Saturday, March 29, 2008

A primer on array-based and network-based replication

Replication helps protect your data and files by producing a duplicate copy at a second site, server, or storage array. I covered host-based replication in a previous blog.

In this blog, I’ll cover two other types of replication — array-based replication and network (or fabric) based replication.

Array-based replication
Array-based replication requires a central data storage unit (SAN or NAS) and a partner unit. With array-based replication, the SAN or NAS processes the data and the commands to process and validate the data being replicated.

Advantages of array-based replication
The work is offloaded from the servers to the storage device.
You only need one location to control many replications of multiple servers.
Hosts (servers) are not required at the second site or to be attached to the second SAN/NAS.
A central SQL server can be set up to replicate with the servers that actually present applications to users, such as order tracking applications.
The right software can queue databases to ensure that transactions and the database are in a recoverable state.

Disadvantages of array-based replication
Cost per device can be high, especially when you’re not replicating all of the data on the SAN.
Only SAN or NAS based data can be replicated or controlled.
A second SAN or NAS is required, increasing the cost for the solution.
Replication technology or software may not be compatible between SAN/NAS hardware from different vendors.

Examples of array-based replication software
HP StorageWorks XP
EMC SANCOPY - Supports EMC and some other vendor arrays
EMC MirrorView - EMC only replication
NetApp SnapMirror

Network-based replication
The last type of replication is network (or fabric) based replication. This type of replication works separately from the hosts (servers) and the storage devices. A device on the network intercepts packets being sent to and from hosts and arrays and copies them. These copies are replicated to a second device that then replays the packets at a second location. The devices are, in essence, splitters. The data goes in and then it’s split out to different sources.

Advantages of network-based replication
It’s a separate component from the SAN/NAS or the hosts.
Processing is independent of the host and SAN/NAS.
It allows replication between multi-vendor products.

Disadvantages of network-based replication
The cost of implementing devices to support this kind of replication is high.
This is newer technology for the data center; standards and processes are still being worked out.
There are a limited number of “players” in this area of replication.

Five new developments in storage infrastructure solutions

First there was Ethernet. Then, there was IP over Ethernet. Next came the mixed use of Ethernet, IP, and the SCSI command set (iSCSI) to simplify storage and to bring down the cost and complexity of storage. Today, iSCSI and Fibre Channel are fighting it out in all but the largest enterprises, and both have their pros and cons. Even though these are the two primary contenders in today’s block-level shared storage market, there are some other alternatives. The line is continuing to blur between these solutions as new initiatives are brought to market. Let’s take a look at some new developments in storage infrastructure solutions.

Faster Fibre Channel
Two Gbps and 4 Gbps Fibre Channel are very common in the marketplace, and manufacturers are just now beginning to demonstrate 8 Gbps Fibre Channel gear. There are also standards in the works for Fibre Channel running at 10 Gbps and 20 Gbps. This venerable technology continues to improve to meet the increasingly robust storage needs demanded by the enterprise. In some cases, Fibre Channel solutions on the market rival iSCSI solutions from a price perspective (e.g., Dell/EMC AX150) for simple solutions. However, faster Fibre Channel still has the same skill set hurdles to overcome. Just about every network administrator knows IP, but Fibre Channel skills are a different matter.

iSCSI over 10G Ethernet
iSCSI has become a technology that deserves short-list status… and at a gigabit per second, no less. Many iSCSI naysayers point to its slower interlink speed as a reason that it won’t stack up to Fibre Channel. However, iSCSI solutions are now on the cusp of moving to 10 Gbps Ethernet, meaning that iSCSI’s link speed could surpass even the fastest Fibre Channel solutions on the market. Of course, iSCSI still has IP’s overhead and latency, so we’ll see how well 10 Gbps Ethernet performs in real-world scenarios when compared to 8 Gbps Fibre Channel.

Further, 10 Gbps Ethernet gear is still extremely expensive, so, for the foreseeable future, 10 Gbps-based iSCSI solutions probably won’t fit the budgets of many organizations considering iSCSI as a primary storage solution. All this said, interlink speed is not necessarily the primary driver for replacement storage infrastructure in the enterprise. Performance boosts are often achieved by adding more disk spindles to the infrastructure or by moving to faster disk drives (e.g., SATA to 15K RPM SAS or Fibre Channel).

Fibre Channel-over-IP (FCIP)
Fibre Channel-over-IP (FCIP) is a method by which geographically distributed Fibre Channel-based SANs can be interconnected with one another. In short, FCIP is designed to extend the reach of Fibre Channel networks over wide distances.

Internet Fibre Channel Protocol (iFCP)
Internet Fibre Channel Protocol (iFCP) is an effort to bring an IP-based infrastructure to the Fibre Channel world. Much of the cost of Fibre Channel is necessary infrastructure, such as dedicated host bus adapters (HBAs) and switches. These components can, on a per-port basis, add thousands of dollars to connect a server to the storage infrastructure. In contrast, transmitting Fibre Channel commands over an IP network would drive down infrastructure costs in a major way, requiring only gigabit Ethernet connections, which are already found on most servers. Further, even high-density Gigabit Ethernet switches cost only a couple thousand dollars. The main drawback to this proposal is the limitation to 1 Gbps Ethernet; although 10 Gbps gear is available, it would negate some of the cost benefit. On the plus side, iFCP (even on 10 Gbps Ethernet) would open Fibre Channel solutions to administrators that have IP-based skill sets. iFCP was ratified by the Internet Engineering Task Force in late 2002/early 2003.

ATA-over-Ethernet (AoE)
ATA-over-Ethernet (AoE) hasn’t enjoyed the popularity of iSCSI, but this isn’t due to any technical hurdles. The AoE specification is completely open and only eight pages in length. AoE doesn’t have the overhead of IP as does iSCSI since it runs right on top of Ethernet. Of course, this does limit AoE’s use to single locations, generally, since raw Ethernet can’t be routed. You can find more about AoE in one of my previous posts.

Summary
The future of storage is wide open. Between iSCSI, Fibre Channel, and even AoE, solutions abound for organizations of any size, and as the lines blur between some of these technologies, cost becomes less of an issue across the board.

Rolling back device driver updates in Windows Server 2003’s Device Manager

When updating a device driver to solve a problem or improve the performance of a device, there may be other things included with the new driver that produce unexpected results or cause other aspects of your Windows Server 2003 system to function differently than you expect.

Fortunately, there is a safeguard for situations where you have updated driver files that aren’t performing as needed: You can roll back the updates.

In this tip, we’ll take a look at the process for rolling back driver updates.

Note: You will only be able to roll back the driver file if the driver has been updated. If it has not yet been updated, there will be no driver available to revert back to.

Rolling back driver updates is simple. Follow these steps:

Open the Computer Management Console by right-clicking the My Computer icon on the Start menu and selecting Manage.
In the left pane of the console, select Device Manager.
Once loaded in the right pane, expand the category for the device whose drivers you wish to roll back.
Right-click the device in the list and select Properties.
On the device’s Property sheet, select the Driver tab.
Click the Rollback Driver button.

Note: If the Rollback Driver button is grayed out, the driver has not been updated and cannot be rolled back.

The driver will roll back to the previously installed version. You should also keep in mind that some drivers from Windows Update may need rolling back due to conflicts within a system. This may not happen often, but rollback is a great tool for correcting problems with driver updates.

How do I… Add music and narration to a PowerPoint presentation?

The best presentations engage the audience using a number of creative tools. Sound effects, such as music and voice recordings can mean the difference between a good presentation and an outstanding presentation. You can energize your audience with a quick tempo, play your company’s latest jingle, or add narration to an on-demand presentation. At the very least, you can play music at the beginning and ending of a presentation as the audience enters and leaves the room. The only limits are good taste and your imagination.

Microsoft PowerPoint supports media clips, which include sound and video files. The computer playing your presentation will need a sound card and speakers. That doesn’t mean just the system you use to create the presentation, but any system on which you might play the presentation. Today, most systems come with everything you need, but older systems might need an upgrade. (It’s highly unlikely that you’ll encounter such an old system, but don’t rely on that — check it out first!)

Table A lists the media files PowerPoint supports, although this article deals only with sound files.

Table A: Media support
File | Explanation | Attributes
MIDI | Musical Instrument Digital Interface | Sound
WAV | Microsoft Windows audio format | Sound
MPEG | Motion Picture Experts Group | Standard video format with a frame per second rate
AVI | Microsoft Windows video format | Video format with a constant frame rate per second
GIF | Graphical Interface Format | 256 color picture that supports animation.

Like most special effects, sound can catch the attention of your audience and convey a message or emotion in a way words or pictures can’t. On the other hand, used poorly, sound can be distracting or even annoying. As always, your purpose will determine how much, if any, sound your presentation needs.

The basics — inserting sound
Including sound is as simple as selecting a file:

Use existing clips by double-clicking one of the Title, Text and Media Clip layouts from the Slide Layout task pane. Double-click the media clip icon shown in Figure A to launch the Media Clip dialog box.

Figure A: Choose a media slide from the Slide Layout task pane

When you double-click a WAV or MIDI file, PowerPoint displays the prompt shown in Figure B. The options Automatically and When Clicked are self-explanatory.

Figure B: PowerPoint will play the sound file when the slide is current, or you can click the icon to play it

Work with unique sound files by choosing Movies and Sound from the Insert menu and then selecting Sound From File or Sound From Clip Organizer. You can also record sound or play a track from a CD. After selecting a file, PowerPoint prompts you to specify how to execute the file (see Figure B).

If PowerPoint doesn’t support a clip’s format, choose Object from the Insert menu and choose the appropriate object type. Alternately, you can convert the file to a supported type. Use a search engine to search for “video file conversion.” However, don’t be surprised if the converted file is less than satisfactory. It’s difficult to maintain quality when converting media files.

In PowerPoint 2007, you’ll find the Sound option in the Media Clips group on the Insert tab.

PowerPoint displays a sound clip as a small icon, which shows during Slide Show view. When the presentation plays the clip automatically, you might want to hide the icon. There’s really no good reason to display it.

To hide the icon, right-click the icon and choose Edit Sound Object from the resulting submenu. In the Sound Options dialog box, shown in Figure C, check the Hide Sound Icon During Slide Show option, and click OK. Double-click the icon in PowerPoint 2007 to find these options.

Figure C: Edit the file’s attributes

If you choose the click option, it’s worth mentioning that clicking the icon a second time doesn’t disable the sound — the file plays from beginning to end once you click it. In PowerPoint 2007, clicking the icon restarts the file.

To learn just how long a file lasts, right-click the icon and choose Edit Sound Object. The file’s playing time is in the Information section at the bottom (see Figure C). If you want the file to play continuously, while the slide is current, check the Loop Until Stopped option. Moving to the next or previous slide will cancel the loop.

Narrating a presentation
To record a unique sound or message, you’ll need a microphone. Unfortunately, some microphones that come with today’s systems aren’t very sophisticated. If you record someone talking, it may sound distorted when played. Suddenly, you may have a lisp or an accent! Specialized software can clear up some problems, but it’s expensive, and that’s just one more piece of software you’ll have to learn. It might be more efficient to invest in a better microphone.

PowerPoint makes it easy to narrate a presentation, which is a plus in a Web-based, automated, or on-demand presentation. You might also use this feature to include a statement from an individual, such as a celebrity or your company’s CEO.

Don’t jump right into recording. First, write a script and rehearse it. Once you’re comfortable with your speaking part, you can record your narration:

Choose Record Narration from the Slide Show menu to open the Record Narration dialog box. In PowerPoint 2007, this option is in the Set Up group on the Slide Show tab.
Click Set Microphone Level to check your microphone. Read the sentence that appears in the Microphone Check dialog and let the Microphone Wizard adjust your microphone automatically. Click OK.
If you need to adjust the quality to CD, radio, or telephone, click Change Quality to open the Sound Selection dialog box. Just remember that quality increases the file’s size. If file size is a concern, you may have to compromise quality just a bit.
By default, PowerPoint stores the narration with the presentation. To store the sound file in a separate WAV file (in the same folder) check Link Narrations In. Click Browse to change the location of the separate WAV file, but use caution when doing so — only store the two separately when you have a good reason for doing so. If a sound file is over 50MB, you must link it.
Click OK and start recording. As PowerPoint displays your presentation, you narrate just as you want the message played. Continue to narrate each slide until you’re done.
At the end of the presentation, PowerPoint will prompt you to save the timings with each slide. This can be helpful if you didn’t get each slide just right and you need more practice.

Step five mentions linked files. If you’re using the same system to both create and show the presentation, linked files are fine, but not necessary. Linked files are a good choice if the sound files are large or if you plan to change the source file. By default, PowerPoint automatically links sound files that are larger than 100KB.

To change this setting, choose Options from the Tools menu, and then click the General tab and update the Link Sounds With File Size Greater Than option. PowerPoint 2007 users will find this option by clicking the Office button, clicking the PowerPoint options button (at the bottom right) and then choosing Advanced. The option is in the Save section.

Use the Package for CD (PowerPoint 2003) or Pack And Go Wizard (PowerPoint 2002) to make sure you save linked files with the presentation. Names can be problematic: A linked file’s path name must be 128 characters or less.

More options
Narration is only one type of recording you might consider. If you can record it, you can include it in your presentation. To record a single message or unique sound, choose Movies and Sound from the Insert menu and choose Record Sound. In PowerPoint 2007, this option is in the Sound option’s dropdown list, in the Media Clips group on the Insert tab.

In the resulting Record Sound dialog box shown in Figure D, enter a description and name. Click Record when you’re ready to begin. Click Stop when you’re done. Use Play to listen to the new recording. Click OK to save the sound with the presentation. Or, click Cancel to exit and try again. If you save a sound, it appears as an icon, which you can use anywhere in the presentation you like. Mix this capability with action settings for a unique effect. Just don’t overdo it!

Figure D: You can record sounds inside PowerPoint

Playing a CD
Playing music is a great way to begin or end a presentation. However, the music doesn’t have to be a top 10 tune. It only needs to be appropriate. For example, you might play Mendelssohn’s Wedding March if your presentation is about catering receptions. Or, pleasing dinner music might be the way to go. It’s really up to you; just keep your audience in mind. To include a song from a CD, do the following:

Insert the CD.
From the Insert menu, choose Movies and Sound. Then, select Play CD Audio Track to open the Insert CD Audio dialog box. In PowerPoint 2007, choose Play CD Audio Track from the Sound option’s dropdown list. You’ll find this option in the Media Clips group on the Insert tab.
The Start At Time and End At Time fields let you capture just part of a track instead of using the entire track.
Use the Sound Volume button to control the audio’s volume.
Check the Hide While Not playing option in the Display Options section if you don’t want the audio’s icon to show when the music isn’t playing.
Click OK when you’re done. PowerPoint lets you play the track by clicking or displaying the slide.

Like other sound files, PowerPoint displays a CD icon on the current slide. Just be careful that you don’t violate any copyright laws when including someone else’s music in your presentation.

A word on animation
You can use custom animation to control sound files to add a unique and creative dimension to your presentation. To get started, select a sound icon and display the Custom Animation task pane. PowerPoint offers a ton of options, and does a good job of disabling inappropriate choices for the selected clip.

Creating custom animation can be complicated and the truth is most presentations won’t need that much energy. However, the feature’s there and you might as well learn a bit about it. There’s an entire tab dedicated to animation in PowerPoint 2007. Click the Custom Animations option in the Animations group to create custom effects.

Design for effect
Multimedia files can liven up any presentation and sound is definitely part of that mix. You can play an appropriate tune or your company’s jingle. With one click, you can play your company’s latest radio ad for the head honchos. Whether you’re pitching a new product or sharing photos of your new baby, use sound to set the mood.

Saturday, March 8, 2008

Securing end users’ pesky password problems

This is the first of a three-part series introducing simple fixes to security breaches that your end users might be committing.

If you are anything like me, you have worked with varying degrees of security requirements for some time now. Regardless of what you do in technology, there is a requirement, spoken or otherwise, that you have at least an awareness of what policies are in place.

In most HIPAA/GLBA/SOX/PCI shops, the policy is likely to be something that you sign off on when you begin working and possibly before you are allowed to have access to the network. In many companies, you are required to listen to a lecture, take a training course, or participate in a Webinar. Generally, it will cover such things as password requirements, acceptable use, and possibly a component on social engineering and how to avoid it. It will, or should, also tell you how you will maintain paper documents and dispose of them. If that policy is really good, it will include information on the classification of documents.

If business has gone through all the trouble of making all that information available to you, they must have some intention of enforcing the policies, right? The answer is “sometimes.”

Don’t get me wrong, business wants those policies adhered to. In many cases, there are audit standards that must be met and those audit standards require compliance. Business just may not have considered the step of how to communicate the policies in a way that the average user can be compliant and still get the job done. This is a place that IT can step in and help out.

Let’s look at password length and complexity. Generally, a password requires uppercase and/or lowercase, numerals, and special characters. The most common minimum length I have run across is eight. Today’s user is generally managing multiple passwords on multiple systems and in frustration may find it easier to just write them down. I even had a user who took to writing them on the monitor bezel! (Some things you just can’t make up!) Most will make some effort to keep them from becoming public knowledge but many will leave their written copies in an easily accessible location. That is where I can help.

One solution is to consider password vault software. A utility on my Mac is called Keychain. It stores and manages passwords in an encrypted state until I provide a master password on challenge. It is a simple and useful tool. Another good one is the open-source Password Safe. It works on a master PIN. There are also a variety of enterprise-level tools available.

If your environment is anything like where I have worked, getting a new piece of software to the end user is tough. It is at least a lengthy process. So try a couple of other ideas.

Most cubicles have an overhead bin or lockable drawer. I encourage end users to store their password file there. At least it is locked. For laptop users who don’t have a lockdown cable but DO have a lockable bin or drawer, I encourage them to put their laptops away nightly. I recall coming in to the office early one morning to find one of the cleaning staff struggling with a trash can with several laptops in it. I have been vigilant ever since.

If you don’t have a key for your desk or bin, ask your manager how to obtain one or ask Facilities for one. If your company has a Compliance Officer, that person will likely be able to help you out. While I am sure it can happen, I have never heard of a key request being turned down.

Because the solution is simple, most end users don’t have a problem with complying. And that is really what is at the heart of failure to comply with security requirements at the end user level. It needs to be simple.

Sometimes in IT we forget that the end user is there to do a very different kind of job than we are. What they care about most is their work product: the ability to turn out work that meets or exceeds business needs. Anything that they perceive is in the way of that effort is likely to meet with resistance. When we take the time to work through roadblocks with them, that resistance will go away.

What kinds of advice do you give end users on being more secure with their multiple passwords?

Using the Windows Server 2003 Computer Management Console’s Device Manager snap-in

Windows Server 2003 supports devices large and small, both as internal cards and external USB devices, which can be cumbersome for admins. Fortunately, Device Manager is included as a snap-in to the Computer Management Console. I view Device Manager as one of the hidden gems in Windows Server 2003 system maintenance.

To access Device Manager, open the Computer Management Console and select the Device Manager object in the left pane. This will display the Device Manager in the right pane.

Once it’s open, Device Manager displays a list of the categories of devices detected in the local system. Expanding these categories will show each device of this type installed, both internal and external. (Note: If a device fits multiple categories, its name will appear in all relevant categories. For instance, a USB CD-ROM drive will appear in the USB devices category, as well as the CD/DVD ROM device category.)

You can also get to Device Manager from the system applet in Control Panel, grouped in Computer Management for ease of use.

Using Device Manager
If you expand a device’s category in the right pane, you will see a list of all of the devices in the category. Devices that are experiencing problems will have a yellow exclamation point on them. Devices that are disabled will typically appear with a red x in Device Manager.

To view a device’s Properties, expand its Category, right-click the device in the list, and then select Properties. This will display the Properties dialog box for the device. These tabs are available:

General: Contains a description of the device and displays any issues with the device. This tab is useful for identifying a problem between Windows Server 2003 and the device by showing a description of the error message — regardless of whether it concerns communication or drivers.
Driver: Displays the options available for managing device drivers.
Resources: Displays the resource usage information for the device.

By using the Driver tab, you can perform the following actions against the device’s driver:

Driver Details: View the details of the driver, including the publisher and installation date.
Update Driver: Update the existing device driver to a newer version.
Rollback Driver: Undo a driver update, rolling back to the previously installed version.
Uninstall Driver: Completely remove a device driver from the system.

How do I… Request and install SSL certificates in IIS 7.0?

SSL (Secure Sockets Layer) certificates are perhaps the most common way to protect information being transmitted between a visitor’s Web browser and your Web site. SSL provides encryption services to information flowing between systems and can protect Web traffic, e-mail, instant messages and a host of other kinds of data transmittals.

I’m not going to go into great detail about the inner workings of SSL except to say that it is a critical infrastructure component for any organization that has a desire to protect customer or other confidential information. SSL is widely used by banks, e-commerce companies, and other Web entities that require transmission of sensitive information, such as passwords, social security numbers, etc.

I will show you how to obtain and install a third-party SSL certificate into Microsoft Internet Information Server 7.0 (IIS 7) running on Windows Server 2008. I am running the RC0 version of Windows Server 2008.

In the most simplistic view, there are four kinds of certificates to which you will be exposed during your SSL installation:

Self-signed SSL certificates: These are certificates that you generate and use to encrypt information passing between a client and your server. These certificates are good insofar as they do allow you to encrypt data, but since they are created on-site, the certificates have not been verified by a third party entity, meaning that the site can’t necessarily be trusted.
Third-party SSL certificate: A third-party SSL certificate provides the same encryption capabilities as a self-signed certificate. However, since the certificate is issued by a third party, it is considered a more trusted type of certificate, especially when the certificate chain extends to a trusted root certificate.
Intermediate certificate: Not all SSL certificate vendors are created equal. In order to be fully trusted, any certificate you obtain needs to eventually link to a root certificate that is trusted by your Web browser. However, not all vendors’ SSL certificates are natively trusted by root certificates. As such, with these vendors, you need to complete the SSL trust chain by (in addition to installing your SSL certificate) installing an intermediate certificate between a root certificate and your new SSL certificate. If you skip this step, users will continue to get certificate errors until this trust chain is established. The use of an intermediate SSL certificate requires a bit of additional network communication at the initial establishment of an SSL-secure session but beyond that, there is no performance penalty.
Trusted root certificate (or Trusted root certification authorities): A root certificate is the Grand PooBah of the certificate world. In order to complete the trust chain, your individual certificate must, in some way, link to a root certificate.

A third-party SSL certificate is generally considered more trusted than a self-signed certificate since the certificate information is verified by a third party and the certificate ultimately maps to what is called a trusted root certificate.

Note: I am assuming that you will be installing a brand new certificate that you do not yet own and not importing some kind of existing certificate. Further, I assume that you do not have a complex public key infrastructure in-house and that you need to get your certificate from a third party. Finally, I’m making the assumption that you have already installed IIS 7 on your Windows Server 2008 system.

Step 1: Prepare a Certificate Signing Request (CSR)
Regardless of the SSL vendor you use, your first step in the process is to create a Certificate Signing Request (CSR) that will be sent to the SSL vendor of your choice. The CSR is a Base-64 encoded PKCS#10 message (this basically means it’s a bunch of gobbledygook that is unreadable by humans) that contains all of the information necessary to identify the person or company applying for the certificate. The request also includes the applicant’s public key. This key is the public portion of a combined public key/private key structure that, together, is able to effectively and securely encrypt information.

Choose Start | Administrative Tools | Internet Information Services (IIS) Manager
In the IIS Manager, choose your server name
In the Features pane (the middle pane), double-click the Server Certificates option (Figure A) located under the Security heading.

Figure A: Open the properties page for the site you want to protect

You will notice two default certificates already installed on this server. To begin the process of requesting a new certificate, from the Actions pane, choose the Create Certificate Request option as shown below in Figure B.

Figure B: Click the Server Certificate button to begin the process

The first screen of the wizard asks for details regarding the new site. The common name should match the fully-qualified domain name for the site. Otherwise, provide information about your site, making sure to spell out the name of your state. (Figure C)

Figure C: Provide information about your site

Click Next to continue.
The next screen of the wizard asks you to choose cryptography options. The default, Microsoft RSA SChannel Cryptography Provider is fine. A key length of 1,024 bits is the default option and is fine as well. (Figure D)

Figure D: Choose a cryptography provider and key length

Click Next to continue.
Finally, provide a filename to which to save the certificate request. You will need the contents of this file in the next step, so make sure you know where to find it. (Figure E)

Figure E: Save the CSR

Here’s some of the CSR mumbo jumbo associated with this certificate request:



Step 2: Request a certificate from a certificate vendor
Now, with your CSR in hand, visit the Web site of your favorite SSL certificate provider and buy your new certificate. During the registration process, you need to provide the certificate company with information validating you or your company’s identity. Some consider this part a hassle, but it really is a vital part of the overall SSL chain. After all, you don’t want just anyone receiving a certificate that uses your company name!

The certificate request process varies by certificate company, so I can’t really provide the exact steps for the certificate request. What I can tell you is that, at some point, you’ll need to open up the text file that contains the certificate request in order to copy and paste the Base-64 encoded certificate request into the appropriate field on the order form.

Once you complete the vendor’s certificate request (Figure F) form and provide them with payment, you’ll need to wait for the SSL certificate to be delivered to you via e-mail.

Figure F: Provide the necessary information for the SSL certificate vendor

Step 3: Save the provided certificate somewhere accessible
What you get back from a certificate vendor depends on the vendor you choose. In the case of the company that I used to get my certificate, they sent back a zip file with three certificates. One of the certificates is named ssltest_westminster-mo_edu.crt. This is the certificate I need for the new Web site. The other two certificates are required if you need to chain the new certificate back to a root certificate. We will not be discussing them in this document.

The new certificate is nothing more than a text file, as was the case with the CSR. However, in this case, the information starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. In the previous step, the terms were BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST. Extract the contents of this zip file to a location accessible from your Web server.

Step 4: Install the certificate
After making sure that your Web server can access the certificate files, you need to install the new certificate so that it can be used by your Web site.

Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.
In the IIS Manager, choose your server name.
In the Features pane (the middle pane), double-click the Server Certificates option located under the Security heading.
To complete the process of requesting a new certificate, from the Actions pane, choose the Complete Certificate Request option.
The Complete Certificate Request window opens and asks you to provide the location at which the certificate file can be located (Figure G). Provide this location and also indicate what friendly name you would like to use for the certificate.

Figure G: Tell the wizard where it can find the certificate file and provide a friendly name
The certificate is now installed and ready to be assigned to a Web site.

Step 5: Add an HTTPS binding to a Web site
Now, with the certificate installed, it’s time to put it to work. In IIS 7, you need to bind the HTTPS protocol to a Web site and then assign an installed certificate to be used to protect that Web site. Follow these steps:

Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.
In the IIS Manager, browse to your server name | Sites | Your SSL-based site. You may need to create a new site. In Figure H below, notice that my site is named ssltest. The full Internet path to this site is ssltest.westminster-mo.edu. Since this Windows Server 2008 machine is running in a lab, you will see that it is a member of the Contoso domain, but I have added westminster-mo.edu sites to this server and appropriately configured DNS.

Figure H: A look at a site to which HTTPS will be bound
From the Actions pane, choose Bindings. This opens the Site Bindings window shown in Figure I.

Figure I: The Site Bindings window
In the Site Bindings window, choose Add. This opens the Add Site Binding window shown in Figure J.
From the Site Bindings window, provide the binding type (HTTP or HTTPS, but for this purpose use HTTPS), the IP address that will be used for this site (192.168.0.16 for me), and the port that will be used for SSL.
Next, choose the SSL certificate that you want to use to protect this site. Note that I have chosen ssltest.westminster-mo.edu. Use the Browse button to locate the right certificate.

Figure J: Provide the appropriate details for the Add Site Binding dialog box
Click the OK button. See Figure K for the result.

Figure K: The results of the new binding

Step 6: Test your certificate
Now, test your certificate by browsing to the new site. You should not get any certificate errors. In Figure L note that I have successfully browsed to the new site and that there is a lock icon indicating that SSL is active. Figure M is a look at the certificate as detailed in the Web browser.

Figure L: The site is being protected by SSL

Figure M: The certificate is valid
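The CSR from Step 1 is encoded, not encrypted, so it can be checked before it is pasted into a vendor's order form. The following is an added example, not part of the original article: it decodes the PKCS#10 structure, reads the common name and RSA key length, and flags keys shorter than 2,048 bits, which public certificate authorities no longer accept. The function names are hypothetical, only RSA keys are handled, and the sample CSR is constructed in the code with a placeholder key and signature.

```python
import base64

CN_OID = bytes.fromhex("550403")                     # 2.5.4.3 commonName
RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5 sha1WithRSAEncryption
# Windows tools such as certreq write "NEW CERTIFICATE REQUEST"; both forms are PKCS#10.
CSR_BEGIN = ("-----BEGIN CERTIFICATE REQUEST-----", "-----BEGIN NEW CERTIFICATE REQUEST-----")

def tlv(tag, body):
    """DER-encode one tag/length/value element (used only to build the sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(der, pos):
    """Return (tag, body_start, body_end) of the DER element starting at pos."""
    tag, first = der[pos], der[pos + 1]
    pos, size = pos + 2, first
    if first & 0x80:                                 # long form: low 7 bits count the length bytes
        count = first & 0x7F
        size = int.from_bytes(der[pos:pos + count], "big")
        pos += count
    if pos + size > len(der):
        raise ValueError("truncated DER element")
    return tag, pos, pos + size

def children(der, start, end):
    """List the elements packed between start and end."""
    found, pos = [], start
    while pos < end:
        found.append(read(der, pos))
        pos = found[-1][2]
    return found

def pem_to_der(pem):
    """Strip the BEGIN/END lines and base64-decode; reject anything that is not a CSR."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or lines[0] not in CSR_BEGIN:
        raise ValueError("not a certificate request")
    return base64.b64decode("".join(lines[1:-1]))

def inspect_csr(pem):
    """Return the common name and RSA modulus size found in a PKCS#10 request."""
    der = pem_to_der(pem)
    _, start, end = read(der, 0)                     # CertificationRequest
    info = children(der, start, end)[0]              # CertificationRequestInfo
    _version, subject, spki = children(der, info[1], info[2])[:3]
    common_name = None
    for _, rdn_start, rdn_end in children(der, subject[1], subject[2]):
        for _, atv_start, atv_end in children(der, rdn_start, rdn_end):
            oid, value = children(der, atv_start, atv_end)
            if der[oid[1]:oid[2]] == CN_OID:
                common_name = der[value[1]:value[2]].decode("utf-8")
    algorithm, key = children(der, spki[1], spki[2])
    alg_oid = children(der, algorithm[1], algorithm[2])[0]
    if der[alg_oid[1]:alg_oid[2]] != RSA_OID:
        raise ValueError("only RSA keys are handled in this example")
    # BIT STRING body: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { modulus, exponent }
    _, key_start, key_end = read(der, key[1] + 1)
    modulus = children(der, key_start, key_end)[0]
    bits = int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()
    return {"common_name": common_name, "rsa_bits": bits}

def review(pem, expected_host, min_bits=2048):
    """Return a list of problems to fix before the CSR is sent to the vendor."""
    facts = inspect_csr(pem)
    findings = []
    if facts["common_name"] != expected_host:
        findings.append("common name %r does not match %r" % (facts["common_name"], expected_host))
    if facts["rsa_bits"] < min_bits:
        findings.append("RSA key is %d bits, below the %d-bit minimum" % (facts["rsa_bits"], min_bits))
    return findings

def build_sample_csr(host, bits):
    """Constructed sample: correct PKCS#10 layout, placeholder key and all-zero signature."""
    n = (1 << (bits - 1)) | 1
    # One extra byte gives the leading 0x00 that DER requires for a positive INTEGER.
    modulus = tlv(0x02, n.to_bytes(bits // 8 + 1, "big"))
    rsa_key = tlv(0x30, modulus + tlv(0x02, (65537).to_bytes(3, "big")))
    algorithm = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    spki = tlv(0x30, algorithm + tlv(0x03, b"\x00" + rsa_key))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x13, host.encode()))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, tlv(0x06, SHA1_RSA_OID) + tlv(0x05, b""))
    csr = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" + bytes(bits // 8)))
    b64 = base64.b64encode(csr).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return CSR_BEGIN[1] + "\n" + body + "\n-----END NEW CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    for bits in (1024, 2048):
        sample = build_sample_csr("ssltest.westminster-mo.edu", bits)
        print(bits, inspect_csr(sample), review(sample, "ssltest.westminster-mo.edu"))
```

The example does not verify the request's signature; it only reads the fields a vendor will copy into the certificate.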

Thursday, February 21, 2008

Capturing SQL Server 2005 database file size information

It’s very important to capture trends of the sizes of your SQL Server 2005 database because it allows you to plan for future space needs, notice types of problems, and plan for time periods of heavy volume. I’ll show you the simple method that I use to capture this information.

An example
I will capture a snapshot of the information related to the sizes of my database files; in my next article, I will analyze the information to see when my data files and log files grow the most.

Each database on the SQL Server contains information regarding the size of the database files, along with some other related information. In order for me to get to this information, I need a method to retrieve the data from the individual databases one at a time. I have two available options:

sp_spaceused: This system stored procedure will return the size statistics for the current database context in which it is running. It is very useful for returning ad hoc information regarding database or table sizes within the database; however, it is not very friendly for reporting purposes. It is possible to capture the information for each database through a script, but it would require the use of a user-defined cursor.
sp_msforeachdb: This is a very useful system stored procedure that will execute any SQL script you pass to it in each of the databases on your SQL Server instance. The stored procedure just loops through the databases, which is simple to write, but it saves you from having to do it yourself. This is the method I will use for my code to capture database file size information.
The information I want to gather and store is available in the sys.database_files system view. This gives me the size of the database files, along with some other handy information such as the state of the database, the manner in which the files grow (size or percentage), and if it is read-only. I will need to capture this information for each database.

The script below creates a table named DatabaseFiles (if it does not already exist) based upon the structure of the system view sys.database_files; it also adds a new column to capture when the record was added to the table.

IF OBJECT_ID('DatabaseFiles') IS NULL
BEGIN
    SELECT TOP 0 * INTO DatabaseFiles
    FROM sys.database_files

    ALTER TABLE DatabaseFiles
    ADD CreationDate DATETIME DEFAULT(GETDATE())
END

Now it is time to populate the DatabaseFiles table. This script uses the sp_msforeachdb stored procedure and passes a SQL script that inserts data from the sys.database_files view into the DatabaseFiles table that I created above. If you examine the script, you will notice that I am building in the database name for each database. This is subtle, and it’s accomplished by the [?] prefix to the sys.database_files view. This code is actually executed in each database on the instance, and the name of the database is used in place of the [?] marker. Information for each database is inserted into the DatabaseFiles table with one line of code, and it is a lot easier than writing a cursor to do the same. I also added a GETDATE() call to indicate when the records were inserted into the table.

Note: This example somewhat goes against two coding standards that I am typically strict about: using SELECT * and inserting into a table without a column list. I omitted them because the SQL string that I am building would have been a lot less desirable to view. If this was code that I put into a production environment, I would have made the necessary changes accordingly.

EXECUTE sp_msforeachdb 'INSERT INTO DatabaseFiles SELECT *, GETDATE() FROM [?].sys.database_files'

To make sure that all of my data was captured correctly, I’ll look at what is in the table.

SELECT * FROM DatabaseFiles

Using the Computer Management Console’s Shared Folders snap-in

Managing open files, active shares, and user sessions can take up quite a bit of time. The Computer Management Console’s Shared Folders snap-in can make your job easier by showing remote activity and resource access on a given system.

Shared Folders will not list the documents that you are working on locally; keep this in mind if you open one of these objects on a system, and the view is empty. As with other Computer Management Console snap-ins such as Event Viewer, Shared Folders is available on all versions of Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

Components of the Shared Folders snap-in
Shared Folders includes the following three objects, which allow you to monitor systems from the comfort of your office for any system on your network.

Shares: Shows the active shares (including all administrative shares) for the system to which you are connected.
Sessions: Shows all the user sessions that are connected to your system. If someone is accessing a Windows Server 2003 resource remotely, this snap-in will show you their session. You can disconnect sessions by right-clicking a session and choosing either Disconnect Selected Session or Disconnect All Sessions.
Open Files: Shows the files on the system that are currently open and shows you which users have the files or folders open; this can be helpful in tracking down why other users cannot open certain files. When using Open Files, you can close any file that any user has open simply by right-clicking the file’s entry in the list and choosing Close Open File.
Remote connections
When accessing the Computer Management Console, you can connect remotely to other systems to view their resources. (The remote systems must be running Windows 2000 or higher.)

To connect remotely to other systems, follow these steps:

Open the Computer Management Console by right-clicking My Computer from the Windows XP Start menu. (In Windows 2000, you right-click My Computer from the desktop. In Windows Vista, you right-click Computer or enter Computer Management in the Start Menu’s Search box.)
Right-click the computer object at the top of the left pane and select Connect To Another Computer. Or, click the Action menu and select Connect To Another Computer.
Enter the name of the computer you wish to connect to and click OK.
If the desired system is available, the Computer Management Console will display the resources as available on the remote system.

Next week, I will focus on the Computer Management Console’s Local Users and Groups snap-in.

Create your own special characters in Windows XP

If you’ve ever wanted to create your own font or maybe just a special character — for example, a character showing your initials for when you wish to approve documents with your “signature” — you can easily create your own special characters using a hidden Windows XP tool called the Private Character Editor. Here’s how:

Press [Windows]R to open the Run dialog box.
Type eudcedit in the Open text box and click OK.
When the Private Character Editor launches, you’ll see the Select Code dialog box. Click OK.
A user interface that looks and works very much like Paint will appear. From this, you may use standard tools to create your characters.
When you finish, select the Save Character command on the Edit menu.
Once you save your new character, you can access it using the Character Map tool. Here’s how:

Press [Windows]R to open the Run dialog box.
Type charmap in the Open text box and click OK.
When the Character Map appears, select the Font drop-down list and select All Fonts (Private Characters).
Select your character, click the Select button, and then click the Copy button.
You can now paste your font character in any document that you want.

Sunday, February 10, 2008

Enterprise considerations for Microsoft Network Access Protection

Having a MS-NAP implementation in place will provide your network an extra level of protection at the entry point. There are certainly networks that need the maximum level of security for every point of connectivity; however, only the business or your technology situation can determine what you need from the perspective of network access protection. The MS-NAP implementation uses many different communication mechanisms if fully implemented. A strong point for MS-NAP is that the MS-NAP implementation can be utilized with some or all of the features and roles. In this article, we'll take a look at some of the things you need to take into consideration from an enterprise perspective.

Enforcement types for MS-NAP
If you are considering MS-NAP for your environment, you cannot invest enough time in the planning and testing phases. Deciding on the best enforcement type for a policy is critically important. The means of enforcing MS-NAP are varied in their functionality and complexity.

Enforcement types
The MS-NAP implementation can enforce the compliance policy through these four mechanisms:

VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client and performs the validation. This is not to be confused with Windows Server 2003's Network Access Quarantine Control feature.
DHCP: The DHCP server interacts with the policies from the NPS to determine the client's compliance.
IPSec: The IPSec enforcement of MS-NAP is Microsoft's strongest offering for network access protection. It enforces the policy and configures the systems out of compliance with a limited access local IP security policy for remediation.
802.1X: The MS-NAP client authenticates over an 802.1X authenticated network and is the best solution when integrating hardware from other vendors. Luckily, the 802.1X authentication protocol was developed jointly by Microsoft, Cisco, HP, Trapeze, and Enterasys.
Each enforcement type will direct the client that is out of compliance to the remediation network where a resolution should be able to occur before accessing the desired network. The remediation network should be given some thorough planning. Making the remediation network a place where clients (managed or unmanaged) can gain the requisite updates or programs without support staff intervention will be critical in making the entire MS-NAP implementation a success. Choosing an enforcement method is an important first step in a successful implementation.

Planning what can happen on the remediation network is very important as well. Ask whether updates can be accessed from this network; whether anti-virus updates and installations can be accessed there; and, most importantly, whether users can perform the required updates automatically or without involving the client support staff.

Network Policy Server (NPS) mastery
In planning a MS-NAP implementation, a deep-level understanding of the NPS role of Windows Server 2008 should be reached. This server role will determine where systems will go based on their configuration. This is especially important because this server role touches other server roles or equipment depending on the enforcement mechanism selected. The NPS role also acts as a RADIUS server for the MS-NAP clients.

Real-world administration effort and support
Many network administrators are overworked and have difficulty seeing when they could set aside the time to properly plan a network access protection system, much less fully test and implement such a solution. The common response from a quick, unscientific survey of network administrators is "It would be nice, but I don't have the time" for a network access protection solution. Regardless of it being a Microsoft or a networking company solution, the responses are fairly consistent.

From an ongoing support perspective, the MS-NAP implementation can go one way or the other. If the remediation network gives users a robust, intuitive way to become compliant, the support effort will be minimized for ongoing access to networks from systems that have dipped out of compliance.

Networking hardware support
If the 802.1X enforcement method is selected, a unique challenge is presented. This method is unique because it would require maintaining support for the MS-NAP implementation from a networking hardware and server operating system perspective. While the implementations offered by the networking hardware vendors offer 802.1X authentication for an individual port, it takes an additional administration effort to ensure end-to-end compatibility.

New services on clients and domain group policy objects
For the client elements using the MS-NAP implementation, there are new services and local configuration elements that are required to utilize the functionality. Pushing these configuration elements to managed systems through an Active Directory domain GPO is the best way to deploy to large numbers of existing systems. The new configuration elements for the MS-NAP implementation are not available in Active Directory domains running at Windows Server 2003 level, but are available for Windows Server 2008 level domains. There are other ways to configure the new services for clients, but it would be optimal to be native in the domain group policy editor and link the new GPO to an OU or a domain.

It is not clear what implementation configuration would be required for Windows XP clients since Service Pack 3 is not yet available; nor is it clear how a Windows XP MS-NAP client would be managed -- if at all possible -- from a Windows Server 2008 functionality level Active Directory domain.

Cisco's NAC hardware explained

Cisco Network Admission Control (NAC) is a system to enforce the security policy of your company on all devices attempting network access. The Cisco NAC solution is made up of many different pieces of hardware, software, and services; this article will explain its many pieces.

What hardware makes up Cisco's NAC solution?
On Cisco's network security solutions Web page, you'll find the following list of Cisco technologies, all of which play a part in the complete Cisco NAC solution:

Advanced Services for Network Security
Cisco Security Agent (CSA)
Cisco Security Monitoring, Analysis and Response System (MARS)
Cisco Trust Agent 2.0 (CTA)
Cisco Secure Access Control Server for Windows (ACS)
Cisco Secure Access Control Server Solution Engine (ACS)
Cisco Works Interface Configuration Manager (ICM)
Cisco Works Security Information Management Solution (CW-SIMS)
NAC-enabled routers
Router security
Cisco VPN 3000 Series Concentrators
Cisco Unified Wireless Network
Cisco Catalyst switches
Let's discuss some of the more critical pieces of Cisco's NAC solution.

Cisco NAC-enabled routers
The recently released Cisco router NAC module enforces NAC at the remote branch locations or ancillary buildings of a campus. Apart from that, the NAC router module also improves the overall security of the network by making sure that all incoming users and devices comply with security policies.

Additionally, the Cisco NAC router module (part # NME-NAC-K9) brings the capabilities of Cisco NAC Appliance Server to Cisco 2800 and 3800 Series Integrated Services Routers. This module spares network administrators from having to deploy NAC appliances across the board, and it helps to consolidate the administrative tasks into fewer boxes.

Amazingly, this module is actually a 1 GHz Intel Celeron PC, with 512 MB RAM, 64 MB of Compact Flash, and an 80 GB SATA hard drive. All that fits onto a single 1 pound module that slides into a router and enforces your security policies. This module requires a 2800 or 3800 series router running IOS 12.4(11)T or later.

Cisco NAC Appliance
The single most popular piece of the Cisco NAC solution has been the Cisco NAC Appliance. As evident from the name itself, Cisco NAC Appliance is an appliance-based solution that offers fast deployment, policy management, and enforcement of security policies.

With the Cisco NAC Appliance, you can opt for an in-band or out-of-band solution. The in-band solution is for smaller deployments. As your network grows into more of a campus environment, you may not be able to keep the in-band design. In that case, you can move to the out-of-band deployment scenario.

Here are some advantages of the Cisco NAC Appliance:

Identity: At the point of authentication, the Cisco NAC Appliance recognizes users, as well as their devices and their responsibility in the network.
Compliance: Cisco NAC Appliance also takes into account whether machines are compliant with security policies or not. This includes enforcing operating system updates, antivirus definitions, firewall settings, and antispyware software definitions.
Quarantine: If the machines attempting to gain access don't meet the policies of the network, the Cisco NAC Appliance can quarantine these machines and bring them into compliance (by applying patches or changing settings), before releasing them onto the network.
For more information about the Cisco NAC Appliance, see the Cisco NAC Appliance datasheet.

Cisco Secure Access Control Server (ACS)
The Cisco ACS Server could be called the "brain" of the Cisco NAC solution. It is here that users' credentials are checked to see if they are valid, policies are sent back to be enforced, and activities are logged. The ACS server is called an AAA Server because it performs authentication, authorization, and accounting.

This server runs on an existing Windows server in your organization and can use other existing databases in your organization to verify users' credentials. For example, most companies have ACS point toward their Windows Active Directory (AD) system to look up credentials. If those credentials are valid, then ACS can enforce network authorization polices on those users, with the help of the network hardware: NAC Appliance, Router NAC module, or ASA/PIX firewalls.

Cisco Security Agent (CSA)
Cisco CSA is a software client that is run on every machine in an organization. These clients talk to a centralized policy server. Together, these software applications know which software and activities on each PC in the organization are or are not "normal". The CSA agent may alert on or block certain activities that it sees as abnormal.

When compared to anti-virus software that depends on definition updates to stay current, Cisco touts that the CSA never needs updating because it is constantly "learning" and monitoring activities, not definitions of viruses.

For more information about the Cisco CSA solution, see the Cisco CSA datasheet.

Cisco Trust Agent (CTA)
You can think of the Cisco Trust Agent as the "NAC Client". The CTA runs on each PC in the organization. It talks to the NAC Appliance, for example, to tell it about the state of the device attempting to access the network. For example, the CTA reports the version of the OS, patch level, the AV definition level, the firewall status, and more. According to Cisco, the CTA "interrogates devices." You can obtain CTA free of charge from Cisco Systems.

Cisco Works Security Information Management Solution (CW-SIMS)
The Cisco Works Security Information Management Solution (CW-SIMS) is the centralized repository that all Cisco devices use for security logging and other information. According to Cisco, this application "integrates, correlates, and analyzes security event data from the enterprise network to improve visibility and provide actionable intelligence for strengthening an organization's security."

With so many security devices in your network, one application has to try to correlate all the logs and security information that is generated. According to Cisco, here are the features that the CW-SIMS offers:

Comprehensive Correlation: Statistical, rules-based, and vulnerability correlation of events as they happen, in real time, across all integrated Cisco network devices.
Threat Visualization: See a visual status and generate reports of all the security events as they happen across your network.
Incident Resolution Management: SIMS integrates with common helpdesk packages to track security events until resolution.
Integrated Knowledge Base: SIMS can be a source of knowledge about security issues and how they are resolved.
Real-Time Notification: SIMS can notify security admins, in real time, when events occur.
For more information about the Cisco CW-SIMS solution, see the Cisco CW-SIMS datasheet.

Cisco Security Monitoring, Analysis, and Response System (MARS)
While MARS may seem similar to CW-SIMS, it is quite different. MARS actually understands the configuration and topology of your network. You can think of MARS as a "virtual security admin" for your network -- working while you sleep.

MARS uses NetFlow data from Cisco routers to have a real-time understanding of network traffic. It knows what is considered normal and what is not; this is called behavioral analysis. With behavioral analysis, MARS can stop abnormal network traffic. MARS has over 150 audit compliance templates, and will make recommendations on how to remediate threats to your network.

MARS is actually an appliance that you install on your network. This appliance comes in a variety of sizes and license levels based on the size of your network. Cisco Security MARS and Cisco Security Manager are part of the Cisco Security Management Suite.

In summary
To be a complete solution that can fulfill the Cisco Self-Defending Network framework, the hardware and software of Cisco's NAC solution must integrate well. With nine or more different pieces of hardware and software related to NAC, the challenge of acquiring (i.e., affording), learning to configure, deploying, and monitoring these solutions can be a large task for any organization. While having the centralized software applications like CW-SIMS and MARS can really bring it all together, those applications will take time, effort, and expertise to master. For this reason, I can relate to anyone who says that deploying a security solution is difficult.

In this article, I've attempted to clarify the purpose of the different NAC security solutions offered by Cisco today; with this information, I hope that your quest for strong network security can be realized.

Finding dependencies in SQL Server 2005

Any time you need to modify objects in your SQL Server 2005 database, the objects that are dependent upon those objects are a concern. You don’t want to remove columns from tables, procedures, views, or tables if there are objects dependent upon them that are being used.

This tutorial will show how you can write a procedure that will look up all of the objects that are dependent upon other objects.

How to write the procedure
To start a dependency chain, I create a table and then create some objects that will depend upon that table. Below is a script to create my SalesHistory table and load some data into it:

IF OBJECT_ID('SalesHistory')>0
    DROP TABLE SalesHistory;
GO
CREATE TABLE [dbo].[SalesHistory]
(
    [SaleID] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY,
    [Product] [char](150) NULL,
    [SaleDate] [datetime] NULL,
    [SalePrice] [money] NULL
)
GO

DECLARE @i SMALLINT
SET @i = 1
WHILE (@i <=100)
BEGIN
    INSERT INTO SalesHistory
    (Product, SaleDate, SalePrice)
    VALUES
    ('Computer', DATEADD(mm, @i, '3/11/1919'), DATEPART(ms, GETDATE()) + (@i + 57))

    INSERT INTO SalesHistory
    (Product, SaleDate, SalePrice)
    VALUES
    ('BigScreen', DATEADD(mm, @i, '3/11/1927'), DATEPART(ms, GETDATE()) + (@i + 13))

    INSERT INTO SalesHistory
    (Product, SaleDate, SalePrice)
    VALUES
    ('PoolTable', DATEADD(mm, @i, '3/11/1908'), DATEPART(ms, GETDATE()) + (@i + 29))

    SET @i = @i + 1
END

I’ll create a couple of objects that are dependent upon the SalesHistory table. This view uses the DENSE_RANK ranking function to return the sales rank of each product based on when the product was entered into the table. This view is directly dependent upon the SalesHistory table.

CREATE VIEW vw_SalesHistory
AS
    SELECT SaleRank = DENSE_RANK() OVER (PARTITION BY Product ORDER BY SaleID ASC), *
    FROM SalesHistory
GO

The stored procedure returns the total sales for the Computer product group. This procedure uses the view that I just created, so it is dependent upon that view, which is dependent upon the SalesHistory table. In a sense, this creates a dependency chain.

CREATE PROCEDURE usp_GetTotalComputerSales
(
    @TotalSales MONEY OUTPUT
)
AS
BEGIN
    SELECT @TotalSales = SUM(SalePrice)
    FROM vw_SalesHistory
    WHERE Product = 'Computer'
END
GO

Here is the code to create the system stored procedure for finding object dependencies:

USE master
GO
CREATE PROCEDURE sp_FindDependencies
(
    @ObjectName SYSNAME,
    @ObjectType VARCHAR(5) = NULL
)
AS
BEGIN
    DECLARE @ObjectID AS BIGINT

    SELECT TOP(1) @ObjectID = object_id
    FROM sys.objects
    WHERE name = @ObjectName
    AND type = ISNULL(@ObjectType, type)

    SET NOCOUNT ON ;

    WITH DependentObjectCTE (DependentObjectID, DependentObjectName, ReferencedObjectName, ReferencedObjectID)
    AS
    (
        SELECT DISTINCT
            sd.object_id,
            OBJECT_NAME(sd.object_id),
            ReferencedObject = OBJECT_NAME(sd.referenced_major_id),
            ReferencedObjectID = sd.referenced_major_id
        FROM
            sys.sql_dependencies sd
            JOIN sys.objects so ON sd.referenced_major_id = so.object_id
        WHERE
            sd.referenced_major_id = @ObjectID
        UNION ALL
        SELECT
            sd.object_id,
            OBJECT_NAME(sd.object_id),
            OBJECT_NAME(referenced_major_id),
            object_id
        FROM
            sys.sql_dependencies sd
            JOIN DependentObjectCTE do ON sd.referenced_major_id = do.DependentObjectID
        WHERE
            sd.referenced_major_id <> sd.object_id
    )
    SELECT DISTINCT
        DependentObjectName
    FROM
        DependentObjectCTE c
END

This procedure uses a Common Table Expression (CTE) with recursion to walk down the dependency chain to get to all of the objects that are dependent on the object passed into the procedure. The main source of data comes from the system view sys.sql_dependencies, which contains dependency information for all of your objects in the database.

Note: There are exceptions to this table. SQL Server 2005 will only place data into the sys.sql_dependencies view if it is able to at the creation of the object. If the database is not able to add a dependency, it will let you know at the time the object is created.

I want to mark the stored procedure as a system stored procedure so I can call it for any object in any database.

EXECUTE sp_ms_marksystemobject 'sp_FindDependencies'

Now I can call my new system stored procedure to find any objects that are dependent upon the SalesHistory table that I just created.

EXECUTE sp_FindDependencies 'SalesHistory'

I get the results that I expect from the procedure. The following objects are returned:

usp_GetTotalComputerSales
vw_SalesHistory

The view vw_SalesHistory is returned because it is directly dependent upon the SalesHistory table. The procedure usp_GetTotalComputerSales is returned because it is dependent upon the view vw_SalesHistory, which in turn is dependent upon the SalesHistory table.

Use with caution
The ability to view objects that are dependent upon other objects (e.g., views that use tables, procedures that use views) is useful when you need to alter or remove certain objects. Be extra careful when you modify objects that other objects may depend on.

Tuesday, January 1, 2008

How do I... Install Windows Vista in a dual-boot configuration along with Windows XP?

Are you really excited about the prospect of experimenting with the new features in the Windows Vista operating system, but are not yet ready to give up your existing Windows XP installation? For instance, you may be on the fence, because you're not 100 percent sure that all your existing hardware and software will work in Vista and you still need them to get your work done.

If so, then you may be the perfect candidate for a dual-boot configuration. With this type of configuration, you can easily experiment with Windows Vista and still use Windows XP. In other words, you get to have your cake and eat it too.

In this article, I'll discuss some of the options you'll need to consider as you begin thinking about and planning for adding Windows Vista to your existing system in a dual-boot configuration. I’ll then walk you step by step through the entire procedure.

The location options
In order to install Windows Vista in a dual-boot configuration along with Windows XP, you need to have either a second partition on your existing hard disk or a second hard disk in your system. To give yourself enough room to experiment, you should have at least 20 GB and preferably 40 GB of space available on either the second partition or on the second hard disk.

If you don't have enough available space on your existing hard disk for a second partition, then you'll need to connect a second hard disk to your system. If you do have enough available space on your existing hard disk for a second partition, then you'll need to obtain a partitioning software package. I recommend Symantec’s Norton PartitionMagic only because I’ve used PartitionMagic for years. However, there are other partitioning software packages that I’ve heard are just as good, such as Acronis Disk Director or VCOM Partition Commander Professional.

Of course, detailed instructions on connecting a second hard disk or partitioning your existing hard disk are beyond the scope of this article. However, in either case, the second hard disk or the second partition must be formatted with NTFS before you begin the installation operation. If you add a second partition to your existing hard disk via a partitioning software package, you will be able to format it as NTFS at the same time as you create the partition. If you're installing a second hard disk, the easiest way to format it as NTFS is from within Windows XP’s Disk Manager, which you can quickly access by pressing [Windows]+R to access the Run dialog box and typing diskmgmt.msc in the Open text box.

The installation options
You can approach the dual-boot installation operation in one of two ways -- by cold booting from the Windows Vista DVD or by inserting the Windows Vista DVD while Windows XP is running. As you can imagine, you'll encounter slightly different introductory screens depending on which approach you use, but once you get started the operation is essentially the same.

While both methods will produce the same result, I prefer the cold booting from the DVD method. The main reason is that you don't have to worry about any interference from antivirus/antispyware/firewall software on your existing Windows XP installation.

Performing the installation
Once you have your second partition or second hard disk operational, just insert your Windows Vista DVD, restart the system, and boot from the DVD. Once the system boots from the DVD, Windows Vista’s Setup will begin loading and will display the screen shown in Figure A.

Figure A:


Windows Vista’s Setup will take a few moments to load files before the installation actually commences.

In a few moments, you’ll see the screen that prompts you to choose the regional and language options, as shown in Figure B. As you can see, the default settings are for U.S. and English and if that’s you, you can just click Next to move on.

Figure B:


The default settings on the regional and language screen are for the U.S. and English.

On the next screen, you’ll be prompted to begin the installation procedure, as shown in Figure C. To begin, just click the Install Now button.

Figure C:


To get started, click the Install Now button.

In the next screen, you’ll be prompted to type in your product key for activation, as shown in Figure D. By default, the Automatically Activate Windows When I’m online check box is selected; however, you’ll notice that I’ve cleared it. The main reason that I’ve done so here is that while writing this article, I’ve experimented over and over with this installation procedure and want to conserve on the number of times that I can legitimately activate this copy of Windows Vista before Microsoft locks it down and requires me to call in and manually request a new product key.

Figure D:


At this point in the installation, you’re prompted to type in your product key for activation.

Now, if you just want to temporarily install Vista in a dual-boot configuration while you experiment, but plan on installing it as your main operating system once you’re satisfied with the way that Vista behaves with your hardware and software, you too may want to disable the automatic activation routine. Even though you’ve disabled the automatic activation routine, you can still install Windows Vista and use it as you normally would for 30 days.

If you want to keep Vista in a dual-boot configuration, you can activate your license online anytime you want. If you decide to make Vista your main operating system, you can repartition your hard disk, reinstall Vista on the main partition and activate the new installation in the process.

If you decide to disable the automatic activation routine, you’ll see a confirmation dialog box, as shown in Figure E, which contains a harsh warning and prompts you to reconsider. You can just click No to continue.

Figure E:


Even though this dialog box contains a harsh warning, Microsoft wouldn’t have made automatic activation a choice if opting out was really dangerous.

Because I didn’t enter a product key, Setup doesn’t know what edition I’ve purchased and prompts me to select one of the seven editions on this disk, as shown in Figure F. Since I'm working with the Ultimate edition, I selected that edition, checked the box, and clicked Next.

Figure F:


When you don’t enter a product key, Setup doesn’t know what edition you have a license for and so prompts you to select one of the seven editions.

On the next page (Figure G), you’ll see the Microsoft Software License Terms and are prompted to read through them. However, unless you’re very curious you can just select the I Accept The License Terms check box and click Next.

Figure G:


Unless you’re very curious, you can just click through the license terms screen.

If you’re booting from the DVD, when you get to the Which Type Of Installation Do You Want page, the only option is Custom (advanced) as shown in Figure H. To move on, just click the Custom icon.

Figure H:


When you boot from the Windows Vista DVD, the only installation type that is available is Custom (advanced).

When you arrive at the Where Do You Want To Install Windows? page, you’ll see your second partition or second drive. I created a second partition on which to install Windows Vista, so my page looked like the one in Figure I.

Figure I:


I created a second partition on a 160 GB hard disk on which to install Windows Vista.

Once you select a partition or disk and click Next, the rest of the installation will continue as it normally would. As such, I won’t follow the installation procedure any further in this article.

Windows Boot Manager
Once the installation is complete, you'll see the Windows Boot Manager screen, as shown in Figure J. As you can see, booting either Windows XP (listed as an Earlier Version of Windows) or Windows Vista is a simple menu choice. This menu will appear on the screen for 30 seconds before Windows Boot Manager launches the default operating system, which is Windows Vista.

Figure J:


The Windows Boot Manager allows you to select which operating system you want to boot.

The Activation countdown
Since I described installing Windows Vista without activating it for testing purposes, I wanted to point out that Windows Vista will indeed keep track of your 30-day trial on the System screen, as shown in Figure K. In addition, it will regularly display

Figure K:


If you decide not to activate during your dual-boot installation, you can keep track of how many days you have until you must activate on the System page.

Configuring Windows Boot Manager
As I mentioned, the Windows Boot Manager menu will appear on the screen for 30 seconds before Windows Boot Manager launches the default operating system -- Windows Vista. However, if you wish to adjust the countdown or change the default operating system, you can do so from within Windows Vista.

Once you've booted into Windows Vista, press [Windows]+[Break] to access the System page. Next, click the Advanced System Settings link in the Tasks pane and confirm through the UAC prompt. When you see the System Properties dialog box, click Settings in the Startup and Recovery panel. You’ll then see the Startup and Recovery dialog box, as shown in Figure L.

Figure L:


You can use the controls in the Startup and Recovery dialog box to change the default operating system and the number of seconds that the Windows Boot Manager menu will appear on the screen.

In the System Startup pane, you can change the Default Operating System setting from the drop down list as well as use the spin buttons to adjust, up or down, the number of seconds to display the menu before launching the default operating system.

Conclusion
Installing Windows Vista in a dual-boot configuration alongside Windows XP is a great way to experiment with the new operating system until you get comfortable with it. In this article, I’ve shown you how to create a Windows Vista dual-boot configuration.

Wednesday, December 26, 2007

10 ways to work better with your boss

Bosses: You can’t live with them, and you can’t live without them. Like it or not, most of us must deal with a boss, and the way we do so affects not just our career advancement and our salary, but also our mental well-being. Here are some tips on how to get along better with your boss.

#1: Remember that your boss just might have useful insights
Think you have a clueless boss? Remember the words of Mark Twain, who once said that when he was 14, his father was so stupid it was unbearable. Then, he continued, when he became 21, he was amazed at how much his father had learned in just seven years. Your boss might be smarter than you think, and maybe later in your career, you will appreciate that fact. Regardless, a bad boss can still offer good advice.

I remember what a boss from years ago told me about the workplace. He said I should be aggressive and find out what people needed done rather than sit back and wait for assignments.

Think of it this way: You still can learn from a bad boss. Analyze why that boss is a bad boss and then resolve to avoid those things if you ever become a boss yourself. As the cynic reminds us, even a stopped clock is correct twice a day.

#2: Know your boss’ objectives
Software developers often concern themselves with “traceability.” The requirements for a software system must directly or indirectly be tied, or traced, to the objectives of the company. In theory, therefore, any requirement that lacks such traceability should be considered irrelevant and removed.

In the same way, try to see the bigger picture. You need to know what the boss expects of you (see the next tip). But at the same time, you need to understand how your job helps the boss. Make sure that what you’re doing not only meets your own job description but helps the boss achieve his or her own objectives.

#3: Know what your boss expects of you
When I was young, I once complained to my mother that I had nothing to do. “Calvin,” she answered, “Why don’t you practice piano?” That was the last time I ever complained to her about that topic.

Ignorance of your parents’ wishes may be fine when you’re a child, but ignorance (willful or otherwise) of your boss’s expectations can kill your career. How can you expect a good performance evaluation if you’re unaware of how you’re going to be measured? If you know your objectives, are they quantifiable? If so, both of you will have an easier time during your evaluation.

Every once in a while, check with your boss about what you’re doing and what you’ve accomplished and make sure your boss has that same understanding. If your boss has issues with your performance, it’s better for both of you that you know sooner rather than later, so you have time to make adjustments.

In a perfect world, no surprises should arise during your performance review. If they do, either your boss didn’t communicate the objectives or you failed to understand them. Don’t let that happen to you.

#4: Be low maintenance
Don’t be the “problem employee,” the one the boss always has to check up and follow up on. Instead, try to be the one the boss can depend on. It might not be apparent immediately, but a good boss will recognize and appreciate that trait.

Are you going to be perfect in your work? Of course not. You’re probably going to make a mistake or create a problem at least once. However, when that happens, and you go to your boss (as you should, as mentioned below), try to go not just with the report of the problem. Think of some solutions and be prepared to offer your recommendations to your boss.

#5: Don’t surprise your boss
Don’t let your boss be blindsided by bad news. In other words, “fess up” if you created a problem or made a mistake. It’s better that bad news about you should come from you — not from a customer, not from a co-worker, and absolutely not from your boss’s boss. Did you have a negative interaction with an abusive caller or customer? As soon as the call is finished, call your boss and give a briefing. Tell the boss who you spoke with, why that person is upset, and what the boss can expect to hear from that person. Also give your side of the story.

The same advice applies to good news as well. Let your boss know about your successes. Otherwise, your boss might give the impression of being unaware of them when his or her own boss offers congratulations.

#6: Acknowledge your boss in your successes
The moment has arrived: You’re in front of your group, receiving an award or other recognition from your boss or your boss’ boss. An appropriate thing to do at this point is to recognize the people who made it possible, in particular your boss. It’s easy to do if your boss really did help you. What about the “difficult” boss, though? You should try to say something, but at the same time you probably should be truthful as well.

Remember what we discussed above — that even a bad boss can provide good insights and examples. Did your boss discourage you or make things difficult? Maybe, in that case, you could thank your boss for helping you “keep things in perspective” or for “serving as a sanity check” or for helping you “see the problem from multiple points of view.” Don’t push things, or you may start sounding cute and insincere. However, do try to say something about your boss’ help.

#7: Don’t take criticism personally
Because most of us are so involved with our work, it’s hard to separate ourselves from it. So when someone criticizes our work, we view that criticism as a personal attack. Reacting that way can hinder our development and our progress. The next time your boss (or anyone else) criticizes your work, try pretending that the work was done by someone else. Then, examine it as a third party would and test the validity of the criticism.

A smart boss realizes that your success is tied to his or her own success. Therefore, the boss has an interest in your doing well. Furthermore, criticism from the boss could be a sign that the boss has high expectations from you. When I first began working, I was upset because my boss had given me a task that I thought was too hard. I discussed my concern with a friend of my father, who worked in the same area as I did. Though it happened years ago, I still remember that friend’s advice. “Calvin,” he said, “[name of boss] gave you that task because he thinks you can do a good job.”

#8: Remember your boss has a boss
We discussed earlier the importance of knowing your boss’ objectives. In the same vein, be aware that your boss has a boss as well. You can use that fact to build a collaborative relationship with your own boss, because both of you have a common objective of making the boss’ boss happy and making your boss look good. Having that collaborative relationship gives your boss a better impression of you and gives you visibility to your boss’ boss.

#9: Don’t upstage your boss
Upstaging your boss can limit your career mobility. Therefore, be careful of correcting your boss in public, as someone did to my father once. While he was making a group presentation, he referred to Worcester Polytechnic Institute. In doing so, he correctly pronounced it as “Woo-ster.” This person spoke up, saying, “Wellington, you’re wrong. It’s ‘Woo-ches-ter.’” Fortunately, my father was smart, deflecting the comment with the following answer: “I’m sorry. Please forgive me. English is only my fifth language.” My father humorously defused the situation. However, the fact that after all these years I still hear this story tells you what my father thought of that correction and the person who made it.

There’s one instance when it’s okay to correct your boss in public: when your boss mistakenly thinks he or she made a mistake but really didn’t. Suppose your boss quotes a figure while giving a presentation. He or she then stops and says, “I’m sorry, I think I made a mistake.” If you know the boss was originally correct, it’s fine at that point to interrupt and say, “No, [boss’ name], you’re correct.”

#10: Manage your boss when necessary
Getting ahead in your career requires more than just sitting back and waiting for assignments. You must take initiative, looking for opportunities and problems to be solved. In doing so, take advantage of any organizational power your boss might have. Explain to your boss your plans and why they represent a good business decision. Then, ask your boss to fight any bureaucratic battles that may arise and to run interference for you. In doing so, you recognize the boss is the boss. However, you are directing your boss by taking advantage of pull that you may lack.