There are any number of reasons why a company would choose to upgrade their environment to Windows 2003 and Active Directory. The reasons I hear most often are "Our Windows NT4 domain is no longer supported" and "We have Netware running on a load of old servers, we're buying new HP servers and we got a licensing deal where the new Microsoft Server OS is virtually free".
Notwithstanding the validity of either argument, they both miss the point - actually several points. Purists will tell you to pick a new Infrastructure Operating System by checklisting your requirements and comparing them to the available offerings. However, for the purposes of this argument I am only interested in the REAL benefit of an OS - integration with external systems.
I find it eternally odd that the biggest single benefit Windows 2003 Active Directory (or indeed any Directory Services based authentication provider) offers to the company implementing it is almost entirely ignored by the vast majority of clients, despite my best efforts! It strikes me that the eminent marketing department at Microsoft has missed a trick here - here's what and why...
Single List
For years prior to Windows 2000, IT Departments have been plagued by dozens of lists of users and machines in different places, managed by different people and with wildly varying levels of accuracy. The holy grail of management in an integrated IT estate is the Single List. The telephone list, the swipe card list, intranet access, payroll, the HR database and a bunch of others are all out there and are all maintained by separate departments in different ways. Windows 2000 and Active Directory gave us the ability to bring them all together and Windows 2003 does it even better.
Consider this scenario:
A new employee signs their contract and returns it. The HR Department enters a new record in their database and at preset time(s), a feed is brought into the Active Directory. The new staff member's User Account is created (disabled until start date) with a random password, and non-confidential data about that user is used to populate some of the attributes of the new account. Because the employee's manager (and therefore department) is known, the User account gets a default set of groups that grant access and automatically map drives and printers at first logon. The Manager has delegated access to unlock accounts and reset passwords for his staff, so there is no need to call the helpdesk to get the account activated on the day. A new mailbox is created and several new emails automatically appear in the inbox, welcoming the new employee to the company and providing links to corporate policies, the intranet, instructions for their voicemail, and perhaps an invite to the next social event planned by that department. Before the employee starts, automatically generated email was sent to the IT and Comms departments and Office Services, who ensured a mobile phone, computer, desk and chair were provided in the correct department and assigned a desktop phone and number. The new mobile and landline numbers were automatically entered into the Active Directory so that when the user logs their first case with the helpdesk, they can tell straight away who the user works for and how they can be contacted. More importantly, the helpdesk are able to verify the identity of the caller, by speaking to their manager or asking for the answers to security questions posed during induction and also stored in the Active Directory database.
This is referred to as provisioning, and properly designed and implemented will yield huge savings for your client.
The potential for this type of system is exceptional. Not only can we "provision in" new employees, but we can "provision out" leavers, automatically. The system can handle contractors, and because its root is Active Directory, we can also have PC assets and software licenses directly assigned to users - all automatically. Other, less obvious benefits can be provided to make the best use of the single list technology.
Simply by populating the manager attribute and then delegating access to managers and deputies to reset passwords and unlock accounts for the staff they manage, you can reduce your helpdesk calls by as much as 30% and remove the problem of having to identify a user who calls for a password reset/unlock. Password self-service portals now integrate with the GINA on Windows XP and provide a handy button on the logon screen that allows users to sort their own logon problems.
Users that do not log in for a period of time or have their corresponding employee payroll records de-activated can be automatically disabled and their data archived to secure storage. These same users will have their SMTP email addresses removed and their entries hidden from the global address list - thus ensuring their old mailboxes do not fill with unwanted or irrelevant email. The same principle can be applied to computer accounts as well.
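The lifecycle just described (create disabled, enable on the start date, keep the manager attribute current, disable leavers and idle accounts, strip SMTP addresses and hide from the address list) is essentially a reconciliation job between the HR feed and the directory. The following is an added example written for this page, not the author's provisioning code and not an ADSI script: it models the HR feed and the directory as plain Python data so the rules can be run and checked offline. The 90-day inactivity limit, the employee ids, the example.invalid mail domain and the field names are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)  # assumed policy value, not taken from the article


@dataclass
class HrRecord:
    """One row of the HR feed (constructed shape; a real feed will differ)."""
    employee_id: str
    manager_id: Optional[str]
    start_date: date
    leave_date: Optional[date] = None  # set by payroll when the person leaves


@dataclass
class Account:
    """The directory-side view of the same person."""
    employee_id: str
    enabled: bool = False
    disabled_reason: Optional[str] = "pending_start"  # pending_start | inactive | left | None
    last_logon: Optional[date] = None
    manager_id: Optional[str] = None
    smtp_addresses: List[str] = field(default_factory=list)
    hidden_from_gal: bool = False


def reconcile(hr_feed: List[HrRecord], directory: Dict[str, Account],
              today: date) -> List[Tuple[str, str]]:
    """Apply the provisioning rules once; return the (action, employee_id) log."""
    actions: List[Tuple[str, str]] = []
    hr_by_id = {r.employee_id: r for r in hr_feed}

    # Provision in: every HR record without an account gets one, created disabled.
    for rec in hr_feed:
        if rec.employee_id not in directory:
            directory[rec.employee_id] = Account(
                rec.employee_id, manager_id=rec.manager_id,
                smtp_addresses=[f"{rec.employee_id}@example.invalid"])  # constructed domain
            actions.append(("create_disabled", rec.employee_id))

    for emp_id, acct in directory.items():
        rec = hr_by_id.get(emp_id)
        # Provision out: no HR record any more, or the payroll leave date has passed.
        if rec is None or (rec.leave_date is not None and rec.leave_date <= today):
            if acct.disabled_reason != "left":
                acct.enabled = False
                acct.disabled_reason = "left"
                acct.smtp_addresses = []      # stop mail piling up in the old mailbox
                acct.hidden_from_gal = True   # drop the entry from the global address list
                actions.append(("deprovision", emp_id))
            continue
        # Keep the manager attribute current: delegated reset/unlock depends on it.
        if acct.manager_id != rec.manager_id:
            acct.manager_id = rec.manager_id
            actions.append(("update_manager", emp_id))
        # Enable the account once the start date arrives.
        if acct.disabled_reason == "pending_start" and rec.start_date <= today:
            acct.enabled = True
            acct.disabled_reason = None
            actions.append(("enable", emp_id))
        # Disable enabled accounts nobody has used within INACTIVITY_LIMIT.
        if acct.enabled:
            reference = acct.last_logon or rec.start_date
            if today - reference > INACTIVITY_LIMIT:
                acct.enabled = False
                acct.disabled_reason = "inactive"
                actions.append(("disable_inactive", emp_id))
    return actions


def demo():
    """Constructed HR feed and directory; runs the job twice to show it is idempotent."""
    today = date(2005, 8, 30)
    hr_feed = [
        HrRecord("E100", "M1", date(2005, 9, 5)),                      # future starter
        HrRecord("E200", "M1", date(2005, 8, 29)),                     # started yesterday, no account yet
        HrRecord("E300", "M1", date(2005, 1, 10), date(2005, 8, 15)),  # left this month
        HrRecord("E400", "M1", date(2005, 1, 10)),                     # current, but idle since April
        HrRecord("E500", "M2", date(2005, 1, 10)),                     # moved to a new manager
    ]
    directory = {
        "E300": Account("E300", True, None, date(2005, 8, 14), "M1", ["E300@example.invalid"]),
        "E400": Account("E400", True, None, date(2005, 4, 1), "M1", ["E400@example.invalid"]),
        "E500": Account("E500", True, None, date(2005, 8, 28), "M1", ["E500@example.invalid"]),
        "E900": Account("E900", True, None, date(2005, 8, 1), "M1", ["E900@example.invalid"]),  # no HR record
    }
    first = reconcile(hr_feed, directory, today)
    second = reconcile(hr_feed, directory, today)  # a second pass should change nothing
    return first, second, directory


if __name__ == "__main__":
    first_run, second_run, _ = demo()
    for action in first_run:
        print(action)
    print("second run:", second_run)
```

The second pass returning an empty action list is the property to watch for in a real job: the feed is re-imported on a schedule, so every rule must be safe to apply repeatedly, and an account disabled for inactivity must not be re-enabled by the start-date rule on the next run (hence the explicit disabled_reason rather than a bare flag).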
As the system develops, we tie our provisioning architecture in with SMS2003, which provides highly detailed asset tracking and user and computer management. Very quickly we can ascertain which machines are assigned to which users and what software they are using.
By knowing which users use what software, we can reduce your licensing requirements and even realistically move to a utility model for licensing - so that you only ever pay for what you actually use. Accurate budgeting and forecasting for the IT Department becomes a possibility and your staff spend more time on projects to improve services rather than on reactive support and firefighting.
How about a few of the more "open" possibilities:
As soon as a call is raised with the helpdesk, the user is sent a confirmation email that includes a link to a centrally managed FAQ of the most common helpdesk calls. The email may also include a survey to solicit feedback from the user in question as to the quality and relevance of the service they are receiving. Ok, not that useful if the email system is down!
Automatic movement of newly created user and computer accounts to the correct part of the OU Structure, to ensure they receive the correct GPOs.
A single logon/logoff and startup/shutdown script run by every user and every computer that never needs editing and whose functions can be controlled by the helpdesk or even departmental managers. (I will be writing a separate article on this solution in the future). Central control of user paths, drive mappings and printer connections, and the ability to decommission old printer connections from users' machines during logon.
Automated configuration of user and machine settings (such as proxy settings) according to the site at which they are installed to ensure that unnecessary WAN traffic is minimised.
Central storage of all data, with central backup and recovery, with local copies of relevant data at remote sites. The ability for users themselves to restore lost files, or even old versions of files, without recourse to the helpdesk.
Consider these benefits:
Totally automated account lifecycle for User and Computer Accounts through creation, enabling, password reset, disabling and eventual deletion. Automated management of associated data until eventual movement to archive storage.
Improved security as a result of automatic disabling of user and computer accounts that have not been used for a pre-defined period.
Improved security by virtue of timely deployment of security patches for Windows, Office, SQL, Exchange, etc.
Assignment of software to a user account by virtue of their membership of a group. Software delivery can therefore be managed by the helpdesk, and as each user account has its associated manager attribute populated, the department can be sent a list of who is using what software and what it is costing. If your firm is still using a cross-charging model, you can present bills or simply justify your budgets more easily next time around.
Accurate information on licenses and assets that includes versions and specifications. This will allow you to run a report that tells you "what computers will need replacing/upgrading next year" or "which users have PowerPoint installed, but never use it". The finance department will love the fact that they can now accurately match a computer to a serial number and purchase date.
Up to 30% reduction in calls to the helpdesk as a result of delegating password reset/unlock to the users' manager or providing a password self-service portal. A further 10% reduction in calls by virtue of accounts being created, disabled and deleted automatically. However, some of this capacity is used providing better-quality helpdesk services and verification of callers.
No more housekeeping to disable users or archive their data as this is all done for you. A periodic clearout of old and disabled users and their mailboxes can also be automated to predefined rules.
Reduced application development time as developers can use the Active Directory as the security provider. Users benefit from single sign-on of the new application and the access levels can be modified by the support teams or even controlling managers, without needing any knowledge of the application internals.
Systems Integration on this scale is not a simple task and makes use of a number of additional technologies not typically associated with Active Directory Design: SMS2003, VBScript, Transact SQL, Databases, ADAM, MIIS, Identity Management, WMI and ADSI are all necessary skills to do the job properly. While undoubtedly complex to implement, a well designed and well integrated infrastructure will leverage single-list and single sign-on, and create sizeable savings for your organisation.
Now, you really are doing more, with less.
Tuesday, 30 Aug 2005
Tuesday, 16 Aug 2005
..."I think the GUI on Cisco Works 2000 allows you to right-click and disable a network port", said I, suggesting that unused network ports should be disabled as a security measure.
"Yeah" said the manager of the Server Support Team (somewhat sardonically). "I think the GUI for that looks just like Solitaire".
Quality!
Thursday, 11 Aug 2005
This text was taken from a presentation given by Stirling Goetz of Microsoft.
Between July 1 and December 31, 2004, observed bot network computers actively scanning declined from a peak of over 30,000 per day in late July to below 5,000 per day by the end of the year. The bulk of this decrease occurred in mid-August with a significant drop on August 19. The timing of this drop corresponds closely with the availability of Windows XP Service Pack 2. It is reasonable to assume that this service pack is responsible, along with other mitigation measures, for the decline in identified bot network computers.
I offer these extracts as they are some of the most important published findings concerning malware I have seen.
Throughout 2004, Win32 virus and worm variants showed a significant increase in volume. Between July 1 and December 31, 2004, Symantec documented more than 7,360 new Win32 viruses and worms. This is an increase of 64% over the 4,496 reported in the first half of the year, and 332% over the 1,702 documented in the second half of 2003. As of December 31, 2004, the total number of Win32 variants was approaching 17,500. They are now more common than script- and macro-based threats combined.
Bots are prolific, Earthlink (a hosting company) claims 20% of machines have bots and/or spy-ware. Bots are sending 66% of all SPAM traffic on the Internet. These networks are rented to spammers to provide mass mailing and anonymity. Some versions include scanners for SSNs and credit card information to steal identities. These networks are used by organised crime to sustain distributed denial of service attacks (DDoS) to extort money out of internet merchants.
Threats with the potential to expose confidential information have continued to increase over the past three reporting periods. Between July 1 and December 31, 2004, malicious code that exposed confidential information represented 54% of the top 50 malicious code samples received by Symantec, up from 44% in the first half of 2004, and 36% in the second half of 2003.
Disgruntled employees account for 50% of the reported computer crimes dealt with by the MET police.
Today I attended another excellent Technet briefing at Microsoft in Reading (UK). If you haven't signed up for one of these already then do so here: http://www.microsoft.com/uk/technet/training/events.mspx
The quality of the information is excellent, the speakers are highly respected in their fields and you get a free lunch. Oh, and the seminar is free too. Frankly, there is no downside and no excuse for not attending. I try and go to one every 6 weeks or so and it's by far the best way to get that obscure information that Microsoft is not always the best at communicating to us through the other channels.
In a Technical Architect role the obscure stuff is what makes a good infrastructure design into a great infrastructure design.
This seminar was about security, and predominantly focussed on authentication of users and machines based on quarantine criteria or service requested. The day was split as follows:
Network Security (Presented by Stirling Goetz)
This covered IPSec, VPNs, RADIUS, Wireless Security, Quarantine and how Microsoft enforce patch levels on their internal systems. Some statistics on Microsoft's own RAS solution are below:

Unfortunately, not all of the solution is fully in the public domain as Microsoft's own internal IT department developed part of the solution internally.
The seminar then moved on towards Application Layer Firewalling (layer 7 in the OSI Model) and was given by an emphatic Sam Hammami whose style was entertaining and forthright in the extreme! (while remaining informative and useful). This presentation was focussed on the fact that a firewall operating at port and packet level (layer 4 in the OSI model) is useless for protecting a network when the port does not dictate the traffic passing through it. In other words port 80 is not exclusively used for http traffic.
What this should be telling all of us is that the idea of a network perimeter stopping at the internet is now patently ridiculous. The perimeter of our network is now wherever services are provided, inbound (SSL, HTTP, VPN, etc) AND outbound (trojan, netcat, HTTPTunnel).
The presentation introduced ISA2004 as an application layer firewall, such that rules are configured for the TYPE of traffic being passed, not just its source and destination ports. Interestingly enough this takes the firewall away from the networks team and puts it firmly in the purview of the server team at a given organisation - and hence makes a singularly valuable case for amalgamating both teams into one and calling it "Service Provision". Oh dear, this is starting to look a bit like the ITIL model.
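To make the "port 80 is not exclusively HTTP" point concrete, here is an added example written for this page (not ISA2004 code, not the presenter's material): a minimal application-layer classifier that looks at the first bytes of a TCP payload rather than the port number, and a policy table stating which protocol each port is allowed to carry. The sample payloads, the policy table and the port numbers are constructed for the illustration; a real application-layer firewall decodes the whole protocol statefully, this only demonstrates the principle.

```python
import re
from typing import List, Tuple

# RFC 7230 request line: method SP request-target SP HTTP-version CRLF.
# Only the standard methods are accepted, so arbitrary text that happens to
# start with letters is not mistaken for HTTP.
_HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH")
_REQUEST_LINE = re.compile(rb"^(" + b"|".join(_HTTP_METHODS) + rb") [^ \r\n]+ HTTP/1\.[01]\r\n")

# Assumed policy: which application protocols each port may carry.
# Anything not listed is denied by default.
POLICY = {80: {"http"}, 443: {"tls"}}


def classify(payload: bytes) -> str:
    """Name the application protocol from the opening bytes of a connection."""
    m = _REQUEST_LINE.match(payload)
    if m:
        # CONNECT asks the far end to open a tunnel, so it is reported separately.
        return "http-connect" if m.group(1) == b"CONNECT" else "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 3, minor 0-4.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    return "unknown"


def decide(port: int, payload: bytes) -> Tuple[str, str]:
    """Return (protocol, verdict): allow only when the protocol matches the port's policy."""
    proto = classify(payload)
    allowed = POLICY.get(port)
    if allowed is None:
        return proto, "deny"
    return proto, "allow" if proto in allowed else "deny"


# Constructed sample connections: (destination port, first bytes sent by the client).
SAMPLES: List[Tuple[int, bytes]] = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    (80, b"CONNECT mail.example.invalid:25 HTTP/1.1\r\n\r\n"),   # tunnel request over 80
    (80, b"SSH-2.0-OpenSSH_3.9p1\r\n"),                           # SSH on the web port
    (80, b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01"),         # TLS ClientHello on 80
    (443, b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01"),        # TLS ClientHello on 443
    (80, b"220 mail.example.invalid ESMTP ready\r\n"),            # something else entirely
]


def run_samples() -> List[Tuple[int, str, str]]:
    """Classify every sample and return (port, protocol, verdict) rows."""
    return [(port, *decide(port, payload)) for port, payload in SAMPLES]


if __name__ == "__main__":
    for port, proto, verdict in run_samples():
        print(f"tcp/{port:<4} {proto:<13} {verdict}")
```

A layer-4 rule "allow tcp/80" would have passed all five port-80 samples; the classifier passes only the one that is actually HTTP, and flags the CONNECT tunnel separately so that a policy can treat it differently from ordinary requests. The same check applied to outbound connections is what catches the tunnelling tools mentioned above: the port looks like web browsing, the payload does not.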
The seminar moved from there to an overview of PKI, which was necessarily brief and provided only the most basic information due to time constraints. More technical detail would have been nice given that we are supposed to be an audience looking to deploy this stuff into our clients.
From here the seminar moved into patch management and covered WSUS and MBSA v2. Again the content was short on SMS2003 and seemed to have been targeted at the SME service providers, rather than the medium to large enterprises that a Technical Architect will typically deal with. It is nice to see Microsoft taking more notice of the SME market, but in my opinion less time could have been spent on WSUS and more on the new patch management feature of SMS2003, which would have been more useful.
Nevertheless, despite the minor shortcomings of the day I consider it to be a completely worthwhile exercise and I look forward to seeing these presenters again.
Monday, 8 Aug 2005
The Australian Pink Floyd Show/Experience are an Aussie Pink Floyd Tribute Band. A tribute band is a funny thing as to progress in any real way they must utterly forego any kind of independent glory and tie themselves totally to the original. For the fan, it is also pretty strange as you feel almost like you're having an affair just by going to see a facsimile - no matter how much you hear the word "tribute", it still seems somehow a guilty secret.
Anyhow, regardless of that I see why now. The idea being to get as close to the original as possible (without breaking the copyrights!) and OMG do they succeed!
I was too young to get off Guernsey and see the real thing when they were touring, so getting to see the Aussie version was frankly brilliant. All the songs are virtually perfect and most are so good, it is impossible to tell them from recorded live versions of Pink Floyd themselves. The lights and stage show, while perhaps done on a lower budget, are right there in terms of design and effect and anyone who saw Delicate Sound of Thunder live will know exactly what I mean. The track "One of These Days" is one of the best live tracks from any band and the Aussies reproduced it perfectly. The audience loved it and the foot-tapping inflatable Kangaroo (in place of the Pig, you understand!) was a top touch!
Much of the expected repertoire was there and in a 2 hour show, there was plenty to hear. There was a little early stuff for the copious quantities of ex-hippies and potheads, but most of the show was taken from the Wall, Delicate Sound of Thunder (itself a live album) and of course Dark Side of the Moon. Some bits of Division Bell were thrown in for good measure and the overall effect was fantastic. Personally, I would have liked to hear their renditions of "Dogs of War", but "Learning to Fly" was there, so "Momentary Lapse of Reason" was covered nicely!
With such an extensive back catalog of material to cover and the fan base never sure what to make of the tracks after Roger Waters there was a lot for all fans and all bases were covered.
I had a top time and the venue was brilliant too (Royal Albert Hall). I recommend The Australian Pink Floyd Show to everyone!
Thursday, 4 Aug 2005
For the purposes of this text, we define Spyware as any item of software that installs itself silently, or that you wouldn't want if someone explained what it does in detail. This of course includes General Malware, Keyloggers, Adware, Trojans and other unwanted hitchhikers on your computer. Viruses and Worms are well covered elsewhere, so we will leave those out.
Most Spyware is "semi-legitimate". It has been installed with your consent (yes, really!) and does nothing more than collect information about your browsing habits and return them to the interested party. While this undoubtedly invades your privacy, it is not something we have to panic about quite yet.
However, an increasing amount of this Malware is being used for downright criminal purposes. Typically used for gathering personal data (credit cards are the obvious choice), an installed item of Spyware can quickly gather enough information to allow the recipient to easily clone your identity and really mess your life up. Currently available information suggests that a relatively unsophisticated identity theft (and resulting credit fraud) can take a year to expunge from your credit record. During that time you will have difficulty getting credit of any kind, including contract mobile phones, mortgages, credit cards, personal loans and even some utility services among many other services that involve credit checks.
Increasingly, Malware is being used to "drop" commercially available software onto your machine. For instance, there are a number of well known trojans that drop a cut-down version of a commercial session logger. The commercial session logger is a 100% legitimate tool marketed at parents to enable them to track their children's online habits and at companies to track their employees' computer use. The author of the Malware has shanghaied the commercial software into service as a criminal tool. Using the commercial session logger a criminal will be able to view all your online banking passwords and gain access to your entire online life.
Most modern Spyware/Malware is installed over a browser session. Typically, the unsuspecting user will wish to get to a portion of a website that is unavailable unless a download is accepted. In some cases, the download is installed silently without ever notifying the user that they are at risk. Regardless, curiosity often overrides caution and the download is accepted. Many downloads actually include a long and complex license agreement that includes a clause allowing the publishers to install software on your computer without further reference to you! Once you accept the license agreement the Malware can be installed legally, and they pretty much own your computer.
A few points to note:
If the Spyware/Malware has been installed with your consent, there is no legal redress against the publisher UNLESS they use the information collected for criminal purposes. You have to be able to prove criminal intent or action.
If the Spyware has been installed with your consent then it is technically illegal (in the UK and USA) for another firm (such as an anti-Spyware software publisher) to remove it. Claria (formerly Gator) sued anti-Spyware company PC Pitstop on the grounds that their Adware/Spyware is legitimately installed software. New.net sued another anti-Spyware company Lavasoft in US Federal Court. Claria and WhenU have both allegedly threatened leading Spyware researchers with further lawsuits. (Source: ZDNet News: December 1, 2003 and May 24, 2005)
It is interesting to note that Microsoft is now in the anti-Spyware game, having bought Giant. It is likely to be impossible for the likes of Claria and WhenU to sue Microsoft and win – which may create a future precedent in US law making a raft of Spyware/Malware illegal.
AOL owned company advertising.com has been recently responsible for tricking users into installing Adware that came packaged with a tool to block Spyware. (Source: Mediaweek August 3, 2005)
While over 90% of companies have excellent antivirus tools installed, only a tiny fraction of firms have any kind of anti-Spyware policy or protection beyond simply telling users not to download things. Remember, your anti-virus tool will not protect you from most Spyware/Malware (as of August 2005) and given the legal implications of removing Spyware/Malware it is not surprising that the anti-virus vendors have been slow to step into the breach.
It is thought that up to 30% of the computers at a given company will be infected with some sort of Spyware. This Spyware is not only collecting information about browsing habits or identity theft, but also about your Company and its clients. It could be downloading your confidential documents to an unknown internet site whose owners are then selling them to your competitors or the press. Finally, it could be participating in co-ordinated attacks against another company, making you liable for damages.
So, once you have assimilated these unpleasant facts, go and create an anti-Spyware strategy and install some tools to find out how compromised you really are.
Monday, 8 Aug 2005
Before I write my own personal thoughts, I wanted to extend my sincerest condolences to the people, their families and friends affected by the London Tube and Bus bombings of 7th July 2005.
The first I heard of the bombings was from the support staff at MTV who normally start around 9am. They told stories of being kicked out of the tube and being forced to walk into work, arriving late and confused. Shortly afterwards there was a muffled thud, rather like a thunderclap which we now know was a Bus exploding in Tavistock Place.
Televisions all over the office were switched on and the surreal reports from Sky news were digested.
Mobile phones started misbehaving and no one could call me direct all day, instead they got diverted to voicemail and I was called back by 121 a few minutes later.
At this point (around 10:30am) no one was seriously believing it was anything other than a terrorist attack. I called National Rail at 11:30 and asked about services from the main line stations "in the light of this morning's attacks" only to be told that it "was not an attack, but a power surge and all stations were closed for the duration". Odd when every news report and website was lambasting Islamic Fundamentalists as the culprits. I found out later that "a power surge" was the standard term London Underground use for a major incident to reduce the panic.
I was impressed at how quickly the Muslim Association of Britain condemned the attacks, and I truly hope that the Muslim community in the UK will not suffer as a result of the actions of a misguided few. Their condemnation was not just about distancing themselves from the terrorists, but also a powerful show of solidarity with the victims - some of whom were Muslims themselves.
Just think how different the world would be if George Dubya hadn't gone into Afghanistan en masse, but simply surgically and anonymously removed the heads of the regime and its terrorist dependants. Everyone understands the reasons why state-sponsored assassination is a bad thing, but...
I left the MTV offices at 1pm and walked from Oxford Circus to Earls Court where I met two very helpful chaps (Kevin and Nick) who not only allowed me to share their cab heading west, but got me to Slough and then on to Bracknell where I met up with my wife and went home. It took me 4 hours to get home and I consider myself very lucky to have made it home at all that night.
One month later and there has been a second, failed attack and the security services are out in full swing. I notice that the Met has started stopping and searching Asian youths with rucksacks and while the liberal in me says it's not fair, it is nevertheless a fact that we are not in danger from white, little old ladies with shopping carts.
Tuesday, 9 Aug 2005
I am pleased (or rather depressed) to report that the Dilbert Principle is alive and well, and dysfunctioning to the detriment of all. Herewith, an example of management thinking that is positively elegant in its dumbness.
Management decide they want a SAN. They decide this without really understanding what a SAN is, but that's ok, because they have people who do and they can take their advice. Or not.
What should happen is this:
The Engineers decide that more storage is needed now, and will be needed over the next 4 years. They investigate a solution that will service current and future needs and will be compatible with the future direction of the corporate IT infrastructure. The SAN will be large, resilient, fast and easy to manage/expand. Most importantly, it will be compliant with and manageable by the company's prevalent Windows infrastructure.
What actually happened was this:
The Managers decided that more storage was needed as the Engineers were placing unfair restrictions on the amount of disk-space they were allowed to use for MP3s and their personal porn collection. They looked in an industry newspaper and picked the SAN vendor with the largest advert. The SAN vendor (unable to believe its luck) promptly invited the Managers to a golfing weekend and the sale was made.
Never mind that the Engineers declared that the proposed solution could not be supported. Never mind that the new solution took 18 months to install, is not large enough to support current requirements and will not be expanded because the cost per MB is several times what was expected. Never mind that it is only compatible with Windows 2000 and that the servers attached to it cannot be properly, or upgraded to Windows 2003. Never mind that it is piteously slow and unreliable and there wasn't enough money in the budget to cluster the NAS front end. Never mind that it cost several times what it should have cost and doesn't achieve any of its objectives. Never mind that it requires a vendor engineer to attend site if it ever needs rebooting and 2 working days of twiddling to return it to service after a power-down.
Genius.
The problem with purchasing a lame duck is that you are stuck with it for years. The people in charge of the decision will never admit that they bought the wrong product and the vendor doesn't care, because they have the sale AND a fat support contract. What's worse is the fact that because the original problem wasn't solved, the Engineers have to come up with ever-more creative ways of maximising the available disk space on operational systems to try and spread the load around the LAN and the Managers still have nowhere to store their MP3s and porn.
Oh, the power of the golf course decision.
A golf course decision is one made on the golf course by a manager who is enjoying the free weekend of golf provided to him by a vendor trying to sell him a bad product or rotten solution.
There is no such thing as a good golf course decision, just degrees of bad-ness. The salesmen employing such tactics are almost universally despised by engineers.
Vendors have long recognised the power of the golf course decision and have practiced losing at golf for years to make the manager feel properly superior. Some vendors are now so skilled at this tactic, that once the manager has teed off, the sale is in the bag and the rest of the day is just window-dressing.
I have a theory that when companies and governments go down the pan, their demise can be ultimately traced back to one or more golf course decisions.
Can you imagine the board of Enron sitting round a table with the accountants saying "let's book our operational expenses as capital expenditure and as a result, vastly artificially inflate the value of the company with all those non-existent assets"?
No!
What probably happened was Bernie Ebbers was given a free golfing weekend by Anderson Consulting and the salesman sold him a great accounting scam, while quietly pointing out that nothing is illegal - so long as you aren't caught.
Of course, it works the other way too.
I once worked for a company that decided to remove Novell Netware from its IT infrastructure. Novell had been quietly working away for years, with almost no downtime and impressive performance, but it had to go. The reason for the sudden change in strategy was that the IT Manager had had a row with the Novell sales people over a £70k yearly licensing fee for the coming year. The resultant project cost £750k, took almost 2 years to complete and the £70k yearly licensing fee still had to be paid twice more while we worked out a way to migrate from Netware 6 to Windows 2003. I think the £70k yearly license fee saving was actually used in the business case to justify the project.
Time and again we see bad business and political decisions that have apparently no justification beyond the faint whiff of well-tended grass. Here are a few examples:
Maggie Thatcher introduces the Poll Tax, to vastly increased bills for everyone and riots in the streets. It is generally felt that the Poll Tax and Maggie's support for it against all practical and political common sense was the cause of her eventual downfall and the reason why we have our current government.
Tony Blair decides that WMD must exist because his spin doctors tell him so and at the behest of a Texan only lightly blessed with intelligence he commits vast resources and many lives to a disastrous war in the Middle East. The ONLY reason that he wasn't kicked out at the next election is due to our voting system that allowed Labour to stay in power with a majority government, even though the Conservatives got 60,000 more votes.
EDS wins yet another government contract, despite failing to deliver on time or budget almost every other high profile IT project for government. Pretty obvious here who's holding the clubs - do you not remember The Child Support Agency (2 years late), The Department of Work and Pensions (the biggest computer crash in IT history), The Tax Credit System (thousands of families on the breadline)? And yet, EDS still managed to pick up the MoD defence consolidation project and are strongly tipped to get the new ID Cards scheme too - in the face of legal action over £43 million of the National Air-traffic Control System and 30% of the £2 billion tax credit fiasco.
The only thing that can successfully combat golf course decisions is accountability. Accountability to the voters and to the board/shareholders. It is the exceptional arrogance in the minds of decision-makers that causes them to ignore sober advice and the only sure way of combating this is a direct threat to their jobs. It is largely the job of the non-executive and financial directors to be advisers and policemen in the boardroom and it is about time the gloves were removed...

