Blackflies & Mosquitos - part deux

Hello from Eastern Canada - specifically Grippen Lake - the land of blackflies, mosquitos and, believe it or not, dial-up Internet access - yuch.

Below you'll see the newest Canadian innovation modeled by my mother-in-law, Evelyn. I'll be patenting this: Take a baseball cap, one of those plastic beer cups (blue is best), duct tape it on the ball cap and liberally spread "tanglefoot" over the beer cup. The color of the cup attracts the blackflies, they land, get trapped in the tanglefoot and Bob's your uncle.

"Software Assurance is for losers"

Really interesting article over at ComputerWorld (7/16/07) regarding Microsoft's Software Assurance program. In a nutshell the author says that "software assurance is for losers".

The basic problem is that customers who have signed up for SA are seeing that they aren't getting upgrades during the term of their SA agreement. So, it's obvious in those cases that it would have been better to not subscribe to SA and just acquire the upgrades once they were released. He specifically mentions that customers who subscribed to SA and expected to get Vista or Office 2007 got screwed.

According to the author, Forrester says 25% who subscribed to SA won't renew. That's big. Both from a revenue perspective and from a problem-to-solve perspective. The author's basic view is that product slips are costing SA customers more than non-SA customers because they are paying for the SA "service" and end up having to purchase the software anyway when it slips and becomes generally available after their SA contract expires.

Product managers and business owners at Microsoft aren't paying enough attention to "providing value for SA subscribers" and they should be...

Technorati Tags:
Microsoft

Black flies & mosquitos

Every once in a while I hear someone in Bellevue complain about a mosquito or two. Being from eastern Canada I've had an experience or two with mosquitos and, most unfortunately, "black flies". I happened to be cruising You Tube and found this CBC classic that I fondly remember from my childhood. I think of this video everytime someone complains about mosquitos.

Check it out:



Here's a live version by Mad Dog Mcrea...

Vulnerability in Windows Active Directory Could Allow Remote Code Execution

I know a lot of you (83%!) are running Active Directory so if you haven't looked at this just published (last week) security bulletin you should: Vulnerability in Windows Active Directory Could Allow Remote Code Execution. No point in allowing AD to be used by the bad guys, eh? Here's the summary from the article - I've underlined the scary part:

This critical security update resolves a privately reported vulnerability in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or a denial of service condition. Attacks attempting to exploit this vulnerability would most likely result in a denial of service condition. However remote code execution could be possible. On Windows Server 2003 an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

This is a critical security update for supported editions of Windows 2000 and an important security update for supported editions of Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by validating the number of convertible attributes in the client LDAP request. For more information about the vulnerability, see the next section, Vulnerability Information.

If you have not subscribed to Microsoft's security bulletins via e-mail or RSS you really should do that...

Technorati Tags:
Microsoft, Active Directory

Simplifying/Consolidating versus Managing - a crazy example

Situation

• Customer has >1,000 Unix servers
• Adding or deleting users takes weeks because the /etc/passwd file on each host must be edited
• Reporting for SOX and other regulatory concerns is nearly impossible
• Lots of security concerns - was the person deleted? When?

Solution

• Customer pays $5 million for an identity management suite/framework from one of the big vendors
• After connecting 10 - yes, you are reading that right - 10 Unix hosts to their metadirectory the suite becomes so bogged down that it is no longer viable

Customer is now interested in simplifying their identity management architecture by consolidating those Unix hosts and identities into Active Directory.

What a surprise. And, to tell the truth, this isn't the first time I have seen this.

I guess it is too late to send them my Tenets of Identity Management white paper because there are at least a few of them that they "broke"...

Technorati Tags:
identity management

Quest Software named Microsoft Global ISV Partner of the Year!

Wow, we did it again - Microsoft's 2007 Global ISV Partner of the Year!!

Congrats to Quest and all the staff of Steve Dickson's Microsoft business unit.

Technorati Tags:
Quest Software, Microsoft

Securing Passwords

I saw this in ComputerWorld (6/4/2007 in the "Security Log")

Most companies mismanage administrative passwords by keeping them in unsecured locations and not controlling access to them. 57% of companies store their administrative passwords manually, and 18% store them in an Excel spreadsheet; 82% of IT professionals store them mentally.

In my opinion you can equate "store them mentally" as the administrator uses the same password for multiple systems.

I really think that managing administrative, root or "power" passwords (a.k.a. identities) is truly lacking. Who is using one? For what? How is it audited? What did they actually type while they were a superuser? Who authorized that person to have that access?

I bet many companies can't answer those questions...

Technorati Tags:
identity management

Quest and ScriptLogic

I caught up with Dave Kearns' article on Quest's acquisition of ScriptLogic and wanted to point out that Quest did state that ScriptLogic would operate as an independent subsidiary. I think ScriptLogic has done an excellent job building their products, channel and customer base. So excellent that I wouldn't want to see us diddle with it.

Diddle =

• start telling them what to do or how to do it
• "meeting" them to death
• integrating them to death
• distracting them from their day job

I haven't even had a call with them yet...and if I can keep it that way I will...

You guys keep up the good work.

Technorati Tags:
Quest Software, Microsoft

Simplifying/Consolidating versus Managing

I brought up the concept of simplification versus managing your identity problems in my white papers "Tenets of Identity Management". Aberdeen has published a white paper titled "Dealing with Directories: Fewer Fuels Faster and More Efficient Operations" that you should take a look at. The salient, highlight worthy points...

• Best in Class companies have a factor of 1.9X fewer total directories (16) than the Industry Average (31)
• Best in Class companies are 2.4X more likely to have consolidated to a single directory (19%) than the Industry Average (8%)
• Best in Class companies are 1.9X more likely than the Industry Average to synchronize directories completely … or through consolidation, not at

Here's the statistic that I like the most:

• Best in Class companies reported an average of 16 separate directories, compared to 31 for the Industry Average

That's a 50% reduction in the number of directories between the average and best in class companies. Can you imagine how much easier the identity management problem is at the company with 50% less directories to manage?

For those companies who choose to consolidate around a single directory, consolidation around Active Directory (AD) is consistent with the dominance of Windows in server operating systems. In the 2007 Aberdeen Report (May 2007), approximately 90% of all companies reported that Microsoft was the leading server operating system. At the same time, Linux and leading flavors of Unix from IBM, HP and Sun also have a significant footprint. Even in an AD-centric environment, the material presence of Unix and Linux in companies of all sizes requires companies to develop explicit strategies for integration of non-Windows systems as well.

Their conclusion - which I, of course, agree with...

Companies that effectively address these issues and streamline management of their identity directories position themselves to reap the operational and security benefits of more effective user provisioning and de-provisioning.

Interesting sidenote - This paper was authored by Derek Brink. I knew Derek when he was at RSA and we were both involved in the PKI Forum. It's great to see him over at Aberdeen. He's a wealth of knowledge.

Technorati Tags:
identity management, Active Directory, Microsoft

Active Directory Management Made Easy with PowerShell

If you have an interest in Microsoft's PowerShell technology you might want to listen in to our webcast on this topic - just click on the link directly below to register...

Webcast: Active Directory Management Made Easy with PowerShell

When: Thursday, July 12, 2007 - 10 a.m. PDT/1 p.m. EDT

In this session, we will talk about using Windows PowerShell to manage Active Directory. We'll cover different approaches ranging from ADSI to AD cmdlets, and demo the features that are backwards-compatible with Windows 2000/2003 and the ones unique to Windows Server 2008 (e.g. Server Core and Read Only Domain Controller).

In the first half of the session, we will also highlight how you can customize and extend provisioning with Quest ActiveRoles Server through PowerShell. In the second half of the session, we’ll demo how you can use PowerGUI to build custom administrative consoles for PowerShell enabled systems, such as Active Directory, IIS, Exchange and Operations Manager.

Technorati Tags:
Quest Software, PowerShell, Microsoft

Lake Union Fireworks

My friends at "Catering As You Like It" invited me to take photos from the top of the Swedish Cultural Center on the west side of Lake Union. I took over 475 shots and uploaded what I thought the best ones were to Picasa. Feel free to take a look...

4th of July Fireworks - Lake Union

Shake up in the SMS/MOM division at MS?

Interesting story over at eWeek - Microsoft's Ailing MBS Group Gets New Leader. Kirill Tatarinov the VP of the Windows Enterprise Management Division (WEMD) aka SMS & MOM is moving over to Microsoft Business Solutions (MBS) aka Great Plains.

The MBS group has gone through a series of VPs over the last while. MBS was initially headed by Doug Burgum.

Burgum announced in September 2005 that he would step down the following November as the head of the MBS group, which had been steadily losing money.

In the summer of 2006 the MBS group was transitioned to the larger Microsoft Business Division that encompasses Microsoft Office, SharePoint Server and Microsoft unified communications products. The move was made to help align Microsoft's business applications group with the rest of the company.

Finally, in September 2006, Satya Nadella was named to the top spot in the MBS division—a job he held for all of six months until he was transferred over to head the newly created Search and Ad Platform group.

Microsoft then named Tami Reller, corporate vice president of MBS at the time, as the interim leader of the business applications division. The plan was that Reller would work with Jeff Raikes, president of the Microsoft Business Division, to find a new leader for the MBS group.

It is rumored, however, that Reller was bucking to maintain the top spot in the MBS group, and that she has been passed over in favor of Tatarinov.

Kirill is a dyed-in-the-wool systems management guy that came from BMC so this is a bit of a surprise. I'm not sure if it means he's being rewarded or being handed a boat anchor - I guess time will tell.

In the meantime, I'm hoping the change at the top of the WEMD group will lead to some windows being opened and some fresh air to be let in and some hot air to be let out...

Technorati Tags:
Microsoft