May 2008 - Posts

Fingerprint Readers... Are they all they are cracked up to be?

Almost every mobile computer that is currently shipping has a Fingerprint Reader on it.  How convenient...  I've had a lot of customers get excited about the convenience of no more passwords when they think that a finger will do.  Well personally, I give those Fingerprint Readers the finger!  Honestly, Fingerprint Readers are pretty secure for normal things, but for anything you really want to secure, a strong password is still the best.

There is plenty of documentation on the Internet about the lack of fingerprint reader security, but for a typical consumer machine, it's probably good enough.  Today I did a search on the Internet to see what I could find.  Of course Live.com is my search tool of choice, and one of the first items it presented was "Gummy Fingers" Fool Fingerprint Readers http://www.extremetech.com/article2/0,1558,13730,00.asp.   Of course, the person that came up with this idea was a Japanese mathematician! I never trusted those "math guys"... Their logic and all of that!  In college I took a math class, The Fundamentals of Math.  I thought hey, I understand that one + one = 2, that's fundamental... Right?  I needed to raise my GPA, so I decided to give it a try.  Holy Crap was that a rough class!  That's when I decided to never again trust those math guys.   I digress, back to the topic at hand...

This mathematician took a mold of a finger, used the same material gummy bears are made of, and cast a gummy finger from the mold.  Now I wonder how many tries it took him to get it right... Did he eat his mistakes???  I agree that molding a gummy finger is considerable effort for someone to expend, but it's a low effort, low tech way to defeat a high tech solution.  Reminds me of NASA creating pens that could write in zero gravity.  The Russians, they just used pencils!  I subscribe to the Keep It Simple Stupid mentality, so gummy fingers are a pretty reasonable solution to me.  The Register http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ added some additional detail to his research.

Microsoft's corporate policy states that we cannot store our corporate credentials on our laptops.  Fingerprint readers ask for, and then store, your credentials on your local machine.  [This is really the root of the concern.  If all of your credentials are stored on the same machine, eventually your credentials will be compromised.  It's only a matter of time.  The "time" factor could be 2 days or 2 hundred years.  It just depends on your level of encryption and the attacker's level of skill and dedication.]  The authentication process:  When you swipe your finger on the fingerprint reader, the fingerprint reader enters your domain credentials for you.  We've done a good job of opening up the authentication API, which makes it easier for developers to develop alternate authentication methods, but we need to solve the problem of the credentials being stored locally.

Two factor authentication is a super way to meet this need.  A number of companies have moved to two factor authentication; Microsoft made the move over 6 years ago.  We all carry smart cards; it functions like a typical proximity card that allows me to open our security doors, but it also includes a "chip" that contains my Microsoft certificate.  Whenever I have to connect remotely to the Microsoft network, I have to have my smart card inserted in my machine, and then I have to enter a PIN to allow access to the certificate on the smart card.  Not only do you need the smart card, but a PIN as well.  It all comes down to requiring 1) what you have: the smart card, and 2) what you know: the PIN.  Without both items, you're not connecting to our network.  The PIN is required because the certificate on the smart card is encrypted with the PIN.  Without it, the smart card is just a gold thingy stuck to the back of your ID card.

Now if you really want to protect the data on your computer, let's talk BitLocker.  I'll save that discussion for another time.

Until next time!

Rob

Eliminate UAC for Printer Driver installation

During the IT Pro Conference, someone asked if they could eliminate the UAC (and the local administrator requirements) just for printer driver installations on Windows Vista machines.  Printer drivers are the most difficult issue when it comes to removing the requirement for local administrator access to a machine.  I've monkeyed with this a little and I have more research to do, but I think I found a way to solve this predicament: Point and Print.  This feature was included in Windows XP; in Windows Vista we require local administrator privileges to install these drivers.  There is a Group Policy setting that tells Windows Vista to not require local administrator privileges for printer drivers that are already installed on your servers.  This is the Point and Print functionality...

Below is a screen capture of the Group Policy setting that disables the local Point and Print Restrictions.  This will allow Windows Vista users to install printer drivers without local administrator permission.  This is a Local Machine policy, but you should also be able to define an AD based Group Policy to do the same thing.  Let me warn you: the reason we require local administrator privileges is to prevent malicious device drivers, and this setting will allow any device driver to be installed.  To limit that, you can define the policy setting Package Point and print - Approved Servers to allow users to install printer drivers from only an approved list of servers.  This will allow normal users to install any printer driver once it's been approved and installed on your servers.

To disable the Point and Print restrictions, you need to get to the screen below.  To do that, click on Start (or the Vista Pearl), and in the Search box type mmc and press Enter.  Once the management console comes up, choose File -> Add / Remove Snap-in...  Choose Group Policy Object and then click Add...  If you are defining a local policy, choose Local Computer.  If you are an AD admin, you should know how to set an AD group policy.  If not, let me know and I'll include those instructions later.  Once you click OK, you should be back to the Local Computer Policy screen like below.  Go ahead and expand the Local Computer Policy, and then choose User Configuration -> Administrative Templates -> Control Panel -> Printers.  Then you're able to disable the Point and Print Restrictions.

[Screen capture: the Point and Print Restrictions Group Policy setting]

Once you make this local policy change, you need to either reboot your computer, or go to a command prompt and execute the command gpupdate /force to ensure the local policy gets applied.  Now you should be able to browse to a local server and double click on a shared printer.  The printer driver will install without requiring local administrator privileges.
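Once the policy has been applied, it is worth checking what actually landed on the machine rather than trusting the click path.  The script below is an added example, not part of the original post: it reads the registry values that the Point and Print Restrictions and Package Point and print - Approved Servers policies write, and flags the combination warned about above (restrictions disabled with no approved-server list).  It assumes the Computer Configuration branch under HKLM, that both policies live under the same Printers policy key, and that approved servers are stored one value per server under a ListofServers subkey; the server name in the usage line is a placeholder.

```powershell
# Added example (not from the original post): audit the Point and Print policy
# state and report whether driver installs are open to any print server.
# Assumption: Computer Configuration branch (HKLM). Point $Base at the matching
# HKCU path to inspect the per-user policy shown in the screen capture.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PointAndPrintState {
    param([string]$PolicyRoot = $Base)
    $pnp = Join-Path $PolicyRoot 'PointAndPrint'
    $pkg = Join-Path $PolicyRoot 'PackagePointAndPrint'

    $restricted  = Get-PolicyValue $pnp 'Restricted'      # 0 = restrictions disabled
    $trustedOnly = Get-PolicyValue $pnp 'TrustedServers'  # 1 = only servers in ServerList
    $serverList  = Get-PolicyValue $pnp 'ServerList'      # semicolon-separated server names
    $pkgOnly     = Get-PolicyValue $pkg 'PackagePointAndPrintServerList'  # 1 = approved list on

    # Assumption: approved servers are stored one value per server under ListofServers.
    $approved = @()
    $listKey = Join-Path $pkg 'ListofServers'
    if (Test-Path $listKey) { $approved = @((Get-Item $listKey).GetValueNames()) }

    if ($null -eq $restricted) {
        $risk = 'Not configured: operating system default applies'
    } elseif ($restricted -eq 0 -and $pkgOnly -eq 1 -and $approved.Count -gt 0) {
        $risk = 'Mitigated: installs without elevation, limited to approved servers'
    } elseif ($restricted -eq 0) {
        $risk = 'HIGH: any print server can deliver a driver without elevation'
    } elseif ($trustedOnly -eq 1 -and $serverList) {
        $risk = 'Restricted: only servers in ServerList'
    } else {
        $risk = 'Restricted: policy enabled but no trusted server list'
    }

    [pscustomobject]@{
        Restricted      = $restricted
        TrustedServers  = $trustedOnly
        ServerList      = $serverList
        ApprovedServers = $approved
        Assessment      = $risk
    }
}

function Set-ApprovedPrintServers {
    # Writes the Package Point and print - Approved Servers values so that the
    # "restrictions disabled" setting only applies to the listed servers.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Servers, [string]$PolicyRoot = $Base)
    $pkg     = Join-Path $PolicyRoot 'PackagePointAndPrint'
    $listKey = Join-Path $pkg 'ListofServers'
    if ($PSCmdlet.ShouldProcess($pkg, "approve $($Servers -join ', ')")) {
        New-Item -Path $listKey -Force | Out-Null
        Set-ItemProperty -Path $pkg -Name 'PackagePointAndPrintServerList' -Value 1 -Type DWord
        foreach ($s in $Servers) { Set-ItemProperty -Path $listKey -Name $s -Value $s -Type String }
    }
}

Get-PointAndPrintState | Format-List
# Placeholder server name; run with -WhatIf first to see what would be written.
# Set-ApprovedPrintServers -Servers 'printserver.example.local' -WhatIf
```

Run it from an elevated prompt after gpupdate /force; a result of "HIGH" means the restriction was disabled without the approved-server list the post recommends.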

Give this a try and let me know how it works for you.

Until next time!

Rob

Virtual Server 2005 R2 Update for Server 2008 support!

This update provides support for the following additional Host and Guest OSes:

Virtual Server 2005 R2 SP1 with KB948515.msp

Host                                                         Guest
Windows 2008 (Core, Standard, Datacenter, Enterprise, SBS)   Windows 2008 (Core, Standard, Datacenter, Enterprise, SBS)
XP Professional SP3 (non-production only)                    XP SP3
Windows Vista SP1 (non-production only)                      Windows Vista SP1
  (Business, Ultimate, Enterprise)                             (Business, Ultimate, Enterprise)

After installing the update:

Product Version: 1.1.629.0

Additions Version: 13.820

KB948515.msp update to Virtual Server 2005 R2 SP1 is now available at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=a79bcf9b-59f7-480b-a4b8-fb56f42e3348&displaylang=en

For more information about the software update and the fixes made in this release, see the KB article at:

http://support.microsoft.com/kb/948515

This is great!  I'm impressed that it will run on Server 2008 Core; I'll need to try that one out.  I agree that Hyper-V will RTM soon, but it's nice to have options.

As always, let me know if you have any questions.

Until next time!

Rob

Posted by rwagg | with no comments

Virtual PC 2007 SP1 is available

Virtual PC 2007 SP1 is now available for download from the following location:

http://www.microsoft.com/downloads/details.aspx?FamilyID=28c97d22-6eb8-4a09-a7f7-f6c7a1f000b5&displaylang=en

After installing VPC 2007 SP1:

Product Version: 6.0.192.0

Additions version for this build: 13.820

What is available in this release?

This release provides support for the following additional Host and Guest OSes:

Virtual PC 2007 SP1

Host                                     Guest (only 32 bit)
Windows Vista SP1 (32 and 64 bit)        Windows 2008 (Standard), Windows Vista SP1
  (Business, Ultimate, Enterprise)         (Business, Ultimate, Enterprise)
XP SP3                                   XP SP3

For more information, see the Release Notes at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9f3d3eb5-5e03-4712-999c-e96f91bdf128&displaylang=en

The Virtual PC website will be updated shortly with this release information at:

http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx

Until next time!

Rob


Microsoft Research - What does it research? World Wide Telescope!

Microsoft Research has been around for 17 years; it started in 1991.  I remember reading about it before I came to Microsoft; I was, and continue to be, amazed at how much money Microsoft invests into research every year.  Of course, every year we increase our research budgets, increase our research teams, and even increase the number of research facilities.  This year, we will open our 6th research facility!  Microsoft Research New England opens in July 2008.  It's so great to see some of the innovations that come out of Microsoft Research.  Look at some of the things we now take for granted, things like: Tablet PCs, the Junk Mail Filters, Multiple Monitor support, Speech Server and the enhanced Speech tools that were included in Windows XP and Windows Vista, and now are part of our new Response Point solutions.  Speaking of our newer innovations, Application Compatibility Toolkit, OneNote, and RoundTable are some of the newer solutions that Microsoft Research has provided to the marketplace.

Check out the MS Research site, and it will give you a lot of insight into some of the other contributions Microsoft Research has made to not only our products, but the ecosystem as a whole.  One of the latest innovations out of Microsoft Research is the World Wide Telescope.  While the telescope is an incredible technological contribution to the community, it is really cool that it was built with one of our new tools, the Microsoft® high performance Visual Experience Engine™.  It does install an application onto your machine, like Virtual Earth, but this way it gives you better control over the image management and resolution.

Please check out the following URL for details on the project:

http://research.microsoft.com/news/featurestories/publish/WorldWideTelescope.aspx?0hp=n1

Or it has its own external URL:

http://www.worldwidetelescope.org/

Get started with the Guided Tours; they will show you some of the things the telescope has in store for you.  The many worlds tour rocks!  Check out the detail... OK, you won't see the dust on the planets, but when you think about the fact that these are the images created by some of the greatest telescopes, this is pretty awesome stuff.  Just think about the number of pictures that were taken and stitched together to make these 3-D pictures.  You can even connect to and control your own telescope!

I hope you see how cool the telescope project is, but I hope you also see the value this type of technology can provide to our day to day business needs.  This type of technology is already being used for 3-D renderings, but what is new is the enhanced detail, and the development tools that make this type of functionality available to normal developers.  These tools will enable developers to build these types of applications without having to have the specialized skills in graphics development.

I hope you enjoy the telescope and I'd love to hear about some of the great things you uncover with it!

Until next time!

Rob


IT Pro 2008 Conference day 2

Day 2 started after a long day 1 (and night).  Jeff knows how to put on a party! and one of the sponsors, Response Point, sponsored the party (i.e. Jeff planned it, they paid for it <LOL>).  It was a super party that started with a parade from our hotel to Bourbon Street.  We had a police escort, Jazz band and everything!  We took over one of the restaurants on Bourbon Street and we even had our own balcony.  Just imagine 200 IT folks and their spouses eating and drinking too much.  Yep!  you got it.  We all got sleepy and headed back early (for Bourbon Street).  So the morning of Day 2 started with a smaller crowd, but everyone trickled in for the next hour or so, and by 11:00 am we were back up to a full audience.

So what did I learn in Day 2?

SBS & Migration 

We started out day 2 with Jeff Middleton (http://www.sbsmigration.com/ and the man that put this conference together) and Chris Almida.  Chris is a Microsoft SBS Program Manager and came in to discuss the improvements the SBS team has made in the migration tools to assist with the upgrade to SBS 2008.  Chris' presentation started out at 9:00 am this morning.  Being the first presenter after an evening on Bourbon Street is undesirable enough, but then the hotel lost power for about an hour and the chillers had to be shut down.  It got hot fast, but you know the old motto, The show must go on!  So there we were, sitting on the 12th floor in the hotel conference room, it's getting hotter and hotter.  Let's just say the water pitchers became a hot commodity!  Susan Bradley (http://www.sbsdiva.com/) was in the crowd and I loved her comment at the break.  "It was fun watching the people on stage "glisten" from the heat."  We're men and we just sweat like monsters!  OK I can say it, it was starting to smell like a locker room before the air finally cooled us down again.  The environment also gave our presenters an opportunity to present in adverse conditions and they all did great!  It was all good and the information I learned was well worth the additional warmth for a few hours.

Back to the SBS Migration; Chris had a super presentation about some of the migration tools that will be included in SBS 2008.  Everyone agrees that the SBS team has done a good job of addressing the need for a better migration solution to SBS 2008.  Of course, the SBS team has focused on the needs of the 80% of the SBS community. For the remaining 20% of the SBS Community that have "unique" configurations, more planning will be needed.  While I'm on the subject of planning; any SBS migration to SBS 2008 (or even a new SBS 2008 deployment) requires planning.  Please do not think that this is an upgrade for the uneducated.  Education and Planning are the two best steps to ensure a successful implementation of SBS 2008.

After Chris' presentation, Jeff followed up to discuss his swing migration process.  Jeff had a very good point: the swing migration leaves your original SBS (2003) server and domain intact.  The migration process Chris demonstrated involved adding the new SBS 2008 server to the SBS domain (yes, you can have two domain controllers in your SBS domain for up to 21 days!).  The great part about what Chris presented was that the migration process the SBS team assembled could be accomplished during the business day with very little end user impact.  The swing migration is something that can be accomplished offline without impacting the users.  We'll go into more detail about the various ways to migrate your domain, but there isn't one "Right" answer.  As I mentioned earlier, Education and Planning are your best tools!  As a newbie coming into the SBS upgrade process, it was great to see multiple solutions to manage the upgrade process.

Data and Collaboration

So are your users still storing all of their files on file shares?  SharePoint 3.0 is included in SBS 2008 and it makes document storage, collaboration, tracking, and recovery of prior versions of a document much easier!  SharePoint will also index all of your content to make searches much easier.  How many times have you said "I know I created that document, but now that I need it, I can't find it!"?  Well SharePoint will allow you, or anyone else within the company that has permissions to the content, to search and access the content with a lot less effort.  Yes, you can add permissions to SharePoint sites so even your very confidential data can be stored in SharePoint.  Just think, the data is still secure, it can now be backed up, and prior versions can be retrieved if needed!  The other nice thing about storing confidential data in SharePoint is that it is super straightforward to add Rights Management Services (RMS) protection to any document checked into a specific SharePoint site.  No user interaction is needed.  Just imagine that you can drop your confidential Intellectual Property or PII (Personally Identifiable Information) into a secure SharePoint site and it is automatically RMS protected.  With all of the confidential data disclosures that are happening, don't be on that list!  Let me help you work through the details.

Remote Desktop access

We had some good discussion about the Terminal Services Gateway functionality included in Server 2008, Remote Desktop functionality, and the ability to use the new Terminal Services to access just a specific application from the Internet via a secure Remote Desktop session (RDP over HTTPS).  From the users' perspective, this can be seamless!  Just imagine placing an icon for Word on a user's desktop; every time they open Word, it could actually be running on a Terminal Server within your secure network!  This is another way to provide your users access to the tools / data they need without the confidential data ever leaving the confines of your secure network.

Mobile Devices and their value to the information worker

We had some good discussion today about the value of Windows Mobile for the Small Business.  Chris Rue (http://www.chrisrue.com/) had a great discussion on how he leads business value based discussions with Windows Mobile.  That is a very unique approach and he's seeing a super success rate!  The Visual Studio tools make the porting of a custom developed application to the Windows Mobile platform much easier. Check it out!

Windows Vista and UAC

SP1 is out and now everyone is really starting to look at Windows Vista again; let's make sure we give it an honest evaluation and understand the value it will provide to you and your customers.  The impressions are that Windows Vista doesn't add value, but I'd say the impressions are far from reality.  I've run Windows Vista since Beta 2, and I've struggled with UAC, application compatibility, and performance issues as well.  Running Windows Vista on current hardware (less than 12 months old) is probably the best thing you can do to ensure your Windows Vista experience is optimal.  Everyone has tuning opinions out there, help yourself, but Vista does do auto-tuning as well.  I use BitLocker on all of my mobile machines.  I have no desire to lose my data, or any of my customers' data.  Could your business survive if you lost all of your data (backups please) OR could your business survive if all of the information on your laptop was publicly disclosed?  BitLocker is straightforward to implement and if it's implemented properly, it's easy to recover the data on an encrypted hard drive in the event of a hardware failure.  I'll go into the specifics of BitLocker in another posting soon, but please ping me if you want the detail now.  I'm happy to discuss this with anyone; we've also published a BitLocker Step-by-Step guide that will get you started.

Susan Bradley did a great job talking about her deployment of Windows Vista within her environment.  Her site (www.sbsdiva.com) even has documentation on how to make QuickBooks 2006 work on Windows Vista.  We still need to improve our ability to educate our partners, so education is still a work in progress, but Windows Vista has been very good to me for the last 18 months. 

Well that wraps up day 2.  Thanks for reading through all of this, I hope you found a few nuggets!

Until next time!

Rob


IT Pro 2008 Conference

WOW!  I'm attending the IT Pro 2008 Conference.  Check out http://www.conference.sbsmigration.com/ for more detail.  It's been great to meet so many of our small business partners.  We've had some great discussion and I'm truly impressed with how these people are able to use our Microsoft products. 

We had a great welcome party last night... The only problem is that the sessions started at 8:00 AM this morning, so the wake up call came way too early. 

What have I seen today? 

SBS & EBS

We've seen a few screen shots of Cougar (SBS) and Centro (EBS), and talked about some of the new features that will be provided at RTM.  Of course, we are not able to discuss a full feature list or release dates yet, but don't worry, more information will come soon.  I agree... "soon" is a relative term, but I truly expect that the wait for more information won't be that much longer...

Response Point

If you have not heard of Response Point, check it out!  We have partners that have been shipping hardware for months now and we already have customers using this in production!  Response Point is a low cost small office VOIP based phone solution.  OK, so VOIP isn't that new, but how about voice activated dialing?  How about caller ID toasts on your workstation when the phone rings?  How about the ability to set special behavior for specific incoming calls?  Just imagine that when your A #1 customer calls, his phone calls can be routed directly to your phone.  He wouldn't even need to ask for you!

Now do I have your attention?  I will be talking about Response Point more in the future, but for now, please check out: http://www.microsoft.com/responsepoint/ for more detail.  I have a Response Point demo kit, so I look forward to sharing my demo units with each of you.  Once you're able to see these units and the value they provide, I believe you will see how this little box and these handsets can change the way you look at your phones going forward.  So I mentioned voice activated dialing... Did I mention voice activated call management?  Instead of asking your callers to press "1" for customer service, and "2" for the operator, how would you like for them to be able to just say "Customer Service" or "Operator", or "Connect me with Rob"?  It's that simple.  Setup is a breeze and new user provisioning is also a breeze.  Again, more detail to come, but I'm excited about this one!

Backups

If you are not doing them now, what's the problem?  I agree that hardware has become more reliable, but we are still attached to the keyboard, so mistakes still happen.  Every now and then hardware still fails, so please get a backup today, before tomorrow's failure happens.  Microsoft has done a lot of great work around the native backup and restore functionality, but we also have partners like StorageCraft and eFolder that take backups to the next level.  These products also give you the ability to deliver these backup services to your customers as managed services.  These solutions give you a great way to take care of your customers' backup needs in an automated, low-overhead fashion.  If you are doing backups now, are you sending your backups offsite?  What's your DR plan? Are these offsite backups encrypted?  What would happen to your business if your office and all your backups burned?  There are plenty of economical ways to provide offsite backup storage.  Please feel free to ping me if you would like some assistance in thinking through some of the options available in the backup / restore area.  I'll talk more about backups going forward.

Things on my mind...

Like I said, it's been great to meet so many of our partners, but I'm concerned that no one is talking about the following solutions for their customers:

  • Encrypting customer and employee critical data so it doesn't fall into the wrong hands.
  • If your laptop is lost or stolen, would you end up on the cover of The New York Times, Newsweek, the evening news, <name your biggest media outlet>?
  • Securing your Intellectual Property, or your customers' Intellectual Property <yikes!>, to ensure an employee doesn't accidentally (or maliciously) email it out of your environment?
  • What about allowing your users to have roaming access to critical data while ensuring that this critical data never leaves the confines of your secure network?  Say what?
  • Now that it's May, how would you like to ensure that your sales team cannot continue providing quotes based off of the April price sheets?

Of course, we have answers for all of these questions... Let's talk!

Tonight's event

Well that's all I have to share today, we're getting ready to head out to a parade to Bourbon Street.  Did I mention we are in New Orleans?  Oh dear...  Our evening mixer is on Bourbon Street tonight, so I'm afraid that for me, it's 5:45 PM and my Friday is only half over <grin>. 

I've been gathering beads all day.  Everyone told me I should stock up on the beads, and that I'll need them tonight.  What's that about?

Until next time!

Rob
