Volume Activation Management Tool 1.0

VAMT 1.0 was released by Microsoft last night to help administrators with bulk activation and management of Windows Vista and "Longhorn" Multiple Activation Keys (MAK).  This x86 program is available for download now.  A MAK is a license key where computers are activated one at a time but require only one activation for that build.

Features include:

  • MAK Independent Activation: Each computer is individually connected and activated with Microsoft via network or telephone connections.
  • MAK Proxy Activation: One centralized activation request is sent on behalf of multiple computers with one network connection to Microsoft.
  • Activation Status: Monitor the activation status of Windows Vista and Longhorn Server computers on your network.
  • Remaining MAK activations: The current remaining activations associated with a MAK key.
  • XML Import/Export: Export and import data in an XML format to allow you to activate computers in disconnected environment scenarios.
  • Local reactivation: Enables reactivation of computers that have been rebuilt or reimaged by applying a Confirmation ID.

Microsoft Identifies 5 Security Technologies to Watch

I quickly read through an article on the Microsoft "Midsize Business Center" that lists 5 security technologies that we should watch.  They are:

  1. USB Authentication Tokens: The idea here is that we use USB tokens instead of smartcards to implement a 2-phase PKI authentication solution.  The two phases consist of what you have (physical control of a token) and what you know (a 4 digit PIN).  Smartcards have not worked out so well because vendors have come and gone and it requires buying card readers.  All PCs have USB slots and new ones make them accessible on the front of the case.  I’ve used an EToken device before for VPN access.  We probably had failures on around 1/3 of them.  Deployment was not so easy.  This technology will probably improve.
  2. Built-In Biometrics: This one keeps coming back.  I think too many people watch bad spy movies.  Biometrics are not secure and are not reliable.  You have to place your hand/thumb print down exactly the same way every single time.  This can be fun when you’re in a hurry.  Then there’s the possibility of faking a print.  It can be done, as was shown on the Mythbusters TV show.  There are claims that sensors look for temperature and moisture, but this can all be bypassed with a simple thin mould, placed over the attacker’s thumb, of the valid user’s thumbprint that is lifted from the reader itself.  I once worked in a place where access to the computer room was only granted by thumbprint.  It usually took several attempts to get in.  Again, maybe things will improve but I doubt it.
  3. Self-Encrypting Hard Drives: The idea is that the hard drive encrypts itself.  Nice idea.  But I would require some sort of software control that allows centralised management of user access and password/PIN resets.  Can you imagine a phone call from a director or government minister at 03:00 from half way around the world because they can’t boot up their encrypted PC and you couldn’t give them access?  Have a look at Safeboot.  It works nicely.
  4. Security-Aware Web Browsers: Your web browser is supposed to try to protect your PC from your mistakes.  IE7 works like this.  The problem is, as the best security experts tell us, most holes in security lie somewhere between the keyboard and the chair.  Until there are only security-aware users, there will always be problems.  IE7 and Windows Vista made great strides in advising users but some people just don’t want to listen.
  5. Mobile Device Security: I’ve been harping on about this one for ages.  If you want to carry out espionage, then you want to get access to devices that are used by senior people, e.g. directors or ministers.  These people usually have only one type of data: e-mail.  They rarely type anything of interest.  Everything that can be used against them or their organisation is sitting in their mailbox.  We may secure access to the mailbox and encrypt their laptops but they often don’t even use them.  I’ve had directors who had computers in several countries and never logged into them, even when they were sat at the desk.  Their device of choice was a PDA or smartphone.  And what happens to be on there completely unsecured?  Everything they hold dear, their mailbox.  Often there’s no PIN and there is rarely any encryption.  I’ve seen some talk about encrypting SD cards but that is not enough.  All internal storage needs to be protected.  PIN numbers and remote wiping should also be implemented.  Check out Safeboot to see what they can do for you.  I’ve tried it out and it worked nicely.

Fundamental Computer Investigation Guide for Windows

Microsoft published a step-by-step guide on how to investigate a suspected computer crime on your network.  I’ve only had time to have a quick glance but it looks pretty good.

Be careful if you are involved in this sort of thing.  This stuff is a legal minefield.  You cannot go trouncing around sticking your nose in people’s business or retaliating to suspected attacks.  The link I followed to this document stated this guide was intended for US customers.  The law in the US does appear to be on the side of the company, i.e. the owner of the infrastructure.  Things can be very different in other jurisdictions, e.g. in Ireland there is still a grey and untested (in court) area between the right to privacy for employees and the requirement of the company to apply the law and protect shareholders.  In places like Germany, it’s very clear that you must have solid evidence of a problem before you start an investigation.

To quote an old TV show, let’s be careful out there.

Use USB Drives In Terminal Services/Citrix

Brian Madden posted an interesting article on how to use a tool to enable users to mount USB drives while logged into Citrix.  Basically, the tool allows the drive to be mounted as a folder within the client file system which is redirected to the server.  I can see how that might be useful for other tasks.

Credit: Brian Madden.

Microsoft Transporter Suite for Lotus Domino

Microsoft just released the Transporter Suite for Lotus Domino.

Transporter Suite configures Directory and Free/Busy interoperability between Lotus Domino 6 or 7 and Exchange Server 2007 and Windows Server 2003 Active Directory and migration of users, mail and applications from Lotus Domino 5, 6 or 7 to Active Directory, Exchange Server 2007 and Windows SharePoint Services 3.0.

Some release notes were also released.

The Microsoft Transporter Suite for Lotus Domino Release Notes contains up to date information that is not included in the Transporter Help file. The Transporter Release Notes augments the Transporter Help.

The Exchange team were quick to post a blog entry.