Monitoring Employee Activity May Be Illegal

ENN is reporting that an EU court has ruled that monitoring a user's usage of company communications resources at work for private purposes is illegal.

The alleged offense took place in Wales, a UK jurisdiction, and the ruling body was the European Court of Human Rights.  This landmark decision will impact jurisdictions that did not protect employee rights, e.g. Ireland, where our laws are pretty similar to those in the UK.

Anyone who was running pan-European infrastructure should already be aware of differing local legislation.  In Germany, you can’t monitor web usage or connect to a user’s PC in any fashion without their permission.  In Italy, everything is considered private.

In Ireland, we’ve had two contradicting laws.  The employee's right to privacy is defined.  But so is the corporate requirement to monitor usage to protect company interests.  Some industry regulations absolutely require it, e.g. it’s not unusual to see phone recording in place in trading houses to record oral contracts, many organisations record email, etc.

Now we’ve got a ruling from the EU to muddy things up.  What’s to be done?  I’ve seen one organisation plan an "Internet cafe" on a different network where users could use it for private, unmonitored and unrestricted usage.  Is this going to become common practice for every form of electronic communications where there are regulations demanding monitoring that contravenes an employee's right to privacy as defined by this ruling?  Will all employees end up with two phones on their desks?

It’s all pretty nuts if you ask me.  I could be considered pretty liberal but my thinking is that if you are using company communications resources then the company should have a right to monitor them so that it doesn’t get sued or prosecuted for illegal activity or negligence.  If you want to do something that you don’t want monitored then do it on your own phone or at home.

There is, however, an interesting line in the ruling from the court:

"The applicant in the present case had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy of calls made from her work telephone. The same expectation should apply in relation to the applicant’s e-mail and Internet usage."

Does this mean that if you have informed employees prior to giving them communications resources that they will be monitored then everything is OK?  I’ve always been in favour of combining an Internet/email/phone access form (with information about monitoring) with the employee contract.  The logic of the above quote would imply that this would protect the employer.

As always … consult the necessary legal experts for the jurisdictions you must cover.

Credit: ENN.

Microsoft Updates: April 2007

Patch Tuesday has just passed.  The following updates are available from Microsoft Update:

Critical
  • MS07-018: Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939) – Content Management Server 2001, Content Management Server 2002
  • MS07-019: Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261) – Windows XP Home Edition, Windows XP Professional, Windows XP Professional 64-Bit Edition
  • MS07-020: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168) – Windows 2000 Server, Windows 2000 Professional, Windows 2000 Datacenter Server, Windows 2000 Advanced Server, Windows XP Home Edition, Windows XP Professional, Windows XP Professional 64-Bit Edition, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows Server 2003 Datacenter Edition for Itanium-based Systems, Windows Server 2003 Enterprise Edition for Itanium-based Systems, Windows Server 2003 Datacenter x64 Edition, Windows Server 2003 Enterprise x64 Edition, Windows Server 2003 Standard x64 Edition
  • MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178) – Windows 2000 Server, Windows 2000 Professional, Windows 2000 Datacenter Server, Windows 2000 Advanced Server, Windows XP Home Edition, Windows XP Professional, Windows XP Professional 64-Bit Edition, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows Server 2003 Datacenter Edition for Itanium-based Systems, Windows Server 2003 Enterprise Edition for Itanium-based Systems, Windows Server 2003 Datacenter x64 Edition, Windows Server 2003 Enterprise x64 Edition, Windows Server 2003 Standard x64 Edition, Windows Vista, Windows Vista x64
Important
  • MS07-022: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784) – Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition

New SoftGrid Releases

Bink is reporting that there are two releases for SoftGrid on the way.  SoftGrid 4.1 will be upgraded by Service Pack 1.  This will include hotfixes and critical updates and increase stability and compatibility.  MS will release the Sequencer, Desktop, Client, Terminal Server Client and Server all at the same time in around April or May.

SoftGrid 4.2 will be a desktop only release, i.e. not for Terminal Server.  It will include Vista support for the sequencer and the client.  Expect to see a release around July.

Credit: Bink.

TechNet Magazine: April 2007

The April edition of this free online magazine is available to read.  The focus is on infrastructure management and administration.

Administration:

  • Disaster Recovery: AD users and groups.
  • Windows XP Embedded

Management:

  • System Center Capacity Planner: Estimate and plan your infrastructure using modeling.
  • Advanced client inventories using SMS.
  • SMS 2003 R2 Inventory Tool for Custom Updates (also see my whitepaper).

Windows Server Deployment (WSD) Solutions Accelerator

Bink reported that Microsoft is working on a server version of the BDD 2007 toolkit.  It will be available in Q1 2008.  It will support W2003 and Longhorn.  It will also integrate with Configuration Manager 2007 (note that Windows Deployment Services is integrated with CM 2007 Beta 2 for desktop deployment).

There will be a series of beta releases.  We will see an early release this summer for Longhorn Beta 3 and CM 2007 which should also RTM around then.  Beta 2 will be out around Q4.

My gut is telling me that this will be the successor to the little-known Automated Deployment Services (ADS).  I’ve used this image-based solution before for deploying servers.  It’s complicated but very powerful if you choose to use the full functionality of the product.

Source: Bink

Taoiseach’s Office Laptop Stolen

The Irish Independent is reporting (free sign-up required) that a laptop was stolen from the constituency office of the Taoiseach (the prime minister of Ireland).

This story reinforces how important it is to implement roaming device security.  I’ve talked about this sort of thing over and over before but here we go again …

First, let’s get something out of the way.  Security is the opposite of usability.  You must find the right balance between the two.  This is not usually a one-size-fits-all policy.  I’m not saying that you should treat every person/computer differently.  That’s the sort of madness that only overzealous (in)security offices come up with.  Create a set of policies that cover a reasonable number of scenarios and clearly document and communicate them.

Physical security cannot be guaranteed for roaming devices, even in your own office.  I’ve known a finance company in London where burglars dressed as cleaners walked past a dozing security guard and walked away with every laptop they had time to find.  You can try to use security cables but these can be cut by someone who is prepared.  This might not include the casual burglar but anyone targeting your data will be prepared.  Don’t think this is realistic?  Hah!  Aren’t you naive!  If your business data is valuable to you then it’s way more valuable to your competitors.  I’m not saying you need to lock down every roaming device but you might want to consider it for those with critical data.

Any roaming device with sensitive data that cannot be physically secured should be encrypted.  Let’s look at that sentence:

  • A roaming device is not just a laptop.  There are laptops, tablet PCs, PDAs and mobile/cell/handy phones.  Each of these is capable of storing sensitive data.  We often think of securing laptops and tablets but we rarely consider the device that is not only most likely to be used by directors, government ministers, etc. (the mobile phone or PDA) but is also most likely to be stolen or lost.
  • Sensitive data … ask a user if they have sensitive data on their PDA or laptop and they’ll say "No … I just use it for email".  That there is the most sensitive data.  Look at the major corporate lawsuits or political scandals these days and what documentation is being used?  Email.  What is the only IT business application that senior management use?  Email.  What is used to share most valuable documentation?  Email.  Anyone using a laptop or PDA for email (which is 99% likely these days) will have a local replica of their inbox and will likely have the attachments (at least the most valuable ones) on local storage.  This must be secured.
  • Passwords are not a long term security solution against a determined attack.  If you store files on a machine and secure them or the machine with passwords, PINs, etc, then access can still be gained with a few easy steps.  Some manufacturers include biometrics but that’s just another password.  A TV show even documented how to bypass this security method.  The only solution is to encrypt the data with a strong algorithm to make it unreadable to unauthorised users.

There are two approaches to encryption:

  • Encrypt the files: Using something like EFS in Windows.  This usually requires some effort on the part of users.  It will not secure mail.  I don’t like it because of the reliance on effort from users.  I prefer things to be completely automated.
  • Encrypt the hard disk:  This encrypts the entire contents of the mobile device.  This is my favoured approach.  Access to the device is secured by physical token or a passphrase.  There is no bypass like with traditional password protection because the data itself is encrypted.
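
The difference between a password that only gates access and encryption that transforms the data itself, as an added example (not from the original post, and not how EFS, BitLocker or Safeboot are implemented). The HMAC-SHA256 counter-mode keystream is an illustrative stand-in for a vetted cipher such as AES; all function names and the sample mailbox text are constructed for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a cached mailbox item on a roaming device.
MAILBOX = b"Subject: Q2 acquisition terms (constructed sample data)"

def derive_keys(passphrase: str, salt: bytes):
    # PBKDF2 stretches the passphrase into separate encryption and MAC keys.
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Illustrative stream cipher (HMAC-SHA256 in counter mode), not a production cipher.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def password_gated_disk(password: str, data: bytes) -> dict:
    # The password is only checked at login; the stored sectors stay in cleartext.
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_keys(password, salt)[0], "sectors": data}

def encrypted_disk(passphrase: str, data: bytes) -> dict:
    # The passphrase produces the key, so the stored sectors are ciphertext.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    sectors = keystream_xor(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + sectors, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "sectors": sectors, "tag": tag}

def raw_sectors(disk: dict) -> bytes:
    # What is physically stored, as read without going through the login prompt.
    return disk["sectors"]

def unlock(disk: dict, passphrase: str) -> Optional[bytes]:
    # A wrong passphrase yields a wrong key: the tag check fails and nothing is returned.
    enc_key, mac_key = derive_keys(passphrase, disk["salt"])
    expected = hmac.new(mac_key, disk["nonce"] + disk["sectors"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, disk["tag"]):
        return None
    return keystream_xor(enc_key, disk["nonce"], disk["sectors"])
```
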

There are plenty of encryption solutions available.  Some versions of Windows Vista include BitLocker for complete disk encryption.  It’s OK if you have the right versions and don’t want to implement a management solution, i.e. for ad-hoc device security.  The downsides are the lack of centralised policy, management and passphrase recovery, and that you must know before you build the machine that you want to encrypt the hard disk because it requires a dedicated partition 0.

I prefer a dedicated solution that will offer centralised deployment, policies, passphrase recovery and cross platform security:

  • Centralised Deployment: From a console, you can deploy your agent to targeted devices.
  • Centralised Policies: You can deploy a preset collection of well defined and managed policies to devices.
  • Passphrase Recovery: What do you do when your boss calls at midnight from Tokyo saying that he forgot his passphrase and needs access to his laptop for a business deal?  If you can’t reset his passphrase using a cross-verification method then you shouldn’t count on being around for much longer.
  • Cross platform support: Remember that you need to secure all mobile devices, not just laptops.  Using a single solution will simplify deployment and management while minimising mistakes.

I like Safeboot for this sort of thing.

Don’t forget document security!  We often focus on device security.  Have you heard of a sales person or manager who is leaving and is caught emailing sensitive documents to their future employer or a personal email account?  I have seen it personally … a few times.  No amount of folder permissions or encryption will stop this because these people need access to these files to do their jobs.  Could you put them on gardening leave when they hand in their notice?  Sure … but if they’re clever they’ll have copied the data before they told their employers about their intentions.  The solution here is to implement file level encryption or authentication using something like Windows 2003 Rights Management Services.  This solution will use a PKI to place encryption on documents or emails so that unauthorised internal or external users cannot read or modify (depending on the security put in place) the document or email.  This secures you against employees copying data externally or deliberate/accidental leaks.

Given enough time with mobile devices on your network, some of them are going to be stolen or lost.  You might have a scenario where a sneaky or unhappy employee tries to copy/leak sensitive data.  If you implement the above solutions then you’ll be able to sit back and watch things, knowing that your organisation is safe.