Mark Minasi's Windows Networking Tech Page Issue #57 Late October 2006
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
To change e-mail address or other info, link
to http://www.minasi.com/edit-newsletter-record.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do not reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2006 Mark Minasi.
What's Inside
- News
- New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas,
Seattle in December
- Well, Actually, Supporting Vista Comes to Iceland Next Week...
- Mastering Windows Server 2003, Upgrade Edition for SP1 and R2 is
$19.95 until the end of October
- Tech Section
- Conferences
- Bring a Seminar to Your Site
News
Hi all --
Microsoft will be finished with Vista next week, so it's time to ask:
Vista yes or Vista no? We'll take that up in this newsletter.
I hope to offer some insights on the good and bad to save you some time
but, first, a word from our sponsor...
New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas,
Seattle in December
Now that I've finished writing my upcoming book Administering
Vista Security: the Big Surprises, I finally had the time to
put together my two-day "Supporting Vista" seminar, and I'm bringing it
to New York, the DC area, Seattle and Dallas. In
two days of lecture and demonstrations, I'll show you how installing,
configuring, managing, securing and troubleshooting Vista is different
from doing the same things for XP... and you'll learn all that without
falling asleep.
You can see a course outline for the new Vista class at
www.minasi.com/vista/vsupport.htm and you can find the links to sign
up for Mahwah (November 30/December 1), Dallas (December 4-5), Seattle
(December 7-8), or DC (December 11-12). Even if you're not
planning on rolling out Vista any time soon, come to this seminar to
find out about the pains and gains of Vista!
Well, Actually, Supporting Vista Comes to Iceland Next Week...
Microsoft will almost certainly release Vista to manufacturing next
Wednesday, 25 October... what better way to celebrate it than by attending
my "Supporting Vista" class in Reykjavik?
My good friends at EJS have asked me to bring Supporting Vista to
their location and so I'll be doing it 25/26 October. Their
Web site is in Icelandic, but fear not; after much internal debate, I've
decided to do the class in English rather than Icelandic. To find
out more, contact Sverrir Hákonarson at
sverrir@ejs.is and I hope to see some of my European readers at
Smoky Bay next week! (And sorry for the short notice, my fault.)
Mastering Windows Server 2003, Upgrade Edition for SP1 and R2
Available for $19.95 Through the End Of October
You read in the last newsletter that I'd finished my follow-on volume
to Mastering Windows 2003 Server, the new Mastering Windows Server 2003, Upgrade Edition for SP1 and R2.
As I explained, this new 744-page volume covers all of the new features in 2003 SP1,
covers the major downloadable 2003 modules (SharePoint, Unix
integration, Active Directory Application Mode), and the handful of
features that are only available on 2003 R2 (DFSR, the new quotas and
file filters, the Printer Management Console and more). This book
is intended to enhance your skill set whether you're using the original
Windows Server 2003 with SP1 added, or if you're running Windows Server
2003 R2. You can read more about it at
www.minasi.com/sp1r2book.
Okay, that wasn't news. But this is:
Bookpool's special
price of $19.95 for this $40 book only lasts until the end of October.
Apparently they made some deal with Sybex and that's how they got the
good price, so if you're thinking about picking up the SP/R2 book,
please consider doing it before the end of the month, and save a few
bucks. Thanks!
Tech Section
This month, we take up the big question of the month.
Vista Yes or Vista No?
In about a week, Microsoft will release the final "release to
manufacturing" or RTM version of Vista or, rather, versions of
Vista. Should you upgrade, or should you stay with XP? In
this newsletter, I hope to briefly offer some advice on the salient pros
and cons of the new version of Windows. Bear in mind that I'm just
expressing my opinions about what will be good or bad, and so I may not
even mention some feature that someone else would find essential.
Vista Pros
I think that you'll see that Vista's biggest pluses are, in brief and
in no particular order:
More group policy settings mean easier central control
I've written elsewhere that in my opinion, Windows will not be
complete until everything that you can control from the GUI you can also
control from the command line and group policies, and vice versa.
As with every version of Windows, and even every service pack, Microsoft
has gotten a bit closer to my wishes with more group policy settings.
Vista's no exception, with nearly 700 new group policy settings.
Some, like power configuration settings, let you finally control items
that have existed for years but were previously only configurable from
the command line. Others, like the nifty new Plug and Play
controls, let you do things that you couldn't with any previous version
of Windows -- in this case, to block certain kinds of hardware from
installing altogether.
Microsoft has also completely revamped the underlying mechanism of
group policies, improving its reliability, its logging capabilities,
reducing its burden on your domain controller's Sysvols, and improving
group policy support for VPN users. Group Policy Management
Console is promoted from a download to an in-the-box tool, we finally
get a 64-bit version of GPMC, and you can have multiple local user group
policy objects, all in Vista. But that's not all -- Microsoft's
promised even more group policy goodies around the time of (believe it
or not) Vista SP1!
Better "baked in" security means an OS that's harder to attack
As far as I can see, the two biggest changes that Vista brings to
Windows are yet another GUI (yawn) and some seriously improved security
infrastructure, including
- a new Internet Explorer that contains features to sniff out
phishing and that includes a "protected mode" that will slow down
Internet-borne malware by exploiting another new Vista feature
called Windows Integrity Control
- a User Account Control feature that will help users and admins
become more aware of when they are exposing their computers -- and
data -- to danger
- PatchGuard, a piece of the x64 version of the OS that makes life
tougher for root kit creators
- Address Space Layout Randomization, a process that scrambles the
addresses of system components so as to make writing one worm
that can attack all copies of Vista -- something quite easy
to do under XP and 2003 -- an order of magnitude harder
- two new features that let you dial down the amount of privileges
that a service has, and restrict heavily what resources that service
can modify, making service lockdown a lot simpler
- a vastly improved Windows Firewall (although I doubt that WF
will ever become extremely powerful ... who'd buy ISA Server
if it did?)
- a 64-bit Vista requirement that all boot programs, drivers and
kernel apps must be digitally signed
- a group policy feature that allows admins to lock out classes of
hardware, like USB sticks
- BitLocker volume encryption lets you ensure that when you lose a
laptop, you don't lose its data
- the Administrator account is disabled, removing a common attack
point
- Windows Defender installs automatically on Vista... so maybe I
won't have to fix friends' computers as often!
There are others, but those are the ones that come to mind
immediately. Bottom line: there's a lot more armor in Vista.
Search folders, stacks, tags and ratings will make organizing huge
hard disks easier
The world's different from when we had 100 MB drives on our
computers. Soon we'll be walking around with laptops with terabyte
drives. But how do we organize that data? With folders.
And folders inside folders inside folders...
Vista makes it easy to add "metadata," things like keywords (Vista calls
them "tags") and ratings that help us organize and re-organize our files
in many different ways. A new notion called "search folders" lets us
take the same data and chop it up in different ways. I'm already
using it to greatly, greatly simplify managing my digital photos.
Where I once had folders named "sunsets," "moon," and "beach," and had
to puzzle where to put the picture of the Moon rising over the ocean
while tinged with the color of the sunset on the other horizon, now I
just tag the picture with "sunset," "moon" and "beach," and I needn't
play the which-folder-does-it-go-into game at all.
UAC will be annoying but will help us put pressure on application
vendors to make better apps
I mentioned UAC before; it's "the Vista feature that everyone loves
to hate." Basically it pops up a dialog box every time you're
about to do something that would require administrative powers, and asks
you to click "Confirm" to continue. It sounds annoying and it can
be, but I think it'll be useful overall. I won't describe it in
detail because I've written about how it works in brief at
http://www.microsoft.com/technet/community/columns/secmvp/default.mspx
and then I've argued why it's worthwhile at
http://www.windowsitpro.com/Article/ArticleID/93358/93358.html.
I suspect, however, that UAC's greatest strength will be in
empowering us to beat up on software developers who are still coding
Windows applications as if it were still 1991. Far too many
applications require administrative credentials to run for just one
reason: their developers are lazy. Microsoft enumerated how
to properly create normal applications like word processors, personal
financial programs and games so that they could be run by standard user
accounts way back in April of 1992, but mysteriously many apps of that
type still unnecessarily require administrative credentials to run.
With UAC, people will probably continue to run their systems as local
administrators, but that UAC prompt will remind them when they're doing
something administrator-ish. That'll lead to raised eyebrows as
those users realize that their personal finance program or digital photo
processing program won't run without admin credentials... and maybe
that'll cause those users to either switch brands, or send a nasty email
to those apps' developers. UAC may accidentally turn out to be a
great "warning! junk app!" alarm.
Transaction-based NTFS and Registry will make for more stable
patching
I covered this a couple of newsletters back so I'll spare you the
re-run. You've got to
love the notion of an install it all or just roll-back patch install,
though, and Vista offers that promise. Unfortunately, Microsoft
removed that neat transaction.exe command that I demonstrated in that
newsletter. Bummer.
Most PCs purchased nowadays are laptops, and BitLocker makes great
sense for laptops
BitLocker is a Vista Ultimate feature (I'll grumble about that later)
that lets you encrypt the entire drive that holds your operating system.
(I refuse to call it a boot drive, dagnabbit -- the operating system's
on it, it's a system drive!) The 128 or 256 bit key's either
stored on the motherboard or on a USB stick. Result: anyone
stealing the laptop must have a valid user account to get to the data.
Or the thief could just remove the hard disk, stick it in a disk
enclosure, plug it into another computer and try to read it... after
he's figured out the 128- or 256-bit key.
Imagine using this on a Longhorn-based domain controller in a branch
office where you're not quite sure how well it's physically secured.
For the first time in the Windows world, the adage that "if I physically
have your computer, I control it" isn't so true.
(By the way, in case the "Ultimate" reference was unclear, Vista
ships in about a half-dozen flavors ranging from the very-basic Vista
Home Basic to the all-goodies-included Vista Ultimate. I was
referring to the fact that BitLocker is only available on Vista
Ultimate and on another version of Vista only available to big customers
called "Vista Enterprise.")
CompletePC backup does backups as you've never seen them before
You want to back up your system so that if the computer goes blooey
then you can quickly restore it to a different piece of hardware,
without losing your settings and applications? Do a CompletePC
backup. It basically creates a virtual machine version of
your computer. That VM can be restored as an actual physical
computer on another piece of hardware. In fact, with a bit of
jiggery-pokery you could use this to create a virtual machine version of
your desktop. Dang cool.
Undelete comes to Windows
Quick now: how many hours do you spend every week restoring
files for users who've accidentally deleted their vital documents?
Well, with Vista you can right-click a file or folder, and then choose
Properties and a new tab, "Previous Versions." Every time your PC
creates a System Restore point, it also backs up your files. As
with 2003's Volume Shadow Copy, it keeps track of more than one previous
version. When the users ask, "can you restore my deleted
document," you can answer "sure, but you can do it yourself... and which
version of the document did you want?"
Neat new deployment tools
If you looked at RIS back in the Windows 2000 days and said, "no,
thanks, I'll stay with Ghost," then take a look at Windows Deployment
Services, RIS's successor that appears in 2003 SP2 and that exploits
Vista's completely new deployment tools. This is not your father's
RIS!
CardSpace
As a guy who runs an e-commerce site, I immediately liked Microsoft's
technology for making on-line transactions simpler while at the same
time solving the problem of "I've got 'accounts' on 200 different Web
sites, and they've all got the same password." I wrote about it at
http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=40402, but
in short it's a technology that is standards-based and that basically
takes the burden of worrying about fraud out of the hands of the
e-commerce vendor, and shifts it to the credit card provider. Vista's
IE7 includes the client side component of CardSpace.
Vista Cons
In contrast, what I see as minuses include
Vista's new pricing is nothing more than price gouging
$400 for a copy of Ultimate? Gimme a break; that's 42 percent
above the cost of XP Pro. I wish my fees could go up that much in
five years. But then, I'm not a monopoly.
Vista's new license is even worse than the XP license
The XP license and Windows Activation were a major pain that had one
purpose: to make it harder for you to own Windows, and easier for
Microsoft to be sure that you actually paid for that copy of Windows.
Hey, I wish I could verify that every single copy of my books,
audios etc were never pirated... ah, but I'm not a monopoly.
Force-feeding us IPv6 will make support harder
I know that there are some very nice arguments for IPv6 and I'm sure
that come 2016, we'll all be using it. (Well, maybe; I can't
really imagine my ISP ever figuring it out, but I could be wrong.)
But supporting IPv6 requires some new skills that many Windows techies
don't have yet, and that honestly they don't need for a few years.
So why does Vista turn on IPv6 by default? No good reason that I
can think of, except perhaps that China's trying to build a country-wide
IPv6 network and Microsoft desperately wants market share in China.
Meanwhile, try firing up a copy of Vista, open a command prompt and
type ipconfig /all. You'll see more hex than in a season of
Charmed. But wait, you say, I could just always disable IPv6
on my NIC? Sure I can... but IPv4-to-IPv6 stuff (6to4, Teredo, and
Isatap) all remain, making for some ugly output.
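If you want to see for yourself how much of that output is transition
plumbing rather than "real" IPv6, the following batch file is an added
example (mine, not something from the newsletter or from Microsoft's
documentation); it assumes the netsh "teredo," "6to4" and "isatap"
contexts that the Vista builds I've seen expose, and that the "set"
lines are run from an elevated command prompt. The "show" lines are safe
to run anywhere and simply report the state of each tunnelling
technology before you decide whether to switch it off.

```batch
@echo off
rem Added example, not from the newsletter: inventory IPv6 transition
rem technologies on a Vista box and, optionally, turn them off so that
rem ipconfig /all shows only the addresses a support tech expects to see.

echo === Full adapter listing (this is where the hex shows up) ===
ipconfig /all

echo === Interface list as the IPv6 stack sees it ===
netsh interface ipv6 show interfaces

echo === State of each transition technology ===
netsh interface teredo show state
netsh interface 6to4 show state
netsh interface isatap show state

rem Pass /disable to switch the three tunnelling technologies off.
rem Requires an elevated prompt; does not touch native IPv6 on the NIC.
if /i "%1"=="/disable" (
    echo === Disabling Teredo, 6to4 and ISATAP ===
    netsh interface teredo set state disabled
    netsh interface 6to4 set state disabled
    netsh interface isatap set state disabled
    echo === Adapter listing after the change ===
    ipconfig /all
)
```

Run it with no arguments to just look, or as "ipv6-tunnels.cmd /disable"
from an elevated prompt to quiet things down; leaving the native IPv6
binding on the NIC alone keeps the change reversible with the matching
"set state enabled" commands.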
Right now, Microsoft, computer manufacturers and ISPs enjoy the
benefit of legions of people who help their friends, family and
neighbors with computer problems at no charge -- and if you're reading
this, I imagine you're one of them. What'll happen the first time
a volunteer techie does an ipconfig /all on a neighbor's brand new
Dell/cable modem/Vista combination? That techie might suddenly
recall a pressing appointment for a root canal, or for that matter
anything more fun than IPv6.
Still no anti-virus in the box
AV's not a feature. It's an essential. As I've said many
times, why is Movie Maker an essential part of the OS... and anti-virus
not?
Only putting BitLocker in Ultimate and Enterprise was dumb
You've already read that I think that BitLocker makes an astounding
amount of sense security-wise. It was very smart of Microsoft to
say that security was a top priority for Vista. So if it's a top
priority, how come I have to buy the $400 version of Windows to get it?
I don't mean this to sound unkind, but the fact is that security is a
problem because earlier versions of Windows were poorly designed.
Security problems are a defect to be repaired, not a feature to be
exploited for money. This kind of thing makes me worry that I'll
have to pay for hotfixes soon, y'know?
Better security comes with a price in terms of application
compatibility
All of that better security means that older applications written
without security in mind, or ones written with Windows 95 rather than NT
in mind, might stop working or might require some adjusting to make
work. It'll be annoying, but I think it's overall for the best, as
I say in my last point.
Vista needs some horsepower to run
I've been test-driving Vista on my Acer Ferrari 64, a 2 GHz Turion
with 2 GB of RAM and a fast perpendicular-writing IDE drive... and it
feels kind of sluggish. Don't get me wrong, it's not like I
couldn't live with this... but there just plain aren't all that many
laptops available that are faster than this computer, save for ones with
processors that would allow them to double as stovetops or that weigh
over nine pounds. And no, there's no "debug code" in the beta --
that's a separate set of betas.
As time goes on, new laptops will have the speed to make Vista run
swiftly. I just don't think that there are many available now.
But truthfully that's always been true with new versions of Windows:
Microsoft releases new software and eventually the hardware catches up.
(Or, as some wags have put it, "Intel giveth... and Microsoft taketh
away.")
Microsoft pulled its punches with some security technologies
As I've already suggested, making an OS more secure means making it
less backward compatible. It's an iron rule and, I'd guess, one
that drives OS developers of all stripes crazy. With Vista,
Microsoft took some very forward steps toward securing the OS that will
break many old apps, as with PatchGuard (an anti-rootkit tool that's got
Symantec nuts because they can't re-wire your Windows kernel any more)
or Vista x64's insistence on signed drivers. But with some other
bold security-oriented changes, it seemed that Microsoft caved to
outside pressure. Take Windows Integrity Control, for example,
previously known as Mandatory Integrity Control. Originally it was
something designed to make it virtually impossible for a piece of
malware to replace OS components, even if an administrator inadvertently
activated that malware and lent it her powerful privileges. It
would have "sandboxed" files and programs coming from the Internet,
making it far more difficult for Internet-borne malware to do damage to
your system. But as of RC2, WIC's really just a minor stumbling
block to a drive-by download. Don't get me wrong, the new WIC
plumbing is still there, and you could actually restore some of WIC's
abilities yourself -- but its scaled-back out-of-the-box nature is
frustrating. In another example, Vista lets you potentially
secure services, but Microsoft secured only a minority of their own
services.
Microsoft took some good strides ahead in securing Vista, and I'm
sure that'll annoy many customers because of application compatibility
problems. But for heaven's sake, it's time to re-examine the
security/compatibility balance.
It's not 1992 any more; we all use the Internet, and 2006's Internet
is a very dangerous place positively fraught with automated attack
tools, spyware wrapped in spam, and criminals who will stop at nothing
to harm you or, rather, harm your bank account. Yes, there's a
cost in application compatibility sometimes, but I think that refusing
to accept necessary security measures just because they exact some
application compatibility costs seems like living in downtown Baghdad
and choosing not to buy a bulletproof vehicle because it's got lousy gas
mileage.
Any OS that is the most-used OS in the world must accept that it will
be the most-attacked OS in the world. The sad fact is that
Microsoft is going to have to make the security changes that they backed
away from some day; why not just do it now and annoy people a lot once,
and get it over with, rather than annoying us a little with every new
version of Windows?
Bottom Line
Some of Vista's features will be compelling, particularly for those
concerned about security, and those folks will migrate immediately.
I suspect that most people who are content with their XP systems'
performance and SP2-augmented security will wait until their next
hardware refresh. Either way, Microsoft's eventual withdrawal of
support for XP, coupled with the seemingly-monthly discovery of truly
frightening bugs, means that we'll all have to either move away from XP
in a few years, or face the worm du jour alone.
Whether you intend to roll out Vista in January 2006 or 2008, its
security changes and hardware requirements lead me to recommend that you
get it and at least play with it a bit to identify those things that may
give you trouble down the road -- or to happily discover that you won't
have any troubles at all. But the earlier that you start planning,
the less disruptive the change will be.