Convert MSI to SoftGrid Sequence

You should already be familiar with MSI.  This database is how we often package software for distribution.  Sometimes it comes as is, sometimes we can apply a transform to customise the install and sometimes we repackage the software using something like AdminStudio.  The idea is that we can simply deploy software in a predictable and automated way.

SoftGrid was acquired by Microsoft last year.  The only thing that prevented people from being interested in the solution was the price.  MS cut the price and packaged the solution as SoftGrid for Desktops and SoftGrid for Terminal Services.

SoftGrid offers you a third layer of virtualisation.  We have the server/desktop, session virtualisation and now we have application virtualisation.  By sequencing an application, we can isolate the application from the operating system, providing it with its own copy of system files, registry, etc.  The result is that once incompatible applications can now run on the same computer.  Other benefits include:

  • Rapid deployment: you can deploy just the core components of the application via a stream.  Additional components are downloaded as required by the user.
  • Integration: SoftGrid can integrate into Active Directory for permissioning of streams and with SMS for deployment and auditing.
  • Self-Service: Users can provision their own applications via a self service website which can include a workflow for approval of licensed installations.

It appeared to me that this solution was always better known in the Terminal Services world.  The obvious benefit was that the need for application silos would be less, e.g. traditionally incompatible applications could now be installed on the same terminal server.  The only remaining reasons to separate users or applications would be resource or maybe even security based.  The same benefits also apply to the desktop but the financial savings were greater for the TS world, thus the original pricing was less of a deterrent.

Brian Madden has reported that famed consultants, Login Consultants, have created a free solution to convert MSI packages into SoftGrid sequences.  If you’re already using software distribution solutions, e.g. Citrix Presentation Server, SMS, GPO, then it’s likely that you’ve packaged applications as MSI.  You could now rapidly deploy the SoftGrid solution by converting these MSI files.  Brian also points out that you should apply best practices for sequencing as advised by Microsoft.

Credit: Brian Madden.

Virtualisation And What Microsoft Has To Offer

Dave Northey of MS Ireland has written a 3 part series on virtualisation covering the server, desktop and application.  You should check this out if you’re interested in this technology.  If you’ve been following this blog you’ll know that I’m a big fan of virtualisation.  In fact, if you’ve downloaded any of my docs or browsed my personal website you’ll have accessed a virtual machine.  If you send me a mail then you’re hitting another VM.

Check out Dave’s series to see what we’re excited about:

AV Comparatives: February 2007

The results for the Feb 2007 Anti-Virus Comparatives report were released today.  The big news is the poor performance of Microsoft’s OneCare, the home use product.  Faced with the same threats as the other products, it only successfully defended against 82.4% of them.  OneCare is still a fairly new contender in this field.  Given how focused Microsoft is in the anti-malware field right now, I would not be surprised to see them make some serious improvements.

The performance chart (follow the "Comparatives" link) shows the big names performed as follows:

  • GriSoft AVG Anti-Malware: 96.37%
  • Kaspersky Labs AV: 97.89%
  • McAfee Virus Scan: 91.63%
  • ESET NOD32 AV: 86.71%
  • Symantec NAV: 96.83%

The top performer was G DATA Security AntiVirusKit (AVK) at 99.45%.  There was no mention of Sophos or Trend Micro.

As you can see, none of them were perfect.  The last report I read had NOD32 at the top end of the charts so we can see that things do change quite quickly.  This makes it very clear and reinforces that you must have a layered defense.  I’ve come across organisations that trust their entire anti-malware defense to one vendor.  This report makes it clear that this opens a door into those networks.

E-mail has become the common source of threats.  It is more important than ever to run multiple engines on, at least, your gateways.  Using MS Forefront Security for Exchange (I’m assuming that it’s the same as MS Antigen for Exchange Messaging Security Suite) you could run 4 engines on your gateways and a different 4 engines on your mailbox servers.  To maximise performance but still have layered defenses you could scan mails with 2 engines (of the four) on the gateway at once and 1 at once on the mailbox servers.

A second but less common source, if you run a proxy filter, will be web downloads.  I’ve come across some pretty poor solutions that intercept downloads and pause them until the entire file is downloaded and scanned.  This can break automated downloads, e.g. AV, WSUS, and can annoy users.  Try to pick a different solution than you have on your mail gateways.

A different vendor should then protect your servers.  And you may even consider yet another vendor for desktops but I would normally be happy with one vendor scanning internal servers, applications and desktops and ideally using different engines to those on the gateways.  Personally, I’ve been a fan of Trend Micro and have used it in a few sites.  I know people that I trust who speak very highly of Sophos and NOD32.  I’ve checked out MS Forefront Client Security.  I can’t speak for the engine but I do like how the architecture will work in multi-site deployments and how easy it looks to manage.

Credit: Bink.

Is UAC A Security Technology?

Jesper Johansson posted a blog entry discussing the debate about what UAC really is and if it works or not.  Jesper is in a unique position to be able to comment on this because he is a former Microsoft employee and was a senior security expert with them.

Long story short … UAC is not an anti malware defense.  That’s what your anti malware products are intended to do.  UAC is intended to allow people who need to log in as local administrators to run with reduced privs and then be prompted to OK a process that requires elevated rights.  This can reduce the risk of malware executing, i.e. if something executes on your system and wants to use elevated rights then you are in a position to control that.  But as Mark Russinovich pointed out lately, there are ways and means around this, i.e. there are no firewalls between processes running on the same system.  Would you want them?  Probably not … imagine that no process could integrate with any other process.

Give it a read and follow the links that Jesper provides to make up your own mind.

Getting Started With Windows SBS 2003 R2

Microsoft Small Business Server is an ideal server/domain solution for the small business.  The latest version is SBS 2003 R2.  It includes Windows Server 2003 R2 (server, Active Directory, IIS, etc), Exchange (mail), ISA (proxy & firewall), WSUS (patch management) and SharePoint (web based collaboration).

A new step by step document has been released by Microsoft to guide you through an installation of SBS 2003 R2, including upgrades from previous versions.

Microsoft Responds To VMware

A number of news sources published comments by Microsoft’s Mike Neil:

"Microsoft believes the claims made in VMware’s whitepaper contain several inaccuracies and misunderstandings of our current license and use policies, our support policy and our commitment to technology collaboration," said Mike Neil, Microsoft virtualization GM in a statement. "We believe that we are being progressive and fair with our existing licensing and use policies and creating a level playing field for partners and customers. We are deeply committed to providing high-quality technical support to our customers who are utilizing virtualization technology. In addition, we are committed to working collaboratively with industry leaders to foster an environment of interoperability and cooperation that best serves our customers."

"We believe it’s better to resolve VMware’s claims between our two companies so that we can better serve customers and the industry," Neil added in the statement. "EMC is a long-time partner of Microsoft. We’ve extended this courtesy to VMware due to our mutual customers and partnership with EMC. We are committed to continuing to collaborate with VMware as we have been doing on regular basis. Consistent with this, Microsoft believes that we will be able to accommodate a mutually agreeable solution between our two companies and clear up any existing misunderstanding with regard to the points raised in the whitepaper."

It does read like either Microsoft is taking the high road on this or something else is in the works and this was released to keep the media quiet.  You could read more into the comments about being "best mates" with EMC who happen to own VMware but I’ll leave that up to your imagination.

Both make good products in this market.  I’d hope that for their customers, they can work things out as was done with Citrix and MS.

Credit: The Register.

How Microsoft Deployed Groove 2007

I admit it, I know nothing about Groove.  My cloning hammock broke last Summer so I’ve just not had the time.  I do know it’s a collaboration solution that can integrate into the other Office 2007 system products, e.g. SharePoint, Office, etc.  The emphasis is on the user being able to work when they want to and being able to work with who they want to.

Microsoft has released a document that describes how they deployed Groove 2007 to 8,000 users across their global operation.  Details of AD integration, Office and SharePoint are also promised.

Dell to Offer Linux on All Desktops?

ENN is reporting that Dell is looking into providing Novell’s Suse Linux as an option on their complete desktop range.  That’s a big deal.  There is growing unrest, particularly in Europe, with increasing licensing costs which are highlighted by the cost differences between the USA and Europe.  Being able to adopt lower cost and open source alternatives will be attractive to those who need to trim costs to a minimum.

But how in the heck do I manage Linux desktops?  Well folks, you can manage Linux systems using Microsoft SMS 2003 if you extend it with the Quest Management Xtensions for SMS.  And Linux servers?  How do you manage those?  Again, there are third party management packs and agents for MOM 2005 such as Quest Management Xtensions for MOM.  OK, I’ve got one: I don’t want to maintain two accounts/passwords for every user.  Ha!  Not a problem.  There are plenty of solutions out there for enabling single sign-on between UNIX/LINUX and Active Directory, an example being Vintela Authentication Services by Quest 🙂

You see, you can use AD as your primary directory even in a heterogeneous environment and still take advantage of the excellent management and infrastructure solutions provided by Microsoft.

Credit: ENN.