Microsoft Virtual Machine hole needs to be plugged

Microsoft Security Bulletin MS03-011, “Flaw in Microsoft VM Could Enable System Compromise,” reports that a critical-rated vulnerability has been found in all versions of Microsoft’s Virtual Machine, the software that runs Java applications in Microsoft Windows and Internet Explorer.

Details
The newly discovered vulnerability is due to a flaw in the way the ByteCode Verifier loads. This is a low-level process that determines whether the Java code is valid. A carefully crafted applet on a Web site or sent via HTML e-mail could bypass any security checks.

For more information about how Microsoft supports Java, see the Microsoft Virtual Machine index page. On that page, you’ll also find links to the current status of the legal wrangling between Sun and Microsoft over just which version of the Virtual Machine will ship with Microsoft products.

Applicability
According to the Microsoft Security bulletin, “all builds of the Microsoft Virtual Machine up to and including build 5.0.3809 are affected by these vulnerabilities.” The Microsoft Virtual Machine is likely to be found running on all versions of Windows starting with Windows 95. To determine whether your system has Microsoft Virtual Machine installed, open the command prompt and run the command jview.

If the Microsoft Virtual Machine is installed, the program will execute and present a list of options. The top line will also include the version number. For example, this might be 5.00.3161 on an early Windows XP installation.

The latest version of the Microsoft Virtual Machine is 5.0.3810. If you have that version installed—or you don’t have the Microsoft Virtual Machine installed at all—no action is required.
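To run the same check across many machines, the jview output collected from each host can be classified against the build numbers above. This is an added example, not part of the original article; the host names, the banner wording in the sample data and the function names are constructed for illustration.

```python
import re

# Build numbers as stated in the article: every build up to and including
# 5.0.3809 is affected, and 5.0.3810 is the fixed build.
FIXED_BUILD = (5, 0, 3810)

# Three dot-separated numbers that are not part of a longer dotted string.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_jview_build(output):
    """Return (major, minor, build) from the top line of jview output, else None."""
    lines = output.strip().splitlines()
    if not lines:
        return None
    match = VERSION_RE.search(lines[0])
    if match is None:
        return None
    # Compare as integers: the banner prints "5.00.3161" while the bulletin
    # writes "5.0.3809", and a plain string comparison would rank
    # "5.00.3161" above "5.0.3810".
    return tuple(int(part) for part in match.groups())


def assess(output):
    """Classify one host's captured jview output."""
    build = parse_jview_build(output)
    if build is None:
        # Empty output or a shell error message: no version on the top line.
        return "no-vm-detected"
    return "patched" if build >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Map each host name to its verdict."""
    return {host: assess(out) for host, out in sorted(inventory.items())}


# Constructed sample data: host names are hypothetical and the banner wording
# is an assumption; only the version numbers come from the article.
SAMPLE_INVENTORY = {
    "ws-xp-01": (
        "Microsoft (R) Command-line Loader for Java Version 5.00.3161\n"
        "Usage: JView [options] <classname> [arguments]\n"
    ),
    "ws-2k-07": "Microsoft (R) Command-line Loader for Java Version 5.00.3809\n",
    "ws-2k-12": "Microsoft (R) Command-line Loader for Java Version 5.00.3810\n",
    "srv-nt-03": (
        "'jview' is not recognized as an internal or external command,\n"
        "operable program or batch file.\n"
    ),
    "ws-98-02": "",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {verdict}")
```
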

Risk level–critical
Exploiting the hole in this piece of code can enable an attacker to run arbitrary code on the penetrated system.

Mitigating factors
As usual with this sort of threat, the attacker needs to entice a user to visit a particular Web site or open malicious HTML e-mail. Any system that has been configured so that HTML e-mail is opened in the Restricted Zone will be safe from this attack.

On a network, this attack will grant the same privileges as those held by the user who was attacked. Firewalls may provide protection against this attack vector.

Fix–Upgrade Virtual Machine
The new VM build, which Microsoft reports can be installed on Windows 98 and later systems, addresses all the issues discussed in the following Microsoft security bulletins:

* MS99-031
* MS99-045
* MS00-011
* MS00-059
* MS00-075
* MS00-081
* MS02-013
* MS02-052
* MS02-069

Microsoft doesn’t specifically say that you can’t install this new build on Windows 95 systems, so it may have been left out simply because the company no longer supports Windows 95.

Final word
Although users would have to be tricked into visiting a malicious Web site containing Java code designed to exploit this vulnerability, we all know that users can often be tricked into doing a lot of things, so this is a significant threat. I also have my doubts about just how many systems are properly configured to open malicious HTML e-mails in the Restricted Zone.

Examining Microsoft’s new licensing and upgrading policies 2011


Microsoft has reduced the confusing array of volume licensing options to only four programs:

* Open
* Select
* Enterprise Agreement
* Enterprise Subscription Agreement

And although many IT managers have expressed their discontent with the possibility of subscribing to licenses, this could actually be a good solution for scores of companies looking to ease the administration of their licensing and its associated costs. Here’s a closer look at Microsoft’s new licensing and how it will affect different organizations.

Open License agreements are great for small organizations
Only five licenses are needed to acquire an Open License agreement, which has two levels of pricing: Open Business and Open Volume. An Open License provides opportunities for growing companies to receive volume license pricing from Microsoft. The customer’s discount level is determined by the first purchase of licenses; the discount then lasts for two years.

How do Select Licenses and Enterprise Agreements work?
With Select License and Enterprise Agreement, a company agrees to purchase a certain number of perpetual licenses for a minimum of 250 desktops. For Select, as the company grows and meets the various level requirements, Microsoft automatically promotes the agreement to the improved pricing level that’s reached. Monthly reporting for Enterprise Agreements determines the need to true-up or add to the current license-in-use amount, the number of licenses added that month. If you have a layoff or a division is sold, you still have to pay for those seats.

The greatest benefit of these agreements is indisputably the CD subscription kit. This provides the customer with a predetermined set of Microsoft Software CDs, including evaluation software, that doesn’t require separate activation codes. Windows XP is included.

Many people have worried that Windows XP’s new activation key would be a disadvantage to the enterprise customer, but Rebecca LaBrunerie, Microsoft Program Manager Volume Licensing, said that corporate Volume License Product Keys will be provided to each Select and Enterprise Agreement customer, which will make product activation unnecessary for those customers.

How about an Enterprise Subscription Agreement?
While the Enterprise Subscription Agreement has received a great deal of negative press, I would like to point out some benefits of this type of licensing for some companies. A subscription agreement provides reduced up-front costs to the customer and benefits corporations who “expect significant fluctuation in the number of PCs in the organization over three years.”

A subscription customer has a commitment to lease software over a three-year period at a reduced cost. Subscription customers have the added advantage of the opportunity to true-down their licensing for a period when the number of desktops is lower or reduced for some reason, such as a division of the corporation being sold or phased out. Be sure to check with your tax adviser, since there may be tax savings in leasing vs. purchase plans.

Software Assurance = new upgrade licensing
Organizations who sign agreements have the opportunity to enroll each application license in a new program called Software Assurance. Software Assurance is the new SKU available to Microsoft’s volume license customers, replacing all of the confusing CUPS, PUPS, LUPS, and VUPS upgrade options previously offered with Upgrade Advantage.

That’s right, I said replacing. All other upgrade options in volume licensing will be gone, and only Software Assurance is to remain for the Open/Select/Enterprise 6.0 customer. Software Assurance gives the customer rights to the latest version of each software application. Customers with an agreement in place who purchase hardware with OEM Microsoft products are eligible to enroll these products in Software Assurance within 90 days of purchase. Microsoft still recommends using the OEM versions of software, as they have been customized by Microsoft and the manufacturer to work properly with that specific hardware.

This offers the greatest advantage for those who are migrating hardware systems as well as operating systems. With Software Assurance on your server OS, Select and Enterprise customers are entitled to the latest version, and Microsoft does not object to running the two in parallel during migration. “We realize that that’s exactly how today’s IT manager[s] run [their] business and that they don’t deploy all at the same time. They just want to know they have the rights to it and roll it out at their convenience. With an Enterprise Agreement, they always have access to the latest versions of the products,” said LaBrunerie.

“Today, the IT manager, whether he has 50 desktops, 500, or 5,000, doesn’t always know what underlying licenses he owns based upon what version upgrades he has purchased. Within the last three years, he may have bought three or four types of upgrades, and now he doesn’t really know what he owns. So we’ve eliminated that confusing option and simplified it, so that he knows he either has the license or he has software assurance.”

BackOffice licensing changes
If you previously purchased BackOffice client licenses, contemptuously cursing because you had to pay for expensive SQL Server client access licenses even though you don’t use SQL Server, you will be happy to note that Microsoft has remedied this. BackOffice client licenses have been replaced with Core Client Access Licenses (or Core CALs). Core CALs include the following clients:

* Exchange CAL
* Systems Management Server CAL
* Windows CAL
* SharePoint Portal Server CAL

SQL Server CALs are now a separate product.

Online licensing tracking
Microsoft now has an online site called eOpen to track licenses purchased through Open Licensing, and Volume Licensing Services to track licenses purchased through Select and Enterprise Agreements. This can further simplify management of your licensing by providing a central location for administrators to verify their current licensing situation and to always know exactly where they stand with respect to licensing of Microsoft products.

Existing Select and Enterprise customers
Select 5.0 and Enterprise 5.0 customers (who have an agreement in place prior to Oct. 1, 2001) still have the opportunity to enroll in Upgrade Assurance from Oct. 1, 2001, to July 31, 2002. The Upgrade Advantage Brief outlines this information. See Gartner’s report “Act now to cut Windows upgrade costs by up to one-half” for clarification on this change.

Other available agreements are specially tailored for academic organizations and government agencies. Additional details regarding Microsoft Volume Licensing Software Assurance can also be found at Microsoft’s Web site.

Cert kingdom members sound off on Microsoft’s new licensing program

A snowball’s chance
It comes as no surprise that the vast majority of the members who responded were upset about the new license-activation process created by Microsoft.

Cert kingdom member Nbdyfool says he doesn’t see how software piracy could be truly hurting Microsoft and its profits, as its chairman, Bill Gates, is one of the world’s five richest people. He also finds it hard to sympathize with Microsoft when it’s apparent that the company is doing so well.

Another member, TechBoy 606, says he will not be making the jump to Windows XP because of its limited installations. He remembers when software installations were done by floppy disk instead of CDs, and the floppies counted the number of installs made by each disk. TechBoy also says that his job requires a lot of time already, and he won’t do anything that will require more time by e-mailing or calling a company about issues with licensing.


Member Nick Clark asks why Microsoft didn’t ask its clients for their opinions about piracy prevention:
“With this becoming such a BIG problem for us to adhere to, why hasn’t Microsoft asked us what we thought about piracy prevention? I know for a fact there are some Cert kingdom members that have had good ideas in the past when asked for ideas to real world issues. Microsoft has to do the same! It appears to me that all the flak they’re getting will result in a lot of new UNIX/Linux admins out there.”

Is it time to turn your back on Microsoft?
While some Cert kingdom members expressed their views on the new licensing scheme, other members had opinions to share about alternatives to Microsoft products.

Cert kingdom member Cutplug believes that the new licensing program will move people away from Microsoft products and toward Linux as the new OS of choice, specifically Red Hat. He continues by saying that no one in their right mind would pay such a large amount of money without control over the product that they’re purchasing.

Member Raheesom says, “I KNOW Novell technology is better than MS, but Novell is no longer popular enough for the IT professional to take it seriously.” Raheesom says he will have to look for a Linux or UNIX alternative.

Finally, Cert kingdom member FrankArrow asks members to consider MacOS X. He says that the new Macintosh operating system is based on the FreeBSD UNIX kernel and doesn’t require any kind of registration. He further states that purchasing Macs over PCs would send a strong message to Microsoft: Don’t push us, because we have alternatives.

If you can’t join ‘em, work around ‘em
The discussion also focused on ways to get around Microsoft’s new licensing system.

Some members, such as Tetsu96, expressed an interest in cracking the license in Windows XP and Office XP. He believes that if Microsoft continues with their activation plan, hackers will have a field day finding ways around the license registration. Tetsu96 says that there are too many variables that would keep Internet registration from being practical for an average Windows user.

Cert kingdom member RobertR explained that there are already ways around the licensing scheme:
“[There are currently] several ways around the [Windows XP] online process. When registering the final version, you will be able to get a ‘code’ via the phone. Just use the same code when you reinstall. As for Office XP, the phone option exists and the code is reusable! Also, you can crash the install by saying no to the registration, reboot, then ‘unregister’ a certain dll, add a certain registry key, reboot, and, poof, it’s ‘registered’!”

Some Cert kingdom members, such as Brian Gray, expressed a concern with supporting users in business environments and home use. Brian explains that he carries a case of burned CDs with him wherever he goes in order to help him do his job in a “timely manner.” He says that he knows he isn’t the only IT professional who uses this method. He goes on to say that he isn’t a software pirate; he only wants to fix the problem quickly. He believes this won’t be possible if he’s waiting on the phone with a Microsoft representative, which will in turn cost his clients time and money.

Some will support XP no matter what
While a large majority of the Cert kingdom members who joined this debate stated that they don’t like Microsoft’s new licensing program, other members support Microsoft’s side of the argument.

A good example is Bergeo, who is a product demonstrator for Microsoft in Belgium. Bergeo explains that the product activation can occur in one of two ways: Internet or telephone. According to Bergeo, both are painless, often quick, and require no personal user information. Bergeo also explains how the hardware changes in a PC might cause a product to stop working:
“For people who often change hardware pieces in their PC, Office XP will refuse to start after five changes in the configuration. All you have to do is to call Microsoft and tell them to cancel the activation you’ve made before.”

Cert kingdom member Sdouglas thinks that the product activation feature is actually a clever idea. Sdouglas believes that using the activation feature will force users to be honest about their use of Windows or Office. Sdouglas also says that anyone who is complaining about the new licensing activation is most likely involved in pirating software.

Microsoft invades the business reporting services market

With the upcoming release of its new SQL Server database (code-named Yukon), Microsoft has decided to enter a market traditionally led by specialized business reporting software companies, such as Crystal Decisions and Actuate. Because the business reporting segment is still experiencing growth in an otherwise bleak software market, Microsoft obviously sees an opportunity to capitalize when its venerable SQL Server database product is released. Tentatively named SQL Server Reporting Services, Microsoft plans to develop this add-on feature to provide the database services capabilities needed to generate reports. Let’s take a look at how this new SQL Server add-on will possibly change this software market.

The importance of Microsoft SQL
End-user business reporting is extremely specialized. Business reporting software companies have to work closely with larger organizations to tailor the output for their customers’ individual requirements. This close relationship has blossomed over the years and developed into the multibillion-dollar business reporting services industry. A key part of that growth was Microsoft’s SQL Server software, which provided the engine for these custom reporting applications to operate.

By staying out of end-user reporting services, Microsoft created opportunities for other software companies to custom-tailor reporting packages for organizations looking to make sense of valuable database information. While many of these software companies continue to develop products in a cross-platform environment, Microsoft SQL is obviously an important part of their business strategy.

What does SQL Server Reporting Services mean for vendors?
First off, it is important to note that Microsoft has not indicated a desire to provide actual report generation with its SQL Server Reporting Services. It merely includes the hooks in the database server for report creation. Another third-party reporting engine will still have to handle the actual writing of the reports. Second, this service is still in a testing phase, so many details about what the add-on will include are still unknown. Also, with the traditionally long testing cycles for Microsoft products, it is difficult to say when the add-on will be available. Nonetheless, Microsoft’s impact will be significant in the once third-party-dominated field of reporting services.

The biggest question is how the relationships between the reporting services vendors and their customers will be changed now that Microsoft is providing the back-end computing for report generation. These vendors have worked with Microsoft SQL extensively in the past to ensure a smooth reporting infrastructure for their customers. With Microsoft entering the reporting services market, that relationship should become adversarial.

Fortunately, in the short term, the business reporting software vendors can count on few changes in their business model. The larger vendors develop their reporting software to work in more realistic, non-Microsoft SQL-only environments, so their cross-platform advantage will keep their customers from switching right away. For instance, Crystal Decisions’ new Crystal Enterprise 9 product release boasts of interoperability among various operating systems by explaining, “Different systems can be combined in one installation, allowing you to pick the best platform for each component. For example, large reports may be better run close to the database on a UNIX platform, and Web components may be managed more easily on a Windows platform.”

Pricing
One area of concern is future product pricing. Traditional Microsoft forays into established software businesses have made pricing difficult for those vendors that developed off the Microsoft SQL platform. Many future buyers of reporting services will be hard-pressed to justify the higher costs for third-party products when much of the database engine work has already been included with Microsoft’s new SQL Server version. In addition, upgrades could be put off until the SQL Server Reporting Services product is tested, causing vendors to adjust their prices further downward.

The future of business reporting software
Business reporting software makes sense out of the seemingly infinite amounts of data accumulated by organizations today. From end-user reports to sales-analysis tools, the software that drives this process is database software. In the past, Microsoft has enabled certain business reporting services companies to develop unfettered of its long reach and superior market position. When Yukon is finally released and the database reporting software that is proposed is fully tested, that all may change.
Tell us what you think
We would like to know your position on this topic. Some food-for-thought topics include:

* Will your current investment in existing business reporting products preclude you from making a switch to Microsoft’s proposed SQL Server Reporting Services?
* Will the multiserver environments that most third-party business reporting vendors operate out of make it difficult for Microsoft to completely take over this market?
* Do you foresee Microsoft eventually extending its SQL Server offerings to include report generation?

Microsoft and Novell release multiple patches

Microsoft Security Bulletin (MS01-034)
Regarding: “Malformed Word Document Could Enable Macro to Run Automatically”
Date Posted: June 21, 2001
Patch URL: Microsoft Word 2002
Patch URL: Microsoft Word 2000
Patch URL: Microsoft Word 97
Patch URL: Microsoft Word 2001 for Macintosh
Patch URL: Microsoft Word 98 for Macintosh

When a Word document is opened, it is automatically scanned for macros. Depending on the user’s security settings in Word 2000 and 2002, and always in Word 97, the user is allowed to choose whether to execute the macro. A vulnerability has been discovered that will allow some specially modified macros to execute regardless of the user’s choice or knowledge. If security patch MS01-028 has been applied, this patch is unnecessary.

Microsoft Security Bulletin (MS01-036)
Regarding: “Function Exposed via LDAP over SSL Could Enable Passwords to be Changed”
Date Posted: June 25, 2001
Patch URL: Windows 2000 Server and Advanced Server

If the LDAP server has been configured to allow LDAP over SSL connections and to allow users to change data attributes of directory principals, a vulnerability exists that would allow a domain user to change password attributes for any user, including the administrator. This could allow an attacker to change the password, denying service to that user and giving the attacker the privileges of the affected user.

Novell issues
Regarding: NDS 8, NDS Corporate Edition, NDS eDirectory, eDirectory 8.5, iChain, iChain 1.5
Date Posted: June 25, 2001

This patch fixes local repair options for the NDSRepair utility.

Regarding: NetWare 5.1, Novell Small Business Suite 5.1
Date Posted: June 25, 2001

This patch for Account Management for Win2K fixes a password synchronization problem.

Virus updates from Trend Micro
Virus/Worm: BAT_FORMATC.K
Posted: June 21, 2001
Risk: Low

Virus/Worm: PE_MARI.A
Posted: June 22, 2001
Risk: Low

Virus/Worm: TROJ_LEAVE.A
Posted: June 25, 2001
Risk: Low

Virus/Worm: TROJ_NEWSFLOOD.A
Posted: June 25, 2001
Risk: Low

Virus/Worm: TROJ_CHOKE.A
Posted: June 25, 2001
Risk: Low

Virus/Worm: TROJ_VAMP.A
Posted: June 25, 2001
Risk: Low

Exterminator brings you weekly updates on bug fixes, virus recovery, service release announcements, and security notices for Windows, Novell, Linux, and other systems.

Microsoft’s Passport e-wallet invites pickpockets

A newly discovered flaw in Microsoft’s Passport put another layer of tarnish on the company’s already heavily corroded security image. Microsoft was forced to temporarily shut down its Passport e-wallet service after being warned that hackers could pickpocket individual e-wallets.

Passport and e-wallet
Microsoft’s Passport service provides a centralized database to store and distribute confidential data and a way for users to be identified on the Web. Passport can make Web sites easier to use because you don’t have to keep identifying yourself to gain access to various services.

Of course, this convenience comes at the not-so-minor cost of giving Microsoft control over your personal data, which, because of the company’s spotty security record, is not something I would recommend.

The online shopping feature of Passport, known as e-wallet, is supposed to eliminate all that tedious data input when you place an order online. Microsoft’s promise is essentially this: “Give us your name, address, and credit card number, and we will send that information to merchants on request.” So far, more than 70 online merchants have signed up for Microsoft’s Express Purchase service.

Handing over your virtual wallet
Does it really take a highly paranoid security specialist like me to see that this might be a bad idea? Apparently, several million people out of the much larger Passport community have already signed up for this e-wallet service. According to Microsoft, those subscribers may have placed their personal data at risk due to a flaw that could allow a hacker to obtain the contents of their virtual wallet just by clicking on a link contained in a Hotmail e-mail account message.

Microsoft said that it immediately shut down the e-wallet service after learning of the problem and that Passport security has been enhanced. But that leaves open the question of whether any hacker took advantage of this flaw before a white-hat hacker discovered it and informed Microsoft.

Microsoft was quick to point out that this was an “isolated” problem (almost every individual security problem is) and that it patched the flaw immediately. The company also said that no e-wallet user’s credit card information was actually compromised. That may be true, but the cracker would probably leave no trace using this method, so I’m not certain just how Microsoft can know that no personal data was stolen.

Is even one of you surprised by this latest security breach at Microsoft? Did anyone not see this coming? The answer to both questions is probably a resounding “No.” For some time now, many IT professionals have been very cautious about Passport and downright obstinate about e-wallet.

The bottom line
Convincing people to trust Passport is vital to a number of upcoming Microsoft services in the .NET initiative. So if this recent Passport security flaw becomes widely known, it could be a much bigger PR problem for Microsoft than it appears to be on the surface. Indeed, Passport, which has recently been renamed .NET Passport, may be the crown jewel in the .NET crown.

Unfortunately, most average users will know little about this problem, and even fewer will realize that this is only one in a long string of Microsoft security problems. Anyone with any concerns about personal or business privacy and identity theft must place a great deal of trust in a company’s security policies before they give any confidential information to an online service that offers to serve as a gatekeeper for sensitive personal and financial information.

Microsoft must be hoping that average users won’t notice that there were about 100 Microsoft security bulletins in 2000 and that we are well on track to see another 60 or 70 by the end of this year. In addition to credit card information, Microsoft wants people to eventually store other confidential data, such as medical records, in Passport accounts.

Some people will even be foolish enough to provide debit card numbers, which, unlike credit cards, offer little or no fraud protection. While having your credit card stolen is annoying, it isn’t a big problem because credit card issuers limit the amount you can be forced to pay for fraudulent charges. But since debit cards offer direct access to your bank account, having that number stolen can be just like losing a checkbook full of signed, blank checks.

There is also some question as to whether you can continue to use Microsoft software and still avoid Passport. That’s going to become a major problem in the near future. If you haven’t yet installed a copy of XP, you may not realize that anyone running the new Microsoft operating system will be virtually forced to sign up for Passport.

Microsoft is making a big push to get everyone to use Passport as part of the impending .NET initiative, and in the years ahead, it will probably become increasingly difficult to use Microsoft programs if you don’t provide at least a minimum of information to Passport.

Build Your Skills: E-mail on demand with Microsoft Outlook Web Access

Would you like to provide your users with accessibility to your company’s e-mail system no matter where they are? With Microsoft Outlook Web Access for Exchange Server, they’ll never be more than a browser (with frames support) away from their Inbox. They can have secure access to their Inbox and calendar from any PC with Internet access in the world.
This article appears courtesy of TechRepublic’s TechProGuild, the subscription Web resource for IT administration and support professionals.
Outlook Web Access (OWA) became available with Microsoft Exchange version 5. Basically, OWA is intended to supplement Microsoft Outlook. It gives users remote access to many of the core components and functions of the client that they use in the office. Unfortunately, most administrators don’t know about it, so they don’t use its great features. In this Daily Drill Down, I’ll discuss how you can put these helpful features to work in your organization.



Outlook Web Access requirements
For your server, you’ll need the following components:

* Pentium 6/200 single processor
* 256 MB RAM
* Network connection to Microsoft Exchange Server
* Microsoft Windows NT operating system with Service Pack 4 (SP4) or later
* Microsoft Internet Information Server (IIS); Exchange Server 5.0 supports IIS 3.0 only, but Exchange Server 5.5 supports IIS 3.0 or later
* Active Server Pages (ASP), which are available on Microsoft Windows NT 4.0 Service Pack 3 CD-ROM
* Active Server components (which come with Exchange Server 5.0) or Outlook Web Access components (which come with Microsoft Exchange Server 5.5)
* Exchange Server 5.0 Service Pack 1 (SP1) or Microsoft Exchange Server 5.5 Service Pack 2 (SP2); SP1 and SP2 provide enhanced Outlook Web Access components

For your client, you’ll need an Internet browser that’s capable of displaying Active Server Pages. You’ll also need Internet Explorer 3.02 or later (or any third-party browser that’s capable of supporting frames).

Outlook Web Access recommendations
As with most of Microsoft’s server-based products, you ought to dedicate at least one server to providing the foundation that’s needed by Internet Information Server and Outlook Web Access Server components. Microsoft recommends that Outlook Web Access and Microsoft Exchange Server not be installed on the same machine. (Please note that Windows NT Challenge/Response (NTLM) authentication isn’t supported.) Microsoft also recommends that you use load balancing hardware or software in order to serve users better and to improve server response and availability.

The Microsoft Outlook Web Access server performs most of the processing for connected clients. The OWA Server also handles the entire load that’s required by active client connections. Supporting one client on the Outlook Web Access Server is similar to running one instance of Microsoft Outlook. Thus, to support the connections and requests, the Outlook Web Access Server must run many active MAPI sessions to the Microsoft Exchange Server. The overhead that’s created by the Internet browser running on the client computer is small, but the session that’s created by the client connection to the Outlook Web Access Server consumes many resources on that server. Keep this information in mind and plan the potential load on the Outlook Web Access Server accordingly.

When you plan any project, you must address scalability. To ensure that OWA maintains a semblance of scalability and to allow for organizational growth and changes, Outlook Web Access and Internet Information Server must reside on a dedicated server that’s separate from other Exchange Servers. As the number of clients increases, the load on the Outlook Web Access Server will increase, and you’ll need to add more servers. You can add more OWA Servers without affecting the existing Microsoft Exchange Server or the mailboxes in your organization.

When you need to add another Microsoft Outlook Web Access Server to your organization, load balancing makes the process much easier. Load balancing, which is available in hardware and software variations, allows multiple servers to process and handle requests that are intended for a single IP address. Load balancing has several benefits. First, users will need only one URL to access their e-mail accounts; the load balancing software or hardware will determine which Outlook Web Access Server handles the request. Another benefit is its continued availability. If a user makes a request and a member of a server load balancing team is down, the request will be directed to another server automatically. In some cases, load balancing software or hardware can distribute the load that’s placed on servers by noting which servers are busiest at the time of the request and then by directing the new request to a less burdened machine.

To satisfy general load-balancing requirements, Microsoft recommends that you use Windows Load Balancing Service (WLBS) as a load balancing software solution and Cisco’s LocalDirector as a load balancing hardware solution. WLBS supports up to 32 servers; LocalDirector supports up to 64,000. However, WLBS won’t work in OWA scenarios because WLBS uses round-robin DNS: When a request is made to a DNS server, the DNS server points the request to the next available member of the WLBS team. It doesn’t consider server load. Round-robin DNS works only with stateless ASP applications. Each user request is sent to the next server that’s a member of the WLBS team, but the new server interrupts the user’s ASP session. That means that users who try to access their e-mail via the OWA Server must log in every time they make another request.
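The following sketch is an added example, not part of the original article or any Microsoft code. It models the round-robin behaviour described above against a source-affinity policy, assuming each OWA front end keeps ASP session state only in its own memory; the class, function, host and user names are hypothetical.

```python
import itertools
import zlib


class OwaServer:
    """One OWA/IIS front end that keeps ASP session state in local memory."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}                 # session cookie -> logged-on user
        self._ids = itertools.count(1)

    def handle(self, user, cookie):
        """Serve one request; return (cookie, had_to_log_in)."""
        if self.sessions.get(cookie) == user:
            return cookie, False           # session known on this server
        # Cookie is missing or was issued by another team member:
        # the user is prompted again and a fresh local session is created.
        new_cookie = f"{self.name}-{next(self._ids)}"
        self.sessions[new_cookie] = user
        return new_cookie, True


def round_robin(servers):
    """Hand each request to the next team member, ignoring who sent it."""
    ring = itertools.cycle(servers)
    return lambda client_ip: next(ring)


def source_affinity(servers):
    """Pin every request from one client address to the same server."""
    return lambda client_ip: servers[zlib.crc32(client_ip.encode()) % len(servers)]


def count_logins(pick_server, client_ip, user, requests):
    """Count how many times one browser is forced to authenticate."""
    cookie, logins = None, 0
    for _ in range(requests):
        server = pick_server(client_ip)
        cookie, prompted = server.handle(user, cookie)
        logins += prompted
    return logins


def compare(requests=6, team_size=3):
    """Run the same request sequence under both distribution policies."""
    def team():
        return [OwaServer(f"owa{i}") for i in range(1, team_size + 1)]
    client, user = "192.0.2.10", "jdoe"    # constructed sample values
    return {
        "round_robin": count_logins(round_robin(team()), client, user, requests),
        "source_affinity": count_logins(source_affinity(team()), client, user, requests),
    }


if __name__ == "__main__":
    print(compare())
```
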

Functionality
With Microsoft Outlook Web Access for Exchange Server, access to a user’s e-mail account is no longer restricted to a particular operating system. As long as the browser being used supports frames, access to important information is possible. OWA provides a true cross-platform messaging and application collaboration system. OWA is a MAPI application that’s composed of binary, HTML, and ASP script files. The scripts use Collaborative Data Objects (CDO) to access mailbox and public folder information that’s stored on the Microsoft Exchange Server computer. OWA also uses Microsoft Active Server Pages on the Internet Information Server. JavaScript and Java controls, which are downloaded to the user’s Internet browser on demand, generate HTML pages.

Although the browser uses the downloaded JavaScript to perform some of the processing on the client computer, the Microsoft Outlook Web Access Server handles most of the processing that the Outlook Client usually completes. This server processing includes MAPI sessions, client logic, state information, address resolution, rendering, content conversion, and Remote Procedure Calls (RPC) communications with the Microsoft Exchange Server. The Exchange Server receives and completes requests that the Outlook Web Access Server makes. (These requests resemble requests from any MAPI client.)

The process
Here’s what happens when users open messages in their Microsoft Exchange Server Mailboxes using a browser with Outlook Web Access. First, a browser with the Outlook Web Access client sends a request to a Microsoft Internet Information Server and the OWA Server. This request includes a cookie that identifies the browser and the user. IIS accepts the request and hands it to Active Server Pages (ASP) for processing. ASP verifies that the cookie points to a valid ASP session and that the user making the request has logged on properly. Next, the Internet Services API (ISAPI) filter determines which language to use when displaying messages in the browser. Then, ASP opens the script that’s named in the URL and executes any server-side Microsoft Visual Basic script it contains. These scripts use CDO to open the message that’s in the user’s Microsoft Exchange Server Information Store. The message GUID is passed on within the query string of the URL. Next, the CDO rendering library (Cdohtml.dll) converts the requested message into HTML format, and IIS sends the HTML to the browser. Finally, the browser renders the HTML, including the embedded JavaScript.

Outlook Web Access security
You can configure Outlook Web Access to support one or more of several different types of authentication. As usual, there are advantages and disadvantages to many of these configuration options. The following configurations will authenticate OWA users:

* Anonymous
* Basic (clear text)
* Basic (clear text) over Secure Sockets Layer (SSL)
* Windows NT Challenge/Response (NTLM)

Anonymous authentication
If Outlook Web Access is set up to accept an anonymous connection, any user with access to the OWA Web page can use Outlook Web Access without specifying a Windows NT account name or password. When a user accesses OWA and makes an anonymous connection, Internet Information Server logs on the user with an anonymous (guest) account, which is a valid Windows NT user account. The default IIS user account is IUSR_computername. Be aware that anonymous authentication grants access only to resources that are anonymously published, such as public folders and directory content. Table A summarizes the advantages and disadvantages of using anonymous authentication.

Table A

Basic (clear text) authentication
When using basic (clear text) authentication, a user who tries to connect to OWA must supply a valid Windows NT account username and password. The user’s account and password are transmitted as clear text over the network to the Internet Information Server/Outlook Web Access Server. Validating users with basic (clear text) authentication gives them the ability to access an unlimited number of resources that are located on machines other than the Outlook Web Access Server. A user can access e-mail on one Microsoft Exchange Server and public folders on another Microsoft Exchange Server.

Since basic authentication transmits clear text passwords across the network, Microsoft recommends that you also use SSL. SSL encrypts all information that passes through IIS. Table B summarizes the advantages and disadvantages of using basic authentication.

Table B

Basic (clear text) over SSL
When using basic authentication over SSL, a user must specify a valid Windows NT user account name and password in order to access OWA. Usernames and passwords are transmitted as encrypted information over the network to the Internet Information Server/Outlook Web Access Server. Basic authentication over SSL allows users to access an unlimited number of resources, which may be located on machines other than the Outlook Web Access Server—just like basic (clear text) authentication does. Table C summarizes the advantages and disadvantages of using basic over SSL authentication.

Table C

Windows NT Challenge and Response (NTLM)
Windows NT Challenge and Response requires a user to specify a valid Windows NT user account name and password in order to access the OWA Server. The username and password are sent from the browser to the IIS as encrypted information. All information that the user wants to access must reside on the same server as IIS and the Outlook Web Access Server. Windows NT Challenge and Response authentication isn’t supported if IIS and the OWA Server are located on the same machine that contains Microsoft Exchange Server. Table D summarizes the advantages and disadvantages of using Windows NT Challenge and Response.

Table D
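To make the difference between the four authentication options above concrete, here is an added example (not from the original article) that classifies HTTP requests by their Authorization header and flags Basic credentials sent without SSL. The requests, host name, account and password are constructed sample data, and the function names are hypothetical.

```python
import base64
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    scheme: str              # Anonymous, Basic, NTLM or Unknown
    over_ssl: bool
    account: Optional[str]   # account named in the header, if any
    severity: str            # info, low or high
    detail: str


def parse_headers(raw: str) -> dict:
    """Return the request headers with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw: str, over_ssl: bool) -> Finding:
    """Identify the authentication type of one request and rate its exposure."""
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return Finding("Anonymous", over_ssl, None, "info",
                       "no credentials sent; IIS uses its guest account")
    scheme, _, blob = auth.partition(" ")
    try:
        data = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return Finding("Unknown", over_ssl, None, "info", "undecodable header")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: one decode yields
        # "account:password". The password is deliberately discarded here.
        account, sep, _password = data.decode("latin-1").partition(":")
        if not sep:
            return Finding("Unknown", over_ssl, None, "info", "malformed Basic value")
        if over_ssl:
            return Finding("Basic", True, account, "low",
                           "credentials protected in transit by SSL")
        return Finding("Basic", False, account, "high",
                       "credentials readable by anyone on the network path")
    if scheme.lower() == "ntlm" and len(data) >= 12 and data[:8] == b"NTLMSSP\x00":
        msg_type = struct.unpack_from("<I", data, 8)[0]   # little-endian type field
        return Finding("NTLM", over_ssl, None, "info",
                       f"challenge/response message type {msg_type}")
    return Finding("Unknown", over_ssl, None, "info", "unrecognized scheme")


def build_request(auth_value=None) -> str:
    """Build a constructed sample request for the fictional host below."""
    lines = ["GET /exchange/ HTTP/1.0", "Host: owa.example.test"]
    if auth_value:
        lines.append("Authorization: " + auth_value)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample values; none of them come from a real system.
BASIC = "Basic " + base64.b64encode(b"EXAMPLE\\jdoe:Sample-Passw0rd").decode()
NTLM = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00000207)).decode()

SAMPLE_REQUESTS = [            # (raw request, arrived over SSL?)
    (build_request(), False),
    (build_request(BASIC), False),
    (build_request(BASIC), True),
    (build_request(NTLM), False),
]


def audit(requests):
    return [classify(raw, over_ssl) for raw, over_ssl in requests]


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f.severity:5} {f.scheme:9} ssl={f.over_ssl} {f.account or '-'}: {f.detail}")
```
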

Multiple users
If multiple users are going to share the same computer and use it to access e-mail via OWA, Microsoft recommends that you disable local caching. Doing so lessens the chances that a message a user accessed via Outlook Web Access still resides on the local disk, where the wrong user could access it. Microsoft also recommends that you disable the Save Password option in Internet Explorer in order to lower the chances that a nosy user will access another person’s e-mail account.

Outlook Web Access installation
Below, I’ve provided a step-by-step guide that will explain how to install Microsoft Outlook Web Access. The test machine is a Windows NT 4.0 Server with Windows NT Service Pack 6a, Internet Information Server 4.0, and Active Server Pages installed.

1. Insert the Microsoft Exchange 5.5 CD-ROM into the machine on which you plan to install Outlook Web Access.
2. In the Setup Selection window, select Set Up Server And Components.
3. In the Choose And Install window, select Microsoft Exchange Server 5.5.
4. Accept the End User License Agreement.
5. In the Exchange Server Setup box, select Complete/Custom.
6. Make sure that the Outlook Web Access option is the only one that’s checked and click Continue. If you haven’t installed IIS 4.0 and/or Active Server Pages yet, you’ll be notified via a pop-up screen. (Setup won’t continue. You’ll have to stop setup and install the missing component(s).) Then, start these steps over. Please note that IIS 4.0, which can be found in the Windows NT 4 Option Pack, requires Internet Explorer 4.01 or later.
7. Exchange Server Setup begins and explains that it will stop the Internet Information Server Service.
8. Microsoft Exchange Server Setup prompts you for the name of the Microsoft Exchange Server to which the Outlook Web Access Server will connect.
9. Files are copied to the local computer. Services that OWA needs are stopped and started, and Outlook Web Access is installed.
10. Upon completion, a pop-up window appears and lets you know if all is well.
11. You’re finished.
12. To test your setup, open your browser, type the name of the computer that’s running Outlook Web Access in the address line, and press [Enter]. (The address probably will be something like https://computername/exchange.)
13. You’ll be prompted for your username and password. You may need to include your domain name, too (such as domainname\username). Don’t check Save This Password, since that would allow anyone to access your mailbox from your computer.
14. You’ll be welcomed to your Inbox.
15. After successfully reading and sending some e-mail messages, remember to log off and close your browser. That way, you can be certain that no unauthorized users will view your mail.

Conclusion
Microsoft’s Outlook Web Access provides a quick and easy method of increasing the accessibility of your company’s e-mail system. Configuring OWA properly gives you a solid and secure method of remotely accessing e-mail. Of course, you must consider the variables when you’re implementing OWA. All Microsoft installations will be unique to your organization, so you should customize OWA accordingly. For more information on tuning and enhancing the performance of IIS and ASP, please point your browser here.

Ten links to help you understand Microsoft’s management shuffle

Microsoft Corp. Chairman Bill Gates has announced he is moving aside to let company president Steve Ballmer take the reins as the company’s chief operating officer. Gates, who will remain chairman, now has the title of chief software architect.

The announcement came amid reports that lawyers prosecuting the government’s case against Microsoft are pushing to split the company into two or three separate companies. However, company officials say yesterday’s change was planned long before Microsoft’s legal troubles.

How is the announcement being interpreted, and what will the change mean for Microsoft? Here are 10 links that explain yesterday’s news.


* The New York Times gives a thorough overview of yesterday’s announcement. Included is an analysis of Microsoft’s struggles with Internet competitors. The Times also has an article that quotes Ballmer as saying that the breakup of Microsoft into smaller companies would be “reckless.”
* The Washington Post ran a profile of Ballmer this morning that quotes one Microsoft official as calling him “Microsoft’s ‘heart and soul.’”
* MSNBC, which is partially owned by Microsoft, has a lengthy story on Ballmer that includes a “Ballmer-Gates Partnership” timeline.
* If you have a multimedia player, you can listen to a report on National Public Radio’s All Things Considered that includes comments by Ballmer on the breakup.
* Some of the most comprehensive coverage of the announcement has come from CNET, which includes an analysis of Gates’ continuing role in Microsoft as well as Microsoft’s move to Internet-based software.
* A story in the Financial Times focuses on the challenges that Gates will face as the company’s “software architect” in a changing software environment.
* You can also check out a press release on the announcement from Microsoft that includes numbers for the media and investor relations.
* And while it’s not a free site, if you subscribe or have a trial subscription to The Wall Street Journal Interactive Edition, you can check out a thorough analysis of yesterday’s announcement.

What do you think about Steve Ballmer taking on the day-to-day working of Microsoft? What changes do you think are in store for Microsoft? How will this affect consumers? Post a comment below.

Microsoft discloses some IE 7 plans

Microsoft on Thursday divulged a few more details about its upcoming Internet Explorer 7, and admitted that its implementation of tabs — one of the most-requested new features — will be just “catch-up” to rivals such as Firefox and Opera.
Tony Schreiner, a Microsoft developer with the IE team, posted the lengthiest description yet of how tabs will be implemented in the upcoming IE 7 to the Redmond, Wash.-based company’s blog.


The browser is expected to roll into beta sometime this summer.

“Our philosophy for tabbed browsing is to keep the user in control of the experience,” claimed Schreiner at the start of the blog. He then went into detail on some of the tab features IE 7 will sport.

Tabs will be turned on by default, Schreiner confirmed. In some situations, windows will continue to open in new, separate frames rather than in a new tab, but ordinary pop-ups will open in a new foreground tab.

“This seems to correlate with scenarios where showing a window on top of the current window is desirable, such as replying to posts on message boards and getting a close-up view of items on shopping sites,” said Schreiner.

Users will be able to open links in a new tab by middle-clicking on a three-button mouse, or Ctrl-clicking links. Keyboard shortcuts will be available for switching between tabs — Firefox, for instance, uses Ctrl-Tab — and users will be allowed to open tabs in the background or foreground, or open them in a new window.

At the moment, the plan is for each tab to operate on its own thread, as will each frame. Schreiner admitted that this would boost the memory footprint of IE, but argued that it would allow the browser to “feel faster and provide an overall better user experience.”

One of the more surprising lines in the blog, however, is an admission that IE is behind the times, something many users — and all Firefox proponents — have been saying for months.

“This core functionality is largely catch-up to other browsers which support tabs,” said Schreiner. “[But it’s] a necessary foundation for future work.”

Schreiner wouldn’t spill the beans on every aspect of tabs in IE 7. When blog readers posted queries about such features as moving tabs (to better arrange the tab lineup) and asked how tabs would look, Schreiner deflected the questions. “The UI and configurability are something we can’t really talk about right now,” he said. “[But] there will probably be another blog post about this closer to or shortly after Beta 1 release.”

FreeNAS for beginners: What it can and cannot do

In my post on free software titles that can be used to make money in consulting, one product that came up from TechRepublic members in this discussion (and others) is FreeNAS. FreeNAS is a software storage operating system based on FreeBSD that supports all of the major storage networking protocols. Right there is the big difference between it and some of the other products; FreeNAS is focused on storage networking protocols. This includes, but is not limited to, Common Internet File System (CIFS) as is used for Windows networking, FTP, NFS and iSCSI.

FreeNAS is very flexible, as it can be installed on direct hardware or within a virtual machine. Be sure to check Donovan Colbert’s tip on how to configure it as a VirtualBox virtual machine for a synchronization service. This is just the nature of FreeNAS: it can handle a lot of different protocols and use cases for storage networking. As the name implies, it is free, and that is a good thing. In fact, features such as replication, deduplication, and other smart functionality that drive these solutions add incredible value for the customer seeking free storage software.


FreeNAS isn’t new either. In fact, I’m three years late in introducing FreeNAS here, as Justin Fielding did just that in 2007 on this very blog.

The biggest area in which FreeNAS can’t help free software seekers is fibre channel storage management. While block storage is available via the iSCSI initiator and target functionality, the name is FreeNAS, not FreeSAN.

Today, FreeNAS has a number of options available for easy-to-run use. This includes flash or embedded types of installs for USB sticks, small hard drives, and virtual machine appliances. To be fair, the free storage appliances such as FreeNAS and others like it are not on my priority list. The VMware Compatibility Guide dictates what products are on the supported configuration list for my virtualization platform of choice. For FreeNAS, the storage protocol is iSCSI and, like other products, iSCSI for VMware virtualization may work with products not on the support lists. However, this is not an area you want to rely on for a production workload, unless it is an acceptable risk. Mark it a call to diligence to trade off the costs of a supported solution with the free package that works for you.

See the companion gallery, “Configuring FreeNAS for CIFS storage connectivity.”

What is your opinion of FreeNAS? Share your comments below and tell me what you’d like to see covered.