Monday 24 November 2008

Windows 7: One Vista at a time.

OK, I admit that over the past few weeks I have been a keen Windows 7 enthusiast. I really like the UI tweaks and for a M3 build, performance is exactly on par with Vista SP1.

 

And, I am getting asked every day, "Should we wait for Windows 7?"

 

I think that the answer is a resounding NO; if you meet the any of the following criteria;

 

  1. Your organisation would require over 1 year to completely migrate your applications and desktops from one platform to another. This generally translates to organisations with over 200 applications and 3000+ desktops. Yes, I know this covers most medium to large organisations.

 

  1. You are currently using Windows XP (or worse Windows 2K). Given that Windows 7 could be 18-24 months away, vendors may stop supporting XP before you are able to move to Windows 7. See the Gartner report here:  http://mediaproducts.gartner.com/reprints/microsoft/vol4/article4/article4.html . Michael Silver has some great recommendations including;

 

"Organizations that plan to skip Windows Vista should budget to replace at least twice as many PCs as normal in 2012" and that "Most organizations shouldn't skip Windows Vista entirely".

 

  1. Windows 7 will require at least the same (possibly more) application compatibility effort and desktop engineering efforts as Vista. Windows 7 is built on the Vista kernel (core) and all Windows 7 features will be a super-set of Vista's current offering. If you start now on the application compatibility effort with the transition to Vista, then the migration effort from Vista to Windows 7 should be quite straightforward.

 

  1. Windows 7 RTM may not be suitable for immediate deployment. Many organisations may have to wait for Service Pack 1 before they can migrate their desktop platforms. Windows 7 Service Pack 1 may not be available until 2011.

 

  1. Microsoft plans to tightly couple the release of the next version of their desktop and server platforms. Vista will be able to integrate better with these new server operating systems and will make a migration from Vista rather XP much easier for application compatibility,  security configuration and user acceptance.

 

 

References:

“The Business Value of Windows Vista: Five Reasons to Deploy Now”

http://download.microsoft.com/download/c/7/5/c75ff4cd-fb38-41e0-8da5-1bcd710ceb34/Vista_WP_online.pdf

 

 

Thursday 20 November 2008

Vista: Powerful enough, but clever enough?

This blog is a little bit of a moan. Not a moan at Microsoft or Windows Vista for application compatibility  issues. More of a whinge directed at my fellow Vista users; particularly Vista laptop users. And, I can't decide if large numbers of my colleagues and friends have seriously missed a major feature in Vista or that Microsoft has really missed a trick here.

The problem is Vista performance (and the perceived lack of performance) of Microsoft's Vista OS on laptops. We are getting some decent laptop builds out there now; Intel Dual Core 2 with 3 gigs of RAM is a decent configuration and I am still getting loads of complaints about the slow performance of Vista.

And, here is the really embarrassing bit. After a little bit of trouble-shooting I discovered on EVERY single machine, that the Power  Settings was set to "Power Saver" instead of "High Performance".

Quoting from Microsoft's Help documentation;

• Balanced. Offers full performance when you need it and saves power during periods of inactivity.
• Power saver. Saves power by reducing system performance. This plan can help mobile PC users get the most from a single battery charge.
• High performance. Maximizes system performance and responsiveness. Mobile PC users might notice that their battery doesn't last as long when using this plan.

"Power Saver" mode is deigned to maximize batter life for laptops, at the price of significantly reduced performance. Meaning; when you select this mode Vista will run slower. 

Obviously, some bright spark in the past had configured this setting for each laptop with the intent of making the battery last as long as possible. This is fine and makes sense.

But this is where I start to lose my patience with Vista. It should be a lot more clever. My laptop "knows" when it is plugged in and Vista "knows" when I am plugged into an AC outlet as it shows a little charging symbol in my system tray.

So, why doesn't Vista automatically switch from "Power Saver" mode when I am off the mains and on the road and then back to "High Performance" mode when plugged into the mains?

Could this simple configuration error be the source of so many Vista performance issues?



References:


Tuesday 18 November 2008

I rarely get to experience this - hence the blog entry. When is the last time you worked on something that was a proper first iteration release from Microsoft. Sure, we (all ) get plenty of BETA or ALPHA code; if you work hard and are lucky. Actually, there is plenty of BETA code around these days... But, how about pure, snow-white 1.0.0.0 releases? Pretty rare, eh?

Well that is what you get with the release of the Microsoft Cloud computing Azure Software Development Kit. Compared to the Platform SDK which weighs in at over a Gig of data (including samples of course) the Azure SDK is a lean 3.5 Meg.

That said, the requirements for the Azure SDK are pretty heavy and include;

• Windows Vista SP1 (when installing on Windows Vista)
• .NET Framework 3.5 SP1
• IIS 7.0 (with ASP.NET and WCF HTTP Activation)
• Microsoft SQL Server Express 2005 or Microsoft SQL Server Express 2008
• Windows PowerShell

And, when you try to download the .NET Framework 3.5 SP1 you get the following message;

"We are sorry, the page you requested cannot be found." Oops. Even Microsoft can make mistakes when rolling out a new version, but this link has been dead for 3 weeks now.

I tried installing the Azure SDK and the installation logic required (was looking for) the prior installation of NET 3.5 SP1 - meaning that without this update, NO Azure SDK. You can't get Azure today, by following the Microsoft instructions.

So, a couple of questions;

1) Given that I am that Microsoft responds to dead-links pretty quickly - has no one else complained?
2) Does anyone care?


There are few people out there already writing about Microsoft's Azure.... And they seem to answer the question rather strongly.

Have a read of Brian's Comments here:
http://www.brianmadden.com/blogs/brianmadden/archive/2008/11/17/What-does-Microsoft-Azure-have-to-do-with-us_3F00_-Hint_3A00_-not-much-today_2E00_.aspx

Or Hoff's here:
http://rationalsecurity.typepad.com/blog/2008/10/when-clouds-encircle-islands-things-get-foggy.html


I am going to do some more digging, but it appears that the answer to question 2 maybe, "No yet!"

Friday 14 November 2008

November 2008, Microsoft Patch Tuesday

ChangeBASE have announced their findings of Microsoft's Patch Tuesday update of November, 2008. There were two patch releases this week (MS08-068 and MS08-069) and one last week (MSO8-067).

MS067 and MS068 were critical releases as they addressed potential serious security issues. However from an application compatibility perspective they will have minimal impact on an organisation's application portfolio. This comes as good news for enterprises as it gives them a month off the full testing cycle with patch updates. In recent months the impact of patches on applications has been significant and has required a huge amount of testing to ensure business critical applications continue to work.

From our discussions with larger companies their testing activity generally falls into one of three camps:

  • Light sample testing of a small number of business critical applications - This requires limited testing resource but leaves organisations vulnerable to applications problems/failures
  • Medium testing - This takes significant resource and time but means that a wider portfolio of applications can be tested
  • Heavy testing - Many organisations do not have the resource to do this on a monthly basis and we have come across examples of corporates who only release new patches to their live environment twice a year as a result of this. The plus side of this approach is that applications are likely to be unaffected by the patch updates. The downside is that critical patches are not deployed, leaving organisations vulnerable to, for example, security breaches

ChangeBASE AOK Patch Impact Monitor identifies in minutes applications that are affected by new Microsoft releases and provides detailed information on potential compatibility issues. This can cut the testing time down to the point that heavy testing can be done on a greater number of applications in a short period of time.

Thankfully November should be a quiet time for testing as the new patches will have minimal impact on an organisation's applications.

Testing Summary

MS08-68: Marginal impact with low numbers of applications affected
MS08-69: Marginal impact with low numbers of applications affected

Patch NameTotal Issues% of apps
Affected
RebootRatingRAG
MS08-067<1%<1%YESCNo Issue
MS08-068<1%<1%YESCNo Issue
 MS08-069<1%<1%YESINo Issue

Legend: 
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-067Vulnerability in Server Service Could Allow Remote Code Execution (958644)
DescriptionThis security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
PayloadNetapi.dll
ImpactRemote Code Execution

MS08-068Vulnerability in SMB Could Allow Remote Code Execution (957097)
DescriptionThis security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadMrxsmb.sys
ImpactInformation Disclosure

MS08-069Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
DescriptionThis security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadMsxml5.dll
ImpactRemote Code Execution

Friday 7 November 2008

Windows 7 - the Quality Gates are open


For you all you appcompat hacks out there is a new bible; Microsoft's Windows Application Quality Cookbook: A Developer’s Guide to Application Compatibility, Reliability, and Performance has been released and contains a really good overview of what may cause your applications to fail when deployed to Windows 7 (the prettier, slightly faster version of Vista).

 

The Word document can be found here;

 

http://code.msdn.microsoft.com/Windows7AppQuality/Release/ProjectReleases.aspx?ReleaseId=1734

 

There are a couple of things I found intriguing about this "Compatibility Cookbook". The first is the location. It currently resides under the code sample area of the developer support site for Microsoft (MSDN).  Whereas the current "production" version of the Vista compatibility cookbook resides under a "proper" download destination and can be found here;

 

http://www.microsoft.com/downloads/details.aspx?FamilyId=69C63073-FE3F-47C3-BAA5-B37943AFE227

 

The next thing,  I found interesting about the Window 7 compatibility cookbook was that it listed the potential compatibility issues in order of severity (i.e. their potential impact) and their likelihood of occurring (probability). Reading from this document it looks like the biggest most likeliest challenges for getting applications working on Windows 7 will include;

 

  • Internet Explorer 8—User Agent String
  • Internet Explorer 8—Data Execution Protection/NX
  • Removal of Windows Mail
  • Microsoft Message Queuing (MSMQ)—Removal of Windows 2000 Client Support Service
  • Compatibility—Operating System Versioning

 

For those of us in the dirtiest of trades (getting applications to work), we better get ready to sharpen our IE8 compatibility knives. With more and more cloud-based applications on the horizon, there may be carnage.

 

Wednesday 5 November 2008

Security: Apps are the new OS

 

Earlier this week Microsoft released their bi-annual Security Intelligence Report  on security trends and detection rates across the industry for Operating systems and applications. This report focuses on industry data and trends for the past six-months on malware data, software vulnerability disclosure data and vulnerability exploit data.

 

The full report is enormous at 150 pages, while the key findings summary document is very digestible and makes incredible reading.  From the following key results; it appears that at least from Microsoft's view of the world, the security landscape is changing;

 

  • The total number of unique vulnerability disclosures across the industry decreased in 1H08, down 4 percent from 2H07 and down 19 percent from 1H07.
  • Vulnerability disclosures in Microsoft software in 1H08 continued a multi-period downward trend, both in terms of all disclosures and relative to total industry disclosures.
  • Vulnerabilities rated as High severity increased 13 percent over 2H07.
  • The percentage of disclosed vulnerabilities rated as Low complexity (and therefore easiest to exploit) increased, with 56 percent receiving a complexity rating of Low.
  • The proportion of vulnerabilities disclosed in operating systems continues to decline; more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, rather than operating systems.

 

Initially the data seems a little contradictory. Overall, vulnerability disclosures are moderately lower than last year and much lower than 2007. However, the number of  vulnerabilities rated as HIGH and easy to exploit increased from both 2008 and 2007. Meaning that there are less exposed security holes in the OS; but there are more serious, more virulent and more dangerous security exploits that are easier for people to deploy  in web pages and applications in 2008 than in 2007. 

 

Simply put, your OS is more secure, but the world (the internet) is a more dangerous place.

 

That said, you have to be a little careful here as the this report does read a little like an advertisement for Vista and the reported security vulnerabilities for Vista (especially 64-bit) are much lower than for XP. Quoting from this document;

 

  • The infection rate of Windows Vista SP1 is 48.8 percent less than that of Windows XP SP3.
  • Windows Vista is 56.2 percent less than that of Windows XP SP2.

 

These are big numbers, but I still think that this is not the REAL story here.  Reading through this large document, you find that  the number of security vulnerabilities has increased for 3rd party applications, not the Operating  System.  The report suggests that a staggering 90% of security vulnerabilities are related to applications. If this is true, then Microsoft has a very powerful story here; our OS is secure, but your applications are not.

 

In terms of security nightmares, your applications may be the new Windows 98.

 

The full report and the key findings summary can be found here;

 

http://www.microsoft.com/downloads/details.aspx?FamilyId=B2984562-47A2-48FF-890C-EDBEB8A0764C&displaylang=en

 

And, the archive and collection of previous Security Intelligence reports can be found here; http://www.microsoft.com/sir