Windows “Longhorn” Webcasts

Microsoft has posted a series of links for upcoming and on-demand webcasts about the upcoming Windows "Longhorn" product.  I’d recommend that consultants and proactive administrators take a look.

"Learn how the Windows Server code name "Longhorn" operating system helps IT professionals maximize control over their infrastructure while providing unprecedented availability and management capabilities, to deliver a significantly more secure, reliable and robust server environment than ever before".

Using WinRE to Repair Missing File on Vista

The WinRE team have posted instructions on how to repair a boot failure on Windows Vista due to a missing file.  Here’s a quote from the post:

"To repair your computer using Startup Repair follow these steps:

  1. Boot into Vista installation DVD
  2. Choose your language settings and click Next
  3. Click Repair your computer
  4. Choose your operating system and click Next. This should bring up System Recovery Options.
  5. Click on Startup Repair

Startup Repair should now start diagnosing your system to identify the root cause of the failure. Once it has identified the root cause, it would automatically start repairing your computer. If you are curious to know what Startup Repair did, you can click on the details link and see which tests Startup Repair ran to diagnose the problem.

After Startup Repair has finished the repairs, click Finish to reboot your computer.

Your computer should now be able to boot normally into Vista!!"

Biometrics – Pah!

Steve Riley mentions a piece done in the new series of Mythbusters, the Discovery Channel show, on his blog.  We have all heard of security conscious organisations that decide to use thumb/fingerprint readers to secure their computer rooms, etc.  We’ve also heard the urban legends"myths" that said systems can be cracked pretty easily.

Well, it appears they can!  The Mythbusters crew succesfully lifted a fingerprint from the reader and made latex and ballistics gel copies of it.  Using these (the latex sheet needed to be licked to work) they were able to succesfully fool the reader.  This was despite the manufacturer claiming that the reader checked pulse, sweat and temperature.  Worse again, they even beat it with a photocopy of a finger print.

As Steve mentions in his blog, biometrics by themselves are not a secure authentication mechanism.  Secure authentication requires two factors such as "What you have" (biometric, smart card, etc) and "what you know" (passphrase, PIN, etc).  Either one by itself can be easilly comprimised but together they are pretty secure.

So, the lesson here is, if your company uses fingerprint readers then you don’t need to worry about your finger being chopped off by attackers … it’s much easier to lift the print at the scene.

UK Customs & Excise Scanning Laptops

The BBC has reported an interesting story.  It appears that the UK’s Customs & Excise department is scanning the laptops of suspected offendors for illicit materials, namely offensive pornography.  Wanting to prevent the import of offensive materials is an appladable desire.  However, given that certain nations, including some in the EU, have a history of using government agencies to perform industrial espionage to aid their native companies, I do have a problem with this action.

Interestingly, the person who reported this story said their laptop could not be scanned by the agents on hand because it was an Apple.  The agents had no idea what encryption was either.

So, if you do not want company secrets to be stolen by a governement agency of some nation, make sure you encrypt your laptops hard disk.

Microsoft Catches Up With RIM Blackberry

The Register has published a whitepaper that describes how Microsoft has caught up with RIM in the marketing of push email technology.  Until Service Pack 2 for Exchange 2003, no one was able to match up with RIM.  Sure, there were alternatives but RIM had the name: Balckberry.  Every director and senior manager wanted a Blackberry.  This all sounds great but hold one a second… there’s some problems:

  • You have to pay money to subscribe to the RIM network for pushing your mails out.
  • If you use RIM then your mails are travelling across their network and their servers.

That last one is a real stickler.  You may have been able to offer alternative solutions but they still had license costs and you still had to beat the name "Blackberry".  Plus, let’s face it, non-Blackberry devices were a dog to use until recently.  You were probably talking about having to use a brick of a PDA and who really wants to revisit the 1980’s … I prefer to forget that decade happened.

With Service Pack 2 for Microsoft Exchange 2003, Microsoft included a new feature for pushing email out to Windows enabled smartphonnes and PDA’s.  Secure push email from within Exchange was now possible.  You didn’t need to use another companies service or network.  You also could reduce your licensing costs.  Simultaneously, phone manufacturers worked with Microsoft to develop better devices that would be more appealing to the target market.  Now a director can use a feature rich smart phone that is no bigger than a normal mobile/cell/handy phone.

MS Push Email offers other features too.  A PIN policy can be enforced on the devices.  This offers basic security to lenghten the time it takes to access data on a device without the owners permission (real security requires encryption).  Furthermore, if a device is lost or stolen it can eb reported to IT or the security officer.  With this notification, Exchange administrators can send a signal to the device to wipe itself, thus preventing unauthorised access of data.

The message was very slow to get out to the typical sys admin or CIO.  It appears that it’s finally getting out there but the uptake does appear to be slow in Ireland.  That’s a pity because it would be a shame not to use the free and secure solution that Microsoft have provided.

There’s loads of information on the net on how MS push email works and how to deploy it.  Here are some links:

Finally, Nathan Winters (in the UK) has set up the Microsoft Messaging & Mobility User Group UK.  The intention of this group is to share information and to inform people on how to make the best use of the technologies that Microsoft has provided in making the information worker a mobile worker.

Technet Magazine: September 2006

Are you using MOM 2005 or SMS 2003?  Do you want to learn more about how these products can be used to do more while you do less?  If so, I highly recommend that you read the free online edition of TechNet Magazine.  This month’s edition feature articles on SMS 2003 and MOM 2005.

Articles include:

  • Using WMI with MOM
  • Zero Touch Installations
  • Getting to know Windows PE
  • Using MOM for SOX compliant security auditing
  • System Center Operations Manager 2007 (aka MOM 2007)

When correctly deployed and used, MOM and SMS in conjunction with Windows 2003/2003 R2 can really make life simpler for the systems administrator.  I’m speaking from experience here.  In a past job, my team (3 of us) ran a global network of 170 servers.  Most of our time was spent on engineering for new projects/systems instead of firefighting or sneakernet deployments.  This would have been impossible without the solutions we had deployed.

Windows 2003 Service Pack 2 Beta Technical Refresh

Microsoft has released a Technical Refresh of the Service Pack 2 beta for Windows 2003/2003 R2.  The following was posted on Connect.

"Windows Serviceability is pleased to announce the release of Beta Refresh 1 (build 2786) of Windows Server 2003 Service Pack 2 for Windows Server 2003 and Windows XP Professional x64 Edition customers.

This build contains:

  • Roll up of hotfixes released to date
  • Roll up of security updates released to date
  • Fixes for bugs reported by Beta customers and other known issues on previous Service Pack 2 builds

This build should be used for full deployment purposes, including pre-production testing or general compatibility testing. We will review all reported issues in the Release Candidate build. In order to have a stable test environment we strongly recommend un-installation of any previous SP2 builds from your machines before installing build 2786. If you previously installed an integrated build of SP2, you cannot upgrade your system to build 2786 with this refresh; you will need to re-install a released version (RTM, SP1, or R2) of Windows Server 2003 before upgrading to build 2786. Go to to find an evaluation copy of Windows Server 2003 Service Pack 1.

Release notes for this build can be found at

Here is the list of releases; note that there are no integrated releases with this build:

32-bit x86 standalone update: English, German and Japanese
x64 standalone update: English and Japanese
Itanium standalone update: English, German and Japanese
Checked update for English only (debug version)
We encourage you to continue WS03 SP2 Beta testing with this build and provide feedback".

The feature in this Serivce Pack I’m most interested is Windows Deployment Services.  An image based system, WDS is a replacement for RIS and will be one of the deployment mechanisms for Windows Vista.  Any organisation facing a potential deployment of Vista should review this new solution.

Microsoft Forefront Client Security

Back in 2003, Microsoft unoffically notified the world of their intention to venture into the world of anti-virus and anti-malware solutions by buying out Romania-based antivirus firm GeCad.  The world waited but nothing happened.  Then Microsoft bough Giant, an anti-spyware provider.  We waited and then got a limited functionality product called Defender that has been in a never ending beta.  More recently, Microsoft bought out Sybari, the famed e-mail anti-malware solutions provider.  This past July, Microsoft Antigen 9.0 made its debut.  Antigen for Exchange featured a new anti-virus engine that had not ben seen before, one from Microsoft!

Details of what Microsoft was doing on the server and desktop anti-malware world slipped out here and there.  They were definitely developing a solution.  It was rumoured that Windows Update and/or WSUS could be a deployment mechanism, something that many would like as it would simplify deployment systems.

Microsoft recently announced the start of the public beta of Microsoft Forefront Client Security saying that it would provide:

"Unified malware protection for business desktops, laptops, and server operating systems that is easier to manage and control. Built on the same highly successful Microsoft protection technology already used by millions of people worldwide, Forefront Client Security helps guard against emerging threats, such as spyware and rootkits, as well as against traditional threats, such as viruses, worms, and Trojan horses. By delivering simplified administration through central management and providing critical visibility into threats and vulnerabilities, Forefront Client Security helps you protect your business with greater confidence and efficiency. Forefront Client Security integrates with your existing infrastructure software, such as Active Directory, and complements other Microsoft security technologies for better protection and greater control.

Forefront Client Security is currently in development. Microsoft plans to make a public beta of the product available to customers in the fourth quarter of 2006. Pricing and licensing will be announced at a later date.

The benefits offered by Microsoft Forefront Client Security include:

  • Unified Protection: Forefront Client Security delivers unified protection from current and emerging malware, so you can feel confident that your business systems are better protected against a broad range of threats.
  • Simplified Administration: Forefront Client Security provides simplified administration through central management, so you can protect your business with greater efficiency.
  • Critical Visibility and Control: Forefront Client Security produces insightful, prioritized security reports and a summary dashboard view, so you have visibility and control over malware threats".

The solution includes anti-virus and anti-spam prevention mechanisms and mangement.  Based purely on description, this looks like Microsoft will jump straight into competition with Spohos, a leader in this field.  It will be interesting to monitor how things develop.

Best of MMS TechNet Roadshow – Dublin

Microsoft TechNet Ireland has just started advertising a free day of briefings on some of the new System Center products including those available now and those that are coming next year.  It will basically consist of some of a main sessions from the MMS conference that was held earlier this year in the U.S.

This TechNet event will be a very technical covering the following topics:

  • Optimising your infrastructure with Microsoft System Centre
  • MOM 2005 and System Centre Operations Manager 2007 technical drilldown
  • SMS 2003 R2 and System Centre Configuration Manager 2007 technical drilldown
  • Operations Management with System Centre Products
  • Protecting your data with Systems Centre Data Protection Manager

Sessions will cover one or more of the following scopes on a specific topic:

  • Deep drill technical drilldown into current or future of the products and technologies
  • Best practices for common real-world scenarios covering the lifecycle of solutions
  • Comparisons between different solutions available – such as SMS and WSUS patch management
  • Real-world experience (‘Tips and Tricks’) from Microsoft and non-Microsoft consultants and customers