Virtual PC 2007 RTM and Free to Download

Microsoft released the freely available Virtual PC 2007 today.  A 64bit and a 32bit version can be downloaded.  From the little of the beta that I saw, anyone used to the 2004 version will not have a big shock.  The big change from 2004 is the added support of Windows Vista.

This product is free.  I will say it again.  FREE!  There is absolutely no reason that anyone working in mdium to large scale IT infrastructure should not have something like this on their PC for testing:

  • AD scenarios
  • Application packaging
  • OS deployment
  • Application distribution
  • Application testing

I will admit that I am hooked to VMware snapshots so that’s the way I’ve gone.  But I have happily used Virtual PC 2004 (in fact I bought it for my team the week it was initially released, way back when).  Virtual Machines have saved my bacon so many times I can’t count them.  In fact, every whitepaper I’ve written and every presentation I’ve given in the last year have been based on virtual machines.  Go to a confenerence like IT Forum, TechEd, MMS, WinConnections and you’ll see almost nothing but VM’s on the big screens.

If you’re not using this software, do yourself a massive favour and download VPC 2007 now and see what it can do for you.

Disable Command Prompt in Windows PE

Bink posted an interesting article last week about a possible security vulnerability in WDS during client deployment.  The issue is that some organisations allow ordinary non-admin users to build their own PC’s using the PXE boot and the WDS client.  The machine builds but the user has no input as to what is installed and has no admin rights.  But, if you press the right key sequence while the Windows PE (WDS) client is running, the user can launch command prompt with complete access on the system so they can do what they want on the system.

There’s a fix at the end of the article to dscribe how you can disable the command prompt for your boot clients in WDS.  It looks like they copied this from a Microsoft KB article.

Credit: Bink

Microsoft Ireland: Dublin Business Intelligence Event

Technet Ireland have arranged an event centred on Business Intelligence using SQL Server 2005 and Microsoft Office System to be held on the 7th of March in the Morrison Hotel in Dublin.  It’s a day long event with some special speakers flying in from MS US:

  • Using Integration Services to solve large scale data integration and transformation challenges.
  • Best practices for upgrading to SQL Server 2005 Analysis Services.
  • Design your Analysis Services objects for enterprise scalability and performance.
  • Best practices for upgrading your reports and the report server to new version.
  • Tips and tricks for running reporting in an enterprise environment.
  • Overview of new Business Intelligence capabilities of Sharepoint and Excel.
  • Interaction of Sharepoint, Excel Services and Excel with Analysis and Reporting Services.
  • Building and managing scorecards with Business Scorecard Manager.
  • Enabling advanced analytics with Proclarity Analytics Server.
  • How PerformancePoint Server will integrate scorecarding and analytics with budgeting and planning capabilities.

A shocking number of people are unaware of the solutions that Microsoft Office System (Office, Infopath, Project Server, Sharepoint, etc) and SQL can provide.  And these are just a small number of the products that Microsoft provides in this huge market space.  I can’t claim to be an expert, far from it, because this is a huge area that requires complete dedication.  Just ask the countless organisations that are spending huge budgets on SAP implementations that never seem to end.

I’ve seen people try to reinvent the wheel because they haven’t done research, e.g. a 2 man team spending 24 man-months to develop an Apache based web server that hosted queries/reports of a SQL 2000 datawarehouse … exactly what the free IIS based SQL Reporting Services does!

If obtaining, making available, reporting and analysing data is important to you then make it a point to attend this event.

Volume Activation Management Tool 1.0

VAMT 1.0 was released by Microsoft last night to help administrators with bulk activation and management o Windows Vista and "Longhorn" Multiple Activation Keys (MAK).  This x86 program is available for download now.  A MAK is a license key where computers are activated one at a time but require only one activation for that build. 

Features include:

  • MAK Independent Activation: Each computer is individually connected and activateed with Microsoft via network or telephone connections.
  • MAK Proxy Activation: One centralized activation request is sent on behalf of multiple computers with one network connection to Microsoft.
  • Activation Status: Monitor  the activation status of Windows Vista and Longhorn Server computers on your network.
  • Remaining MAK activations: The current remaining activations associated with a MAK key.
  • XML Import/Export: Export and import data in an XML format to allow you to activate computers in disconnected environment scenarios.
  • Local reactivation: Enables reactivation of computers that have been rebuilt or reimaged by applying a Confirmation ID.

Microsoft Identifies 5 Security Technologies to Watch

I quickly read through an article on the Microsoft "Midsize Business Center" that lists 5 security technologies that we should watch.  They are:

  1. USB Authentication Tokens: The idea here is that we use USB tokens instead of smartcard to implement a 2-phase PKI authentication solution.  The two phases consist of what you have (physical control of a token) and what you know (a 4 digit PIN).  Smartcards have not worked out so well because vendors have come and gone and it requires buying card readers.  All PC’s have USB slots and new ones make them accesible on the front of the case.  I’ve used an EToken device before for VPN access.  We probably had failures on around 1/3 of them.  Deployment was not so easy.  This technology will probably improve.
  2. Built-In Biometrics: This one keeps coming back.  I think too many people watch bad spy movies.  Biometrics are not secure and are not reliable.  You have to place your hand/thumb print down exactly the same way every single time.  This can be fun when you’re in a hurry.  Then there’s the possibility of faking a print.  It can be done as was shown on the Mythbusters TV show.  There are claims that sensors look for temperature and moisture but this can all be bypassed with a simple thin mould placed over the attackers thumb of the valid users thumb print that is lifted from the reader itself.  I once worked in a place where access to the computer room was only granted by thumbprint.  It usually took several attempts to get in.  Again, maybe things will improve but I doubt it.
  3. Self-Encrypting Hard Drives: The idea is that the hard drive encrypts itself.  Nice idea.  But I would require some sort of software control that allows centalised management of user access and password/pin resets.  can you imagine a phone call from a director or government minister at 03:00 from half way aroudn the world because they can’t boot up their encrypted PC and you couldn’t give them access?  Have a look at Safeboot.  It works nicely.
  4. Security-Aware Web Browsers: Your web browser is supposed to try protect your PC from your mistakes.  IE7 works like this.  The problem is, as the best security experts tell us, most holes in security lie somewhere between the keyboard and the chair.  Until there are only security-aware users, there will always be problems.  IE7 and Windows Vista made great strides in advising users but some people just don’t want to listen.
  5. Mobile Device Security: I’ve been harping on about this one for ages.  If you want to carry out espionage, then you want to get access to devices that are used by senior people, e.g. directors or ministers.  These people usually have only one type of data: e-mail.  They rarely type anything of interest.  Everythign that can be used against them or their orgainisation is sitting in their mailbox.  We may secure access to the mailbox and encrypt their laptops but they often don’t even use them.  I’ve had directors who had computers in several countries and never logged into them, even when they were sat at the desk.  Their device of choice was a PDA or smartphone.  And what happens to be on there completely unsecured?  Everything they hold dear, their mailbox.  Often there’s no pin and there is rarely any encryption.  I’ve seen some talk about encyrpting SD cards but that is not enough.  All internal storage needs to be protected.  PIN numbers and remote wiping should also be implemented.  Check out Safeboot to see what they can do for you.  I’ve tried it out and it worked nicely.

Fundamental Computer Investigation Guide for Windows

Microsoft published a step-by-step guide on how to investigate a suspected computer crime on your network.  I’ve only had time to have a quick glance but it looks pretty good.

Be careful if you are invovled in this sort of thing.  This stuff is a legal minefield.  You cannot go trouncing around stikning your nose in peoples business or retaliating to suspected attacks.  The link I followed to this document dtated this guide was intended for US customers.  The law in the US does appear to be on the side of the company, i.e. the owner of the infrastructure.  Things can be very diffferent in other jurisdictions, e.g. in Ireland there is still a grey and untested (in court) area between the right to privacy for employees and the requirement of the company to apply the law and protect shareholders.  In places like Germany, it’s very clear that you must have solid evidence of a problem before you start an investigation.

To quote an old TV show, let’s be careful out there.