Site Sections
Posts
254
Comments
120
Trackbacks
120
October 2005 Entries
Now in print: the Windows NT 4.0 and Windows 98 Threat Mitigation Guide

Back in 2004, Paul, Tom, and I worked on the Windows NT 4.0 and Windows 98 Threat Mitigation Guide. Now, Microsoft has made printed versions available for purchase from their web site. If you still need to use NT 4.0 and 9x in your environment, I recommend that you take a look at this document in any format (and no, I don't get royalties, so if you can handle the electronic version, that's perfectly fine with me!)

posted @ Tuesday, October 25, 2005 12:45 PM | Feedback (0)
DCAR ebook Chapter 2: Know Your Regulations!

My ebook on DCAR (Discovery, Compliance, Archival, and Retention), published online by Windows IT Pro, has been updated; the second chapter, Know Your Regulatons!, is now available for download. It gives an overview of five key pieces of federal regulation:

  • The Gramm-Leach-Bliley Act (GLB)
  • The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
  • The Sarbanes-Oxley Act (SOX)
  • The Securities and Exchange Commission (SEC) Rule 17A-4
  • The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act)
It's a free download (registration required) so there's no cost to go take a look.
posted @ Tuesday, October 25, 2005 12:33 PM | Feedback (0)
Reflections on Workplace

As Paul has mentioned, he and I are taking a look at IBM Workplace Collaboration Services. I really admire the concept that IBM is working with here: integrated email, IM, and document management all rolled together in a unified web client or rich client. IBM has an ambitious architecture for Workplace and provides the option of using third-party database, directory, and HTTP server applications. They include support for their own IBM and Lotus products, of course, but they also give the option of using Active Directory (both Windows 2000 and 2003), SQL Server 2000, and IIS 5.0. (They also support various products from Oracle, Sun, and Novell, so they are very catholic in their tastes.) The actual installation process was very easy, making Workplace a far cry from the equivalent offerings from Sun and Oracle.

My goal yesterday was to get the single-server installation working against Active Directory on Windows Server 2003, and here's where I began to notice issues. Note that my comments here are not directed toward end-user functionality. With my decade of administrative experience, I tend to look less at cost issues or end-user features and more at the following questions:

  • How easy is the product to install, both in my test and production environments?
  • How easy is it going to be to operate?
  • How easy is it going to be to maintain?
There are some who might argue that once you get to a certain size of deployment, any solution capable of taking care of the needs of the users is going to be sufficiently complex that it all evens out. That's a lovely theory, but my experience tells me that complexity only grows. If the application starts off as complex to install in test, it is not going to get any easier in production. If fact, it will certainly get far, far more chaotic once you let real live users loose on the system.

With the following questions in mind, I can safely say I have some serious doubts about Workplace. If any IBM employees or consultants (paging Ed Brill to the white courtesy comment thread) can give me a pointer to information to address these concerns, I'd appreciate it and be more than happy to post a followup.

My first concern: the documentation is woefully inadequate.
I always notice documentation, even moreso now that I write professionally. The Workplace documentation fails to impress and actively seeks to induce high blood pressure. For example, Workplace requires specific attributes to be present in the LDAP schema. The documentation says that if you're running Active Directory "You must add these attributes to the user object class in the Microsoft Active Directory schema if they are not already defined for it." What it fails to tell you is that these attributes are pretty much all added by the RFC 2798 inetOrgPerson LDAP object c lass. While this object class was not present in Windows 2000 AD out of the box, Microsoft made it available in a freely downloadabe inetOrgPerson kit. Even more importantly, this object class was added natively to Windows 2003 Active Directory -- so if your AD forest has been upgraded to the Windows 2003 schema, you don't need to worry about this issue at all. You also don't need to worry about the next step, which is to make sure certain attributes are indexed; they all are in Windows 2003.

For the sake of argument, let us suppose that you do need to add the attributes manually because you're still using Windows 2000. The easiest way to add them are to use a pre-existing LDIF file to import the required objects and ensure the proper attributes are being indexed. Don't waste your time looking for any such LDIF files; they aren't there. The best you get is a weak and generic pointer to "the Active Directory documentation". To make it worse, they don't even give you the information you need to manually add the attributes yourself! You get exactly one piece of information: the attribute name. That's it. You don't get any of the other information you need to properly add these attributes to any LDAP service -- no OID, no syntax, nothing. How hard would it have been to add an additional sentence or two stating that these attributes are part of the RFC 2798 inetOrgPerson object class and either a) provide a link to Microsoft's download kit or b) include LDIF files for people? Presumably IBM has LDIF files, since I assume they had to make the modifications to AD in their own test labs. While adding these attributes appears to be a task unique to Active Directory (thanks to Microsoft's initial lack of support for the inetOrgPerson object), all of the supported LDAP servers (including IBM Tivoli Directory Server and Domino Directory) require some sort of index configuration, so this is a general failing of the product and not a case of picking on Microsoft users.

My second concern: there are lots of needless hoops to jump through.
Once you've got the right bits in your schema, now you have to create a mess of users and groups. Again, the documentation is pretty spotty and the online resources don't provide a lot of additional insight. IBM gives you no guidelines on what privileges these accounts must have or whether any of them can be combined; I still don't know if these accounts merely have to exist as regular users in AD because they'll be used internally by Workplace, or if they need more access to Active Directory. I guess I'll find out as I go forward and break stuff. And it's not like they're picking on Microsoft users; the entire chapter on LDAP integration is written this way in a truly platform-agnostic fashion. At least they're consistent. On the other hand, I want to assure them that creating accounts programmatically is a solved problem these days and that doing so allows application developers to be sure that the right accounts exist, have the right permissions, and are in a supportable configuration. Oddly enough, this speeds up installation and decreases the time and money spent on pursuing asinine support issues. Also oddly, customers seem to appreciate these benefits, the ungrateful wretches.

Your next step: make a copy of a text file (the Active Directory version weighs in at a svelte 290 lines -- 78 of which are blank and 161 are comments, leaving a mere 51 parameters to configure by hand. Not a problem, right? Well, it's easier if you realize that many of them have already been configured appropriately for Active Directory, and even more could have been easily taken care of through a simple search and replace of common parameters (like the dc=domain,dc=tld root of the Active Directory domain, or the DN of the host running Workplace; even if they're not correct, they'd have been correct far more often than the generic entries provided). What makes it even more infuriating is that the next step is to use this text file as input to the provided Configuration Wizard, which takes the file as input and uses it to make the necessary changes to Workplace. There are a few parameters that are not included in the file (like passwords), so there's an actual UI to enter them. Again, this is the process used to configure Workplace to use any external service. Why couldn't IBM have included the necessary smarts to do this within the wizard and avoid the need to mess with the text file -- or at the very least, allow the wizard to generate the text file as a template for multiple-machine installation scenarios, with the appropriate machine-specific parameters to applied by the wizard as the template is imported?

If I were evaluating this product for my live enterprise, I'd have stopped at this point. I don't care how well-written the components are when I have to wire them all together myself. I commend IBM for being so diligently platform- and application-agnostic, but they've brought the lowest common denominator so low that they've successfully shifted the burden to their customers -- and when the developers don't take the time to provide necessary components in favor of making their customers sweat the small stuff just to get the product up and running, I have to wonder what else they've missed. I haven't even looked at the steps required to shift from the out-of-the-box Cloudscape database to an external database, but I can only imagine it is more of the same -- and if I were putting it in production, I'd have to move off of Cloudscape, since IBM states it isn't sufficient for production use. The cynic in me would argue that this is all a deliberate strategy to ensure that no customers try to install the product without purchasing consulting time, but I don't think that's the case; I honestly think IBM is still being dominated by the big-iron mentality and they expect their customers to be far more willing to shoulder the burden of installation than I think is commonly the case these days.

As I said, if I've missed documentation or guidance on how to simplify these tasks, I'm happy to be corrected. If there's something I've overlooked, please let me know!

posted @ Tuesday, October 25, 2005 9:44 AM | Feedback (1)
Sharing a subnet and DNS with multiple domains

I spend a large part of my time creating and maintaining virtual machine deployments. With the type of work we do, we often have to have a complete Active Directory environment for any given project: one or more domain controllers, one or more member servers, one or more workstations. We use virtual machines to make this kind of deployment easy.

Just to keep our network routing topology simple, we usually don't deploy these VMs on a separate TCP/IP subnet unless we have a specific reason to do so (such as developing VMs that will be passed to a client and must be fit into a specific IP and DNS address space; if the VMs are prohibitive to rebuild, then we mimic the target environment as closely as possible). Instead, we share an IP subnet. The only major caveat with this kind of deployment is to make sure that your images don't run a DHCP server. You really don't want to see what happens when one of your VMs starts handing out DHCP leases to your regular workstations.

When we install these test AD envrionments, we install them as stand-alone forests. Often, though, we'll want machines in our domain to be able to easily interact with machines in the test domains. We may be testing Exchange interoperability, for example, and want to pass messages between the test envrionment and our Exchange organization. Our developers may need to access test web services or web sites from their desktops. Functional name resolution was our major roadblock. So how did we get around it?

The first way we tried to get around this issue was to distribute a HOSTS file (C:\WINDOWS\system32\drivers\etc\hosts) to everyone who needs it. This caused some minor heartache -- someone always ended up with an old version, no matter how stable the envrionment was -- and it wasn't very scalable. I knew we could do better so I kept looking for alternatives.

Happily, the Windows Server 2003 DNS server includes a feature that addresses this specific issue -- conditional forwarding. In short, you configure your DNS server with a list of authoritative name servers on a per-domain basis. Every time a DNS request comes in from a client, Windows Server checks to see if the domain is on this list; if so, it queries the authoritative server and returns the answer to the client. In other words, it's a cheat sheet that tells your DNS server "if you get asked about domain X, talk to this server here instead of the root DNS servers." This is good stuff, and Windows MVP Mitch Tulloch wrote a great introduction to it in his article DNS Conditional Forwarding in Windows Server 2003. In addition to per-domain forwarding, you can also configure Windows Server 2003 to forward requests for all zones that the server isn't authoritative for.

Armed with this knowledge, we now have a great solution. When we deploy a new test AD forest, all I do is the following:

  1. I go to the name servers for the 3Sharp domain and add in a conditional forwarding entry for the new domain, pointing to the IP address of the DC for that domain.
  2. I go to the name server for the test domain and set the All other DNS domains forwarding entry to point to the 3Sharp nameservers.

Voila! The test domain has full DNS coverage not only of the Internet, but of our internal domain (and without me having to change the firewall settings to allow outbound DNS requests from a new server); all the machines internally can resolve the new test domain without problems. Best of all, no one has to maintain a host file. This configuration even works nicely for envrionments that are on their own subnet, as long as you can route between them.

Mark's article points out a few caveats with conditional forwarding, so be sure to read it. As he states, stub zones could also be used to solve the same problem and should be used if the DNS servers in the test domain are going to be changing, or if performance is an issue. You can also avoid using the All other DNS domains forwarding entry on the test name servers if you wanted to create a custom root hints file. In our case, though, I like the convenience of using the same method on both sides and we don't have to worry about the performance hit.

Two additional caveat from our experience:

  • Be sure that you configure the conditional forwarding entries to match on all of your name servers. We've had occasional, hard-to-solve glitches in our name resolution with our test domains from time to time. What I finally realized was that I'd failed to add the conditional forwarding entries for those domains to one of our name servers, and when clients switched over to it, it had no way to know about the test domains.
  • Be very proactive about cleaning old forwarder entries out of your DNS servers. If you're like us and have a relatively high amount of turnover for your test domains, the stale entries can add up over time and hurt your DNS server performance.
posted @ Friday, October 21, 2005 4:17 PM | Feedback (0)
404 Error Message Not Found

Edited 10/09: The source image seems to have been lost, so removed the bad IMG tag and rewrote the referencing sentence.

I was looking over my Exchange server at home today, getting ready to upgrade it to SP2, and opened Outlook to see if there were any messages I needed to take care of first. The folder with an unread count of 404 caught my eye.

If you're now laughing to yourself, able to appreciate why I was puzzled to see a 404 error for SMTP, then you've been doing this for way too long too.

posted @ Thursday, October 20, 2005 8:02 PM | Feedback (1)
Exchange 2003 SP2 is here!

Exchange 2003 SP2 is now available for download from Microsoft. Why would you want it?

SP2 works with updates to Windows Mobile 5.0 to vastly improve the mobile device experience. Direct push, better synchronization, more support for Outlook objects, and new security features such as remote wipe make it easier and better to use your mobile devices with Exchange 2003. This is a big part of SP2 and though I won't be able to make use of it myself, I'm happy these features are here.

  • Increased anti-spam support with SenderID, an updated Intelligent Message Filter, and enhanced protection from phishing.
  • The mailbox database storage limit has been raised to 75GB for Standard Edition. Wow!
  • Force your Outlook 2003 clients to cached mode, connect to (and migrate from) Groupwise 6.x with the new integrated tools, keep better control of your public folders, and reduce your sync times with a new Offline Address Book format.

 Good stuff -- I've got it downloading now.

posted @ Wednesday, October 19, 2005 9:59 AM | Feedback (0)
Well now!

Symantec is certainly on an acquisition spree of late. Latest purchase: BindView.

Since BindView does a lot in the directory management, security, compliance, and policy management areas -- both for Windows/Active Directory and other operating systems -- this is extremely interesting. Clearly, Symantec is serious about having a broad portfolio.

posted @ Monday, October 03, 2005 12:27 PM | Feedback (0)
News

Devin has moved on
to new adventures.
This blog is preserved
for historical purposes.

Please follow his
personal blog at:
Devin on Earth

Virtual Devin
Article Categories
Archives
Post Categories
Data Protection
DCAR
Exchange
Other
Security
Unified Communications
Windows