Mark Minasi's Windows Networking Tech Page
Issue #57 Late October 2006

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do not reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2006 Mark Minasi.

What's Inside

  • News
    • New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas, Seattle in December
    • Well, Actually, Supporting Vista Comes to Iceland Next Week...
    • Mastering Windows Server 2003, Upgrade Edition for SP1 and R2 is $19.95 until the end of October
  • Tech Section
    • Vista Yes or No?
  • Conferences
  • Bring a Seminar to Your Site

News

Hi all --

Microsoft will be finished with Vista next week, so it's time to ask:  Vista yes or Vista no?  We'll take that up in this newsletter.  I hope to offer some insights on the good and bad to save you some time but, first, a word from our sponsor...

New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas, Seattle in December

Now that I've finished writing my upcoming book Administering Vista Security:  the Big Surprises, I finally had the time to put together my two-day "Supporting Vista" seminar, and I'm bringing it to New York, the DC area, Seattle and Dallas.  In two days of lecture and demonstrations, I'll show you how installing, configuring, managing, securing and troubleshooting Vista is different from doing the same things for XP... and you'll learn all that without falling asleep.

You can see a course outline for the new Vista class at www.minasi.com/vista/vsupport.htm, and there you'll find the links to sign up for Mahwah (November 30/December 1), Dallas (December 4-5), Seattle (December 7-8), or DC (December 11-12).  Even if you're not planning on rolling out Vista any time soon, come to this seminar to find out about the pains and gains of Vista!

Well, Actually, Supporting Vista Comes to Iceland Next Week...

Microsoft will almost certainly release Vista to manufacturing next Wednesday, 25 October... what better way to celebrate it than by attending my "Supporting Vista" class in Reykjavik?

My good friends at EJS have asked me to bring Supporting Vista to their location and so I'll be doing it 25/26 October.   Their Web site is in Icelandic, but fear not; after much internal debate, I've decided to do the class in English rather than Icelandic.  To find out more, contact Sverrir Hákonarson at sverrir@ejs.is and I hope to see some of my European readers at Smoky Bay next week!  (And sorry for the short notice, my fault.)

Mastering Windows Server 2003, Upgrade Edition for SP1 and R2 Available for $19.95 Through the End Of October

You read in the last newsletter that I'd finished my follow-on volume to Mastering Windows 2003 Server, the new Mastering Windows Server 2003, Upgrade Edition for SP1 and R2.  As I explained, this new 744-page volume covers all of the new features in 2003 SP1, covers the major downloadable 2003 modules (SharePoint, Unix integration, Active Directory Application Mode), and the handful of features that are only available on 2003 R2 (DFSR, the new quotas and file filters, the Printer Management Console and more).  This book is intended to enhance your skill set whether you're using the original Windows Server 2003 with SP1 added, or if you're running Windows Server 2003 R2.  You can find out more at www.minasi.com/sp1r2book.

Okay, that wasn't news.  But this is:  Bookpool's special price of $19.95 for this $40 book only lasts until the end of October.  Apparently they made some deal with Sybex and that's how they got the good price, so if you're thinking about picking up the SP/R2 book, please consider doing it before the end of the month, and save a few bucks.  Thanks! 

Tech Section

This month, we take up the big question of the month.

Vista Yes or Vista No?

In about a week, Microsoft will release the final "release to manufacturing" or RTM version of Vista or, rather, versions of Vista.  Should you upgrade, or should you stay with XP?  In this newsletter, I hope to briefly offer some advice on the salient pros and cons of the new version of Windows.  Bear in mind that I'm just expressing my opinions about what will be good or bad, and so I may not even mention some feature that someone else would find essential.

Vista Pros

I think that you'll see that Vista's biggest pluses are, in brief and in no particular order:

More group policy settings mean easier central control

I've written elsewhere that in my opinion, Windows will not be complete until everything that you can control from the GUI you can also control from the command line and group policies, and vice versa.  As with every version of Windows, and even every service pack, Microsoft has gotten a bit closer to my wishes with more group policy settings.  Vista's no exception, with nearly 700 new group policy settings.  Some, like power configuration settings, let you finally control items that have existed for years but were previously only configurable from the command line.  Others, like the nifty new Plug and Play controls, let you do things that you couldn't with any previous version of Windows -- in this case, to block certain kinds of hardware from installing altogether.

Microsoft has also completely revamped the underlying mechanism of group policies, improving its reliability, its logging capabilities, reducing its burden on your domain controller's Sysvols, and improving group policy support for VPN users.  Group Policy Management Console is promoted from a download to an in-the-box tool, we finally get a 64-bit version of GPMC, and you can have multiple local user group policy objects, all in Vista.  But that's not all -- Microsoft's promised even more group policy goodies around the time of (believe it or not) Vista SP1!

Better "baked in" security means an OS that's harder to attack

As far as I can see, the two biggest changes that Vista brings to Windows are yet another GUI (yawn) and some seriously improved security infrastructure, including

  • a new Internet Explorer that contains features to sniff out phishing and that includes a "protected mode" that will slow down Internet-borne malware by exploiting another new Vista feature called Windows Integrity Control
  • a User Account Control feature that will help users and admins become more aware of when they are exposing their computers -- and data -- to danger
  • PatchGuard, a piece of the x64 version of the OS that makes life tougher for root kit creators
  • Address Space Layout Randomization, a process that scrambles the addresses of system components so as to make writing one worm that can attack all copies of Vista -- something quite easy to do under XP and 2003 -- an order of magnitude harder
  • two new features that let you dial down the amount of privileges that a service has, and restrict heavily what resources that service can modify, making service lockdown a lot simpler
  • a vastly improved Windows Firewall (although I doubt that WF will ever become extremely powerful ... who'd buy ISA Server if it did?)
  • a 64-bit Vista requirement that all boot programs, drivers and kernel apps must be digitally signed
  • a group policy feature that allows admins to lock out classes of hardware, like USB sticks
  • BitLocker volume encryption lets you ensure that when you lose a laptop, you don't lose its data
  • the Administrator account is disabled, removing a common attack point
  • Windows Defender installs automatically on Vista... so maybe I won't have to fix friends' computers as often!

There are others, but those are the ones that come to mind immediately.  Bottom line: there's a lot more armor in Vista.

Search folders, stacks, tags and ratings will make organizing huge hard disks easier

The world's different from when we had 100 MB drives on our computers.  Soon we'll be walking around with laptops with terabyte drives.  But how do we organize that data?  With folders.  And folders inside folders inside folders...

Vista makes it easy to add "metadata," things like keywords (Vista calls them "tags") and ratings, that help us organize and re-organize our files in many different ways.  A new notion called "search folders" lets us take the same data and chop it up in different ways.  I'm already using it to greatly, greatly simplify managing my digital photos.  Where I once had folders named "sunsets," "moon," and "beach," and had to puzzle where to put the picture of the Moon rising over the ocean while tinged with the color of the sunset on the other horizon, now I just tag the picture with "sunset," "moon" and "beach," and I needn't play the which-folder-does-it-go-into game at all.

UAC will be annoying but will help us put pressure on application vendors to make better apps

I mentioned UAC before; it's "the Vista feature that everyone loves to hate."  Basically it pops up a dialog box every time you're about to do something that would require administrative powers, and asks you to click "Confirm" to continue.  It sounds annoying and it can be, but I think it'll be useful overall.  I won't describe it in detail because I've written about how it works in brief at http://www.microsoft.com/technet/community/columns/secmvp/default.mspx and then I've argued why it's worthwhile at http://www.windowsitpro.com/Article/ArticleID/93358/93358.html.

I suspect, however, that UAC's greatest strength will be in empowering us to beat up on software developers who are still coding Windows applications as if it were still 1991.  Far too many applications require administrative credentials to run for just one reason:  their developers are lazy.  Microsoft enumerated how to properly create normal applications like word processors, personal financial programs and games so that they could be run by standard user accounts way back in April of 1992, but mysteriously many apps of that type still unnecessarily require administrative credentials to run.  With UAC, people will probably continue to run their systems as local administrators, but that UAC prompt will remind them when they're doing something administrator-ish.  That'll lead to raised eyebrows as those users realize that their personal finance program or digital photo processing program won't run without admin credentials... and maybe that'll cause those users to either switch brands, or send a nasty email to those apps' developers.  UAC may accidentally turn out to be a great "warning!  junk app!" alarm.

Transaction-based NTFS and Registry will make for more stable patching

I covered this a couple of newsletters back so I'll spare you the re-run.  You've got to love the notion of an all-or-nothing patch install (either every change goes in, or the whole thing rolls back), though, and Vista offers that promise.  Unfortunately, Microsoft removed that neat transaction.exe command that I demonstrated in that newsletter.  Bummer.

Most PCs purchased nowadays are laptops, and BitLocker makes great sense for laptops

BitLocker is a Vista Ultimate feature (I'll grumble about that later) that lets you encrypt the entire drive that holds your operating system.  (I refuse to call it a boot drive, dagnabbit -- the operating system's on it, it's a system drive!)  The 128- or 256-bit key's either stored on the motherboard or on a USB stick.  Result:  anyone stealing the laptop must have a valid user account to get to the data.  Or the thief could just remove the hard disk, stick it in a disk enclosure, plug it into another computer and try to read it... after he's figured out the 128- or 256-bit key.

Imagine using this on a Longhorn-based domain controller in a branch office where you're not quite sure how well it's physically secured.  For the first time in the Windows world, the adage that "if I physically have your computer, I control it" isn't so true.

(By the way, in case the "Ultimate" reference was unclear, Vista ships in about a half-dozen flavors ranging from the very-basic Vista Home Basic to the all-goodies-included Vista Ultimate.  I was referring to the fact that BitLocker is only available on Vista Ultimate and another version of Vista only available to big customers called "Vista Enterprise.")

CompletePC backup does backups as you've never seen them before

You want to back up your system so that if the computer goes blooey then you can quickly restore it to a different piece of hardware, without losing your settings and applications?  Do a CompletePC backup.  It basically creates a virtual machine version of your computer.  That VM can be restored as an actual physical computer on another piece of hardware.  In fact, with a bit of jiggery-pokery you could use this to create a virtual machine version of your desktop.  Dang cool.

Undelete comes to Windows

Quick now:  how many hours do you spend every week restoring files for users who've accidentally deleted their vital documents?  Well, with Vista you can right-click a file or folder, and then choose Properties and a new tab, "Previous Versions."  Every time your PC creates a System Restore point, it also backs up your files.  As with 2003's Volume Shadow Copy, it keeps track of more than one previous version.  When the users ask, "can you restore my deleted document," you can answer "sure, but you can do it yourself... and which version of the document did you want?"

Neat new deployment tools

If you looked at RIS back in the Windows 2000 days and said, "no, thanks, I'll stay with Ghost," then take a look at Windows Deployment Services, RIS's successor that appears in 2003 SP2 and that exploits Vista's completely new deployment tools.  This is not your father's RIS!

CardSpace

As a guy who runs an e-commerce site, I immediately liked Microsoft's technology for making on-line transactions simpler while at the same time solving the problem of "I've got 'accounts' on 200 different Web sites, and they've all got the same password."  I wrote about it at http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=40402, but in short it's a technology that is standards-based and that basically takes the burden of worrying about fraud out of the hands of the e-commerce vendor, and shifts it to the credit card provider.  Vista's IE7 includes the client side component of CardSpace.

Vista Cons

In contrast, what I see as minuses include

Vista's new pricing is nothing more than price gouging

$400 for a copy of Ultimate?  Gimme a break; that's 42 percent above the cost of XP Pro.  I wish my fees could go up that much in five years.  But then, I'm not a monopoly.

Vista's new license is even worse than the XP license

The XP license and Windows Activation were a major pain that had one purpose:  to make it harder for you to own Windows, and easier for Microsoft to be sure that you actually paid for that copy of Windows.  Hey, I wish I could verify that every single copy of my books, audios, etc. were never pirated... ah, but I'm not a monopoly.

Force-feeding us IPv6 will make support harder

I know that there are some very nice arguments for IPv6 and I'm sure that come 2016, we'll all be using it.  (Well, maybe; I can't really imagine my ISP ever figuring it out, but I could be wrong.)  But supporting IPv6 requires some new skills that many Windows techies don't have yet, and that honestly they don't need for a few years.  So why does Vista turn on IPv6 by default?  No good reason that I can think of, except perhaps that China's trying to build a country-wide IPv6 network and Microsoft desperately wants market share in China.

Meanwhile, try firing up a copy of Vista, open a command prompt and type ipconfig /all.  You'll see more hex than in a season of Charmed.  But wait, you say, I could just always disable IPv6 on my NIC?  Sure I can... but IPv4-to-IPv6 stuff (6to4, Teredo, and Isatap) all remain, making for some ugly output.

Right now, Microsoft, computer manufacturers and ISPs enjoy the benefit of legions of people who help their friends, family and neighbors with computer problems at no charge -- and if you're reading this, I imagine you're one of them.  What'll happen the first time a volunteer techie does an ipconfig /all on a neighbor's brand new Dell/cable modem/Vista combination?  That techie might suddenly recall a pressing appointment for a root canal, or for that matter anything more fun than IPv6.
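To make the ipconfig /all output described above easier to read, here is an added example (my own code, not part of the original newsletter or of Windows): a Python script that parses that text and reports, per adapter, which IPv6 addresses it carries and whether it is a Teredo, ISATAP or 6to4 interface, so that after you turn IPv6 off on the NIC you can confirm which transition interfaces are still active. The sample output embedded in the script is constructed to mimic Vista's layout, not captured from a real machine; the adapter names, descriptions and addresses in it are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample (not a real capture) in the layout of Vista's `ipconfig /all`; IPv4s are from 192.0.2.0/24.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Constructed Gigabit Adapter
   Link-local IPv6 Address . . . . . : fe80::1c9d:9f6:35be:4a01%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)
   DNS Servers . . . . . . . . . . . : 192.0.2.2
                                       192.0.2.3

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   IPv6 Address. . . . . . . . . . . : 2001:0:4136:e378:8000:63bf:3fff:fdf5(Preferred)

Tunnel adapter isatap.example.invalid:

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Link-local IPv6 Address . . . . . : fe80::5efe:192.0.2.10%10(Preferred)

Tunnel adapter 6TO4 Adapter:

   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   IPv6 Address. . . . . . . . . . . : 2002:c000:20a::c000:20a(Preferred)
   Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
"""

ADAPTER_RE = re.compile(r"^(?P<kind>\S.*?) adapter (?P<name>.+):$")
# label, dot leader, colon, value:  "   IPv6 Address. . . . . . . . . . . : 2001:..."
FIELD_RE = re.compile(r"^\s+(?P<key>[^.:]+?)\s*(?:\. ?)+\s*:\s?(?P<value>.*)$")
TRANSITION = ("teredo", "6to4", "isatap")   # IPv4-to-IPv6 mechanisms Vista enables by default

@dataclass
class Adapter:
    kind: str                                        # "Ethernet", "Tunnel", ...
    name: str
    fields: Dict[str, str] = field(default_factory=dict)
    ipv6: List[str] = field(default_factory=list)    # without "(Preferred)" or %zone

def clean_address(value: str) -> str:
    """Strip the "(Preferred)" suffix and the %zone index that ipconfig appends."""
    return re.sub(r"\(.*?\)\s*$", "", value).strip().split("%", 1)[0]

def parse_ipconfig(text: str) -> List[Adapter]:
    """Split ipconfig /all text into adapters with their fields and IPv6 addresses."""
    adapters: List[Adapter] = []
    current, last_key = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            last_key = None
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = Adapter(m.group("kind"), m.group("name")), None
            adapters.append(current)
            continue
        if current is None: continue          # host-wide header block; skip it
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key").strip(), m.group("value").strip()
            current.fields[key], last_key = value, key
            if key.endswith("IPv6 Address"):  # also "Link-local ..." and "Temporary ..."
                current.ipv6.append(clean_address(value))
        elif last_key:                        # continuation line, e.g. a second DNS server
            current.fields[last_key] += ", " + line.strip()
    return adapters

def classify_ipv6(text: str) -> str:
    """Name the transition mechanism an address belongs to, or its scope otherwise."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return "unparsed"
    if addr.teredo is not None:               # 2001:0::/32
        return "teredo"
    if addr.sixtofour is not None:            # 2002::/16, embeds the host's IPv4 address
        return "6to4"
    if addr.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap"                       # interface id ::0:5efe:w.x.y.z
    return "link-local" if addr.is_link_local else "native"

def adapter_mechanisms(adapter: Adapter) -> List[str]:
    """Transition mechanisms an adapter uses, judged by name/description and addresses."""
    label = (adapter.name + " " + adapter.fields.get("Description", "")).lower()
    found = {t for t in TRANSITION if t in label}
    found.update(m for m in map(classify_ipv6, adapter.ipv6) if m in TRANSITION)
    return sorted(found)

if __name__ == "__main__":
    for a in parse_ipconfig(SAMPLE_IPCONFIG):
        print(f"{a.kind:<9} {a.name:<36} transition: {', '.join(adapter_mechanisms(a)) or '-'}")
        for addr in a.ipv6:
            print(f"{'':<46} {addr} [{classify_ipv6(addr)}]")
```

On a real machine you would feed it the captured text (for instance the output of `ipconfig /all > ipconfig.txt`) instead of the constructed sample. The point of the classification is that a Teredo or 6to4 interface carries IPv6 traffic encapsulated inside IPv4, so a firewall policy written only in IPv4 terms does not see what passes over it; knowing which of those interfaces are up is the first step to deciding whether to leave them on.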

Still no anti-virus in the box

AV's not a feature.  It's an essential.  As I've said many times, why is Movie Maker an essential part of the OS... and anti-virus not?

Only putting BitLocker in Ultimate and Enterprise was dumb

You've already read that I think that BitLocker makes an astounding amount of sense security-wise.  It was very smart of Microsoft to say that security was a top priority for Vista.  So if it's a top priority, how come I have to buy the $400 version of Windows to get it?  I don't mean this to sound unkind, but the fact is that security is a problem because earlier versions of Windows were poorly designed.  Security problems are a defect to be repaired, not a feature to be exploited for money.  This kind of thing makes me worry that I'll have to pay for hotfixes soon, y'know?

Better security comes with a price in terms of application compatibility

All of that better security means that older applications written without security in mind, or ones written with Windows 95 rather than NT in mind, might stop working or might require some adjusting to make work.  It'll be annoying, but I think it's overall for the best, as I say in my last point.

Vista needs some horsepower to run

I've been test-driving Vista on my Acer Ferrari 64, a 2 GHz Turion with 2 GB of RAM and a fast perpendicular-writing IDE drive... and it feels kind of sluggish.  Don't get me wrong, it's not like I couldn't live with this... but there just plain aren't all that many laptops available that are faster than this computer, save for ones with processors that would allow them to double as stovetops or that weigh over nine pounds.  And no, there's no "debug code" in the beta -- that's a separate set of betas.

As time goes on, new laptops will have the speed to make Vista run swiftly.  I just don't think that there are many available now.  But truthfully that's always been true with new versions of Windows:  Microsoft releases new software and eventually the hardware catches up.  (Or, as some wags have put it, "Intel giveth... and Microsoft taketh away.")

Microsoft pulled its punches with some security technologies

As I've already suggested, making an OS more secure means making it less backward compatible.  It's an iron rule and, I'd guess, one that drives OS developers of all stripes crazy.  With Vista, Microsoft took some very forward steps toward securing the OS that will break many old apps, as with PatchGuard (an anti-rootkit tool that's got Symantec up in arms because they can't re-wire your Windows kernel any more) or Vista x64's insistence on signed drivers.  But with some other bold security-oriented changes, it seemed that Microsoft caved to outside pressure.  Take Windows Integrity Control, for example, previously known as Mandatory Integrity Control.  Originally it was something designed to make it virtually impossible for a piece of malware to replace OS components, even if an administrator inadvertently activated that malware and lent it her powerful privileges.  It would have "sandboxed" files and programs coming from the Internet, making it far more difficult for Internet-borne malware to do damage to your system.  But as of RC2, WIC's really just a minor stumbling block to a drive-by download.  Don't get me wrong, the new WIC plumbing is still there, and you could actually restore some of WIC's abilities yourself -- but its scaled-back out-of-the-box nature is frustrating.  In another example, Vista lets you potentially secure services, but Microsoft secured only a minority of their own services.
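To make concrete what the WIC "plumbing" in that paragraph actually enforces, here is an added illustration (pure Python of my own, not Windows code and not from the newsletter) of the mandatory integrity check that runs before the ordinary DACL check: a subject at a lower integrity level than an object loses whichever rights the object's label policy protects. The level names and the no-write-up / no-read-up / no-execute-up policies follow Vista's design; the labels in the demo scenario (a browser process at Low, the user's documents unlabelled and therefore treated as Medium, a cache folder labelled Low) are assumptions chosen for illustration.

```python
from enum import IntEnum
from typing import Optional, Set

class Level(IntEnum):
    """Integrity levels, lowest to highest (the model keeps the Vista names)."""
    UNTRUSTED = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SYSTEM = 4

# Policy flags an object's mandatory label can carry; NO_WRITE_UP is the default.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = "no_write_up", "no_read_up", "no_execute_up"

WRITE_RIGHTS = {"write", "append", "delete", "write_dac", "write_owner"}
READ_RIGHTS = {"read"}
EXECUTE_RIGHTS = {"execute"}

def mandatory_check(subject: Level, obj_level: Optional[Level], policy: Set[str], requested: Set[str]) -> bool:
    """Integrity check that runs before the DACL: a lower-integrity subject loses the
    rights the object's policy protects. An unlabelled object counts as Medium, no-write-up."""
    if obj_level is None:
        obj_level, policy = Level.MEDIUM, {NO_WRITE_UP}
    if subject >= obj_level:
        return True                              # same or higher integrity: label imposes nothing
    blocked: Set[str] = set()
    if NO_WRITE_UP in policy:
        blocked |= WRITE_RIGHTS
    if NO_READ_UP in policy:
        blocked |= READ_RIGHTS
    if NO_EXECUTE_UP in policy:
        blocked |= EXECUTE_RIGHTS
    return not (requested & blocked)

def access_check(subject, obj_level, policy, dacl_grants, requested) -> bool:
    """Both the mandatory label and the discretionary ACL must allow every requested right."""
    return mandatory_check(subject, obj_level, policy, requested) and requested <= dacl_grants

def protected_mode_demo() -> dict:
    """Outcomes for a Low-integrity browser process. Assumed labels for the scenario: the
    user's documents are unlabelled (so Medium), the cache folder is labelled Low; every
    DACL grants full control, so only the integrity label can deny."""
    everything = WRITE_RIGHTS | READ_RIGHTS | EXECUTE_RIGHTS
    return {
        "low browser writes Documents": access_check(Level.LOW, None, set(), everything, {"write"}),
        "low browser reads Documents": access_check(Level.LOW, None, set(), everything, {"read"}),
        "low browser writes Low cache": access_check(Level.LOW, Level.LOW, {NO_WRITE_UP}, everything, {"write"}),
        "medium app writes Documents": access_check(Level.MEDIUM, None, set(), everything, {"write"}),
        "medium app reads High, no-read-up": access_check(Level.MEDIUM, Level.HIGH, {NO_WRITE_UP, NO_READ_UP}, everything, {"read"}),
        "medium app writes, DACL denies": access_check(Level.MEDIUM, None, set(), READ_RIGHTS, {"write"}),
    }

if __name__ == "__main__":
    for case, allowed in protected_mode_demo().items():
        print(f"{case:<38} {'allowed' if allowed else 'DENIED'}")
```

The second and fourth cases are the ones to notice: with only no-write-up in force (the default), a Low process can still read everything a Medium user can, and anything already running at Medium is untouched by the label. That is what makes the out-of-the-box configuration a speed bump rather than a sandbox; the plumbing can deny more only where objects are labelled higher and given the stricter policies.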

Microsoft took some good strides ahead in securing Vista, and I'm sure that'll annoy many customers because of application compatibility problems.  But for heaven's sake, it's time to re-examine the security/compatibility balance.  

It's not 1992 any more; we all use the Internet, and 2006's Internet is a very dangerous place positively fraught with automated attack tools, spyware wrapped in spam, and criminals who will stop at nothing to harm you or, rather, harm your bank account.  Yes, there's a cost in application compatibility sometimes, but I think that refusing to accept necessary security measures just because they exact some application compatibility costs seems like living in downtown Baghdad and choosing not to buy a bulletproof vehicle because it's got lousy gas mileage.

Any OS that is the most-used OS in the world must accept that it will be the most-attacked OS in the world.  The sad fact is that Microsoft is going to have to eventually make the security changes that they backed away from some day; why not just do it now and annoy people a lot once, and get it over with, rather than annoying us a little with every new version of Windows?

Bottom Line

Some of Vista's features will be compelling, particularly for those concerned about security, and those folks will migrate immediately.  I suspect that most people who are content with their XP systems' performance and SP2-augmented security will wait until their next hardware refresh.  Either way, Microsoft's eventual withdrawal of support for XP, coupled with the seemingly-monthly discovery of truly frightening bugs mean that we'll all have to either move away from XP in a few years, or face the worm du jour alone.

Whether you intend to roll out Vista in January 2006 or 2007, its security changes and hardware requirements lead me to recommend that you get it and at least play with it a bit to identify those things that may give you trouble down the road -- or to happily discover that you won't have any troubles at all.  But the earlier that you start planning, the less disruptive will be the change.

That's just my opinion, though. I'd love to hear yours and while you're welcome to email me directly, why not share your thoughts with our online forum here? I hope to see you there!

Conferences

I really hope you can join me for a seminar some time soon, but if you can't...

New Interoperability Show:  Tech X World Shows You How To Make It All Fit Together

I wanted to pass along some information about a show that I'm not speaking at, but that looks like a good deal.  It's a $129, one-day interoperability road show from Penton, the folks who put out Windows IT Pro magazine, the periodical that I do columns for.

If you're like most folks, "interop" isn't just a buzzword, it's a daily headache.  If we all used the same operating system, directory service, and database engines, then life would be a lot easier… but most of us can't.  Worse yet, interop info can be hard to come by, because no vendor's all that excited about helping you use any products but theirs.

In response to that, Penton's put together a show with four tracks, each geared to a solution.  One features Dustin Puryear talking about making Windows, Linux and Unix work together.  The second offers a day of Active Directory expert Gil Kirkpatrick on integrating AD with other LDAP directory services.  At the same time, database techie Randy Dyess explains how to solve data interoperability problems by making different databases replicate amongst one another and produce integrated reports, as well as how to integrate dissimilar relational database engines.  Last but not least, popular Windows IT Pro veteran author Mike Otey tackles what may be the single best new IT technology of the past few years -- virtualization.  Tech X World is coming to DC, Chicago, San Francisco and Dallas in the next few weeks, and you can find out more at www.techxworld.com.

Windows Connections / Exchange Connections Vegas November 6-10 2006

What's that you say?  You say you want terrific sessions on Windows administration and troubleshooting, but also need the in-depth scoop on Exchange, and honestly need to become a SharePoint black belt?  Oh, and maybe you want to know about SQL Server, with a dollop of VB, .NET and all of that jazz?  Well, then, set your sights on Las Vegas' Mandalay Bay (yeah, I hate Vegas, but the Bay has a pretty neat aquarium) and the Connections folks have managed to wangle "Exchange 12 Rollout Show" status, as well as throwing together virtually all of the different shows that they do.  Best of all, if you sign up for Windows/Exchange Connections, you get to go to anything on the developer side.  Honestly, if you don't get "menu freeze" from this show, then I'll be amazed.

I'm doing my new "XP to Vista in 75 Minutes" talk, as well as a new "Vista Security Secrets:  The Stuff That Will Explode Your Head" presentation.  I'll reprise the talk rated #8 out of 450 sessions at TechEd 2006, "Service Pack Gold," as well as The Return of the Talk That Required TWO Standing-Room Only Sessions, "Command Line Gems:  Administering Windows from C: level."  Wayne Newton will provide musical accompaniment.

(Just kidding about Wayne.)

Information at www.winconnections.com.

Bring Mark to your site to teach

I'm keeping busy doing Vista seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into Vista, security, XP, Active Directory and 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I'd like very much to expand this periodical into a useful source of NT/2000/2003/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 40,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care.  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum.


All contents copyright 2006 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.