July 2008 - Posts

I've already talked about how to eliminate UAC for a stand-alone Vista machine; now I am going to show you how to set a domain Group Policy to eliminate UAC for all of your Vista workstations.  My original post is here.  I apologize for the delay in getting this posted, but there were a few prerequisites that I had to complete first.  Mainly, we had to address the schema extensions in a Server 2003 or SBS 2003 domain.  You need these schema extensions so the Group Policies know how to manage Vista.  Please review, and follow, my schema extension entry here before you proceed.  I am working off of the assumption that your schema is already extended.  If you don't have the Server 2008 or at least Vista extensions, the rest of this discussion will not work for you.  "No soup for you", says the Soup Nazi <smirk>.

If you've reviewed my other two blogs you've probably heard enough of my cautions, but here goes one more.  I expect that if you are going to follow these instructions, you have the appropriate skill set, or you are testing these in a lab environment first.  Please do not just put this into production without testing.  You'll not only be hurting yourself, but you'll also make it harder to provide direction like this in the future.  If you need more detail, ping me, but I've intentionally assumed a level of skill in my readers.  I've only provided two screenshots; if you don't know how to fill in the blanks, then I'd like you to understand a bit more about Group Policies before you proceed.  We have some very good documentation on Group Policies; please take a read before you proceed.

Let's get to it!  If you checked out and followed along with both of my prior blogs, the UAC for a Vista workstation and the schema extension discussion, then all you need to do now is ensure that you have the remote server administration tools (RSAT) installed on your Vista desktop.  My schema extension discussion covered the RSAT so you should be set.

Let's fire up the MMC, and then add the Group Policy Management snap-in.  Choose your Group Policy Objects and then create a new policy.

Group Policy Management

Edit the new policy and navigate down to \User Configuration\Policies\Control Panel\Printers and then disable Point and Print Restrictions.  If you've looked at my original posting, this diagram should look pretty similar.

UAC Setting

The nice thing about Group Policies is that there is very little difference between machine policies and domain policies; it's just what object you start at :)...  Once the policy is configured, you just need to link it to an object.  To apply it to your whole domain, right-click on your domain (in the Group Policy Management console), choose Link an Existing GPO..., and then choose the new GPO you just created.  Once your machines reload their Group Policies, you shouldn't be bothered by UAC again.
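Because the policy above removes a protection from every machine it is linked to, it is worth confirming exactly what each workstation received after its next policy refresh rather than assuming the link took. The script below is an added example, not code from the original post; it reads the registry values that a UAC Group Policy writes (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) from one or more machines and reports the effective state. It assumes the Remote Registry service is running on any remote target, and the computer names in the usage line are constructed.

```powershell
# Added example, not from the original post: read the registry values a UAC
# Group Policy writes, so you can confirm what a Vista workstation actually
# received after its next policy refresh (gpupdate /force).
# Assumed: the standard UAC policy location
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# with the values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.
# Remote reads need the Remote Registry service running on the target.

function Get-UacState {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    foreach ($computer in $ComputerName) {
        $hive = $null
        $key  = $null
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hive.OpenSubKey($subKey)
            if ($key -eq $null) {
                Write-Warning "$computer : policy key not present"
                continue
            }

            # A value that was never set reads as the Vista default (second argument).
            $enableLua = [int]$key.GetValue('EnableLUA', 1)
            $consent   = [int]$key.GetValue('ConsentPromptBehaviorAdmin', 2)
            $secure    = [int]$key.GetValue('PromptOnSecureDesktop', 1)

            $prompt = switch ($consent) {
                0       { 'Elevate without prompting' }
                1       { 'Prompt for credentials on the secure desktop' }
                2       { 'Prompt for consent on the secure desktop' }
                default { "Other ($consent)" }
            }

            New-Object PSObject -Property @{
                ComputerName  = $computer
                UacEnabled    = ($enableLua -eq 1)
                AdminPrompt   = $prompt
                SecureDesktop = ($secure -eq 1)
            }
        }
        catch {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
        finally {
            if ($key)  { $key.Close() }
            if ($hive) { $hive.Close() }
        }
    }
}

# Usage (constructed computer names): report every machine, then narrow to
# the ones where policy has switched UAC off entirely.
Get-UacState -ComputerName 'VISTA-WS01', 'VISTA-WS02' |
    Where-Object { -not $_.UacEnabled } |
    Format-Table ComputerName, UacEnabled, AdminPrompt, SecureDesktop -AutoSize
```

Run it from the Vista box with RSAT after the workstations have refreshed policy; a machine that still shows UacEnabled as True either has not picked up the GPO yet (check the link and security filtering) or has a policy higher in the processing order overriding it.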

Like I warned you, this one was pretty short; most of the information you need is in the two prior postings I referenced earlier.  This entry is just connecting the final dots.

I hope this helps, and I'd love to hear your feedback.

Until next time!

Rob


I don't have an answer here, but this question has bounced around in my head for years, so I thought I would share the question.  When someone says that they are going to only purchase "best of breed" products in each area, how do you decide what is, or is not, "best of breed?"  Do you read the trade rags?  Listen to the vendors?  Is it the product with the most features?  How do we define "best of breed"?

I've struggled with this time and time again!  How do you make this decision?  The reason I ask this is that I've had too many customers myopically focused on "best of breed", and sometimes we miss the bigger conversation: "What's the best business decision?", or "Which solution provides the best value for your specific configuration / need?"  Best of breed was originally defined as the best dog in a specific breed.  I grew up around show dogs and totally "get" the idea of "best of breed".  But how did we get to the point of comparing a software solution to a dog?  This is getting pretty "Ruff", isn't it <smirk>.

Best of breed discussions helped create some of the TCO discussions we've been having for a long time now.  I really liked these discussions because they were focused on the Total Cost of Ownership (TCO) for your environment, not just the best product in a specific category.  As I mentioned, I've had customers myopically focused on best of breed, but that does not mean that their final solution is the "best for their company".  A simple example would be running DB2 on Mac OS X.  Of course, I'm not advocating that either of these platforms is best of breed, but anymore, people can spin any product into the best or worst product in a category.  Yes, DB2 and OS X are both solid answers, but everyone knows that you can't run DB2 on OS X.  I know this sounds pretty ridiculous, but stranger things have happened...  Next time you feel the urge to choose "best of breed", let's talk about "The best solution for your business" instead.

I'd really like your thoughts on this...

Until next time!

Rob

Posted by rwagg | with no comments
Filed under:

Network Admin Arrest Puts Spotlight on Insider Threats

44 percent of the 500 respondents identified internal breaches as a key security challenge over the 12 months preceding the survey—up from 42 percent in 2006 and just 15 percent in 2003.

OK, so this is a scary, but not new, thing.  The irony is that we work hard to secure our networks and data from outside attackers and sometimes it's the people inside the organization that end up getting us.  How often have you struggled with permissions vs. risk?  At the end of the day, your network administrators must be trustworthy.  I do like the final statement of the article:

"The best practice is to trust but verify," said Yama Habibzai, senior director at Netcordia, a provider of network management tools. "There needs to be some level of trust within the organization, but the organization needs to have the tools in place to verify that employees touching the network are making accurate and approved changes."

I agree that we need to have a level of trust in our network administrators, but I also agree with the verify phase.  We all have good and bad days.  Let's say you have a very trustworthy and excellent network administrator.  The trustworthy people are the standard and the untrustworthy person is the exception, but even your best network administrators can have bad days.  What if your best network administrator gets a good review, but not much of a raise?  Raises are slowing down, and in the end, network administrators will not be paid as much as upper management.  Companies do have to put ceilings on job roles.  While every position is valuable, some do have more value than others.  Back to your best network administrator: what if they have a very good review, but then get told that they are paid at the top of their job and they cannot receive another raise?  Every person has thoughts like: "Hey, if they don't value me, just wait till I'm not here", or "Look at the havoc I can create".  Most people know better than to take action, but unfortunately, some do not know where to draw that line.

Have you ever felt like you knew of a problem that needed to be solved but no one else listened?  Check this one out:

Article (InfoWar): Student arrested for breaking into school computer network

A high school senior was arrested for breaking into the school district's computers.  His whole motive was just to prove that their computers were not as secure as the school district felt they were.  While I agree that computers need to be secured, and even tested to ensure they remain secure, I think this is one of the ways to NOT prove your point.  This guy broke in, collected "secured" information, and then brought it back to school and presented it to his teacher.  This is not the right way...  The article goes on to suggest a more appropriate way to handle something like this:

"What he should have done is offer to sit down with the teacher and the administrator and demonstrate the hole with their permission,"

I agree with this suggestion.  No one likes to be blown off, but even if you offer to demonstrate your concerns and they say "No thank you", you need to walk away.  The struggle is "where do you draw the line?".  When is it right to point out an exposure and when does it go too far? 

Microsoft has a corporate policy that requires everyone to lock their computers when they are not using them.  The good old <CTRL+ALT+DEL> and "Lock this Computer" before you walk away from it.  It's a very good practice.  If anyone has access to your computer while it is logged on with your credentials, they have access to everything you have access to as well.  I agree with the rule to keep your workstations locked, but what do you do when a co-worker, or even a customer, walks away from their computer without locking it first?  Should you lock their workstation for them, or keep your mitts off the keyboard?

I believe that these are some of the ethical dilemmas that we face working in the IT industry, but these types of dilemmas are not unique to our industry.  Where do we draw the line?  Where is the line between "doing the right thing" and "Crossing that line?"

At the end of the day, we must trust our people, but we also need to verify that people can be trusted.  I do not feel a generic administrator account that multiple people have access to is an acceptable security measure.  I feel that every network administrator should have two sets of credentials.  One set that has no more access than any other typical user, and one that has your domain access.  This normal account should be their only email enabled account and they should spend the majority of their day logged in with this set of credentials. 

If a network administrator needs to do "administrator" work, they should then log into the server they are going to manage with their personal administrator credentials.  Each administrator should have their own administrator account that is assigned only to them.  Of course, this account should not be e-mail enabled, and all actions taken by this account should be audited.  If you audit all of the transactions, it should be pretty straightforward to review the audit log if there is any question.  Wouldn't it be nice if Windows made it that easy?  Server 2003 made it really hard to effectively audit for things like this, and this caused a lot of customer frustration.  Windows Server 2008 has tons of new improvements, and one of them is a revamped audit solution.  Now you truly can get granular on the events and people you audit.
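The two-account rule above (a normal, mail-enabled account for daily work and a separate, personal, non-mail-enabled account for administration) is easy to state and easy to drift away from. The script below is an added example, not code from the original post: it walks the privileged groups through ADSI and flags member accounts that still carry a mail attribute, and it surfaces nested groups, which make it harder to tie an audited action back to one named person. It assumes a single-domain forest (the SBS or Server 2003 layout this series is about), a machine with RSAT, and only the ADSI support built into PowerShell; the group names are the built-in ones.

```powershell
# Added example, not from the original post: audit the privileged groups for
# the two-account rule, i.e. flag administrator accounts that are still
# mail-enabled (the mail attribute is set) and surface nested groups, which
# make it harder to tie an admin action to one named person.
# Assumed: a single-domain forest, a machine with RSAT, and nothing beyond the
# built-in ADSI support in PowerShell (no extra modules).

function Get-PrivilegedAccountReport {
    param(
        [string[]]$GroupName = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext

    foreach ($name in $GroupName) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
        $searcher.Filter     = "(&(objectCategory=group)(cn=$name))"
        $result = $searcher.FindOne()
        if ($result -eq $null) {
            # Enterprise Admins and Schema Admins only exist in the forest root domain.
            Write-Warning "Group '$name' not found in $domainDn"
            continue
        }

        foreach ($memberDn in $result.Properties['member']) {
            $member  = [ADSI]"LDAP://$memberDn"
            $isGroup = ($member.objectClass -contains 'group')
            $mail    = [string]$member.mail

            New-Object PSObject -Property @{
                Group         = $name
                Account       = [string]$member.sAMAccountName
                IsNestedGroup = $isGroup
                Mail          = $mail
                # The rule from the text: admin credentials should not be e-mail enabled.
                Violation     = ((-not $isGroup) -and ($mail -ne ''))
            }
        }
    }
}

# Usage: show only the entries that need a second look - mail-enabled admin
# accounts and nested groups whose membership should be expanded and reviewed.
Get-PrivilegedAccountReport |
    Where-Object { $_.Violation -or $_.IsNestedGroup } |
    Format-Table Group, Account, IsNestedGroup, Mail -AutoSize
```

Run it as a normal (non-admin) user; reading group membership and the mail attribute needs no elevated rights, which is a small illustration of the same rule the post is making. Nested groups are reported rather than expanded so the output stays one line per direct member; feed a nested group's name back into -GroupName to drill into it.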

We need to keep trusting our people, but separation of duties is also a very good thing.  We need to do a better job of making the separation of roles possible, but we are making progress.  Our Group Policy tool does a good job at separating roles: you can allow one person to create a policy, but then require another person to actually deploy it.  This is a nice check and balance, but trust is still a core requirement.

I hope this helps, if you have any comments or questions, I'd love to hear them.

Until next time!

Rob

Posted by rwagg | with no comments

I was sitting in a Small Business Server discussion at the WPC and the presenter, Richard Opal, made the statement: "our CIOs are losing power within our customers."  This isn't the first time I've heard this.  I've heard it too many times to count, but for some reason, when Richard said it, it really resonated with me.  Let's see if we can peel back this onion a bit.  Where is this thinking coming from?  Is it for real?  Are our CIOs losing influence within their own businesses?  You tell me.  I don't feel that every CIO is losing power, but unless the CIO works for an IT company, IT is not their core competency, right?  Why would a portion of the business that is not responsible for revenue generation wield much power?

I've been noodling on this for a while, I've listened to numerous analysts and "experts" comment on this, so let me know what you think of the following:

Are our IT decision makers losing influence within their own companies?  More and more, the business units within companies are purchasing business solutions that meet their needs; and then they are telling IT to implement the IT portion of the business solution. I'm seeing a trend that IT is not even consulted before a new solution is purchased. This is a concern from a lot of different perspectives.  I'm not talking about "protecting our turf".  IT is supposed to be a business enabler.  IT is kinda like the Marines, we're here to serve at the pleasure of the president, or in this case, We're here to serve at the pleasure of your Business. OK, so if we aren't protecting our turf, why should we care? 

How about the reduction of IT complexity?  How about the fact that IT budgets are not growing?  If you're lucky, your budget didn't get cut, but far too many budgets are shrinking.  It's tough to just maintain the status quo in your infrastructure when your funding is declining, don't you think?  Now if a business unit purchases a business solution that does not fit harmoniously within your organization, you need to spend your declining budget to integrate this "foreign" solution, don't you?

OK, so what if the Business doesn't ask you to integrate the solution?  What if the Business purchases the solution and the installation?  That can be a much bigger risk because you now have an outside group doing the work, and their only goal is to prove that their solution meets the expectations.  I'm not saying these people want to do us harm, we've all been in that position, but if your goal is to demonstrate the success of your product, are you really concerned with any other aspects of the infrastructure?  Right!  Your vested interest is in proving the success of your project as quickly as possible.  What's the shortest path from point A to point B?  What if the existing infrastructure gets in your way?  What if the security posture of the infrastructure is too strict?  If it's too strict, does the new solution require relaxing the corporate security posture?  What next?  No matter who installs the solution, what compromises have to be made to ensure the success of the new acquisition?

Let's say the integrator comes in and makes the needed changes to your infrastructure that ensure the success of their deployment.  Now the new product works, but what if some other aspect of your infrastructure doesn't work?  Who's responsible for fixing that?  Do you really think this external integrator is going to chase your "networking bugs"?  Who do you think really gets the blame when some other portion of the infrastructure fails?  Let's be honest, if the business made the acquisition and hired someone to deploy the solution within your business, do you really think the business has any confidence in their internal IT organization?  I'm not saying that this is a telltale sign, please don't make that assumption.  There are a large number of IT shops that operate in this model.  Some of my customers' IT staffs exist just to keep everything up and running.  These businesses accept the IT business model that they will bring in specialists to integrate each new solution.  The point I'm trying to make is that someone needs to have a vested interest in the overall success of IT.  OK, so I started this discussion with the relevance of the CIO, right?

Here’s a simple test, it’s not 100% accurate, but this does help illustrate the point: How many CIOs within companies still, or ever did, report to the CEO? How many CIOs are reporting up through the CFO? This analogy is not always accurate, but this reporting structure can be pretty telling. Who cares who the CIO reports to? AND if the CIO reports to the CFO, doesn’t that mean that IT is closer to the money?? Nope! Generally, if the CIO reports to the CFO, IT is perceived as a cost center. The worst case scenario is that IT is perceived as the group that always says “No” and continues to cost too much money.  Hmm, what do you mean?  Think back; how many times has IT been asked to implement a solution for the business? Think of all of these requests: how many times has IT said No to these types of requests?  Or, how many times has the deployment taken longer than the business expected it to take? Or cost more than what was budgeted?  Or both?  It only takes once or twice and the business, like everyone else, will try to work around the obstacle...  Right?  Now, if IT is perceived as the "no group" or "the group that doesn't 'get' the business", I'll bet that the business units have also learned that they don’t have to go through IT.  Let's really think about this: the business grows the company, IT is just the enabler, right?

If your CIO reports to the CEO, there’s a better chance that IT is perceived more as a business enabler and not a cost center, but this is no guarantee. Some CIOs report to the CEO just out of respect until the current CIO retires, or "that's the way it's always been".  Once your CIO retires, how many companies have reorganized and moved the CIO under the CFO?  If your CIO is higher in the food chain, it’s likely that IT has helped other business units increase their productivity, productivity that can be mapped into generating more revenue for their company. Again, unless our customer is an IT company, their IT is not generating revenue. If you are not a revenue generator, then you are a cost center. How much influence do cost centers really have within a company?

OK, did that help?  So if our CIOs are losing power within the company, how are businesses using IT to grow their bottom line?  The modern-day Golden Rule: "Those that have the gold make the rules".  So if IT isn't bringing in the revenue, the business group that is bringing in the revenue has more influence when it comes to making business changes, or purchases.  If a solution provider can show a business how they can reduce cost, increase production, and / or increase revenue, don't you think the business will want to leverage this new solution?  Yes, and that's the risk here.  If the business does not feel that IT is a relevant portion of the business, the business will most likely purchase a solution without the involvement of IT.  This is big!  Our core business directive within our companies is to enable the business to be more successful.  If IT is perceived as an obstruction, not an enabler, the end result is that we will end up hurting our business.  We are all looking for win-win scenarios, and here, the win-win scenario is to continue to grow IT as a significant contributor and enabler to the business.  This is the responsibility of IT; remember, we are there to serve at the pleasure of the business!

There are a number of IT companies that directly approach your business units without the involvement of IT.  These new solution providers have learned to follow the money. I think this is an important point. Traditionally, IT companies have demonstrated features and functionality of new products.  We try to “sell” our new products to IT and then hope that IT can derive business solutions that will benefit their company. Some of these product companies are now stitching their products and features together into viable customer solutions.  These companies are then presenting these solutions to the business units. They are approaching the business units, the people in the company that actually generate the revenue. Remember the golden rule?

OK, so I've talked about a lot of the things that can cause the CIO to lose control of their IT infrastructure, so how do we avoid this situation?  How can IT continue to contribute to the business in a positive way?  How can IT continue to grow their relevance?  How can IT continue to partner with the business units so that when the business is looking for a solution, the business and IT partner together to make the best decision for the overall business?

I haven't found a simple solution to this situation, but we are working to assist you and our customers with business solutions.  Look at Dynamics.  It's composed of a number of products: AD, SQL Server, Exchange, SharePoint.  If we show this list of products to the business units, not only will your business units glaze over, but they will continue to believe that IT is more about the "cool" technology and not focused on helping grow the business.  Let's learn to speak the language of the business.  They've already proven that they are not going to learn our language, and they shouldn't.  Sometimes these business owners don't respect IT, or even think IT is complicated.  They all have home PCs now and they don't have problems.  If computers were really difficult, why is it that our children run circles around us when it comes to computers and technology?

These solution providers present a vision of business solutions to the business unit.  They show the business how their solutions can help increase their capacity to deliver additional value to their end customers. When the people that are generating the revenue within a company ask the business to reinvest in their continued growth, they always have the ear of the CEO and CFO and they get what they want almost every single time.  Got that?  If the people printing the money ask for more capabilities, they usually get them without too much difficulty.  Let's continue to talk about this, but what do you think?  Make sense?

Until next time!

Rob

Posted by rwagg | with no comments

As soon as I read the headline, I thought oh great, so we're the best of the worst...

This is an Information Week article located here.  After reading it, it made me laugh more than the headline did.  Their point is that Windows Update is available more than Apple's or Ubuntu's download sites.  It doesn't talk about the number, or quality, of fixes, just that Windows Update had better uptime.  While this statistic is useful to each vendor's operations unit, who else really cares?

The one time iPhone users cared was Friday with the release of the new iPhone.  Apparently the traffic from the new and original iPhones generated enough traffic that it took their site down.  That's a bummer, but it begs the question, do we scale for the average load, or do we scale our sites for maximum load.  Good for Apple that they sold 1 Million iPhones, but volume like that does expose other weaknesses. 

I think this whole discussion begs another question: When is network / network services availability good enough?  98%, 99%, 99.99%, or is anything less than 100% uptime acceptable?  Go ahead, pick a number.  Let's pick 100% because it's easier math.  Is your network considered 100% up if it's up all of the business day, or truly 24x7x365?  Keeping the whole infrastructure up 10 hours a day is pretty easy, but not realistic anymore, is it?  Is 100% uptime measured by unscheduled downtime, or any downtime?  And what is availability defined as?  If the server responds to ping, is that good enough, or does mail actually have to flow, or does the business application need to be working properly?  I know I'm asking more questions than I answer, but this is an important discussion to have.  Don't you love it when management says, "I'm not paying for 100% 24x7x365 uptime. That can become expensive in a hurry!"?  OK, but then management demands that the network always be available when they need it!  Gee, thanks!  That's clear as mud!

This is the type of ambiguity that we in IT struggle with.  We want black and white answers, and the business works in shades of gray.  How can we define an SLA, or even a target to measure against, if we don't have a firm goal?  There are multiple technologies that can help address some of these demands, you've even seen software as a service (S+S) gaining momentum, haven't you?  What if S+S could offer 100% uptime?  Can we let someone else manage the infrastructure and hold them accountable for downtime?  Is that better?  Hey if we don't have to spend our time keeping an eye on the hardware, software and applications like email and desktop applications, then can't we raise our focus to delivering the business value the customer is really asking for? 

I think we need to spend more time talking about the needs of the business, and less time talking about Servers, software versions, and upgrades.  Let's talk about the solutions we can provide to the business.  If the solutions they need, or let's say the capabilities they need, can be delivered, the need for upgrades is really insignificant isn't it?  We need to define the needs of the business and then determine the value the business puts on these needs.  If the value outweighs IT spending, then we do it.  Right?  This is where we leverage the business owners, not IT, to determine the business value.  IT budgets continue to be cut and IT is looking for ways to reduce costs.  If we can gain the support of the business groups, then we can work with them to secure funding.  Now we're giving IT the opportunity to grow their infrastructure and add business value while not forcing IT into funding everything on their own.  Isn't the root of the problem really who pays for the solutions?  Why should IT be any different than any other department?  If a department needs paper or pens, don't they pay for those?  Why can't they pay for IT services the same way?  I know a $10 case of paper is on a different level than a $4,000 server, but is it really?

Let's see if we can have more conversations on helping the business run the business on their terms.  Helping the business grow the business has always been at the core of IT, but we always had "fun" doing it, and sometimes we've all been guilty of losing sight of the business.  Let's get back to supporting the business instead of them supporting us (financially), and I'll bet we will all end up better for it.

Until next time!

Rob

Posted by rwagg | with no comments

During day 3 of the WPC, it was fun to see some of the "new friends" people were making, and some of the "goodbyes" that happened all day long.  Proof that the networking portion of the WPC was a success.  The morning keynote was interesting; I chose to watch the keynote from my hotel room via digitalwpc.  Yes, we were out late the night before, so it was nice to move a little slower and not miss any of the keynotes.

I enjoyed Allison Watson's messages every morning, so it was nice to see her wrap this up.  Kevin Turner was very focused on the partner community and talked about our increase in our PAM (Partner Account Manager) community to provide a higher touch to our partners.  I also liked that Kevin encouraged the partners to reach out to him if there are any problems with our growth or capacity.  It was reassuring to see Allison and Kevin focused on helping our partners continue to grow and succeed. 

Dr. Muhammad Yunus presented during the keynote slot as well.  I've heard his presentation before, so I got distracted during his discussion and started working on my schedule for the rest of the day.  Dr. Yunus is a great presenter and if you haven't heard about what he's done, it is well worth your time to listen to his keynote and see how it has impacted us all.

Mobile (Windows Mobile phones) is continuing to grow.  I spent a lot of time on the Expo floor looking at some of the solutions built on the Windows Mobile platform.  People have been so creative with the type of solutions presented.  One company built InfoPath forms for WM 6 devices.  It's great!  They suggest that you define a separate view of the form for the mobile device, to accommodate its form factor; by using a separate view, the WM device is able to reuse the same business logic as the original InfoPath form.  To me, this is impressive.  Maybe it's not a biggie to you, but I do like that we continue to separate the business logic from the UI without creating a lot of additional work when extending our solutions to additional form factors.

The big buzz this week has been Software + Services.  Of course, some people have been concerned that they could "lose revenue" if they move to an S+S scenario, but I see a lot more value add in the S+S model AND you spend less time in the car.  We'll talk more about S+S in the future, this is a great opportunity to take your level of service to the "next level" and offload some of the mundane tasks to the service provider.

I also attended a Virtualization and Security discussion.  This one was interesting!  Please keep in mind that just because you have a server within a virtual machine, as opposed to residing on traditional hardware, the machine still needs to be secured just like a normal machine on normal hardware.  A virtual solution now not only includes the virtual machines, but you must also secure the host server as well.  We need to ensure that the host server is secure.  If the host server is compromised, while each virtual machine can still be kept secure, an attacker, at a minimum, could take your host machine offline, thus disabling all of the workload availability for all of the virtual machines on that host.   Our development group spent a lot of time working on these additional threat scenarios and I appreciated the openness of the information presented.  It looks like they've really done a good job of addressing these new types of threats.

This was my first WPC and I enjoyed the content, and meeting a lot of new partners.  I'm looking forward to our WPC next year, I'll be better prepared and will spend more time meeting our partners from all over the globe.

Until next time!

Rob

Posted by rwagg | with no comments

Day 2 started out with a keynote that got everyone pretty excited.  Before the keynote though, the day started with our copies of USA Today at our doors.  There was a full-page ad about Windows Vista.  It was nice and polite, but as Brad Brooks said, "We've had enough, we're drawing a line."  There has been too much sensationalism in the press around Windows Vista.

Microsoft: The Vista Bullying Stops Here

I've been very pleased with Windows Vista since I was able to upgrade my tablet to support Windows Vista.  What I found was that a lot of the hardware on the market prior to the RTM of Windows Vista just didn't cut it.  I have a Thinkpad Tablet and it rocks!  I'm excited to see these new ads, and I'm excited that we are finally standing up and telling our story. 

As Brad said: "You thought the sleeping giant was still sleeping. We've woken up and it's time to take this message forward. This is the true story of Vista".  Windows Vista is a great evolution of the operating system and it raises the bar on the capabilities available to our customers.  Not only does Windows Vista provide new capabilities, but it also raises the level of protection of our customers.  Windows XP SP2 raised the bar, but Windows Vista has set a new standard.  If you have concerns about UAC, let's talk about it.  If you really have problems with UAC, just turn it off!  Yes, I said it.  You don't have to use it, but I'm happy to talk with you on why we implemented UAC.  I truly believe that once you understand the goal of UAC, you'll be much more comfortable with taking advantage of the value it provides.

I still think that it's pretty ironic that Apple attacks the "security" of Windows Vista...  Brad put it best:  "Vista has actually had a cleaner security track record in its first year since launch than any other open source or commercial OS in history".  This is true!  "Any other OS period!" We spent a lot of energy on thinking about how the malicious software writers were taking advantage of XP and we, again, raised the bar. 

So you want to wait for Windows 7?  Why?  Do you think we'll revert back to XP?  Read the article: Windows 7 builds on Windows Vista.  If you purchase Windows Vista with Software Assurance (SA) now, you'll be able to upgrade to Windows 7 when we release it.  Why not start enjoying the value now and be in the best possible position to keep taking advantage of the most secure operating system ever released?

We've announced our compatibility center.  If you want to know if your software is compatible, check out the compatibility center to find out. 

Want to start with application compatibility?  Start here.  The Windows Vista application compatibility site will be launched here, but it wasn't ready when I wrote this, so hang in there; it should be available within the next few days.

Check out the Windows Vista Assurance program.  We are putting our money where our mouth is and standing behind Windows Vista with no-cost support assistance for Windows Vista.

Until next time!

Rob

Posted by rwagg | 1 comment(s)

Well yesterday was day 1 of WPC and since this is my first WPC, I thought I would share a few thoughts and experiences. 

One of the great things about this year's WPC is that if you can't attend in person, you can participate via our Digital WPC.  You can see all of the keynotes and the individual presentations from the comfort of your own desk!  While you won't benefit from the networking, at least you'll be able to view the content and hear all of our announcements in real time.  Yes, I've done the virtual training thing before, and while it's better than missing the whole event, I always have to fight the urge to get distracted by email and phone calls.  Virtual participation is the next best thing, but I still prefer being here with everyone else; this helps me "keep my head in the game".  We have had some good keynotes and I'm looking forward to the continuation of announcements this week.  We've already announced the release of SP1 for Response Point.  SP1 has a new feature list, but the thing I'm most excited about with SP1 is the new SIP trunking.  This will allow for a complete VoIP experience and/or VoIP within your office connected to standard telephone lines.

Back to the WPC: I mentioned networking.  On Monday, I met a partner that came all the way from Egypt.  Egypt!  That's cool!  It was great to visit with him and understand some of the cultural and technical differences between our two countries.  His English was excellent!  I'm glad he spoke excellent English since I'm just a country boy who didn't even know English wasn't the only language until I was almost in high school.  His name is Fady A. Ghaly and he's the Managing Director of the Al Ghaly Group.  He's involved in the family business and he said that his business chooses to do business primarily with other family-run businesses in Egypt.  Fady was a great person to speak with and he sure got me excited about Egypt and international travel as a whole.  If I ever have the opportunity to travel to Egypt, I will look him up.  If you ever have the opportunity to travel to Egypt, I'm sure he would be happy to make you feel at home.  I walked away from my discussion with Fady feeling that he's never met a stranger, and everyone he meets is a friend from the very beginning!  I also met another partner from Ecuador.  We had a great visit on the bus ride from the hotel.  Not only did I get to learn more about our partners, but I've also had a great geography lesson without leaving the United States!  I'm so blessed to work for a company that has such an impact around the world. 

I wanted my first note to be brief, so check out the Digital WPC and look at all of the content we've already made available.  A lot of the content is being streamed real-time, so I hope you can keep up with all of the announcements and updates.

Until next time!

Rob

Posted by rwagg | with no comments

They're most often lost at security checkpoints, the Ponemon Institute says

The complete article is here

Check this out:

Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65% of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-size airports, and 69% are not reclaimed.

The thing that really gets me is that 2/3 of these laptops are not reclaimed!

And then look at this!

About 53% said that laptops contain confidential company information, with 65% taking no steps to protect the information.

Over half of these machines have confidential information on them and no one cares?  No one has made any effort to protect this data?  What's wrong with this?  Why should we be so upset with other companies that lose our data when we don't care about it either?  In our society, we look for someone else to blame way too often.  If you lose a laptop and compromise confidential data, I'll tell you who to blame: look in the mirror!  Each and every one of us should take responsibility for protecting our own data.  I would hate it if I lost my machine, and I know Microsoft wouldn't be very happy with me either, but I'd much rather have a discussion with my management that I lost my machine AND I did everything possible to ensure that my data was not compromised.  The reality is that I'm much more concerned about my data than my laptop.  If someone wants to steal my laptop, they are welcome to it; it's not worth the fight if there's a possibility of someone getting hurt.  If someone wants my data though, I have an issue with that!  Let's make sure we are proactively ready to keep our data safe!  While I don't offer to give my machine away, if someone does walk away with it, I'm confident that they will now have a very good laptop, but not my data.

This article goes on to advocate the recovery of the lost computer equipment.  I agree, I'd like to recover my lost hardware as well, but even if I recover it, how do I ensure my data wasn't compromised while it was out of my control?  What if the thief had time to clone the hard drive and then attack it offline?  Again, let's make sure that even if they have the hardware, they don't have access to the data.  With BitLocker, the key that encrypts the volume is itself stored on the disk only in encrypted form; unwrapping it requires a key protector that is not on the disk, such as the TPM the key was sealed to, a PIN, a USB startup key, or the 48-digit recovery password.  Even if they successfully clone your hard drive, the only way to recover your data from the clone alone is a brute force attack: basically they have to guess your 128-bit or 256-bit AES key, and that is not a matter of man-years but computationally infeasible with any foreseeable hardware.  Good luck!  The one caveat is that this is protection for data at rest: a machine that is powered on and unlocked, or left in sleep with the key still in memory, is not an offline attack scenario, so lock or shut down before you walk away from it.

As I've said before, I don't travel with an unencrypted laptop; if someone does get physical access to my machine, they don't get access to my data!  If a malicious user wants to try and crack my password, or attack my hard drive offline, I have an answer for that.  BitLocker was built to defend from the offline attack, and Microsoft's password policy forces complex passwords to protect from any online attacks.  Each additional character in a complex password multiplies the search space, so complex passwords are exponentially more difficult to crack than the typical short password.  According to the statistics above, it sounds like my tablet is in better shape than the majority of the other mobile machines out there.  I'll bet this situation is a lot like the locks on our doors.  If we have better locks than our neighbors, the bad guys will be less interested in our machines and more interested in the higher-gain, lower-effort machines. 

I don't customarily encrypt my external hard drives, because they only contain my demo content and reference material.  As a rule, the only thing I keep on unencrypted drives is information that is publicly accessible, or publicly available items that can be assembled into things like demos. 

When you look at the numbers above, and realize that most of our users are more interested in catching their flight than protecting their corporate assets, we must help the company protect their assets without impacting the user community.  Let's work on the assumption that our users don't care, so let's make sure that we can "seamlessly" protect their data for them.  I know this sounds like Big Brother, but if we're allowing them to store our confidential data on their machines, we need to ensure that they treat this data like confidential information from the beginning to the end of its lifecycle, even if the user doesn't know it!  With a TPM-only key protector, BitLocker encrypts the hard drive with no change to the user's workflow; adding a PIN or startup key costs one extra step at boot.  That's the best part about it.  It's invisible to the user and it does not get in the way of the user doing their job.  There's always the balance of "doing my job" vs. "protecting our data".  BitLocker does a great job of finding that right balance.
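Before telling the business that the laptops are protected, it is worth checking that they actually are, and with which key protectors.  The following is an added example and not code from the original post; it reads the same WMI provider that BitLocker's own management tooling uses.  It assumes Windows Vista Enterprise/Ultimate or later with BitLocker available, PowerShell 2.0 or later, and an elevated (administrator) session; the triage rules in it are an assumed policy, not something the post prescribes.

```powershell
# Added example, not code from the original post: audit which local volumes BitLocker
# actually protects and with which key protectors, using the Win32_EncryptableVolume
# WMI provider. Assumed environment: Windows Vista Enterprise/Ultimate or later with
# BitLocker available, PowerShell 2.0 or later, and an elevated (administrator)
# session; the class is not accessible from a standard-user session.

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = "Unknown"
    1 = "TPM only"
    2 = "External key (USB startup key)"
    3 = "Numerical password (48-digit recovery password)"
    4 = "TPM and PIN"
    5 = "TPM and startup key"
    6 = "TPM, PIN and startup key"
    7 = "Public key"
}

function Get-BitLockerAudit {
    $ns = "root\CIMV2\Security\MicrosoftVolumeEncryption"
    $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

    foreach ($vol in $volumes) {
        # ProtectionStatus: 0 = off (unencrypted, or suspended with the key exposed),
        # 1 = on, 2 = unknown
        $protection = $vol.GetProtectionStatus().ProtectionStatus

        # Argument 0 asks for the IDs of key protectors of every type
        $types = @()
        $kp = $vol.GetKeyProtectors(0)
        if ($kp.ReturnValue -eq 0) {
            foreach ($id in @($kp.VolumeKeyProtectorID)) {
                if ($id) {
                    $code = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
                    if ($protectorNames.ContainsKey($code)) { $types += $protectorNames[$code] }
                    else { $types += "Type $code" }
                }
            }
        }

        # Triage rules (assumed policy for this example, not from the original post)
        if ($protection -ne 1) {
            $finding = "NOT PROTECTED: contents are readable from a cloned disk"
        } elseif (-not ($types -contains $protectorNames[3])) {
            $finding = "No recovery password: a TPM fault or board swap locks the data out for good"
        } elseif ($types -contains $protectorNames[1]) {
            $finding = "TPM-only: unlocks unattended at boot; consider TPM+PIN for travel laptops"
        } else {
            $finding = "OK"
        }

        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protection = $protection
            Protectors = ($types -join ", ")
            Finding    = $finding
        }
    }
}

Get-BitLockerAudit | Format-Table Drive, Protection, Protectors, Finding -AutoSize
```

Run it on a laptop you believe is protected and compare the output with what `manage-bde -status` reports; on Vista the equivalent is `cscript manage-bde.wsf -status`.  Volumes without a drive letter (such as the small unencrypted system partition BitLocker requires) show up with an empty Drive column, which is expected.  The recovery-password check matters because a TPM-only volume with no escrowed recovery password turns a motherboard replacement or a TPM clear into permanent data loss, so back that password up to Active Directory before rolling encryption out broadly.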

Normally as IT we would now say something like "We need encryption", "We must encrypt all of our hard drives!" or "We will deploy BitLocker right now!"  While that's the right plan, the fact is that if we can get the business to buy into deploying BitLocker, getting BitLocker deployed is easier than you think!  How do you get them to buy into it?  Show them the article I reference above, and show them some of the other articles on recent data loss and lost machines.  Heck, show them some of the older NY Times and USA Today articles!  There's plenty of public information describing data loss; just get your facts straight.  Once you gather all of the public data losses, assemble a list of your corporate machines that have already been lost.  If you really feel that your company hasn't lost confidential information, then your company is WAY ahead of the curve, or you are in the dark!  Once you show them the sheer number of data losses every year, show them how many machines within your company have already been lost; AND THEN, when you provide a sampling of the confidential corporate data that is already sitting on some of your company's laptops, you will win them over.  At this stage, this is now a business decision, not a mandate from IT.  Right?  Now they buy into solving the problem, not fighting IT because it's trying to act like Big Brother. 

The Business will recognize the business risk, not the IT risk.  Now we can help the Business recognize the business risk and help them do something about it.  Most IT organizations are losing budget; if IT can help the Business understand the risk, and show the Business an easy way to close this gap, the Business will support the need to protect the data on the laptops.  Now we can let the Business inform the rest of the user community that their data will now be secured, and the Business will help the user community understand the necessity of protecting their data.  It's no longer an issue of budget: the Business will ensure that business-critical initiatives get funded, and you don't have to beg for the money, you just need to put together the deployment plan!

I hope this helps, I'm happy to discuss any part of this discussion if you have any questions.

Until next time!

Rob

OK, so we shipped Hyper-V and everyone cheered...  Right?  Now how do we manage it?  How do we manage more than one Hyper-V server at a time?  How do we remember what that virtual machine we created last week was supposed to do?  How do we maintain a library of standard server images so that we can deploy a server solution faster and consistently?  System Center Virtual Machine Manager (SCVMM) will answer all of these questions, but right now I want you to think back a few years ago...

Remember the server sprawl of 8 or 9 years ago?  Every department in every company had their own "computer expert".  Yes, the company still had an IT group, but each department felt that IT didn't understand their business needs, so they hedged their bet and grew their own "experts" in their department.  During each company re-org, management would try to slowly squeeze out these departmental experts by either absorbing them into IT or by pushing them out of the company.  Part of the problem back then was that these departmental experts were able to purchase their own hardware.  They could order one or two more desktop-class machines than they actually needed, and then they would repurpose these additional machines as departmental servers.  Now each business unit had their own server solutions that were not being managed or updated.  Remember that?  Through these re-orgs, and IT partnering with purchasing and receiving, they were able to intercept these departmental servers and put a stop to the server sprawl issue.  Unfortunately, IT then became known as the department that was better at saying "No" than the department that helped grow the business.  We really blew this one, but it was a tough call for everyone.  How do we secure, manage and protect our infrastructure while supporting business growth?

Step one was to get control of the sprawl; step two was to partner with the business units so that IT could deliver scalable and manageable solutions to meet their needs.  Long story, but the reason I took the stroll down memory lane was to draw the parallel to what virtualization is experiencing now.  Again, departments and their "departmental IT experts" (yes, they are still there) are able to start building departmental server solutions, and they have found another way to avoid IT.  Here we go again...  Right?  How do we "get our arms" around the new virtual server sprawl while continuing to support our business units?

So what's System Center Virtual Machine Manager (SCVMM)?  It's a lot of very good things, but the one thing in my mind that really makes SCVMM worth a look is that we can now identify the other servers within your organization that are hosting virtual machines.  It can identify Hyper-V hosts and Virtual Server 2005 R2 hosts.  Now we can "see" who is creating these solutions and we can "help them" understand how we can partner with them to deploy these new business solutions while maintaining the standard images and the standard processes that continue to support and secure your infrastructure.  SCVMM allows you to manage all of the virtual machines and virtual machine hosts "all together" or "by groups".  I'll go into more detail on SCVMM in the future, but the thought I'd like to leave you with is that SCVMM will help you manage your virtual machine sprawl before it gets out of control.

SCVMM solves so many problems and answers so many questions that it's really worth a good hard look.  We'll dig into more SCVMM detail in the future, but if you're looking for a way to manage more than one server at a time, give it a look.

Until next time!

Rob

Posted by rwagg | with no comments