scandalz.net
 
 
 

Windows Solutions

I haven't kept this as up to date as I'd like but the stuff that is here is good to know. I'm going to modify it so other people can add sections to it and it can be a living document, but until then this is all you get.

SharePoint Teams Up at the Olympics

at 07:00 AM, 02/08/2010

Share Dan's world as he helps connect NBC, its viewers, and the Winter Olympics with a suave little product called SharePoint.

Microsoft on Monday issued a lengthy statement about the recent Windows 7 battery controversy, echoing my assessment from earlier in the day, but backing it up with hard, cold evidence. Put simply, Windows 7 is not responsible for any battery life issues

While Microsoft is still investigating a notebook battery life issue that was supposedly caused by Windows 7, some interesting trends have emerged.

PowerPivot Alpha Geek Challenge #2

at 07:00 AM, 02/05/2010

The PowerPivot Team wants to see what you're made of! Win a $250 Microsoft Store shopping spree and a chance for a free trip to 2010 Microsoft BI Conference!

An often irreverent look at some of this week's other news, including some interesting he-said/she-said moments between Microsoft and an ex-executive and between Apple CEO Steve Jobs and Google, an Office 2010 RC, a 17 year old Windows bug, and much more.

Microsoft this week dropped the price of its Zune HD personal media player, improving the device's pricing edge over the Apple iPod touch.

Itzik discusses why you cannot trust techniques that perform multi-row variable assignment with an ORDER BY clause.

Bing Will Be Profitable, Microsoft Says

at 07:00 AM, 02/03/2010

Echoing an economic reality that also hampers its Xbox video gaming business, Microsoft's Bing search engine has cost the company over $5 billion over the past several years.

SQL Server PowerPivot: My Thoughts

at 07:00 AM, 02/02/2010

Derek provides his thoughts on SQL Server PowerPivot and why the product is a game changer.

Geekiest Sig Challenge

at 07:00 AM, 02/01/2010

Itzik provides his geeky sig and challenges you to come up with your own.

Good news: This might be the only thing you read this week that doesn't talk about Apple's product announcements! Instead, I want to cover another hot news topic, the computer-based attacks (note that I refuse to use the cyber- prefix) on a number of major American corporations.

Are you at risk? It's hard to say because there are so many conflicting accounts of the attacks. Understandably, many of the victims are keeping quiet; their silence aids the investigations now taking place by various parts of the US government and by private consultants retained for their specific expertise in computer security. However, a few common threads are visible enough to warrant talking about.

First, it appears that the attacks were initiated by email: Targeted messages were sent to victims. The Christian Science Monitor reported this week that three major oil companies were targeted by spear-phishing attacks in which fake email messages were carefully crafted to look legitimate ("US oil industry hit by cyberattacks: Was China involved?"). The phishing messages contained a link to a malicious website that exploited one or more vulnerabilities to drop a Trojan on the victim's machine. Once infected, that machine could then be remotely controlled by the attacker and used as a springboard for further attacks.

This is essentially the same pattern that attackers used to break into Google, Adobe, and a number of other companies. How can you protect yourselves?

Here's the sad truth: A sufficiently motivated attacker with enough resources will get in anywhere they want. Security experts talk about "advanced persistent threats," or APTs, as the major bugaboo they worry about. That's because APT is code for "nation-state level attackers": well-funded, with access to expert talent and huge resources. If you're targeted by an adversary at this level, it's extremely difficult to protect yourself.

Because this column focuses on email, I want to point out a couple of areas worth your attention. First is that the attacks didn't send malware in email, so conventional scanning couldn't catch the spear-phishing messages. The malware was dropped separately. Up-to-date desktop antivirus software might have helped prevent some of these attacks, although some exploited previously unknown vectors. However, alert employees noticed and reported the spear-phishing messages in at least one case mentioned in the CSM article. A useful defense, then, is to redouble your efforts to train your organization about how to detect phishing messages.

Another way to protect yourself is to watch for unusual patterns of data flowing out of your organization. For the most part, individual computers on your network will have predictable patterns of outbound traffic. A good monitoring solution—which includes watching for unusual patterns of email messages—can help alert you to attacks before the attacker walks off with your crown jewels.
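The outbound-traffic monitoring described above, sketched as an added example (it is not from the original column): each host is compared against its own history using the median and median absolute deviation, so a workstation's sudden jump stands out even though a mail server routinely sends far more data. The log format, host names, byte counts and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample (not real data): day, internal host, outbound bytes to the Internet.
SAMPLE = """\
2010-02-01,ws-014,41000000
2010-02-02,ws-014,39500000
2010-02-03,ws-014,43000000
2010-02-04,ws-014,40200000
2010-02-05,ws-014,38900000
2010-02-08,ws-014,912000000
2010-02-01,mail-01,5200000000
2010-02-02,mail-01,4900000000
2010-02-03,mail-01,5600000000
2010-02-04,mail-01,5100000000
2010-02-05,mail-01,5300000000
2010-02-08,mail-01,5450000000
2010-02-05,ws-220,12000000
2010-02-08,ws-220,15000000
"""

def daily_totals(text):
    """Sum outbound bytes per host per day (several records per day are allowed)."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.strip().splitlines():
        day, host, nbytes = line.split(",")
        totals[host][day] += int(nbytes)
    return totals

def robust_score(history, today):
    """Distance of today's volume from the host's median, in MAD-based units."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    # A perfectly flat history gives MAD 0; fall back to 5% of the median
    # (at least 1 byte) so the division is defined.
    scale = 1.4826 * mad or max(0.05 * med, 1.0)
    return (today - med) / scale

def find_outliers(text, eval_day, min_history=5, threshold=6.0):
    """Return (flagged, skipped): hosts far above their own baseline on eval_day,
    and hosts with too little history to judge."""
    flagged, skipped = [], []
    for host, days in sorted(daily_totals(text).items()):
        # ISO dates compare correctly as strings.
        history = [v for d, v in days.items() if d < eval_day]
        if len(history) < min_history:
            skipped.append(host)
            continue
        today = days.get(eval_day, 0)
        score = robust_score(history, today)
        if score > threshold:
            flagged.append((host, today, round(score, 1)))
    return flagged, skipped

if __name__ == "__main__":
    flagged, skipped = find_outliers(SAMPLE, "2010-02-08")
    for host, nbytes, score in flagged:
        print(f"ALERT {host}: {nbytes} bytes out, robust score {score}")
    for host in skipped:
        print(f"NOTE  {host}: not enough history for a baseline")
```

A single network-wide byte threshold would either miss the workstation or fire on the mail server every day; the per-host baseline avoids both.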

It's likely that these kinds of targeted expert attacks will continue. Being aware of the threat is a good way to start protecting your organization.

Windows 7 on a Netbook

at 07:00 AM, 01/20/2010

Use a flash drive to install Windows 7 on a netbook or laptop.

Use NTBackup to Back Up SharePoint

at 07:00 AM, 01/20/2010

Use NTBackup and the shareware application NetDrive to back up SharePoint.

Audio Echo in XP SP3 Messaging Clients

at 07:00 AM, 01/20/2010

Manually tuning microphone settings before using application audio tuning in Windows XP Pro SP3 can prevent annoying (and noisy) feedback echoes.

Prevent Scripts from Running on Servers

at 07:00 AM, 01/20/2010

Use VBScript to prevent scripts from running on a specific type of machine.

Reader Challenge January 2010

at 07:00 AM, 01/19/2010

How much do you know about user passwords? See if you can answer these three questions.

In some businesses, there's always pressure for increased uptime of the messaging and other systems. I've worked with law firms, financial organizations, and other customers for whom time really is money, and their focus is often on squeezing the most possible uptime from their Microsoft Exchange Server organization. With that in mind, I wanted to start discussing how many 9s of uptime Exchange Server 2010 can offer.

Recall that four 9s is 99.99 percent uptime, meaning that the system is down for no more than 52 minutes and 36 seconds per year. That's a paltry 9 seconds per day! A 99.9 percent uptime would allow just less than 9 hours of downtime per year, which still isn't enough for most maintenance purposes. How is it that companies are seeking—and vendors are claiming—99.9 percent or better uptime?

Let's start with a definition of what qualifies as uptime. The first time you have to install the monthly security patches—much less an Exchange rollup or a service pack—you'll blow right through your 9-seconds-per-day downtime limit on a single server. For that reason, Exchange lets you use multiple or clustered servers, and almost everyone excludes planned maintenance from uptime calculations.

With that definition in mind, how many 9s is it reasonable to expect from Exchange? The real answer is a resounding "Who cares?" Not because uptime is unimportant, but because it's the wrong measurement. Rather than counting the seconds of downtime that you can tolerate, your efforts should be focused on two areas: recovery time objective (RTO) and recovery point objective (RPO).

RTO, of course, is the amount of time you're willing to allocate to recovery operations. This figure can range from seconds to days. For example, a complete restoration from a massive failure (like, say, a large office fire that melts all your servers) might take days, but failing over users from one Database Availability Group (DAG) member to another might take only seconds. You get to choose the RTO that's most appropriate for your business, then spend the right amount to ensure that you're protected.

RPO is a bit different, but equally important: It represents the amount of data loss you're willing to tolerate. For example, an RPO of four hours means that you're able to tolerate the loss of up to four hours of mail data. RPOs can range from seconds to weeks (imagine taking a full backup only once per month).

Together, these two factors make up a significant chunk of your service level agreement (SLA). You might not have a formal, written SLA, but I would bet a box of Krispy Kreme doughnuts that you have an implicit SLA that your messaging operations are expected to meet—even if you don't find out about it until an emergency happens. Fallout over implicit SLAs often takes the form of loud arguments about uptime after a failure, threats of firing, and so on, although the results can be more subtle.

Notice that I didn't spend any time in the preceding paragraphs telling you how many 9s Exchange 2010 can deliver. That's because the answer is a big fat "It depends." In future UPDATEs, I'll be delving into this topic in more detail. In the meantime, though, I'd love to hear what your RTO and RPO are, and what your SLA (if any) says they should be.


OWA Customization in Exchange 2010

at 07:00 AM, 12/23/2009

Outlook Web Access (OWA) has come a long way since its debut in Microsoft Exchange Server 5.5. The Exchange 2000 version was the first production AJAX application, and subsequent versions have continued to add features and capability, many of which are unmatched by competing web mail systems.

The Exchange 2010 release—which, remember, changed the name to Outlook Web App—addressed one of the biggest complaints about OWA: the difference in functionality between different browsers. Safari, Firefox, and Internet Explorer are now co-equal, providing the same experience for users. However, there are a few other areas where OWA could use some improvement, including the ability for administrators to customize its look and behavior.

Of course, you can control which features users have access to in OWA. Both the Exchange Management Shell and the Exchange Management Console provide tools for restricting user access to calendaring, contacts, instant messaging integration, and other OWA features. (Take a look at the Help for the Set-OwaVirtualDirectory cmdlet to see a full list of the things you can change.) These settings are useful, but they don't address some areas that I frequently see people asking for.

Probably the biggest request I hear is for branding, or the ability to "skin" OWA to reflect your organization's logo, color scheme, and other design elements. OWA 2007 let administrators define themes that users could select or that could be applied directly by the administrator. This feature made it easy to apply branding, although it was sometimes misused. OWA 2010 still has themes. More properly, it has a single theme that's stored in \\Client Access\OWA\version\themes. You can modify the graphic elements, colors, and so on in the theme, but you only get one, so users can't switch between themes, and it's difficult to test your changes before applying them. Also, any changes you make to the default theme will be overwritten when you deploy an Exchange rollup or service pack, so make sure you keep backups!

The second kind of customization that I often hear requested is the ability to embed pieces of OWA in other web applications. The canonical example is a company web portal, into which you want to embed a web part that shows the user's inbox. The story here is somewhat confusing. The TechNet documentation page "Introduction to Outlook Web App Customization" says that you can embed OWA 2010 components in other web pages . . . right before it says that you can't embed OWA 2010 components in other web pages. As far as I can determine, this capability is no longer supported, but if you've got it working, I'd love to learn otherwise.

What about customizing the logon page for OWA? This feature is another frequent request; unlike the first two, this one is easy to do. The Microsoft article "Customize the Outlook Web App Sign-In and Sign-Out Pages" has complete instructions, but basically you need to edit the logon.css file to change colors and styles, then replace the system-provided logos with your own choices. Microsoft doesn't support changing the logon page itself, although you can certainly edit it to control which security controls appear, whether the "Use the light version of Outlook Web App" checkbox is present, and so forth. Like changing the theme, though, the changes you make to the logon page will be overwritten when you apply rollups or service packs.

Customizing OWA gives you a fairly simple way to make your OWA environment reflect your organization's overall look and feel, so it's worth looking into if you want something more than the attractive, yet bland, default look. Give it a try. As for me, I'm off to wrap Christmas presents! My very best holiday wishes to you, along with my thanks for being an UPDATE subscriber.

Protecting Exchange Server Data at Rest

at 07:00 AM, 12/10/2009

When I think about messaging and collaboration, security is never far from my mind. Most of the time, Microsoft Exchange Server and Office Communications Server (OCS) administrators think of security as a matter of data integrity: protecting against threats from malware and spam. Sometimes, we consider security as a matter of confidentiality, but in most cases we think of confidentiality as something to protect while messages are in motion from place to place. That attitude explains the popularity of Transport Layer Security (TLS) for SMTP, along with Microsoft's sound decision to automatically deploy self-signed certificates for TLS protection in Exchange 2010 and Exchange 2007.

However, protecting data at rest is important, too. An attacker who can steal data from your Exchange servers can get essentially the whole enchilada: all of your email (or at least all of it from that server) in a convenient, portable form that can easily be read by third-party tools from AppAssure, Kroll Ontrack, and others. What can you do to protect yourself?

First, you have to understand that Exchange itself doesn't provide any means of encrypting Exchange mailbox or public folder databases. Microsoft SQL Server has the ability to encrypt individual database fields or entire databases, but Exchange hasn't gotten around to including this functionality. Fortunately, there are both hardware and software options that you can deploy, often at little or no additional cost.

Let's start with software. Microsoft ships two separate but complementary encryption tools in Windows Server 2008 and Server 2008 R2. The first tool is the Encrypting File System (EFS), which you can use to securely encrypt files and folders on NTFS volumes. Microsoft doesn't support the use of EFS with Exchange. In fact, the Microsoft Exchange Best Practices Analyzer warns you if it notices you doing so. You can still use EFS, and it might even work for you, but Microsoft disclaims all obligation to help you when it goes off the rails.

The second software option, Windows BitLocker Drive Encryption (BDE), protects entire disk volumes, not just selected files or folders. BDE, explained well in the Jan De Clercq article "A Better BitLocker: BDE Enhancements," is fully supported by Microsoft for Exchange 2010 and Exchange 2007, provided that you do the necessary Jetstress testing to verify that the small performance impact of BitLocker won't be a problem for your Exchange deployment. Microsoft characterizes the BDE performance hit as "in the single digits," which is borne out by my own use of BDE. BDE is easy to deploy and manage, and it lets you store recovery keys securely in Active Directory to reduce the risk of data loss when a drive fails. However, BDE requires that your servers have Trusted Platform Module (TPM) hardware support, and not all servers include it.

If you'd rather, you can use hardware disk encryption to protect your data. A couple of years ago, the US National Security Agency (NSA) approved Seagate's Momentus FDE line of 2.5" disks for securing data at rest in laptops, so these drives have become fairly common in government use. Earlier this fall, Seagate announced several lines of server-grade disks, in both 2.5" and 3.5" form factors, that use the same encryption technology and have the same approval from the NSA.

The problem with these drives is that you can only use one of them at a time in a server because the BIOS mechanism that lets you unlock the drive at boot time can't deal with multiple encrypted drives. Luckily, Seagate has a solution for that: LSI Corporation and Intel make hardware (RAID cards and motherboards respectively) that support hardware RAID with multiple encrypted drives. I'll be testing this approach with Exchange (and Jetstress) and will report back on how well it works in a future UPDATE column.

Of course, no matter how you encrypt your data at rest, it's still critical that you're able to restore it when needed! Be careful if you decide to experiment with BitLocker on your servers.

First off: Happy Thanksgiving! Whether or not you celebrate the American holiday, I encourage you to take a few minutes to reflect on the many things we all have to be thankful for in our lives.

Every year around this time, I like to put together a holiday gift guide. There are tons of sites out there trumpeting the best deals on items such as big-screen TVs, laptops, and the like, but what I wanted was a guide to smaller, simpler gifts. (As always, I haven't been compensated in any way for these recommendations—they're just things I think you might like.)

How about a little stress relief? Last year, my wonderful wife gave me a Gripmaster Prohands, a small hand exerciser. I've found that it's incredibly useful during aggravating conference calls, unwanted office visits, and other occasions that would normally raise my stress level. A few dozen squeezes on the Gripmaster and I'm calm and happy once again.

I travel a lot, so I bought an Amazon Kindle a couple of years ago, and I've been very happy with it. But why buy a dedicated device if you already have a laptop or PC? Instead, give that special someone an Amazon gift card and a link to the free Windows version of the Kindle software; they'll have access to Amazon's huge library of electronic titles. (And to forestall a storm of mail from irritated readers: Yes, I know DRM-protected eBooks are less than optimal, but to me the benefits of being able to read such a wide range of titles on the go are worth the minor additional hassles.)

Food is always a popular gift item, especially around the holidays. I've long recommended Blair's Death Rain Habanero chips, but this year I have developed a new appreciation for spicy chocolate. The contrast of a good-quality dark chocolate and the spice of cayenne or other peppers makes a wonderful combination of sweetness and spice. There are lots of different brands, and they tend to vary by region and store, so you might need to experiment. High-end grocery stores such as Whole Foods, or dedicated chocolate shops such as The Chocolate Shoppe, are good places to look for these.

If you're feeling charitable this holiday season, there are many worthwhile causes that would benefit from a donation in your recipient's name. I'd suggest the Electronic Frontier Foundation, which has done a great deal to help clarify case law around electronic messaging, the National Transplant Assistance Fund, or Share Our Strength. In addition, Heifer International provides a great opportunity for you to give a water buffalo, duck, beehive, or other wildlife in your recipient's name.

And a non-holiday-related tip: Take a look at Mark Minasi's "Time to Get Green with 'Bluejuice,'" which asks the provocative question, “Why can’t electronics companies standardize power connections and batteries?”

I wish you all a wonderful Thanksgiving!

Time to upgrade your WordPress sites. A vulnerability in versions prior to 2.8.4 could let the bad guys reset passwords. And there's a nasty worm infiltrating sites based on an older vulnerability in the code.

Microsoft Releases 5 Critical Patches

at 08:00 AM, 09/09/2009

Microsoft unleashed a series of critical security patches during its September software update cycle.

If you don't have SSL available to transmit data via HTTP you can still help protect that data during transit using a little jQuery magic.

Sometimes The Cookie Doesn't Crumble

at 08:00 AM, 08/12/2009

Ever heard of Flash cookies? They're often used to track your activity. And sometimes even if you delete them they reappear.

SecureTweets for Twitter

at 08:00 AM, 08/12/2009

Since Twitter is so hugely popular it makes sense that someone would create a tool to help protect users from malicious URLs within the posts at the site.

Solutions to common Windows Problems

2008 scandalz.net
But if we laugh with derision, we will never understand. Human intellectual capacity has not altered for thousands of years so far as we can tell. If intelligent people invested intense energy in issues that now seem foolish to us, then the failure lies in our understanding of their world, not in their distorted perceptions. Even the standard example of ancient nonsense -- the debate about angels on pinheads -- makes sense once you realize that theologians were not discussing whether five or eighteen would fit, but whether a pin could house a finite or an infinite number. -- S. J. Gould, "Wide Hats and Narrow Minds"