New SoftGrid Releases

Bink is reporting that there are two releases for SoftGrid on the way.  SoftGrid 4.1 will be upgraded by Service Pack 1.  This will roll up the hotfixes and critical updates and improve stability and compatibility.  MS will release the Sequencer, Desktop Client, Terminal Server Client and Server all at the same time, around April or May.

SoftGrid 4.2 will be a desktop only release, i.e. not for Terminal Server.  It will include Vista support for the sequencer and the client.  Expect to see a release around July.

Credit: Bink.

TechNet Magazine: April 2007

The April edition of this free online magazine is available to read.  The focus is on infrastructure management and administration.

Administration:

  • Disaster Recovery: AD users and groups.
  • Windows XP Embedded

Management:

  • System Center Capacity Planner: Estimate and plan your infrastructure using modeling.
  • Advanced client inventories using SMS.
  • SMS 2003 R2 Inventory Tool for Custom Updates (also see my whitepaper).

Windows Server Deployment (WSD) Solutions Accelerator

Bink reported that Microsoft is working on a server version of the BDD 2007 toolkit.  It will be available in Q1 2008.  It will support W2003 and Longhorn.  It will also integrate with Configuration Manager 2007 (note that Windows Deployment Services is integrated with CM 2007 Beta 2 for desktop deployment).

There will be a series of beta releases.  We will see an early release this summer for Longhorn Beta 3 and CM 2007 which should also RTM around then.  Beta 2 will be out around Q4.

My gut is telling me that this will be the successor to the little known Automated Deployment Services (ADS).  I’ve used this image based solution before for deploying servers.  It’s complicated but very powerful if you choose to use the full functionality of the product.

Source: Bink

Taoiseach’s Office Laptop Stolen

The Irish Independent is reporting (free sign-up required) that a laptop was stolen from the constituency office of the Taoiseach (the prime minister of Ireland).

This story reinforces how important it is to implement roaming device security.  I’ve talked about this sort of thing over and over before but here we go again …

First, let’s get something out of the way.  Security and usability pull against each other.  You must find the right balance between the two, and that balance is not usually a one-size-fits-all policy.  I’m not saying that you should treat every person/computer differently.  That’s the sort of madness that only overzealous (in)security offices come up with.  Create a set of policies that cover a reasonable number of scenarios and clearly document and communicate them.

Physical security cannot be guaranteed for roaming devices, even in your own office.  I’ve known a finance company in London where burglars dressed as cleaners walked past a dozing security guard and walked away with every laptop they had time to find.  You can try to use security cables but these can be cut by someone who is prepared.  This might not include the casual burglar but anyone targeting your data will be prepared.  Don’t think this is realistic?  Hah!  Aren’t you naive!  If your business data is valuable to you then it’s way more valuable to your competitors.  I’m not saying you need to lock down every roaming device but you might want to consider it for those with critical data.

Any roaming device with sensitive data that cannot be physically secured should be encrypted.  Let’s look at that sentence:

  • A roaming device is not just a laptop.  There are laptops, tablet PCs, PDAs and mobile/cell/handy phones.  Each of these is capable of storing sensitive data.  We often think of securing laptops and tablets but we rarely consider the device that is both the one most likely to be used by directors, government ministers, etc. (the mobile phone or PDA) and the one most likely to be stolen or lost.
  • Sensitive data … ask a user if they have sensitive data on their PDA or laptop and they’ll say "No … I just use it for email".  That is the most sensitive data.  Look at the major corporate lawsuits or political scandals these days: what documentation is being used?  Email.  What is the only IT business application that senior management use?  Email.  What is used to share most valuable documentation?  Email.  Anyone using a laptop or PDA for email (which is 99% likely these days) will have a local replica of their inbox and will likely have the attachments (at least the most valuable ones) on local storage.  This must be secured.
  • Passwords are not a long-term security solution against a determined attack.  If you secure files, or the machine they sit on, with passwords, PINs, etc., then anyone who has physical possession of the device can gain access in a few easy steps (booting from removable media or moving the disk into another machine sidesteps a logon password entirely).  Some manufacturers include biometrics, but that’s just another password.  A TV show even documented how to bypass this security method.  The only solution is to encrypt the data with a strong algorithm so that it is unreadable to unauthorised users.

There are two approaches to encryption:

  • Encrypt the files: Using something like EFS in Windows.  This usually requires some effort on the part of users, and it will not secure mail by default.  I don’t like it because of the reliance on effort from users.  I prefer things to be completely automated.
  • Encrypt the hard disk:  This encrypts the entire contents of the mobile device.  This is my favoured approach.  Access to the device is secured by a physical token or a passphrase.  There is no bypass like with traditional password protection because the data itself is encrypted, not just the logon.

There are plenty of encryption solutions available.  The Enterprise and Ultimate editions of Windows Vista include BitLocker for full disk encryption.  It’s OK if you have the right versions and don’t want to implement a management solution, i.e. for ad-hoc device security.  The downsides are the lack of centralised policy, management and passphrase recovery, and the fact that you need to know before you build the machine that you want to encrypt the hard disk, because BitLocker needs a separate, unencrypted system partition to boot from.
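If you do go the ad-hoc BitLocker route, at least check what you have actually got before the laptop leaves the building.  The script below is an added example for this post, not code from the original or from Microsoft; it uses the Win32_EncryptableVolume WMI class that ships with the BitLocker-capable Vista editions (and later Windows versions), must be run from an elevated prompt, and assumes C: is the operating system volume (adjust $OsDrive if not).  For each volume it reports whether protection is on, how far encryption has progressed and which key protectors exist, and it warns when the OS volume is unprotected or has no numerical recovery password, which is exactly the "boss forgot his passphrase" problem described further down.

```powershell
# Added example (not from the original post): inventory BitLocker state via WMI.
# Assumptions: elevated PowerShell on a BitLocker-capable Windows edition,
# and that the OS lives on C:.

$OsDrive   = "C:"
$Namespace = "root\cimv2\Security\MicrosoftVolumeEncryption"

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectors
$ProtectorNames = @{
    0 = "Unknown"; 1 = "TPM"; 2 = "External key (USB startup key)";
    3 = "Numerical password (recovery)"; 4 = "TPM and PIN"; 5 = "TPM and startup key";
    6 = "TPM, PIN and startup key"; 7 = "Public key"; 8 = "Passphrase"
}
# ProtectionStatus codes returned by GetProtectionStatus
$ProtectionNames = @{ 0 = "Off"; 1 = "On"; 2 = "Unknown" }

$Volumes = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume
if (-not $Volumes) {
    Write-Warning "No BitLocker-capable volumes found (wrong Windows edition, or BitLocker not installed)."
    return
}

foreach ($Vol in $Volumes) {
    $Status     = $Vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
    $Conversion = $Vol.GetConversionStatus()                    # ConversionStatus, EncryptionPercentage
    $Protectors = $Vol.GetKeyProtectors(0)                      # 0 = every protector type

    # Translate the numeric protector types into readable names
    $Types = @()
    if ($Protectors.VolumeKeyProtectorType) {
        foreach ($T in $Protectors.VolumeKeyProtectorType) { $Types += $ProtectorNames[[int]$T] }
    }

    $Fields = @($Vol.DriveLetter, $ProtectionNames[[int]$Status],
                $Conversion.EncryptionPercentage, [string]::Join(", ", [string[]]$Types))
    "{0,-4} protection={1,-7} encrypted={2,3}% protectors=[{3}]" -f $Fields

    # The two checks that matter before a roaming device leaves your control
    if ($Vol.DriveLetter -eq $OsDrive) {
        if ($Status -ne 1) {
            Write-Warning "$OsDrive is not protected: anyone who lifts the disk can read it."
        }
        if (-not ($Types -contains $ProtectorNames[3])) {
            Write-Warning "$OsDrive has no numerical recovery password: a forgotten PIN or lost startup key means a lost disk."
        }
    }
}
```

The recovery password check is the one people forget: a TPM-only protector gets the user past the logon screen every day, but the moment the motherboard is swapped or the TPM is cleared, the only way back in is the 48-digit recovery password, and if nobody escrowed it there is nothing to recover.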

I prefer a dedicated solution that will offer centralised deployment, policies, passphrase recovery and cross platform security:

  • Centralised Deployment: From a console, you can deploy your agent to targeted devices.
  • Centralised Policies: You can deploy a preset collection of well defined and managed policies to devices.
  • Passphrase Recovery: What do you do when your boss calls at midnight from Tokyo saying that he forgot his passphrase and needs access to his laptop for a business deal?  If you can’t reset their passphrase using a cross-verification method (confirming their identity by an independent channel before handing over a recovery key) then you shouldn’t count on being around for much longer.
  • Cross platform support: Remember that you need to secure all mobile devices, not just laptops.  Using a single solution will simplify deployment and management while minimising mistakes.

I like Safeboot for this sort of thing.

Don’t forget document security!  We often focus on device security.  Have you heard of a sales person or manager who is leaving being caught emailing sensitive documents to their future employer or a personal email account?  I have seen it personally … a few times.  No amount of folder permissions or disk encryption will stop this because these people need access to these files to do their jobs.  Could you put them on gardening leave when they hand in their notice?  Sure … but if they’re clever they’ll have copied the data before they told their employers about their intentions.  The solution here is to implement file-level encryption and authorisation using something like Windows 2003 Rights Management Services.  This uses certificates and licences to encrypt documents or emails so that unauthorised internal or external users cannot read, forward, print or modify them (depending on the rights put in place), and the protection travels with the file rather than with the folder it sits in.  This protects you against employees copying data externally and against deliberate or accidental leaks, with the caveat that someone who is authorised to read a document can still photograph the screen or retype it; RMS raises the bar considerably, but it is not a substitute for monitoring and for limiting who is authorised in the first place.

Given enough time with mobile devices on your network, some of them are going to be stolen or lost.  You might also have a scenario where a sneaky or unhappy employee tries to copy/leak sensitive data.  If you implement the above solutions then a lost laptop becomes a hardware replacement rather than a data breach, and you can deal with the leaker as an HR problem rather than a disaster.

RTM: System Center Operations Manager 2007 (MOM 2007)

OM 2007, the successor to MOM 2005, has been released.  I’m a huge fan of MOM 2005.  I haven’t had a look at OM 2007 since early betas last Summer but it’s shaped up to be a worthy successor.

The drive towards Microsoft’s Dynamic Systems Initiative continues with OM 2007.  Features from ITIL/MOF are present in the form of service modeling.  Also of interest, Audit Collection Services (ACS) is a new function that collects the important security event log entries from monitored machines into a central database, so an attacker who clears the local log on a compromised box no longer erases the evidence.

There’s way more than I can cover in a single blog post.  I’ll save the electronic rain forest and just give you a few links:

Microsoft Whitepaper: Desktop Optimization Pack for Software Assurance

Microsoft has published a free-to-download whitepaper that discusses the Desktop Optimization Pack and how it can greatly reduce the cost of ownership of a desktop network.

I covered this package when it was first announced.  It includes some great solutions but Microsoft has really made a huge mistake by only making it available to customers of the extremely unpopular and often uneconomic Software Assurance program.

Six Months In …

It’s six months since I started this blog.  Six months ago I decided to get back into the contracting market and launch myself as an independent consultant.  I left a great company (4sol Ltd) but I felt it was the right thing for me at the time.

This blog was launched with the intention of using it as an extension for my CV/resume.  It’s become way more than that.  I think I’m learning more and more and becoming more aware of the marketplace because of my desire to keep the blog up to date.  For that, I’ve got to thank you, the regular readers and RSS subscribers.  I’ve been keeping an eye on my hit rates which have gone up from a few hits a day to thousands in a week.  That has driven me to keep up with how things are developing.

I truly thank each of you for checking out my blog on a regular basis.  I pledge to keep it up to date as much as I can and I’ll keep adding my own appreciation of how things are going rather than just simply regurgitating RSS and news feeds.

By the way, you may have noticed that my other passion in life is photography.  If you’re interested, I recently started a blog of my photographic efforts and knowledge.  I can’t say I’ll ever be able to keep the updates on that blog coming as frequently but I will add the 2 cents that I have … Windows IT Pro’s surveys do indicate that a significant number of IT pros are into photography!