Tim Long

Forever in Electric Dreams
The life and times of a Small Business Server MVP and all-round technology enthusiast. Tim is founder of TiGra Networks, a company based in South Wales UK specialising in small business IT. This blog is aimed at Microsoft Small Business Specialists, IT professionals, Astronomers and anyone interested in science and technology.

November 2006 - Posts

Farewell, VBScript

(sentiment mine).

With Windows PowerShell finally released, I hope I never have to use VBScript ever again. If you haven't tried Windows PowerShell yet, you have a treat in store for you. Download Windows PowerShell now and say goodbye to those tedious VBScripts. Subscribe to the PowerShell Blog for the latest news and information. There is a handy archive of script examples, including a guide to converting VBScript to PowerShell equivalents.

In case you're in any doubt about the strategic importance of PowerShell, Microsoft is building the administration interfaces for its next-generation server products on it. The administration interface will be implemented as PowerShell Commandlets, with the GUI interface built on top of that in MMC. The first of these will be Exchange Server 2007, which will ship any day now. Microsoft is putting PowerShell technology at the heart of its platform.

At last, a sensible alternative to VBScript.

(see also: More Power to your Shell)

Pirated software - what's the risk?

In a post on the Windows Genuine Advantage blog, there is a graphic and conclusive example of what can happen when you obtain 'hacked' software. Be sure to watch the video - if it doesn't play on the first attempt, click the video control then refresh the page and try again.

A high proportion of hacked software conceals a malicious payload of some sort. Don't go there!

Ban on MP3 transmitters is lifted
A bit of good news for UK gadget freaks who like listening to podcasts while in the car. MP3 players will soon be allowed to broadcast on FM channels for a wireless connection to your in-car stereo. This technology has been available for ages in America but here in the UK it has been illegal until now.
Posted: Nov 24 2006, 05:05 AM by Tim Long | with no comments
SBS with ISA vs. Hardware Firewall

A discussion that comes up over and over again on the IT Pro newsgroups is whether a hardware firewall device is better than ISA Server, or whether ISA Server is good enough on its own or needs to be backed up by a piece of hardware. Considering the difference in cost between Small Business Server standard edition (which does not include ISA Server) and SBS Premium Edition (which includes ISA and SQL Server), small business users are getting ISA for maybe a hundred pounds or so. What kind of firewall appliance can you buy for that? I was reading an entry on Kim Cameron's Identity Blog where he refers to the following quote by Bill Barnes:

And Information Cards have it worse. They’re not just new, they’re different, and different is harder. You don’t just have to learn, you have to unlearn. This helps explain why security experts often take the longest to grasp what we’re doing – we’re forcing them to go back to first principles, and for many of them that’s a long way back.

I suddenly had an 'ah-ha' moment. I've never understood why people think that a hardware firewall out on the end of a piece of wire is more secure than ISA Server (i.e. SBS Premium with a 2-NIC configuration). It seems to me that this approach to security relies on the distance from the server and/or making a smaller aperture through which undesirable traffic can enter the network. The latter certainly helps to catch the most blatant attacks but the fact is most attack vectors these days involve attacking an application that would otherwise be considered legitimate traffic. For me, the concept of an impenetrable wall into which holes are poked at strategic places is long outdated.

I suspect the reason people don't care to rely on ISA Server is because tradition is hard to forget; they don't really understand its true potential. A firewall works thus; ISA Server is a firewall; therefore, ISA Server works thus.

Well, ISA Server is so much more than just a firewall. Aside from all the benefits of the monitoring and reporting, there is the ability to perform deep inspection of application layer protocols. A perfect example was when the VML vulnerability was discovered a little while back. I was able to configure ISA to look inside those HTTP packets (which a "normal" firewall would pass through) and detect when VML was being used and reject just those packets. ISA allows a very forensic approach to controlling what comes in and out of the network. Like Bill says, ISA Server is not new, it is different. I think understanding this power requires one to un-learn how a firewall is supposed to work.

I'm nailing my colours to the mast. I have used ISA for about 6 years and in that time I have come to love and trust it. And when did you ever see a hardware firewall produce a report like this?

Maybe I'm wide of the mark - what do YOU think?

 

 

Windows SharePoint Services 3.0 available

Hot news - Windows SharePoint Services 3.0 is available for download (news broken by Wayne Small on his SBS-FAQ site a few hours ago) and also by Susan Bradley. TiGra Networks has an intranet site up and running and I'm extremely pleased with how well the install went - much easier than the Beta 2 version. Everything worked flawlessly. Nice one, Microsoft. I'm looking forward to tinkering with all the new features, like workflow, RSS feeds, blogs and Wikis, to name but a few.

Wayne links to a paper explaining how to install WSS 3.0 on a Small Business Server to run side-by-side with the existing Companyweb site (upgrading the SBS Companyweb is not supported and breaks some of the SBS administration tools).

I chose not to install on my small business server, mainly for performance reasons but I also wanted to maintain the SBS server in as clean a condition as possible. These days whenever practical, I try to install new technology on a virtual machine. So here's what my installation looks like:

This is not the simplest of installation scenarios (installing stand-alone on the Small Business Server would be much simpler) but I try to use my Virtual Server to keep different applications isolated. The SQL Server in this diagram also hosts my CRM database and my Community Server database (i.e. this content) plus a few other things, so it does take quite a load off my ageing Small Business Server and of course I can easily move virtual machines to new hardware with absolutely minimal disruption.

More Power to your Shell

Vijay from iQubed has blogged about the new Windows PowerShell ('WSH'). The point he makes is that Microsoft has always accused Linux of being 'difficult to manage' because of its command line driven interface and now, suddenly when Windows finally gets a decent command line shell, it's the best thing since sliced bread.

To be fair, Vijay, I really think you might want to spend some time with WSH before you compare it to the various flavours of Linux shell. Windows PowerShell is a long way ahead of traditional text-based shells such as csh, ksh and so on. The important difference is that Windows PowerShell operates fundamentally on .Net objects, not text. In traditional shells, a lot of the complexity was around getting things into the right format, passing the data along a pipe from one command to the next in text format. The things we need to manage on our computers are pieces of software composed of components and objects. WSH deals with these objects directly, passing objects (not text) along the pipeline. The results are not converted into text unless they actually need to be displayed. Dealing directly with objects is a very powerful concept and gives you the full power of the .Net framework at your command. The power is not immediately obvious because WSH's command line interface belies its true abilities for managing, configuring and automating things.

So why does this make for increased productivity? Consider Exchange 2007. Like all software, Exchange consists of a collection of objects and interfaces. These objects can be directly manipulated by WSH – Exchange 2007 can be completely configured by WSH on the command line. Exchange also has a graphical user interface built on Microsoft Management Console. Anything that can be done in the GUI can also be done in WSH. Previously, the MMC snap-in would communicate directly with the software being configured, but in Exchange 2007, things are different. The GUI, instead of talking directly to Exchange, actually generates a WSH script, which WSH then executes, and you can watch it doing this. That script can be captured, saved and edited for later use in similar situations and applied on many computers or across the entire enterprise! Administrators can try things out in the GUI, which writes a script for them that they can save and adapt.

Microsoft to cripple Windows installations that fail WGA?

In my post Software Piracy: Carrot or Stick? a few days ago I discussed the ways that Microsoft is tackling counterfeit and improperly licensed versions of its products. I was in a sales & marketing session at Microsoft's UK headquarters today where WGA and related matters were discussed in relation to the launch of Windows Vista. It was suggested that over time, Microsoft would begin to disable some features of Windows installations that fail WGA validation in an attempt to widen the differentiation between legitimate and illegitimate installations. It appears that this will get easier for Microsoft to do in the Windows Vista era, because all Vista installs are a full install of everything, but the correct licence key is required to unlock the chosen feature set. I'm not certain I understood this point correctly and perhaps a Microsoft person would care to drop a comment here to clarify - but the understanding I have is that Microsoft would begin to actively disable features in illegitimate installations.

I welcome this increased incentive for users to get and stay legitimate, but I believe that Microsoft needs to take care not to make the stick too big. The current approach of continually offering a bigger carrot seems to work well and doesn't damage Microsoft's reputation. If the emphasis begins to shift towards punishing the offenders rather than rewarding the legitimate users, I think no-one will come out of that better off. As someone who makes (a little) money from selling software, I do not condone software piracy in any way. However, I also believe that a pirated copy is not necessarily a lost sale and in some cases can be a useful bit of free marketing. If Microsoft starts to break installed copies, then I think that will only have a negative impact on the reputation of Microsoft and Windows.

I like the current "softly softly" approach to tackling software piracy. What worries me far more is that you can buy an OEM version of Windows over the counter or online, which results in well-intentioned users purchasing invalid licenses from resellers who just don't care.

 

Small Business partners keeping Microsoft honest

There's a lively debate going on in the small business community in response to the Exchange/Vista/Office launch. Vijay and Susanne in particular have been letting Microsoft know exactly what they think and Dave Overton has stepped up to the plate to engage in the conversation. I really like to see this sort of conversation happening because I think it is a credit to everyone. Small business partners are standing up to Microsoft and letting them have it 'between the eyes'. On the other hand, it's good that someone from Microsoft is prepared to engage with us in this way to have the debate.

The reality is that small businesses don't like spending their money. I am going to a customer this afternoon that still has Windows 2000 and Office 2000 on some of their PCs and at least one of their computers is failing WGA because it's been purchased with XP Home and badly upgraded to XP Pro. This is what small businesses do, because they don't know any better. The truth is: what they have is good enough for what they need. They will likely upgrade when the computer dies and they buy a new one loaded with all the new OEM versions. This is how small businesses evolve. I can tell them until I'm blue in the face how wonderful Office 2007 is, but until Office 2000 fails to do what they need, they'll keep using it.

The trick is to get partners involved with these customers at an earlier stage. In order to do that, Microsoft has to start telling small businesses about us - the SBSC qualified partners, from the very first opportunity when the customer buys a retail product. Instead of making gimmicky leaflets on how to install small business server in 12 clicks (I'm paraphrasing) start doing what you promised us when you set up the SBSC programme. Start telling customers about Small Business Specialists. Start putting the blue logo on business related applications, desktop and server OSes and in particular, Windows Small Business Server. Give us a special package that we can market to our customers as Small Business Specialists. Stop high-street names like PC World, Insight Direct and eBuyer from selling OEM and educational versions at knock down prices. Go after the eBay traders who are blatantly flouting the license agreements. Encourage customers to come to us for advice on how to do IT the right way. That way, we can get a foot in the door much sooner, before bad habits have a chance to develop. We can get them on to volume licensing instead of letting them fall into the OEM trap. If you really want your small business partners to begin making a difference, then give us what you promised instead of recycling the same old marketing bullshit.

Blog by email

I’ve just found this great new service, called BlogMailr, that lets you submit blog posts using email. The service was cryptically announced by Rob Howard of Telligent Systems on his blog. The service is currently in beta. This is my first test post using the service. I’m writing the post in Outlook 2007 as an email. I’ll bet the picture doesn’t make it though ;-)

 

This is a great addition to the array of blog tools already available. What I’m really looking forward to though, is a tool that lets me post to my forums by email. Then, when that happens, there will be no reason to use Yahoo Groups any more. No-one really likes Yahoo Groups but there’s no real alternative at the moment.

 

 

Best regards,

 

Tim Long

Owner & Technology Consultant

TiGra Networks - The Small Business IT Specialists

01443 208678 | www.tigranetworks.co.uk

 

Home and Business Users Alike Need Good Security Practices

 

Most computer users - particularly home users but even many business users - log into their computer with Administrative rights. In the case of home users, often no passwords are used and family members may all share the same default login account. While it seems like an easy option, this is an ill-advised way of working.

In today's episode of the BBC's technology magazine 'Click', Rob Freeman has an interesting, easily digestible story on why you should use a separate limited user account for each person who uses your computer. This will be particularly interesting to home users but is also useful for business users who wonder why it is necessary to have individual logins at all. The crux of Rob's article is this:

Limited users can surf the web, they can send and receive email, they can run most software which has been installed on a computer. But they cannot change important system settings or install most software programs.

This is the important bit: if a limited user cannot do those things then a virus, or Trojan, or any other nasty bit of software that gets onto your computer, cannot do them either.

I've seen small businesses in which everyone knows each other's login details and they regularly log in to each other's computers. The understanding of what user accounts are for gets lost and people generally think that a login belongs to a computer, not a person. People mistakenly think that to access another person's files, you need their login details.

The truth is (as we IT professionals have always known) that a login belongs to an individual and they should always use their own login and should never share it with anyone. This ensures accurate auditing and that everyone gets appropriate permissions.

Does this describe your small business? Do you and your workers share each other's login details to accomplish daily tasks? If so, then perhaps you should take a look at why people need to do this. It is insecure, destroys your audit trail and engenders an environment where security is generally overlooked. As a business storing data about your own business, employees, customers and suppliers, security should never be overlooked. Consider having your security reviewed by a professional (such as TiGra Networks) and putting in place a policy that describes appropriate use of login credentials, minimum password requirements and how often they should be changed. If you don't have a network server, then you should let us show you the benefits of Microsoft Windows Small Business Server 2003, which solves many of a small business' IT problems at a stroke. In particular, it will allow you to set up a secure computing environment while enhancing your ability to share information and work together as a team.
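The review suggested in this post can start with the object pipeline described in "More Power to your Shell" above. The following is an added example, not part of the original post: it assumes Windows PowerShell 5.1 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets) in an elevated session, and both the helper name `Get-LocalAccountAudit` and the 90-day threshold are illustrative assumptions.

```powershell
# Added example: audit local accounts against the practices described above.
# Get-LocalAccountAudit is a hypothetical helper name, not a built-in cmdlet.
function Get-LocalAccountAudit {
    [CmdletBinding()]
    param(
        # Assumed policy value: flag passwords older than this many days.
        [int]$MaxPasswordAgeDays = 90
    )

    # Resolve the built-in Administrators group by its well-known SID so the
    # check also works on Windows installs where the group name is localised.
    # Note: members of nested groups are not expanded here.
    $adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        ForEach-Object { $_.SID.Value }

    $now = Get-Date

    # Each LocalUser object travels down the pipeline with typed properties
    # (booleans, DateTime values); nothing is parsed out of text columns.
    Get-LocalUser |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            # PasswordLastSet is empty for accounts that never had a password set.
            $age = if ($_.PasswordLastSet) {
                [int]($now - $_.PasswordLastSet).TotalDays
            } else {
                $null
            }

            [pscustomobject]@{
                Name             = $_.Name
                IsAdministrator  = $adminSids -contains $_.SID.Value
                PasswordRequired = $_.PasswordRequired
                PasswordAgeDays  = $age
                PasswordStale    = ($null -ne $age) -and ($age -gt $MaxPasswordAgeDays)
                LastLogon        = $_.LastLogon
            }
        }
}

# Accounts worth reviewing: administrative rights, no password required,
# or a password older than the assumed policy allows.
Get-LocalAccountAudit |
    Where-Object { $_.IsAdministrator -or -not $_.PasswordRequired -or $_.PasswordStale } |
    Sort-Object Name |
    Format-Table -AutoSize
```

On a shared PC, every everyday login that appears with `IsAdministrator` set to `True` is a candidate for conversion to a limited account, with one separate administrative account kept for installs and system changes.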

Software Piracy: Carrot or Stick?

I've long held the belief that a pirated copy of software is not necessarily a lost sale. In many cases, it is actually an opportunity for some free marketing. Many software companies are too quick to equate software piracy with lost sales and get caught up in elaborate software protection schemes. In fact, I think this extends into the world of entertainment - just look at the mess Sony got themselves into with XCP copy protection! (See Mark Russinovich's blog for the gory details). What companies fail to realise is that no technology is proof against tampering. If a human being can make it, a human being can break it. Like a lock, software protection keeps honest people honest, but it will not keep out a crook. Many companies put so much effort into protecting their intellectual property that they cause considerable inconvenience to their honest legitimate customers. When that happens, both the company's reputation and the end user's rights are damaged.

The way to avoid pirated software is to make it really desirable for your genuine customers to own legitimate product. In the past, one way this has been achieved was by having top quality printed documentation that was just too much trouble to copy. Nowadays hardly anyone supplies printed manuals anymore, so that incentive is all but gone. At the moment, I think the one company that is getting this balance right is our beloved Microsoft. Since introducing Windows Genuine Advantage, Microsoft has effectively denied users of pirated versions access to security updates and free add-ons. Recent examples of major free upgrades to Windows XP are Internet Explorer 7, Windows Media Player 11 and Windows Defender, all of which require the user to validate their copy of Windows before they are allowed to download or install the software. Meanwhile, users of non-kosher copies are gently prompted to purchase an upgrade kit while the software continues to run. I believe that Microsoft has got it right on this one. They use a very large carrot in combination with a very small stick. Genuine users are never inconvenienced and feel that they are getting benefits from having properly licensed software, while the "bad guys" are left out in the cold, denied access to all the goodies but gently reminded that they can come back from the Dark Side and all will be forgiven. Microsoft uses all the illegal copies of Windows out there, in effect, as a vehicle to market genuine Windows.

One area I think Microsoft is too soft is where retail outlets blatantly flout the licensing rules - for example, it's not difficult to find educational licenses or OEM versions of Windows XP for sale at knock-down prices. The rules for OEM versions, for example, state that OEM versions of Windows may only be sold pre-installed on a fully assembled computer system, so clearly it should not be possible to buy OEM versions over the counter. Microsoft seems happy to allow this to carry on but it's to the ultimate detriment of end users, who just don't understand or care about the licensing implications until it comes back to bite them later. Neither do the retailers make any attempt to point this out to purchasers. To most people, owning a CD-ROM is the same as owning the software. Just as when you buy a spanner from the DIY shop, you can use that spanner to work on multiple projects and to do up as many nuts and bolts as you like, end users tend to think that once they bought the software, it is theirs to do with as they please. Unless a new more palatable way can be found to sell software to end users, I think Microsoft, particularly in the UK, needs to be much more aggressive about shutting down sellers of incorrectly licensed product. While these activities are tolerated, the incentive to go legal is diminished, both for the end user and for Microsoft's partners.

Proliferation of SQL instances

A lot of application software these days is taking the easy option of installing a new SQL Express (formerly MSDE) instance. At one point, I had 7 SQL instances on my Small Business Server in addition to the SQL Server that's included in the premium edition. There was SharePoint, Veritas Backup Exec, Firewall Dashboard, SBS Monitoring, ISA logging and a few others. Now there's Small Business Accounting and I have to choose between bogging down my workstation with an extra SQL instance or adding another instance to the server. It's just not funny how much resource that can consume just to keep those instances loaded and doing nothing. Now that I've bitten the bullet and made a clean install of SBS R2, I have a policy of moving databases onto a second server dedicated to hosting SQL Server (in fact it's a virtual machine). SBS R2 lets me do that without having to buy any additional CALs and it's a load off my aging server hardware. Some applications are making it really hard, though.

I can understand why software developers want to dedicate a SQL instance to their software – it provides isolation from other applications and makes for a clean deployment scenario. However, I'm not convinced that's what is best for customers. We've invested in SQL servers, so that our databases are consolidated on a server where they belong and we don't have to eat up the resources on our workstations and small business servers. What's the point of a dedicated SQL server if every application we install also installs its own SQL Express instance locally on the workstation? At least give us the option of installing our databases on our servers, where we'd like them. Don't force us to use yet another SQL instance just because it suits you. Let us make the decision.

IE7 and Microsoft India

I've just had a bad experience with Internet Explorer 7 and I've learned a number of important things in the process of resolving it. My IE7 problem left my primary workstation unusable so I invoked my Business Critical Phone Support, which I am entitled to as a Small Business Specialist, on my own behalf. This is really designed for IT professionals to have top quality support backup in case one of their customers has a support incident that significantly affects their business productivity or output. It isn't clear whether this support extends to problems on our own systems or only to those of our customers. Arguably, I am my own best/worst customer and I always 'dogfood' new products on myself. Well, it turns out that Microsoft does extend BCP support to my own systems. That's the first important thing: Small Business Specialists can use BCP support for themselves as well as clients.

The next thing is what happens once you call support. There has been a lot of negativity expressed around the fact that Microsoft's first line support is handled from call centres in India, so when my call was answered by a lady called Kamini with an Indian accent, I got that sinking feeling in my stomach. However, my expectations were exceeded. Kamini was very professional, smart, courteous and worked methodically through my problem to a successful resolution. No escalation necessary, no complaints here at all. In fact I was so delighted that I asked to speak to her manager and gave her very positive feedback. Also, only now after the event, I've realised that I didn't have to wait at all. My call was put straight through with no delay whatsoever. So I'm left wondering why there is all this negativity about Indian call centres. Sometimes the Indian accent can be a little difficult to understand, but with a little patience and a few repetitions, it's really not a big deal. I wonder if most of the negativity really derives from a preconception that the service is going to be bad. Susan B just blogged on a similar theme about having the right attitude when calling support. It can be frustrating if you let it, but a little patience gets you a long way quickly.

So what's up with IE7? Well, 3 out of 4 systems I've installed it on have not survived the process.

  1. Manual download and install over IE6, on my Acer tablet PC. This worked fine.
  2. Manual download and install over IE6, on a newly-imaged Acer Travelmate laptop, this appeared to work but an hour later the system blue-screened and never recovered. This could be a case of 'post hoc ergo propter hoc' so we'll have to give IE7 the benefit of the doubt on this one.
  3. Manual download and install over IE6, on a desktop PC on my SBS domain. Computer failed to reboot after installation, blue screen with 'checksum' error on several of the system DLLs. I was able to recover this system by copying older versions of the DLLs from the original installation CD. Once I had a bootable system I was able to ignore all the errors and use System Restore to roll back. I used System File Checker to make sure everything was as it should be, then re-applied XP SP2 and finally re-installed IE7. Problem resolved, but after much grief and a few hours.
  4. My primary workstation on my SBS domain was running IE7 RC2 then it received IE7 from WSUS (I had approved it for installation - big mistake!). Woke up this morning to find my screen showing the wallpaper and nothing else. Could only use task manager to cause a reboot. On rebooting, the system would get to the login screen and allow me to log in, then complain about missing DLLs (iertutil.dll and newdev.dll are two that come to mind). No desktop, no start button, no Windows Explorer. Any attempt to launch programs results in "DLL not found" type messages. We eventually found a way to uninstall IE7 and functionality was restored, including the missing DLLs, which begs the question: Why were those DLLs removed? Why, when the system was already running IE7 RC2 quite happily, did the RTM update from WSUS comprehensively break the system?

One thing that Microsoft recommends is to turn off any antivirus or antispyware products when installing IE7. I don't think that was the issue here, because I'm running Windows Defender and currently no antivirus software on this particular workstation. However, that recommendation doesn't sit very well with the concept of Automatic Updates. If the update comes from WSUS and gets installed automatically, there's no easy way to turn off any antivirus software during the install. I'll bet a lot of people are going to run into this sort of problem with automatic WSUS installs.

As a result of my experiences to date, I'm advising my customers to hold off installing IE7 until I can get a better handle on these install issues I'm seeing. I will not be approving the update on their WSUS servers for the time being. I need to see a few successful installs and see how others are getting on with it.

Posted: Nov 02 2006, 03:17 PM by Tim Long | with 5 comment(s)
Bellagio, eat your heart out!

I've just seen this video that really rivals the display at Bellagio on the Las Vegas Strip and uses no electricity!

http://video.google.com/videoplay?docid=-274981837129821058

This has to be the most wonderful and spectacular waste of time I have seen for ages. Well done lads.

Posted: Nov 01 2006, 08:46 PM by Tim Long | with 1 comment(s)