Virtual PC 2007 Beta

A blank page has appeared on Connect that informs us a Beta for Virtual PC 2007 is on the way.  It will be publicly available on the 11th of October.  No other details are available.

Virtual PC 2004 is now a free product and one that any self respecting sys admin should aim to use.  VMware’s excellent alternative still requires a purchase, giving Microsoft an advantage.  VPC allows you to run virtual machines just like you can with Virtual Server 2005 R2.  In fact, the machines are compatible.

I’ve used VPC before for lab work and for testing.  Where I also see it being useful is where you want administrators to use non-admin accounts for day-to-day office work such as email and browsing and a dedicated account for admin work.  Run-As is painful to use (who wants to keep banging in the password?) so an alternative is to run a VM with only the admin tools installed.  The administrator can log into their physical machine with a non-admin account and into a VM with their admin account.  This isolates their email and internet activity from their administrative rights and provides a layer of defense against viable threats.

Windows Vista Enterprise (requires software assurance) will include a virtualisation solution built into the OS.  I’m guessing now that VPC 2007 will be a solution for those who do not buy Vista with software assurance.


The October edition of TechNet Magazine is out.  You can read the free web edition online.  This month’s theme is "Connect".  In it you’ll find articles on:

  • Microsoft Office Groove and Sharepoint.
  • Small Business Server.
  • Automated Deployment Services.
  • Using Windows PE

Microsoft has just launched the beta for Forefront Security for Sharepoint.  It’s Microsoft’s antivirus solution for this key Office System product.  Microsoft aims to launch it at the same time as Microsoft Office Sharepoint Server 2007 and Sharepoint Services 3.0.  This could be relatively soon, i.e. early 2007.  Microsoft says this new product will deliver the following:

  • Protection against the latest threats. Forefront Security for SharePoint simultaneously utilizes up to five antivirus engines from leading security vendors to provide customers with increased protection against malware threats, inappropriate content and dangerous files types. This latest release includes the new Microsoft Antivirus engine.
  • Integration to help optimize server performance. Integration with Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0, as well as scanning innovations and performance controls, help ensure optimal collaboration server performance.
  • Simplified management control. Forefront Security for SharePoint provides centralized management control to help ensure organizations can simply and cost-effectively deploy, manage and maintain the security of their collaboration servers.

You can register for the beta on Microsoft’s Connect website.


WSUS 3.0 Whitepaper

I’ve just added a whitepaper on WSUS 3.0 to my website.  I go into the reasons for automated patching, the options, an overview of WSUS 3.0, deploying it and configuring/using it.

Note: the document is based on Beta 1. 

When people think about IT security, they think about firewalls and antivirus. Firewalls are important but only go so far as to protect your network against a direct attack. A firewall will only prevent illegitimate forms of traffic from the internet. It doesn’t stop traffic on legitimate ports or downloads. Firewall defences have been compared to eggs: hard on the outside but soft on the inside. Anti-virus will only protect you against known threats. Many organisations have made the mistake of thinking that firewalls combined with antivirus will give them a complete defence against threats. That’s a nice wish but it’s not true.

Consider the SQL Slammer virus that hit the Internet in early 2003. Within minutes of its release it crippled networks worldwide. How did this work? Surely people had firewalls in place? Yes they did. Was the antivirus up to date? Yes it was. The problem was that it could easily get past the firewall and it was unknown to antivirus vendors. It also took advantage of a known flaw in Microsoft’s products that Microsoft had previously released a patch for. In fact they released the patch several months beforehand and those organisations that had deployed it were protected against the virus. Microsoft had already released a free to use product called SUS that serviced the Windows product range but few had heard of it. In fact, few had any implemented process for regularly testing and deploying Microsoft updates.

In late 2003 a new virus started to cripple networks. Microsoft Blaster took advantage of a flaw in the RPC service. Surely in the time that had passed people had learned their lessons about keeping their machines up to date? It appeared that most had not. Microsoft had previously released an update to protect their products but few had deployed it.

Since this time Microsoft has spent much time campaigning and trying to raise customer awareness about the need to regularly test and deploy updates. A replacement for SUS called WSUS (2.0) was released. WSUS, again a free to use product, services all of the Microsoft product range and makes it easier for administrators or security officers to test and deploy updates on a production network.

My experience working on client sites and speaking with administrators is that both the awareness of this problem/solution and adoption of WSUS have been minimal. Many large organisations and government agencies do not maintain patch updates. This is either because they are not aware the solution exists, despite Microsoft’s efforts, or because they do not sufficiently understand the problem.

With this document I aim to show how you can manage updating your entire Microsoft network with minimal manual effort by using WSUS 3.0.

The document continues …


Microsoft has just announced Beta 1 of the second version of DPM.  DPM offers:

  • Continuous data backup (up to every 15 minutes)
  • Point in time recovery of Exchange, SQL and Sharepoint
  • Integration with Exchange, SQL and Sharepoint
  • Seamless disk and tape integration

Betanews is reporting that, as promised, Microsoft has released an early update to fix the VML vulnerability.  It is available via the usual Windows Update mechanisms.


Office 2007 Versions

Not satisfied with the existing confusion about Microsoft licensing, the company will be releasing 8 versions of Microsoft Office 2007.  A graph breaking down the versions is attached.

Microsoft has posted an updated version of the SMS 2003 Inventory Tool for Dell Updates.  This is necessary in order to download the latest catalogs from Dell.  This free feature pack will enable administrators to report on, manage and update BIOS, firmware and drivers on their Dell servers.  It works pretty similarly to the SMS software updates engine used to deploy Microsoft security updates.  This is the quote from the Microsoft post:

"SMS 2003 Inventory Tool for Dell Updates is an add-on to SMS 2003 Service Pack 1 (SP1) that enables customers to use the SMS 2003 Software Update Management feature to update their Dell servers. Customers will be able to deploy BIOS, firmware, and driver updates to their Dell servers using the same process that they use for deploying security and other updates with SMS.
SMS 2003 Inventory Tool for Dell Update includes the following components:

  • Setup – Windows Installer based setup that allows SMS administrator to install all required components on the SMS site server.
  • Inventory Tool for Dell update (scan tool) – this tool is being built using SDK components provided by Dell Inc. It scans a Dell server for installed and missing updates, just like MBSA scans the computer for Microsoft security updates.
  • Sync tool for Dell update – this tool downloads a catalog from Dell’s website on a recurring schedule. This catalog describes all published Dell updates.
  • Update to Distribute Software Update Wizard (DSUW) – Setup will install an update to DSUW to show new UI that allows to manually import multiple component updates contained within a single system update.
  • Version 3.0 must be installed to coincide with work with the latest Dell catalog".

All current releases of Microsoft Windows are vulnerable to a new security threat in the implementation of Vector Markup Language.  This threat enables attackers to take control of a victim’s computer.  Microsoft is taking this one really seriously.  Not only is there sample exploit code on the Internet but Microsoft is also feeling the heat after a perceived slow response in recent months.  Microsoft is stating that at the very latest, a patch will be released on October 10th (patch Tuesday) but they will attempt to release an update before then.


Some will be aware of Google Maps but I suspect much fewer people are aware of Microsoft’s Live mapping service, Live Local.  I am a fan of most of what Google has been doing.  Their competitive spirit has forced Microsoft to wake up from the slumber they had fallen into.  One example is how Microsoft has developed their Live service to compete with Google’s web offerings.  As a person who once said to an MS salesman that MS search engines were $h^te, I must admit that Live is pretty good, possibly as good as Google, especially since it often comes up with different but equally good results.

As someone who likes to get out and about in my car on road trips, for photography, work, etc, knowing where I am going is pretty important.  Earlier this year, I navigated around the backroads and cities of Virginia courtesy of Live Local without getting lost or making a wrong turn.  I’ve just found (it might have been like this for a while) that Live Local now has Irish and European maps.  A true test of Live versus Google is now possible.  Irish digital mapping is a joke as anyone who has tried to use a GPS in the Republic outside of the main roads or cities can testify.

I’ve taken screen shots of my town from Live and from Google.  Note that Live shows all of the rural roads.  Google stops at the edge of the town.  Strangely, Google does not show any detail at all for the neighbouring town of Newbridge, one of the major towns in County Kildare and it’s a much bigger town than Kildare town.

Live allows you to cleanly right-click on the map to quickly add pushpins, add way points and search for routes.  Google cannot do this at all.  This is pretty important because Google can’t even search the Irish map.  I tried searching for Leeson Street, Grafton Street and Merrion Square and it failed all three.  Live failed with Grafton Street, came close (next street) to Leeson Street (it’s actually shown as N11) and hit Merrion Square bang on.  Another test was to find my family home which is 4 miles from the nearest town.  Live Local had the road clearly marked whereas Google Maps barely even mentioned the aforementioned town, let alone my home area.  While I give with one hand I take with another.  Live Local does not show the M1 bypassing Dundalk nor the completion of the M50.  But, like I said, digital mapping in Ireland is a joke.  This might not be the fault of Microsoft because my GPS unit doesn’t show them either.

Faced head to head, I give Live Local the edge. 

Screen shots are attached.


Yesterday, Microsoft released an updated version of Windows Services for UNIX 3.5.  This suite features a set of tools for integrating a Microsoft network with a UNIX network.

"Windows Services for UNIX 3.5 provides a full range of supported and fully integrated cross-platform network services for enterprise customers to use in integrating Windows into their existing UNIX-based environments".


I recently bought a kit machine with an Intel Duo CPU (64 bit) and an MSI P965 Neo-F motherboard.  I’d put it together with the intention of using it for Photoshop stuff and for running labs in VMware.  I stocked it with 4GB RAM (the motherboard limit) and installed Windows XP x64 Professional.  I went 64bit to limit memory problems and also so I could run 64 bit VM’s for Exchange 2007.

I’d installed the OS, patched it up and then checked it over.  Winver told me I only had 3.2GB of RAM.  Funny, because BIOS told me I had a working 4GB.  I went googling for ages but couldn’t find the correct answer.  It was clear though, that lots of people were having this problem.  Some stuff I found:

  • Add /PAE to the boot.ini string.  No joy there, and I didn’t think there would be on x64.
  • Enable or disable in BIOS – Advanced Chipset the Memory Hole function.  No one was clear on whether it should be enabled or disabled. 
  • Configure in BIOS – Advanced Chipset a function called Memory Mapping.  I didn’t have that setting.

I was beginning to lose hope and starting to believe that 3/4 of a GB of RAM was wasted.  I then found some forum posts saying that the motherboard was dedicating memory to PCI devices.  What!  I knew graphics cards with no native RAM might do this but I’d bought a good card with native RAM.  The articles claimed other devices could take 3/4 of a GB of RAM and nothing could be done about it.

I then went to the source, MSI.  I tried to search their support forum but their search engine is useless.  I tried searching for "MSI P965 x64 RAM 4GB" but was told that was too generic a search.  Rubbish!  I had to manually browse through their forums and eventually found what I wanted.  Someone had raised the same issue I had.  Eventually someone had told them to install v1.5 of the BIOS update (fairly new).  Its readme said it "resolved memory issues" but didn’t go into any detail.  But the person posted back saying the problem was resolved by the update.  Excellent.

I downloaded the update.  Now MSI were sending me back to the stone age.  The installer was a DOS program and required a floppy drive and DOS diskettes.  Luckily, I’d bought a floppy drive (I thought I’d need it for SATA drivers – which I didn’t in the end) but I had no diskettes.  A trip to PC World and luckily they had about 5 boxes tucked away in a dusty, dark corner.  MSI might want to consider an online updater like the one HP use.  Most PC’s don’t come with a floppy drive anymore and Microsoft is moving away from DOS towards WinPE.

The instructions were very unclear but I had to copy two files (an exe and a flash image) to one diskette and make a system drive with another.  I booted into DOS and switched diskettes.  I ran the exe.  It then asked me in garbled non-English to type in the name of the image file.  It took me 30 seconds to grasp what it was trying to ask me … some English lessons for the programmers please!

One flash update and a reboot later and I was sorted.  Windows reported 4GB RAM was available.  A by result was that the Realtek audio drivers needed to be reloaded.

Now I’ve got a powerful PC ready to run lots of VM’s!


TechEd Videos

The Microsoft Windows Server Division posted a series of links to high quality videos from this year’s TechEd in the US.  TechEd is a great source of information on cutting edge Microsoft technology.  I’ve learned more there over the last two years than I did anywhere else.


The Register has an article that claims that 29% of directors say they steal corporate data when they leave a company.  24% of thefts were done using USB devices (sticks, MP3 players) and 18% used email.  There are no excuses for this … this is just plain theft of company data to bring to a competitor so that they have an unfair and probably illegal advantage.

So we’ve identified that USB and Email make up 42% of data theft mechanisms.  What do we do?  The first thing to do is lock down access to resources.  This goes from the basics of controlling data access to controlling device access.

Data access is one of the simplest things to do but is rarely done right.  First off, use Active Directory groups to grant access.  I can’t think of a place I’ve been to where they haven’t granted access to users directly.  That’s just plain dumb and impossible to manage.  Next, define owners of the data.  This should be a number of people who are in a position to grant and revoke access to data.  Only they should give permission to IT to grant access to a user.  People automatically assume that IT know who should have access … how can we?  Data access is a business issue, not an IT issue.  We control the mechanism but not who needs access to the data.  Using a strictly enforced and auditable procedure will control access and give auditors something to track.  You can do this with paper but I’d look at a Sharepoint Services site and Infopath (from the Office Professional suite), maybe with a SQL back-end.  By tying this with PKI/certificates you can implement a rapid, paperless system with trustworthy signing.

Then there is device access.  How many users really need access to a DVD/CD writer, USB sticks, etc, to carry out business?  It will be less than 10% in a typical mid sized organisation or larger.  For now, the best solution I’ve found is DeviceLock.  This service can be installed on all desktops to put permissions on all interface types, e.g. read only CD/DVD, no access to USB, access to USB printers, no access to FireWire.  Permissioning is done on a group basis so you can allow local administrators full access, restrict access to all normal users and grant specified access to security groups.  For example, I’d have a group called USB-Read and another called USB-Write.  The deployment of the agent would configure these groups with the appropriate permissions on every machine on the network (this can be done during install, from a central console or via group policy).  Then when a user has a manager state they have a business need for a device, e.g. to write to a memory stick, I’d drop them into the USB write group.  Microsoft is promising similar functionality in Windows Vista, managed by Group Policy.

A few years ago I was working in a leading pharmaceuticals site as a consultant.  A manager came up to me and asked quietly to investigate something.  A sales person with access to sensitive data had left the company to go to a competitor and they suspected that this person had forwarded large amounts of data via email.  They asked me what could be done to find out what had happened.  I asked them "what auditing have you" and they responded "none".  They were $£^& out of luck.

Even with restricted access, it’s possible for someone to steal data.  A person with access to company secrets could gain authorised access to a memory stick and everyone has access to email anyway.  So auditing is necessary.

Firstly, enable auditing on sensitive resources such as file shares.  Make sure you audit successful and failed access.  You need to monitor failed attempts but the purpose of this exercise is to monitor theft of data that someone had legitimate access to.

Anyone who has looked at the security event log in Windows knows that you might as well read the Egyptian Book of the Dead … it makes more sense.  And what do you do if you have many servers?  Are you going to look at the log of every server and trawl through the endless events that pop up for each file access or folder opened?  At the moment, you can use a crude tool called EventCombMT.  It is pretty crude and sucks to use with servers spread across a WAN.  Unix and network types are used to Syslog.  There are 3rd party implementations for Windows but here’s the catch.  It costs more money and in the end, it’s just copying the noise that is the security log from every server to one point to create an even bigger amount of noise.  Microsoft have been working on a solution for years called Audit Collection Services.  It’s finally on the way as a part of System Center Operations Manager 2007 (MOM 2007).  It will gather key events, soon after they happened, and store them in a central dedicated SQL 2005 database.  This database can be secured for auditor access only.  It also has a view for reporting so that you have a simple view of the data, presenting the information as if you were browsing the Security Log.
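To illustrate the point about noise, here is an added example (not part of the original post, and not how Audit Collection Services works internally): Python that reduces a constructed export of object-access events from two file servers to one line per user per day. The CSV layout, server names, users, paths, event IDs kept and thresholds are all assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

# Object-access event IDs to keep (assumption: 560 is the Windows Server 2003
# "object open" event, 4663 its equivalent on later Windows versions).
OBJECT_ACCESS_IDS = {"560", "4663"}

# Hypothetical audited shares; the trailing backslash stops "sales" from
# also matching a sibling folder such as "sales-old".
SENSITIVE_PREFIXES = tuple(
    p + "\\" for p in (r"d:\shares\sales", r"d:\shares\hr")
)

# Constructed sample data: a simplified export, not real Security log output.
SAMPLE_EXPORT = r"""
time,server,event_id,result,user,object
2006-10-02T08:55:01,FS01,528,success,CORP\asmith,
2006-10-02T09:01:10,FS01,560,success,CORP\asmith,D:\Shares\Sales\q3-forecast.xls
2006-10-02T09:01:11,FS01,560,success,CORP\asmith,D:\Shares\Sales\q3-forecast.xls
2006-10-02T09:14:40,FS01,560,success,CORP\asmith,D:\Shares\Sales\Q3-Forecast.xls
2006-10-02T10:30:00,FS01,560,success,CORP\asmith,D:\Shares\Sales\pricing.doc
2006-10-02T17:40:02,FS01,560,success,CORP\bjones,D:\Shares\Sales\customers-a.xls
2006-10-02T17:40:05,FS01,560,success,CORP\bjones,D:\Shares\Sales\customers-b.xls
2006-10-02T17:40:09,FS01,560,success,CORP\bjones,D:\Shares\Sales\customers-c.xls
2006-10-02T17:40:13,FS02,560,success,CORP\bjones,D:\Shares\Sales\pricing.doc
2006-10-02T17:40:20,FS02,560,success,CORP\bjones,D:\Shares\Sales\q3-forecast.xls
2006-10-02T17:41:00,FS02,560,failure,CORP\cdoyle,D:\Shares\HR\salaries.xls
2006-10-02T17:41:03,FS02,560,failure,CORP\cdoyle,D:\Shares\HR\salaries.xls
2006-10-02T17:45:00,FS02,560,success,CORP\cdoyle,D:\Shares\Public\canteen-menu.doc
2006-10-02T18:00:00,FS01,538,success,CORP\bjones,
""".strip()


def parse_events(export_text):
    """Keep only object-access events that touch a sensitive share."""
    kept = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in OBJECT_ACCESS_IDS:
            continue  # logon/logoff and other noise
        path = row["object"].lower()  # Windows paths are case-insensitive
        if not path.startswith(SENSITIVE_PREFIXES):
            continue  # access outside the audited shares
        row["object"] = path
        kept.append(row)
    return kept


def summarise(events):
    """Collapse events from all servers to one record per (user, day)."""
    summary = defaultdict(lambda: {"files": set(), "failures": 0})
    for ev in events:
        key = (ev["user"].lower(), ev["time"][:10])
        if ev["result"] == "success":
            # A set removes the repeat events one file open can generate.
            summary[key]["files"].add(ev["object"])
        else:
            summary[key]["failures"] += 1
    return dict(summary)


def flag_for_review(summary, max_files=3, max_failures=1):
    """Return (user, day, reason) tuples worth an auditor's attention."""
    findings = []
    for (user, day), stats in sorted(summary.items()):
        if len(stats["files"]) > max_files:
            # Successful access: the "legitimate user copying data" case.
            reason = f"{len(stats['files'])} distinct sensitive files opened"
            findings.append((user, day, reason))
        if stats["failures"] > max_failures:
            findings.append((user, day, f"{stats['failures']} denied attempts"))
    return findings


if __name__ == "__main__":
    for finding in flag_for_review(summarise(parse_events(SAMPLE_EXPORT))):
        print(*finding, sep=" | ")
```

Fourteen raw rows become two findings; the bulk reader shows up only because successful access was audited, not just failures.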

That covers file shares.  Next we need to look at email.  If this is a worry then you need to implement mail auditing.  In fact, in certain regions or industries, you are meant to be doing this already.  My experience is that certain regulations such as IFSRA or SOX are being deliberately misinterpreted or ignored so that IT costs can be minimised.

Commvault provides a compliance solution called DataArchiver for Microsoft Exchange.  This will capture mail traffic and store it in a secure database that only selected people, e.g. auditors, security officers, IT, can access.  This gives you an investigative tool you can utilise to track suspect misuse with.

Your email anti-virus might offer some basic functionality you can use if you don’t need or can’t afford full blown archiving.  Microsoft Antigen has the ability not only to filter certain file types but you can capture attachments.  A past colleague once caught some nefarious activity with email attachments, something that was strictly banned, by using Sybari Antigen (as it was called then). 

At this point, we’ve put all the tools in place.  What’s left?  Nothing surely, because this is an IT problem, right?  Nope.  Far from it.  Like some sensible security consultants tell us, we can put all the mechanisms in the world in place but in the end, the "meat" will be the weakest link.  What do I mean?  Humans who want to advance their career or appear helpful will do whatever they can, including contravening procedures and rules.

A while back, I did some work at a finance company.  A foreign branch manager had been caught on our proxy logs as a heavy and long term browser of unknown (and hence unfiltered) pornographic sites.  We reported this to the necessary internal authorities but nothing was done.  Strange, because 2 other people had been quietly let go for the same actions over a 2 or 3 day period.  Then late one Friday evening I’m called into an urgent meeting.  The security officer and head of auditing revealed to us that this person had quit with no notice.  They suspected this person had burned a large amount of data onto CD.  But this shouldn’t have happened because the security officer thought he’d changed this person’s access rights.  What was the problem in this situation?  Firstly, the company turned a blind eye to this person’s activities because they were seen as a strategic asset in a new market.   When this person quit there was a suspicion there would be a problem but IT was not told.  The security officer, who was overrated, did not understand how Active Directory worked and had failed to make the necessary changes to restrict access to USB, etc.  Had we known, this person who was leaving would have lost all access in a matter of seconds.  The IT staff in the branch office were completely unaware and actually granted access to the resources for the leaving manager; in fact it was thought that they even helped with burning data onto CD.

One of my biggest gripes in the corporate world is unequal application of company policies.  Internal Audit and Security departments spend the majority of their effort watching and analysing people such as IT administrators when they ignore or turn a knowing blind eye to the activities of their directors.  Consider the risks, an IT administrator with access to company secrets knows he’s being watched/audited and won’t take a stupid risk.  And the chances of an IT administrator even knowing where to start to look for secrets are minimal.  On the other hand, a director or senior staff member knows (a) what secrets there are, (b) where they are kept, (c) has access and (d) no one will even blink if a director shows up in audit logs accessing information … assuming there are logs in the first place!

So what needs to be done?  Together, union representatives, security, auditing, IT and solicitors must define policies.  These policies should dictate how access is granted and revoked.  Unauthorised use of data or resources must be defined and prohibited.  Punishment must be detailed for contravening these policies.  The key component is that the directors must publicly back, enforce and comply with these procedures.  A rule is worthless if not applied equally.  I dare any HR person to sack an employee for doing something that managers get away with even though procedures ban it.  They’ll be in an employment tribunal coughing and bleeding up money in a very public and embarrassing manner.

In summary:

  • Control access to data.
  • Restrict access to resources, e.g. USB, CDRW, etc.
  • Audit and track usage and communication of data.
  • Clearly define and communicate policies.  Equally and fairly enforce the policies.

Is it just me or does anyone else think that Microsoft is releasing a 2007 version of every product in their catalogue?  If you are someone who prides yourself in knowing lots of products to be able to do your job then you are going to struggle to keep up.  It might be time to buy one of these

A word of warning though.  The Homer Simpson theory would tell us that each successive clone will become dumber and dumber, and hence each would desire to create a clone of itself.


Microsoft has posted a series of links for upcoming and on-demand webcasts about the upcoming Windows "Longhorn" product.  I’d recommend that consultants and proactive administrators take a look.

"Learn how the Windows Server code name "Longhorn" operating system helps IT professionals maximize control over their infrastructure while providing unprecedented availability and management capabilities, to deliver a significantly more secure, reliable and robust server environment than ever before".


The WinRE team have posted instructions on how to repair a boot failure on Windows Vista due to a missing file.  Here’s a quote from the post:

"To repair your computer using Startup Repair follow these steps:

  1. Boot into Vista installation DVD
  2. Choose your language settings and click Next
  3. Click Repair your computer
  4. Choose your operating system and click Next. This should bring up System Recovery Options.
  5. Click on Startup Repair

Startup Repair should now start diagnosing your system to identify the root cause of the failure. Once it has identified the root cause, it would automatically start repairing your computer. If you are curious to know what Startup Repair did, you can click on the details link and see which tests Startup Repair ran to diagnose the problem.

After Startup Repair has finished the repairs, click Finish to reboot your computer.

Your computer should now be able to boot normally into Vista!!"


Biometrics – Pah!

Steve Riley mentions a piece done in the new series of Mythbusters, the Discovery Channel show, on his blog.  We have all heard of security conscious organisations that decide to use thumb/fingerprint readers to secure their computer rooms, etc.  We’ve also heard the urban legends ("myths") that said systems can be cracked pretty easily.

Well, it appears they can!  The Mythbusters crew successfully lifted a fingerprint from the reader and made latex and ballistics gel copies of it.  Using these (the latex sheet needed to be licked to work) they were able to successfully fool the reader.  This was despite the manufacturer claiming that the reader checked pulse, sweat and temperature.  Worse again, they even beat it with a photocopy of a fingerprint.

As Steve mentions in his blog, biometrics by themselves are not a secure authentication mechanism.  Secure authentication requires two factors such as "What you have" (biometric, smart card, etc) and "what you know" (passphrase, PIN, etc).  Either one by itself can be easily compromised but together they are pretty secure.

So, the lesson here is, if your company uses fingerprint readers then you don’t need to worry about your finger being chopped off by attackers … it’s much easier to lift the print at the scene.


The BBC has reported an interesting story.  It appears that the UK’s Customs & Excise department is scanning the laptops of suspected offenders for illicit materials, namely offensive pornography.  Wanting to prevent the import of offensive materials is an applaudable desire.  However, given that certain nations, including some in the EU, have a history of using government agencies to perform industrial espionage to aid their native companies, I do have a problem with this action.

Interestingly, the person who reported this story said their laptop could not be scanned by the agents on hand because it was an Apple.  The agents had no idea what encryption was either.

So, if you do not want company secrets to be stolen by a government agency of some nation, make sure you encrypt your laptop’s hard disk.


The Register has published a whitepaper that describes how Microsoft has caught up with RIM in the marketing of push email technology.  Until Service Pack 2 for Exchange 2003, no one was able to match up with RIM.  Sure, there were alternatives but RIM had the name: Blackberry.  Every director and senior manager wanted a Blackberry.  This all sounds great but hold on a second… there are some problems:

  • You have to pay money to subscribe to the RIM network for pushing your mails out.
  • If you use RIM then your mails are travelling across their network and their servers.

That last one is a real stickler.  You may have been able to offer alternative solutions but they still had license costs and you still had to beat the name "Blackberry".  Plus, let’s face it, non-Blackberry devices were a dog to use until recently.  You were probably talking about having to use a brick of a PDA and who really wants to revisit the 1980′s … I prefer to forget that decade happened.

With Service Pack 2 for Microsoft Exchange 2003, Microsoft included a new feature for pushing email out to Windows enabled smartphones and PDA’s.  Secure push email from within Exchange was now possible.  You didn’t need to use another company’s service or network.  You also could reduce your licensing costs.  Simultaneously, phone manufacturers worked with Microsoft to develop better devices that would be more appealing to the target market.  Now a director can use a feature rich smart phone that is no bigger than a normal mobile/cell/handy phone.

MS Push Email offers other features too.  A PIN policy can be enforced on the devices.  This offers basic security to lengthen the time it takes to access data on a device without the owner’s permission (real security requires encryption).  Furthermore, if a device is lost or stolen it can be reported to IT or the security officer.  With this notification, Exchange administrators can send a signal to the device to wipe itself, thus preventing unauthorised access of data.

The message was very slow to get out to the typical sys admin or CIO.  It appears that it’s finally getting out there but the uptake does appear to be slow in Ireland.  That’s a pity because it would be a shame not to use the free and secure solution that Microsoft have provided.

There’s loads of information on the net on how MS push email works and how to deploy it.  Here are some links:

Finally, Nathan Winters (in the UK) has set up the Microsoft Messaging & Mobility User Group UK.  The intention of this group is to share information and to inform people on how to make the best use of the technologies that Microsoft has provided in making the information worker a mobile worker.


Are you using MOM 2005 or SMS 2003?  Do you want to learn more about how these products can be used to do more while you do less?  If so, I highly recommend that you read the free online edition of TechNet Magazine.  This month’s edition features articles on SMS 2003 and MOM 2005.

Articles include:

  • Using WMI with MOM
  • Zero Touch Installations
  • Getting to know Windows PE
  • Using MOM for SOX compliant security auditing
  • System Center Operations Manager 2007 (aka MOM 2007)

When correctly deployed and used, MOM and SMS in conjunction with Windows 2003/2003 R2 can really make life simpler for the systems administrator.  I’m speaking from experience here.  In a past job, my team (3 of us) ran a global network of 170 servers.  Most of our time was spent on engineering for new projects/systems instead of firefighting or sneakernet deployments.  This would have been impossible without the solutions we had deployed.


Microsoft has released a Technical Refresh of the Service Pack 2 beta for Windows 2003/2003 R2.  The following was posted on Connect.

"Windows Serviceability is pleased to announce the release of Beta Refresh 1 (build 2786) of Windows Server 2003 Service Pack 2 for Windows Server 2003 and Windows XP Professional x64 Edition customers.

This build contains:

  • Roll up of hotfixes released to date
  • Roll up of security updates released to date
  • Fixes for bugs reported by Beta customers and other known issues on previous Service Pack 2 builds

This build should be used for full deployment purposes, including pre-production testing or general compatibility testing. We will review all reported issues in the Release Candidate build. In order to have a stable test environment we strongly recommend un-installation of any previous SP2 builds from your machines before installing build 2786. If you previously installed an integrated build of SP2, you cannot upgrade your system to build 2786 with this refresh; you will need to re-install a released version (RTM, SP1, or R2) of Windows Server 2003 before upgrading to build 2786. Go to https://connect.microsoft.com/content/content.aspx?SiteID=98&ContentID=1799 to find an evaluation copy of Windows Server 2003 Service Pack 1.

Release notes for this build can be found at https://connect.microsoft.com/content/content.aspx?ContentID=3342&SiteID=98.

Here is the list of releases; note that there are no integrated releases with this build:

32-bit x86 standalone update: English, German and Japanese
x64 standalone update: English and Japanese
Itanium standalone update: English, German and Japanese
Checked update for English only (debug version)
We encourage you to continue WS03 SP2 Beta testing with this build and provide feedback".

The feature in this Service Pack I’m most interested in is Windows Deployment Services.  An image based system, WDS is a replacement for RIS and will be one of the deployment mechanisms for Windows Vista.  Any organisation facing a potential deployment of Vista should review this new solution.


Microsoft has released a new version of the MOM 2005 management pack for the Windows operating system.  The new release, version 4, includes the ability to manage the features of Windows 2003 R2.  The MP provides support for Windows NT 4.0 and later.


Back in 2003, Microsoft unofficially notified the world of their intention to venture into the world of anti-virus and anti-malware solutions by buying out Romania-based antivirus firm GeCad.  The world waited but nothing happened.  Then Microsoft bought Giant, an anti-spyware provider.  We waited and then got a limited functionality product called Defender that has been in a never ending beta.  More recently, Microsoft bought out Sybari, the famed e-mail anti-malware solutions provider.  This past July, Microsoft Antigen 9.0 made its debut.  Antigen for Exchange featured a new anti-virus engine that had not been seen before, one from Microsoft!

Details of what Microsoft was doing on the server and desktop anti-malware world slipped out here and there.  They were definitely developing a solution.  It was rumoured that Windows Update and/or WSUS could be a deployment mechanism, something that many would like as it would simplify deployment systems.

Microsoft recently announced the start of the public beta of Microsoft Forefront Client Security saying that it would provide:

"Unified malware protection for business desktops, laptops, and server operating systems that is easier to manage and control. Built on the same highly successful Microsoft protection technology already used by millions of people worldwide, Forefront Client Security helps guard against emerging threats, such as spyware and rootkits, as well as against traditional threats, such as viruses, worms, and Trojan horses. By delivering simplified administration through central management and providing critical visibility into threats and vulnerabilities, Forefront Client Security helps you protect your business with greater confidence and efficiency. Forefront Client Security integrates with your existing infrastructure software, such as Active Directory, and complements other Microsoft security technologies for better protection and greater control.

Forefront Client Security is currently in development. Microsoft plans to make a public beta of the product available to customers in the fourth quarter of 2006. Pricing and licensing will be announced at a later date.

The benefits offered by Microsoft Forefront Client Security include:

  • Unified Protection: Forefront Client Security delivers unified protection from current and emerging malware, so you can feel confident that your business systems are better protected against a broad range of threats.
  • Simplified Administration: Forefront Client Security provides simplified administration through central management, so you can protect your business with greater efficiency.
  • Critical Visibility and Control: Forefront Client Security produces insightful, prioritized security reports and a summary dashboard view, so you have visibility and control over malware threats".

The solution includes anti-virus and anti-spam prevention mechanisms and management.  Based purely on description, this looks like Microsoft will jump straight into competition with Sophos, a leader in this field.  It will be interesting to monitor how things develop.


Microsoft TechNet Ireland has just started advertising a free day of briefings on some of the new System Center products including those available now and those that are coming next year.  It will basically consist of some of the main sessions from the MMS conference that was held earlier this year in the U.S.

This TechNet event will be very technical, covering the following topics:

  • Optimising your infrastructure with Microsoft System Centre
  • MOM 2005 and System Centre Operations Manager 2007 technical drilldown
  • SMS 2003 R2 and System Centre Configuration Manager 2007 technical drilldown
  • Operations Management with System Centre Products
  • Protecting your data with Systems Centre Data Protection Manager

Sessions will cover one or more of the following scopes on a specific topic:

  • Deep drill technical drilldown into current or future of the products and technologies
  • Best practices for common real-world scenarios covering the lifecycle of solutions
  • Comparisons between different solutions available – such as SMS and WSUS patch management
  • Real-world experience (‘Tips and Tricks’) from Microsoft and non-Microsoft consultants and customers