encrypting the boot partition; if you are encrypting other partitions, I'd encourage you to encrypt your boot partition as well.  Since BitLocker fully encrypts the whole partition, the computer will not be able to read this encrypted partition without a little help.  This tool will shrink the boot partition by 1.5 GB, create a new 1.5 GB partition (with the space recovered), and copy the initial boot files that are required to start Windows Vista or Server 2008 to this new partition.  This tool does a great job at setting up this new boot partition, moving the required boot files, and setting the new partition as the active boot partition.  When the computer boots, it will now boot from this new 1.5 GB partition. 

This boot partition contains the initial boot files, which contain just enough code to start the boot process and then read the BitLocker key from the onboard TPM device (or USB key).  Once the BitLocker key is obtained, the encrypted drive is accessible and the boot process can continue.  The very first thing Windows Vista does when it continues the boot process on the encrypted portion of the drive is to ensure the boot files on the unencrypted partition have not been compromised.  If the boot files have been compromised or altered, the boot process stops and the user is notified that the boot files have been compromised.  Here are a couple of things to note:

  1. If you are using a USB key, and not a TPM Chip to store the encryption key, Windows Vista will not inspect the unencrypted files for tampering. 
  2. Vista prefers to store the BitLocker key in the TPM chip as opposed to a USB key.  When the USB key is used, there is more risk of the BitLocker key being compromised.  Why is that?  Well the TPM device is made to protect itself from unauthorized or hostile access.  The TPM device is paired to your exact instance of the Operating System. 

If you reformat your drive, reinstall Windows Vista or Server 2008, or boot from an alternate OS, the TPM device will not provide this new instance of the Operating System with the BitLocker key.  Again, BitLocker is paired to your exact installation of Windows Vista, any other instance of any other operating system (Vista or other) is unable to access the TPM chip.  The other reason the TPM chip is more secure than a USB key is that if your BitLocker key is stored on a USB drive, most people tend to leave the USB drive with the computer.  This will totally defeat the value of BitLocker since the decryption key is stored in clear text on the USB key with the computer.  If you use a USB key, you must secure the USB key as well as the computer.

Before you deploy BitLocker to your machines, please ensure that your AD has been extended to support the escrowing of the BitLocker recovery key, and then please deploy a group policy that requires the recovery key to be uploaded to AD before the mobile machine's hard drive can be encrypted.  If you do not update your schema and escrow the recovery key, then if there is a hardware failure or any other change that prevents the computer from booting, your data will not be recoverable.  There are no back doors if your AD has not been configured to escrow these keys.  During the process of enabling BitLocker, the user will be able to escrow their keys to a USB drive, printer, or file location, but the schema change and Group Policy setting will make the escrow process seamless to the end user.  You can also deploy a group policy that escrows the BitLocker key to a file share in addition to, or instead of, AD, if you choose.  Keep in mind that the location in AD that contains the BitLocker recovery key is secured so that only Domain Administrators have the ability to read this key. 

OK, so what do I mean when I say extend AD and deploy the group policy?  If you already have a Server 2008 Domain Controller, your schema has already been extended.  If you don't have a Server 2008 Domain Controller yet, odds are that your schema has not been extended.  I've posted the schema extension discussion here.  I had a machine that didn't have a TPM chip, so I carried my USB thumb drive on my key chain.  With the thumb drive with me, if I was separated from my computer, my BitLocker key would be with me, not the computer.  Enabling the USB functionality requires an additional group policy change.  We do not enable the USB functionality by default due to the additional risk, but you can enable the functionality if need be.  We have a good step-by-step guide that goes into the "nitty gritty" of BitLocker deployment here.

We have updated our recovery tools to support BitLocker, so if you need to recover or manage a hard drive encrypted with BitLocker, it only takes a few additional steps to access the BitLocker-encrypted volume in an offline mode.  The backup process is not changed by enabling BitLocker; it works the same way, but now you will get a warning when you back up your BitLockered drives.  When you back up a BitLocker partition, the contents of the backup file are unencrypted.  You still need to secure your backup files.  You can store your backup files on another BitLocker volume or back them up to a directory encrypted with EFS.  The reality is that backups have always been a risk; remember my earlier posting Bank Loses Tapes with data on 4.5M clients.  Backups are important, don't stop doing them, just be sure that your backups are secure.  My hope is that you're actually backing your machine up to a secure backup resource in your data center.  If you are backing up your machine to an external USB drive, just encrypt the folder on your USB drive with EFS if this external drive is at risk of theft.  Personally, I back up my machines before I travel and expect that my backups stored at home will be safe.  I BitLocker my drive to ensure that if my machine is lost, the data is unreadable by the person that finds my machine.  I'd HATE to lose my machine, but the value of my data, and possibly any customer data, is much greater than the value of my physical hardware.  My number one goal is to ensure the security of my data.  My number two goal is to ensure the security of my machine.

As I mentioned earlier, BitLocker will let you escrow the recovery key in AD.  In BitLocker's default configuration, the computer requires a TPM v1.2 module in the computer.  We've documented the group policy settings, but if there's enough interest, I'll post the instructions here as well.  Just let me know.
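The ordering the post insists on (TPM present, recovery key created and escrowed to AD, and only then the volume encrypted) can be enforced in a script rather than left to the wizard. The script below is an added example, not code from the original post or from Microsoft's deployment guide; it assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later; on Vista the same steps are done with the GPO above and manage-bde), a domain-joined machine, and that the schema has been extended so that Backup-BitLockerKeyProtector has somewhere to write.

```powershell
# Added example, not part of the original post. Assumes the BitLocker and
# TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later)
# and a domain-joined machine whose AD schema already holds BitLocker recovery info.
function Enable-EscrowedBitLocker {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    # 1. Refuse to continue without a ready TPM. A USB-key-only setup skips the
    #    boot-file integrity check and the key tends to travel with the laptop.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "No ready TPM on this machine; BitLocker was not enabled."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 2. Make sure a recovery password protector exists before any encryption starts.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    # 3. Escrow every recovery password to AD. -ErrorAction Stop means a failed
    #    escrow aborts the function, so the volume is never encrypted without a way back.
    foreach ($rp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
    }

    # 4. Only now seal the volume key in the TPM and start encrypting.
    if ($vol.ProtectionStatus -ne 'On') {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

Enable-EscrowedBitLocker -MountPoint 'C:'
```

Step 3 is the one worth keeping even if you change everything else: if the escrow call fails (machine not domain-joined, schema not extended, no line of sight to a DC) the function stops before Enable-BitLocker, which is exactly the "no back doors" situation the post warns about.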

Until next time!

Rob

Extend your Server 2003 Active Directory Schema for Windows Vista and Server 2008

Windows Vista and Windows Server 2008 include additional group policy settings that give the administrator more granular management of their users' workstations.  To leverage these new configuration items, the schema of a Server 2003 Active Directory forest must be upgraded to a Server 2008 schema.  You can upgrade your schema without installing Server 2008.  We just need to tell the Server 2003 schema that it needs to be aware of additional objects that Windows Vista can leverage.  All of your Server 2003 DCs must be running at least SP1.  There are a few ways to upgrade the Server 2003 schema; one is pretty lengthy, the other is a lot easier and more straightforward.  First I'll give you a brief rundown on some of the new stuff in store in Windows Vista and Server 2008:
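Before touching the schema it helps to know whether it has already been extended and whether every 2003 DC meets the SP1 requirement above. The script below is an added example, not code from the original post; it uses only the .NET System.DirectoryServices classes present on any domain-joined Windows machine with PowerShell (no RSAT needed). The objectVersion values it maps are the documented Active Directory schema versions (13 = Windows 2000, 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2); the DC query relies on the SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl.

```powershell
# Added example, not part of the original post. Needs a domain-joined machine and
# read access to the schema and domain partitions (any domain user has that).
function Get-AdSchemaReadiness {
    [CmdletBinding()]
    param()

    # Documented schema objectVersion values for each Windows Server release.
    $versions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                   44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

    # RootDSE tells us where the schema partition lives; objectVersion on it is the level.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $schema   = [ADSI]"LDAP://$schemaNc"
    $objVer   = [int]$schema.Properties['objectVersion'].Value
    $label    = if ($versions.ContainsKey($objVer)) { $versions[$objVer] }
                else { "newer than Windows Server 2008 R2 (objectVersion $objVer)" }

    # Domain controllers: computer objects with SERVER_TRUST_ACCOUNT (8192) set.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'operatingsystem', 'operatingsystemservicepack'))

    $dcs = foreach ($r in $searcher.FindAll()) {
        [PSCustomObject]@{
            Name        = [string](@($r.Properties['name'])[0])
            OS          = [string](@($r.Properties['operatingsystem'])[0])
            # Empty when the DC is at RTM, i.e. no service pack applied.
            ServicePack = [string](@($r.Properties['operatingsystemservicepack'])[0])
        }
    }

    # Any 2003 DC with no service pack blocks the upgrade; SP1 or later is required.
    $lagging = @($dcs | Where-Object { $_.OS -like '*2003*' -and [string]::IsNullOrEmpty($_.ServicePack) })

    [PSCustomObject]@{
        SchemaObjectVersion = $objVer
        SchemaLevel         = $label
        SchemaIs2008OrLater = ($objVer -ge 44)
        DomainControllers   = $dcs
        DcsNeedingSP1       = $lagging
        ReadyToExtend       = ($objVer -lt 44 -and $lagging.Count -eq 0)
    }
}

Get-AdSchemaReadiness | Format-List
```

SchemaIs2008OrLater true means the KB article's warning about the Vista RTM beta extensions no longer applies to you, because a 2008 DC (or a correct adprep run) has already done the work; DcsNeedingSP1 lists the machines to patch before running adprep.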

Windows Vista and Windows Server 2008 introduce a new format for group policies.  ADMX files are the new file format, and they are stored as XML.  These new policy settings can only be managed from Windows Vista or Windows Server 2008 based administrative machines running Group Policy Object Editor or Group Policy Management Console.  These new policy settings are defined only in ADMX files and, as such, are not exposed in the Windows Server 2003, Microsoft Windows® XP, or Windows 2000 versions of these tools.  Here's where it gets a bit dicey.  I'd like you to upgrade Windows Vista to SP1 (the upgrade is well worth it), but doing so removes the ability for Windows Vista to manage domain policies.  To add this functionality back to Vista, you need to install the Remote Server Administration Tools to get the management functionality restored.  This is actually a good thing.  The reality is that 99% of your user community should not be modifying domain policies, so it's best to take the bullets out of their gun :).  Here are a few of the highlights:

  • The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console can be used to manage all operating systems that support Group Policy (Windows Vista and Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000).
  • The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console support interoperability with versions of these tools on earlier operating systems. For example, custom ADM files stored in GPOs will be consumed by the new tools.
  • In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
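Here is an added example, not code from the original post, of setting up that Central Store so that every Vista SP1 / RSAT admin box and every DC consume one copy of the ADMX and ADML files from SYSVOL.  It assumes it runs on a domain-joined Vista SP1 machine with RSAT installed, as a domain admin; the domain name is taken from the environment and the SYSVOL path follows the documented Central Store layout.

```powershell
# Added example (not from the original post): build the Group Policy Central Store in SYSVOL.
# Assumptions: run on a Vista SP1 machine with RSAT installed, as a domain admin, and the
# machine is joined to the domain whose store we are creating.

$domain = $env:USERDNSDOMAIN                          # e.g. contoso.local (assumption: domain-joined)
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) {
    throw "No PolicyDefinitions folder on this machine; install RSAT (or use a Vista SP1 box) first."
}

# Create the store once; later runs only refresh it with newer ADMX/ADML files.
if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }

# Copy the ADMX files and every language subfolder (en-US and so on) holding the ADML strings.
# Without at least one matching ADML folder the editor shows the settings with no text.
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# Verify: the store must carry at least as many ADMX files as the workstation and one ADML folder.
$srcAdmx   = @(Get-ChildItem $source -Filter *.admx).Count
$storeAdmx = @(Get-ChildItem $store  -Filter *.admx).Count
$langs     = @(Get-ChildItem $store | Where-Object {
                 $_.PSIsContainer -and @(Get-ChildItem $_.FullName -Filter *.adml).Count -gt 0 })

"ADMX files: $srcAdmx on this workstation, $storeAdmx in the central store"
"ADML language folders in the store: " + (($langs | ForEach-Object { $_.Name }) -join ', ')

if ($storeAdmx -lt $srcAdmx -or $langs.Count -eq 0) {
    throw "Central store is incomplete; fix it before anyone edits a GPO from a Vista box."
}
```

Once the folder exists, the Vista / Server 2008 editors switch to it automatically and ignore the local PolicyDefinitions folder, so from then on new ADMX files (for a new application, or a later Windows release) only need to be dropped into SYSVOL.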

Now, back to the question of how do I upgrade my Server 2003 Schema to support Server 2008 and / or Vista?

First, do not use the schema extensions shipped on the RTM version of Windows Vista.  The version included on your Vista RTM DVD contains the beta version of the Server 2008 schema extensions.  Check out:

http://support.microsoft.com/kb/933585

The article below discusses the details of adding a Server 2008 server to your SBS network.  There are just a few things you need to be aware of, and it also discusses how to prepare the forest for Server 2008.  This will get you ready to manage Group Policies for Windows Vista within your SBS or Server 2003 Forest.

Adding a Server Running Windows Server 2008 to a Windows Small Business Server 2003 Network

I'm going to say this one more time: to manage all of the new toys in Windows Vista from a Vista SP1 machine, you need to install the Remote Server Administration Tools for Vista SP1.  Here is a brief rundown:

Installing the Remote Server Administration Tools for Vista SP1

Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1

Once you install the update, you still have to enable the tools you added.  This is similar to the way the R2 functionality in Server 2003 was added: the install just gives you the ability to enable the admin tools.  Go into the Programs and Features applet in Control Panel, choose Turn Windows features on or off, and under Remote Server Administration Tools check the components you need (Group Policy Management Console is under Feature Administration Tools).

If you are running SBS 2003, you can stop here.  If you want to drill into more of the planning for Server 2008, I've included additional information below.

I encourage you to follow this document so that you can fully plan your move to Server 2008.  We both know you'll get there, so let's do it right from the beginning.

Information and resources to use when you plan to upgrade Windows Server 2003 to Windows Server 2008

Please review this article, I'm encouraging you to plan this upgrade before you do it.

http://support.microsoft.com/default.aspx/kb/948070

The process to upgrade your schema to Server 2008 AD DS is located here. This is the actual process to do the upgrade, but I'd really like you to review the information I have provided first.  I'm not saying you need to be afraid of the schema upgrade, but please plan it before you just do it.  One last thing, backup, backup and then backup again.  Please make sure you have a good backup before you do a schema upgrade.  I've never heard of a schema upgrade failing, but if it does, it could force you to rebuild your whole forest.  Please remember that when you have the power to make positive change, you also have the power to mess things up, so make sure you have a good plan.

adprep /forestprep is the command that you will enter at the command prompt, but please read the full instructions.  You need to run this command on your Schema Master FSMO role holder, and your account must be a member of Schema Admins, Enterprise Admins, and Domain Admins in the forest root domain.  /forestprep is only the first step: after it has replicated, run adprep /domainprep /gpprep on the Infrastructure Master of each domain, and adprep /rodcprep only if you plan to deploy Read Only Domain Controllers.

Please start here for the low down on all of the steps you should follow:

Performing the Upgrade of Active Directory Domains to Windows Server 2008 AD DS Domains

http://technet2.microsoft.com/windowsserver2008/en/library/9c91be5f-df14-40b2-b176-2b1852a51e611033.mspx?mfr=true

If you have a copy of Server 2008, it includes adprep (under \sources\adprep on the media) and will allow you to extend the schema right from the Server 2008 media.  If you do not have the Server media, you can download the evaluation version of Server 2008 here; it will let you use adprep to take your Server 2003 schema to the Server 2008 schema.  The eval version of Server 2008 contains the same adprep, so you can use it to extend your forest even if you never install Server 2008.  Right now, all we need are the schema extensions, not Server 2008 itself.
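The sequence above, as an added example that is not part of the original post: a pre-flight script that finds the Schema Master, reads the current schema version, checks the group memberships adprep needs, takes the system state backup, and then runs adprep in the documented order.  Assumptions: it runs in PowerShell on the Schema Master (a Server 2003 SP1 or later DC with PowerShell 1.0 installed), the Server 2008 media matching the DC's architecture (x86 media for a 32-bit DC, x64 for a 64-bit DC) is mounted as D:, and the backup path is made up for the example.

```powershell
# Added example (not from the original post): pre-flight checks and the adprep sequence for
# extending a Server 2003 forest to the Server 2008 schema.
# Assumptions: run on the Schema Master, as a member of Schema Admins, Enterprise Admins and
# Domain Admins of the forest root; Server 2008 media (RTM or eval, same architecture as this
# DC) is mounted as D:. Media and backup paths are assumptions.

$media  = 'D:'
$adprep = "$media\sources\adprep\adprep.exe"

# 1. Find the Schema Master from the schema naming context and confirm it is this machine.
$root     = [ADSI]'LDAP://RootDSE'
$schemaNc = $root.psbase.Properties['schemaNamingContext'].Value
$schema   = [ADSI]"LDAP://$schemaNc"
$ntdsDn   = $schema.psbase.Properties['fSMORoleOwner'].Value   # CN=NTDS Settings,CN=<dc>,CN=Servers,...
$serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''           # strip the first RDN -> the server object
$master   = ([ADSI]"LDAP://$serverDn").psbase.Properties['dNSHostName'].Value
$here     = [System.Net.Dns]::GetHostEntry('').HostName
"Schema Master: $master   (this host: $here)"
if ($master -ne $here) { throw "Run adprep /forestprep on the Schema Master ($master), not here." }

# 2. Current schema version: 30 = Server 2003, 31 = Server 2003 R2, 44 = Server 2008.
$version = [int]$schema.psbase.Properties['objectVersion'].Value
"Schema objectVersion before: $version"
if ($version -ge 44) { "Forest already has the Server 2008 schema or later; nothing to do."; return }

# 3. Group memberships: adprep fails part-way through if any of these is missing.
$groups = whoami /groups
foreach ($g in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
    if (-not ($groups -match $g)) { throw "Current logon token is not a member of $g." }
}

# 4. Replication must be clean before and after; any failure in this summary means stop.
repadmin /replsummary

# 5. System state backup with the tool Server 2003 ships (path is an assumption).
ntbackup backup systemstate /J "Pre-adprep system state" /F "C:\Backup\PreAdprep.bkf"

# 6. The extension itself. /forestprep prompts for C + Enter before it changes anything.
& $adprep /forestprep
# After it replicates, on the Infrastructure Master of EACH domain:
#   & $adprep /domainprep /gpprep
# And only if you plan Read Only Domain Controllers:
#   & $adprep /rodcprep

# 7. Re-read the schema object (not the cached one) and confirm the new version.
$after = [int]([ADSI]"LDAP://$schemaNc").psbase.Properties['objectVersion'].Value
"Schema objectVersion after: $after (expected 44)"
```

Let replication finish and run repadmin /replsummary again before you run /domainprep; a DC that has not yet received the new schema will reject the domain-level changes.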

We have a whole section on Windows Server Group Policy, so please check out the new power you have at your fingertips.  Please remember that with power comes risk.  You have the power to deploy a group policy that can render your domain useless.  Let me say that one more time.  If you are not paying attention, and you do not test your changes in a test lab first, you could render your domain useless.  A useless domain will require you to rebuild from the ground up.  My intent isn't to scare you, but I want to make sure you properly plan and test every single change before you deploy your changes into production.  Here is a good rundown of the Vista SP1 updates, the Group Policy Preferences and the Planning and Deployment guide.

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

ADMX Migrator is a snap-in for the Microsoft Management Console (MMC) that simplifies the process of converting your existing Group Policy ADM templates to the new ADMX format and provides a graphical user interface for creating and editing administrative templates http://go.microsoft.com/fwlink/?LinkId=77409.

How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain http://support.microsoft.com/kb/921469

New and updated features in Group Policy http://www.microsoft.com/technet/windowsvista/library/gpol/a8366c42-6373-48cd-9d11-2510580e4817.mspx?mfr=true

Managing Group Policy ADMX Files Step-by-Step Guide http://go.microsoft.com/fwlink/?LinkId=60363

Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy http://go.microsoft.com/fwlink/?LinkId=72206

How's that for a little bit of information.

Until next time!

Rob

Posted by rwagg | 3 comment(s)

Bill Gates Last Full Time Week at Microsoft

Well if you haven't heard, this is the last full week for Bill Gates at Microsoft.  Bill has been transitioning for the last two years, but starting in July, Bill will move to a part time role.  He will now dedicate the majority of his time to the Bill and Melinda Gates Foundation.  Bill will continue to maintain a part time involvement with Microsoft, he says that he will continue to stay involved in a few projects.  One of Microsoft's strengths has always been to grow leaders from within.  We have also been very good at recruiting leaders from outside of Microsoft as well.  Ray Ozzie, our Chief Architect, and Kevin Turner, our Chief Operating Officer, both came from outside of Microsoft and both have made impactful contributions to Microsoft's long and short term direction. 

I've seen Bill speak numerous times and I've always enjoyed his forward looking views on technology and our global society.  Yes when your company develops software you can influence the future of IT, but businesses and users provide the true direction of IT.  I was using Microsoft software years before I came to work at Microsoft.  I think one of my first Microsoft purchases was actually Microsoft Fortran for CP/M, for my Heathkit computer.  Initially, Microsoft's biggest contributions were in the development tools area.  I took Fortran in college and it dictated that I use the campus mainframe.  If you remember back in the 80's, the mainframes had rooms full of terminals, and you had to trudge across campus at all hours of the day and night if you were not fortunate enough to have your own computer and modem.  If you had to walk to the computer terminal room, you then stood in line to wait your turn for a terminal.  I was fortunate, I had my own computer, modem, and Fortran compiler.  I was able to do the majority of the work on my computer and then just upload it to the mainframe.  It reduced my mainframe time and gave me the opportunity to learn more about Fortran and computers as a whole.  As a college student, way before I came to work at Microsoft in 1997, I was appreciating the software and innovations that came out of Microsoft under the direction of Bill Gates.  We've taken our developer tools like Fortran and migrated them into our Visual Studio tools.  With the standardized tools and Operating Systems, we've been able to build an eco system that makes it easier for students to use computers at school and at home. 

Microsoft helped standardize many programming languages and development platforms, and we continue to contribute in these areas as the development tools continue to evolve.  I never owned a Heathkit Hero Robot, but I was able to "play" with one from time to time.  The Hero came out in the 80's and it was very revolutionary for its time, but developing code to make the Hero "more intelligent" was tedious.  The funny thing is that robots have not evolved that much since the Hero.  You can actually purchase a robot today that uses the same style of frame, but now these robots come with normal PC motherboards installed, and they run Windows.  Microsoft has developed the Microsoft Robotics Studio.  I really like that we can provide specialized development tools like the Robotics Studio to help developers focus on the larger robot development tasks.  We try to eliminate the simpler tasks like left, right, backwards and forward.  Microsoft continues to lead the way with our development tools, as well as our operating systems and information worker tools.  We have plenty of best of breed technologies, as well as other technologies that are still emerging.  Take search for example, we are still refining our customer base, but I believe that our search engine is as good, if not better, than the other search engines.  Now it's a matter of winning more mind share as we continue to extend search beyond its current evolution.

I appreciate that the Bill and Melinda Gates Foundation spends so much of their energy on global health.  The Gates foundation was not built to promote Microsoft, it exists to give back to the global society.  As you've probably seen, Jeff Raikes is joining the Gates foundation as their new CEO.  For both Bill and Jeff, I think they will appreciate the change of scenery and the new missions.  The Gates foundation was formed in 1994, and since then has continued to focus on improving health, reducing hunger, and reducing poverty on a global basis.  The foundation contributes in other areas as well, but global health is their contribution that stands out in my mind.

I look forward to seeing how Bill Gates continues to contribute to the global society.  I feel that his insight and leadership with the Gates Foundation will continue to benefit society, and influence our products of the future.  I hope Microsoft will receive insight from Bill on how we can have a more direct impact on reducing poverty and continuing to raise the quality of life.

Bill Gates, thanks for all you've done, and I look forward to hearing more from you in the future.

Until next time!

Rob

Posted by rwagg | with no comments

2008 WPC

If you are attending the World Wide Partner conference, hopefully we'll get to meet.  I'll be there this year, this will be my first conference.  In an effort to be prepared for the conference, I took a look at the following article. 

Take a Seat at WPC

http://redmondchannelpartner.com/features/article.aspx?editorialsid=2488

Two of their top selections stand out to me (below).  For those of you that don't know me very well, Virtualization is one of my ultimate passions.  I think this technology has so much potential and we have only scratched the surface.  I've watched virtualization evolve over the past 5 years and I feel it will continue to evolve to the point that there will be no difference between a physical and virtual machine.  I'm looking forward to the dynamic management of host resources. 

Back to the WPC.  Below are the two sections that stand out to me, please check out the article for your personal preferences.

6. Growing Your Core Infrastructure Business through Virtualization Opportunities
Virtualization is one IT area that's growing, dovetailing as it does with the current twin impulses to save money and make infrastructure greener. In recent years, Microsoft has been busy with technological development and acquisitions; currently, the company has about as much virtualization technology on the market as anyone between its own brand and those of close industry partners such as Citrix Systems Inc. This session combines virtualization with infrastructure optimization (IO), another Microsoft pet project (for more on IO, see "Optimize Sales," February 2008).

11. Business Intelligence: 'Ask the Expert' Panel Discussion
With the new version of SQL Server 2008 released on top of the business intelligence (BI) capabilities built into Microsoft Office 2007 and Microsoft Office SharePoint Server, BI is top-of-mind for many partners. Given the generally longer adoption cycles for databases and BI technologies, there's still time for partners to think about exactly how they'll get in on the SQL Server opportunities before the market erupts. This panel discussion builds on the basics outlined in another WPC session titled "Business Intelligence: The Fundamentals of Building Your Practice."

I still think "Business Intelligence" is somewhat of an oxymoron though.  LOL!  BI has so much potential.  Just think about how many decisions used to take days to make because of the data that had to be collected and reviewed.  Now these decisions can be made in less than a day because of the faster hardware and the better organization of the data.  BI has already made such a difference, I'm excited to see how BI will continue to evolve.

I hope to see you there.

Until next time!

Rob

Posted by rwagg | with no comments

Other Forms of Encryption You Need to Consider...

We've already talked about BitLocker, but I wanted to provide an overview of the other encryption solutions for Windows Vista, Windows XP and Server 2003 / 2008.  If there's interest, I'll drill into more detail on any / all of these, so please let me know.

RMS - Rights Management Services protects the document itself, so the protection travels with the data: a protected file or e-mail stays encrypted at rest, in transit, and on the recipient's machine, and only the users named in its rights policy can open it.  With RMS, your data can circle the globe on the open Internet with little or no risk of compromise.  I say little because if someone has physical access to your encrypted data, and enough time and resources, most deployments can be compromised; in practice that means a weak password, a leaked key, or a flaw in the software, not brute force of the cipher itself.  The best way to protect your data from malicious users is still to prevent their physical access to your data.  Gee, doesn't that make sense :)?  Again, that's part of our defense in depth.  Of course, this is a balancing act: how secure can we make the data while still making it available to the authorized user?  BitLocker and EFS can both be 100% invisible to the end user.  RMS has scenarios that are invisible to the end user as well, but the best RMS implementations usually include some end user education.  If you are focused on securing your data, you also need to provide user education to ensure your users know how and when they need to take additional steps to protect their data.

EFS - Encrypting File System allows you to encrypt files while they reside on a hard drive or file server.  The glory of EFS is that a user can store encrypted files on their local machine or a file server and no one but the authorized user (and any Data Recovery Agent you have designated) can access the file.  Even network administrators cannot read EFS files: the administrator can back up and restore files from the file server, but cannot read the contents of the encrypted files, because each file's key is wrapped with the user's EFS certificate, not with the administrator's.  There are methods to recover encrypted files if the owner is no longer able to access them, or leaves the company; that is what the Data Recovery Agent is for, and its private key has to be kept offline, since whoever holds it can open every file it was the agent for.  I'm happy to dig into EFS recovery in the future, but you have the ability to recover data if need be, while ensuring that there is no unauthorized access to the data.  One caveat: when an EFS file lives on a file server, the server decrypts it and sends it over the wire in the clear, so pair EFS on shares with IPSec (below) if the network path matters.
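Here is an added example, not code from the original post, of the EFS workflow as a practitioner would script it: generate the Data Recovery Agent certificate once, encrypt a folder, and then check each file to confirm the recovery agent's key really is attached to it before anyone trusts recovery.  It uses cipher.exe as shipped in Vista / Server 2008 (the /c switch is not on XP).  The folder, the DRA file name, and the "Recovery Certificates" heading that cipher /c prints are assumptions for the example; check the heading against your own output the first time.

```powershell
# Added example (not from the original post): EFS with a Data Recovery Agent, using cipher.exe
# from Vista / Server 2008. Paths and the DRA file name are assumptions.

$folder = 'D:\Finance\Payroll'      # assumed: a folder only its owners should be able to read
$draBase = 'C:\Secure\EFS-DRA'      # assumed: cipher writes EFS-DRA.cer and EFS-DRA.pfx here

# 1. Create the DRA certificate and private key ONCE on a secure admin machine. Import the .cer
#    into "Public Key Policies -> Encrypting File System" of a domain GPO; move the .pfx offline.
#    Whoever holds the .pfx can decrypt every file encrypted under that GPO.
if (-not (Test-Path "$draBase.cer")) {
    cipher /r:$draBase                # prompts for a password that protects the .pfx
}

# 2. Encrypt the folder and everything under it; new files created here inherit encryption.
cipher /e /s:$folder

# 3. For every file, list who can decrypt it. cipher /c prints the users and, when the DRA policy
#    has applied, a "Recovery Certificates" section (heading name is an assumption). A file that
#    shows no recovery certificate will be unrecoverable if the owner's key is lost: run
#    gpupdate /force and re-check before you trust recovery for that share.
$missing = @()
foreach ($f in Get-ChildItem $folder -Recurse | Where-Object { -not $_.PSIsContainer }) {
    $out = cipher /c "$($f.FullName)"
    if (-not ($out -match 'Recovery Certificates')) { $missing += $f.FullName }
}
if ($missing.Count -gt 0) {
    "Files with NO recovery agent attached (fix before relying on recovery):"
    $missing
} else {
    "All files under $folder carry a recovery certificate."
}

# 4. After moving plaintext copies into the folder, wipe the free space they left behind.
#    EFS encrypts the file going forward; it does not scrub the blocks the plaintext occupied.
cipher /w:D:\Finance
```

The check in step 3 is the one that matters operationally: EFS policy applies at logon and per file, so a folder encrypted before the DRA GPO reached the machine looks fine to the user and is unrecoverable to you.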

IPSec - While IPSec is in a different category than EFS and RMS, IPSec is another form of encryption, one that protects data as it is being transmitted over your network.  IPSec ensures that unauthorized computers cannot "see" the actual data being transmitted: a machine that cannot authenticate (with Kerberos inside a domain, with a certificate, or with a pre-shared key, which you should avoid) never negotiates a security association and never gets the session keys.  Two caveats.  Authentication and encryption are separate choices in IPSec; a policy that uses AH, or ESP with null encryption, proves who sent the packet but leaves the payload readable, so check that your policy actually calls for ESP with 3DES or AES.  And IPSec protects the hop between two IPSec peers only; once the data lands on the far machine it is plaintext again unless EFS, RMS or BitLocker picks up from there.

Wow, Encrypt is more than just "encryption" isn't it?  Remember my earlier blog when I said:

You don't know how many times I've heard "We need encryption".  What does that mean?  There's more to it than just encryption, we need to understand what needs to be encrypted and why?

That's why I've provided brief descriptions of the different forms of encryption.  I know this isn't as simple as just "deploying encryption", but that's why we need to understand what type of data needs to be protected and what type of attacks we are trying to mitigate.  There is no "one size fits all" when it comes to encryption.  Personally, I use BitLocker on my mobile machines and RMS on any data I need to protect while it is in transit.  BitLocker and RMS on a secure corporate network provide the best all-around protection from "outside" attacks.  Deploying EFS and IPSec will help protect your data from "inside" attacks.  I'm defining "inside" attacks as those from other machines connected to your physical corporate network.  "Outside" attacks are those that are coming from the Internet, or from someone that has physical access to your (stolen) computer.

You do not have to buy certificates to deploy EFS or IPSec, but you do have to think about keys.  EFS issues itself a self-signed certificate the first time a user encrypts a file if no enterprise CA is available; that works, but recovery and roaming are much cleaner when an enterprise CA issues the EFS certificates and a Data Recovery Agent is published through Group Policy.  IPSec inside a domain can authenticate with Kerberos and needs no certificates at all; certificates come into play for machines outside the forest.  BitLocker uses the TPM, recovery passwords and startup keys rather than certificates, and RMS issues its own licensing certificates to users and machines.  Handling keys in-product does not mean less secure, it just means the product takes care of the process end to end.  Where EFS and IPSec do use certificates, they can come from a commercial CA or from any PKI, including certificates issued by Server 2003 or 2008 Certificate Authorities.

The more I discuss, the more worms I find in the can.  For now, I'm going to call it a night, but I'll continue to talk about the items that are of interest to each of you.  Please let me know where you still have questions and I'll keep fleshing out the details.

Until next time!

Rob

What is BitLocker? What does it do? What does it not do?

What is BitLocker?

BitLocker lets you encrypt the hard drive(s) on your Windows Vista Enterprise, Windows Vista Ultimate or Windows Server 2008 computer.  BitLocker will not encrypt hard drives for Windows XP, Windows 2000 or Windows Server 2003; only Windows Vista and Server 2008 include it.  BitLocker volumes are encrypted with AES using a 128 bit or 256 bit key (the default is 128 bit with the diffuser), which is plenty strong to protect your data in the event the computer is lost or stolen; the real risk is the key, so guard the recovery password and any startup key the way you would guard the data.  BitLocker protects your hard drive from offline attack.  This is the type of attack where a malicious user takes the hard drive from your mobile machine and connects it to another machine to harvest your data.  BitLocker also protects your data if a malicious user boots from an alternate operating system, because on a TPM-protected machine the TPM releases the volume key only if the boot components it measured are unchanged.  With either attack method, the drive is unreadable to someone who has physical access but not the key.  Now if you are a network admin and you need to harvest data from a hard drive when a machine fails, our tools include the functionality to prompt the admin for the recovery password so the hard drive can be accessed.  We've done a good job at ensuring the data does not end up in the wrong hands, while making it easy for authorized users to access the data in the event of a failure.

What does BitLocker do?

Again, BitLocker encrypts the hard drive(s) to protect the operating system and its data from offline attacks.  Server 2008, Windows Vista Enterprise, and Windows Vista Ultimate all include BitLocker functionality.  Windows Vista Business Edition and the Home Editions do not include BitLocker.  The RTM version of Vista only allows BitLocker encryption of the operating system volume (normally C:).  SP1 for Vista adds the ability to encrypt the data volumes belonging to the Vista machine as well.  Server 2008 includes the ability to encrypt all of its attached hard drives too.  BitLocker on a Server 2008 server might not make sense for your servers in the Data Center, but using BitLocker on servers in remote offices makes a lot of sense.  How many remote offices have their servers in secure Data Centers?  They don't!  If you're lucky, your server sits in a locked closet.  If you're unlucky, it sits under someone's desk.  Deploying BitLocker to these machines makes perfect sense because if those machines are stolen, their data is encrypted and protected from the types of attacks that they would be exposed to.  Another piece to protect these remote servers is the Read Only Domain Controller functionality.  I won't go into it here, but it gives you the ability to provide fast logon experiences for your remote users while ensuring that domain credentials are not stored on the remote office server, except for the accounts whose passwords you explicitly allow it to cache.
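Here is an added example, not code from the original post, of turning BitLocker on with manage-bde.wsf, the script that Vista SP1 and Server 2008 ship in System32 (the manage-bde.exe command only arrives with Windows 7 / Server 2008 R2).  It protects the OS volume with the TPM plus a recovery password, adds a data volume that the OS volume unlocks automatically, and captures the recovery password and protector ID for escrow.  Assumptions: the TPM is enabled in firmware, the disk already has the separate active system partition that Vista BitLocker requires, E: is a data volume, and the escrow file path is made up for the example.

```powershell
# Added example (not from the original post): enable BitLocker on Vista SP1 / Server 2008 with
# manage-bde.wsf, then capture what you need for recovery.
# Assumptions: TPM enabled, separate system partition present, E: is a data volume, paths are
# assumptions. Run as a local administrator.

$mbde = "$env:SystemRoot\System32\manage-bde.wsf"

# 1. Current state of every volume: encryption percentage, protectors, lock status.
cscript //nologo $mbde -status

# 2. OS volume: TPM protector plus a numerical recovery password. The 48-digit password printed
#    here is the only way back in if the TPM is cleared or the board is replaced; capture it.
$out = cscript //nologo $mbde -on C: -RecoveryPassword
$out
$recovery = $out | Select-String -Pattern '(\d{6}-){7}\d{6}' |
            ForEach-Object { $_.Matches[0].Value } | Select-Object -First 1
if (-not $recovery) { throw "No recovery password found in manage-bde output; do not reboot yet." }

# 3. Data volume: its own recovery password, then auto-unlock so the OS volume opens it and the
#    user never sees a prompt. The recovery password still matters if C: is ever rebuilt.
cscript //nologo $mbde -on E: -RecoveryPassword
cscript //nologo $mbde -autounlock -enable E:

# 4. Protector IDs. The GUID next to "Numerical Password" is what the help desk will ask the
#    user for during recovery, so it belongs in the escrow record beside the password.
$protectors = cscript //nologo $mbde -protectors -get C:
$protectors

# 5. Escrow. In a domain, prefer the Group Policy setting "Turn on BitLocker backup to Active
#    Directory Domain Services" (needs the Server 2008 schema, or Microsoft's schema extension
#    for Server 2003 DCs) so the password lands in AD automatically. The line below is the
#    non-domain fallback; write it to removable media, never to the disk being encrypted.
"$(Get-Date -Format s)  $env:COMPUTERNAME  C:  $recovery" |
    Out-File -Append 'F:\escrow\bitlocker-recovery.txt'     # F: assumed to be removable media
```

Encryption runs in the background after step 2 and the machine can be used normally; manage-bde.wsf -status shows the percentage climbing, and the volume is not fully protected until it reports 100% and "Protection On".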

What does BitLocker not do?

BitLocker does not protect the computer's contents while the operating system is running.  Again, BitLocker is built for offline attacks; once the operating system is up and running, the volume is unlocked, and it is Windows Vista's own access controls that protect your data from unauthorized access.  When Vista is up and running, unauthorized access can come in the form of:

  1. A malicious user trying to log onto the local computer.  Windows Vista can protect itself by enforcing strict password policy and complexity, plus account lockout.  Please ensure that if your data is important enough to encrypt, you also require complex passwords and/or two factor authentication.  Two factor authentication takes simple or easy to guess passwords out of the equation as a way in, because the password alone is no longer enough.
  2. A malicious user connecting to the computer over the network to harvest data from the local computer.  If the user has access to your physical network, the malicious user can try to connect to your machine over the network.  Strict user permissions on the local machine, the Windows Firewall with only the inbound exceptions you actually need, and least privilege across your network as a whole all limit what a malicious user can reach; remember that a volume which is unlocked while the machine is on is no defense against a compromised account.

Other ways to protect your data:

RMS, EFS, IPSec.  I'll give you more detail in my next post.

Until next time!

Rob

Microsoft's Social Presence at Bonnaroo

I'm on vacation this week, but I was at Bonnaroo last week and wanted to drop everyone a note to let you know that Microsoft did a great job at connecting to the Bonnaroo crowd.  Microsoft had two big tents and one small tent.  The small tent was located in the market near the main square, not far from the fountain.  This is where all of the vendors and organizations setup so they could interact and sell their items to the attendees.   The "small" Microsoft tent was actually two tents connected and it hosted some of the charities we sponsor with our "i'm connected" campaign.  Check this out.  When you send mail with Windows Live hotmail or IMs with Live Messenger, we donate to one of the listed charities.  All you do is signup and keep IM'ing.  You can pick the charity that benefits, it's easy to setup, and it's all for doing the same things you do today!

The two big tents were each air conditioned and had plenty of Zunes to listen to, Xbox 360s to play with, and laptops to connect the attendees to the Internet.  The attendees could check their mail and sign up for the i'm connected campaign.  I liked that Microsoft and our charities had plenty of give-aways.  We gave away practical items that people actually used.  We gave out Xbox 360 frisbees, I saw a lot of people playing frisbee.  We gave out cloth grocery bags so we can stop using disposable grocery bags that fill our landfills.  We also gave away sun screen.  This was a hit!  It was plenty hot and there was plenty of sun.  People were touching up their sun screen throughout the day, so the Microsoft sun screen fit the bill nicely.  It's super to see Microsoft connect with the attendees like we used to connect with people in the past.  It makes us more human and less corporate.  In the "i'm connected" tent, you were even able to have your picture made on the "big stage".  Check out my ugly mug!


OK, so maybe I need to work on my guitar skills some, but half the battle is just doing it...  Right?

I have a personal blog where I posted my thoughts during Bonnaroo, but I want to be clear that these are my opinions, not the opinions of Microsoft.  You can find my personal blog here

Until next time!

Posted by rwagg | with no comments

Dynamics Partner Events

I wanted to make sure you were aware of these great events.  This is a super way to help meet customer needs with a much shorter sales cycle. 

Build your business with Microsoft Dynamics solutions!

Get useful tips and product information that will help increase your sales of Microsoft Dynamics CRM 4.0. This latest version will help your customers:

•Stay connected and make more informed decisions.

•Reduce sales cycles and increase marketing effectiveness.

•Ensure effective targeting and deploy sales resources efficiently.

We’ll also outline customer service strategies that can help you deepen customer relationships and stay competitive.

6/17/08 – Cincinnati, OH

6/19/08 – Pensacola, FL

6/24/08 – King of Prussia, PA

6/26/08 – Colorado Springs, CO

Register now at www.MicrosoftDynamicsEvents.com!

Until next time!

Rob

Posted by rwagg | with no comments

Bank loses tapes with data on 4.5M clients

Connecticut AG blasts BNY Mellon for failing to notify victims for three months

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9091318&source=NLT_PM&nlid=8

May 30, 2008 (Computerworld) Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.

Can you believe it?  This has to stop!  How can we have faith in any organization that cannot protect our personal information??  The scary part is that these disclosures always come in groups.  What's next?  Of course it's easy to criticize someone else's mistakes, but how do we put a stop to this?  If you don't know by now, Microsoft has a backup solution that allows you to encrypt tapes, and we have a solution to encrypt the hard drives on mobile machines and servers.  We've been able to provide encryption solutions for a very long time.  The technology has been available for a while.  There are plenty of other companies that can also encrypt your hard drives and your data.  It's not about encryption, it's about process.  People, Process, and Technology... Remember all three.  The technology exists, but we need to educate the people and we need to define clear process! 

You don't know how many times I've heard "We need encryption".  What does that mean?  There's more to it than just encryption; we need to understand what needs to be encrypted and why.  What data is important and what data is not?  I'm not trying to throw sand in the gears of progress, but we need People to think about what needs to be protected.  Once we define what needs to be protected, then we need to define Process to ensure that we can consistently encrypt that information without adding additional burden to the business.  If encryption is deployed the right way, only the users that have no business accessing your data will encounter encryption problems.  Encryption can truly be seamless to your users.  Yes I said it!  Encryption can and should be something that your users do not "have problems" with.  EFS and BitLocker can be deployed with no user knowledge at all!  RMS can also be seamless in conjunction with SharePoint, but it is also OK for the users to know they are encrypting data.  It's hard to automate everything that should be encrypted.  We still need users with common sense to make decisions on what is and what is not worthy of encryption.

Remember we have always had the ability to secure our data so securely that our business can never disclose it, but they also have to be able to use the data or it will be worthless.  There must be a reasonable balance between securing the data and being able to use it.  That's the trick.  As you start investigating the plan to encrypt your data, please keep this in mind.  What is your tolerance for risk, vs. agility?  There is a very secure happy medium, and it's not hard to find if you'll spend some time understanding your data and how it needs to be used and protected.

I'll talk more about the solutions we offer, from protection of your data while in transit (RMS) to the encryption of your data stored on a file server (EFS), to full drive encryption with BitLocker.  BitLocker is part of Windows Vista and Server 2008.  BitLocker allows you to encrypt the hard drives on your computers or servers.  If your hard drives are lost or stolen, the data cannot be read without the recovery password or the TPM that protected it, which is why the recovery information has to be escrowed somewhere other than the machine itself.

My point isn't to say that you must deploy RMS, EFS or BitLocker tomorrow, but if you have not had the data encryption discussions yet, please start those tomorrow!  Do it in phases...  If you have sensitive data on your servers that only a few people should have access to, EFS might be a quick and easy first step.  We even have a Solution Accelerator for mobile PCs that discusses encryption with EFS and BitLocker.  Please check out our Data Encryption Toolkit for Mobile PCs, it will get you started.  Just as an FYI, I run Windows Vista on both of my tablets and both use BitLocker to encrypt their hard drives.  BitLocker is totally transparent to me as an end user, very easy for me to implement (as a user or admin), and gives me 100% recovery if I have a computer failure.  Of course, if my hard drive fails, my data is just as lost on a drive encrypted with BitLocker as it is on a drive without BitLocker.

For those hard drives that "partially" fail, we offer tools that will let you recover data off of drives encrypted with BitLocker, provided you still have the recovery password.  The process is very straightforward and very secure, so please don't let that hold you back.  If you have questions, ping me, I'm happy to help with BitLocker and your encryption discussions.

Until next time!

Rob