Those inclined to see numerological conspiracy every time the number 13 pops up will want to take a deep breath before pondering Microsoft’s release of 13 security bulletins for this Patch Tuesday, which just happened to fall on 10/13/2009. As for myself, I’m always reminded of the superstitions surrounding Friday the 13th, and the famous line from Walt Kelly’s Pogo comic strip — namely, “Friday the 13th done come on a Tuesday” (at least, in this case). Superstition to the side, there’s a lot of important stuff in this set of security bulletins.
You can find several interesting overviews from Microsoft and others on this latest batch of security updates online:
- Microsoft Security Bulletin Summary for October 2009
- Shavlik Security Center Blog: “October Patch Tuesday Overview”
- iTWire “October Patch Tuesday is biggest ever”
Here’s the 10,000-foot view/breathless summary: 13 bulletins, 8 critical (remote code execution) and 5 important, 23 vulnerabilities, and the first-ever security bulletins that involve Windows 7 and Windows Server 2008 R2. There’s a long-awaited fix to SMB issues (MS09-050), a fix to GDI+ (MS09-062), and a cumulative update for IE (MS09-054). You’ll also find a couple of bulletins that address issues related to the Windows Media Runtime and Windows Media Player (MS09-051 and MS09-052, respectively). Active Template Library security issues surface again, with lots of ActiveX killbits stuff in MS09-055, and for ATL ActiveX controls in MS Office in MS09-060. Other items address .NET and Silverlight (MS09-061), the Windows Indexing Service (MS09-057), the Windows Kernel (MS09-058, but requires hands-on system access to exploit), CryptoAPI (MS09-056), and the LSASS (MS09-059). Finally, there are fixes for the IIS FTP service in MS09-053.
OK, admins: get ready to roll up your sleeves and start pushing patches. There’s some important stuff here, so you’re going to have to figure out what affects your environment, do some testing, and start deploying!
Microsoft Enterprise Desktop Virtualization (MED-V 1.0) is software that uses Microsoft Virtual PC to provide an enterprise toolset for desktop virtualization. It lets admins create, deliver, and manage Virtual PC images on Windows desktop PCs, and is a key component of the Microsoft Desktop Optimization Pack (MDOP) that’s routinely delivered to Microsoft Software Assurance customers. The final version of this guide went live on October 8, 2009, and you can now download this Operations Guide from the Microsoft Download Center.
The file in question is an 855 KB Word .doc file named MED-V1.0.Guide.doc, and is 83 pages long. It provides an overview of MED-V, including a high-level architecture description and an overview of virtual images based on MS Virtual PC. You also get information on installing the MED-V server, configuring the server itself and stocking it with images, installing and working with the MED-V client software, and working in the client/server MED-V environment. There’s also deployment information, tips on how to add and manage published applications, create and manage workspace images, manage MED-V settings, and more.
If you’re curious about how this environment works and what it can do, you can skim this document in under an hour and come away with an excellent understanding of what’s required, what’s involved, and how to work with this tool. For those interested in MS-based virtualization, or already considering MDOP, it’s a no-brainer. For the curious, it could also be a rewarding read.
I’ve been trolling the various blogs, the download site, and the news lately to keep up as the final pieces fall into place for the long-anticipated general availability date for Windows 7 on Thursday, October 22 (just a little under two weeks away as I write this blog). I’m seeing evidence of some real progress being made, but I also find myself wondering how close MS will go to the wire on providing some final last-minute materials.
Take the Windows 7 Upgrade Advisor as an example. MS updated that tool on September 17, but they haven’t released the final production version yet. I’m wondering how much change there’ll be from the current beta to that version, if any at all. I’m also wondering how long they’re going to wait to make this transition. I’d made a bet with myself that this would occur two weeks prior to GA (yesterday, in other words) but alas I’ve lost that bet as this morning’s check turns up no new versions in the MS Download Center.
The Windows 7 Logo Program finally became publicly visible at the end of September — see Mark Relph’s blog on that subject dated 9/30/2006 — and starts out with pretty good critical mass with over 6000 products that can bear this logo:
But there’s still precious little information publicly available about exactly which hardware items bear this logo, nor can I find anything about logo’d items at winqual.microsoft.com just yet. I guess this will be another piece that falls into place sometime between today and October 22.
The final, final release of Windows XP Mode won’t occur until that day, as Brandon Leblanc posted on 10/1/09 to inform readers about when it would appear for general access in the Microsoft Download Center. Perhaps this is a harbinger of what’s ahead: dead calm for the next little while, then everything hits the ‘net on 10/22. No wonder Microsoft uses Akamai to help it with downloads — despite their many data centers and formidable infrastructure, there’s no way one company can handle the millions of downloads that will begin on October 22.
Stay tuned. You can be sure more is coming, if only on (or not until) “GA Day!”
All the way back on June 29, Ed Bott at ZDNet compiled a table of features that appear only in Windows 7 Professional and Ultimate (and by extension, in Enterprise as well). Since early August, a lot of us have been installing the RTM version like mad and have learned more about which of those features really matter. Here’s my own short list of same, that enterprise admins may want to consider, especially when pondering which OS to order, install, or allow on traveling notebooks — especially for those “gray area” machines that might be described as “purchased by the end user primarily for personal use, but upon which they may occasionally do real work, including e-mail and possible remote access.”
Pay attention: it’s the remote access that turns out to make many of the most important differences.
Of the 14 features only available on either (or all) of these higher-end Windows 7 versions, my experience has been that the following items are most likely to make a real difference, either to the users who work on such machines, or the IT professionals who must occasionally (or regularly) do likewise:
- Encrypting file system: matters for those organizations or users too cheap to spring for an add-on encryption product (also addresses the final BitLocker item at the end of this list, in most cases). Some kind of encryption is absolutely essential on any machine upon which sensitive, confidential, or potentially “compliance-busting” data (HIPAA, SoX, PCI, and so forth) will reside.
- Windows XP mode: matters when users will want to run legacy applications that won’t work on Windows 7, but do work on Windows XP. Of obvious relevance when organizations use legacy apps that users may want to run on their machines for work purposes.
- Backup to network: Doesn’t sound like a big convenience, but beats the pants off having to provide and/or manage plug-in external USB drives when big storage or backup servers are readily available.
- Offline files: new improvements to this capability which manages synchronization between local and network copies of files, especially those that support policies about which ones sync and which ones don’t, may be appealing or convenient for IT professionals (but probably not to end users).
- Join Windows Domain: Absolutely, positively essential for most corporate or organizational networks. If users want to get any work done on the business network, they must first log in. If they can’t interact with AD, no dice.
- Remote Desktop Host: A huge convenience for IT professionals who might need to poke around on, or manage end-user machines remotely. Unless your help desk/IT staff have some kind of analogous third-party toolset (GoToMyPC, Remote Control Pro, numerous versions of VNC, and so on; see this list at Wikipedia for more candidates) this could be pretty important.
- AppLocker: requires Group Policy support (and hence by extension, AD/Windows Domain support). In the unlikely (but conceivable) event that you want to control which apps an end-user can run on a personal, quasi-business machine, this is an invaluable tool. I don’t see this happening on most end-user machines, however, because of the intrusiveness factor. But if security or official policy mandates such control before machines are allowed on internal networks, it might still happen anyway. In that case, this can indeed be a useful feature.
- BitLocker drive encryption: Basic, built-in “whole drive” encryption. Same observation as for EFS earlier: if the company (or user) is too cheap to spring for commercial 3rd-party add-ons, this could prove a must-have. Otherwise, not.
In my own personal experience of late, RDC (that is, Remote Desktop Host) and Windows XP Mode have proved to be the biggest inducements for me to install and run Windows 7 Professional on production or test machines. RDC because it lets me jump over the network to do stuff on such machines; and Windows XP Mode not just because of its legacy app and dll support, but also because it provides a quick, easy way to let PCs run custom-built virtual machines configured just the way I want ’em. And BTW, backup to network is really, really handy if your network includes any kind of Windows server with sufficient storage space for backups.
One of the big bugaboos of Windows 7 is its inability to directly upgrade systems from XP to Windows 7. Considering that 80% of business users who run Windows are still running Windows XP (source: Gartner Small Business Outlook for 2009) this is bound to irk IT professionals and end-users alike. In his 9/29 blog for ZDNet entitled “Can you upgrade an old XP PC to Windows 7? Should you?”, Ed Bott tackles this problem head-on. As usual, he unearths a few gems along the way.
He took a 2005 Sony VAIO VGN-TX651P as his subject machine (1.2 GHz Pentium M, 1 GB RAM, 60 GB HD, Intel 915 graphics chipset) and tried several approaches to performing the upgrade, all of which began with a clean (custom) install because the installer supports no direct upgrade path from XP to Windows 7. Here’s a quick summary of the two approaches he took:
- Use Windows Easy Transfer to grab preferences, settings, and user files and store them on an external drive, then perform a clean install, restore the Easy Transfer files and settings, then reinstall applications.
- Use Laplink PCmover to migrate everything from XP that still runs under Windows 7. It’s similar to Easy Transfer in that you must install PCmover, run an Upgrade Assistant on XP, perform a clean install of Windows 7 on that machine, restart, then run PCmover’s Upgrade Assistant on Windows 7. It’s actually smart enough to go into the Windows.old directory, grab program and data files, and add necessary registry edits for each program it migrates.
Bott also notes that it’s possible to do a direct upgrade from XP to Vista, and from Vista to Windows 7, but he chose to use a cheap-o version of Windows 7 Home Premium for his final resting point, and the Sony box came with XP Professional installed, so a two-step process wouldn’t work anyway (you can’t get from Professional to Home Premium, because it’s not a valid upgrade path).
During the various processes, which took 4 hours or more to complete, he observed that Windows 7 did a good to great job of recognizing hardware and installing drivers (this squares nicely with my own recent Windows 7 install experience on a handful of netbooks, plus half a dozen each notebooks and desktop PCs). We have both run into issues with proper recognition of memory card readers, and have both taken advantage of our ability to find drivers on vendor Websites to remedy such defects. We’ve also both observed the value and power of cleaning up the old environment (deleting old files, reducing the size of volume shadow stores, cleaning out old restore points, uninstalling unused or unwanted applications, and so forth) before installing the new OS. Fanatic that I am, I also usually run an industrial-grade defrag (I use PerfectDisk and recommend it highly) on the old OS image before starting the clean install on that hard disk. And for extra protection, I usually also make an image backup of the old version just in case something goes wrong during the install process. Windows 7 install hasn’t bitten me yet, but who’s to say it can’t happen?
Bott also reports that Laplink was able to migrate most applications, but ran into some issues with Windows Live programs (which needed to be reinstalled) and hit a snag with an Adobe activation code for InDesign3 (I was able to migrate Adobe Premiere without any issues, but I came from Vista, not XP during that particular transition). He also rightly dings PCmover for installing the Ask toolbar and changing the home page and default search provider, where the former is disguised as a EULA and the latter is done by default. Given prior warning, most users will choose to avoid such things, and Laplink falls short in providing same, according to what he reports. Shame on them!
Other than some minor gotchas, and the aforementioned sneakware attack, Laplink does make it much easier to migrate from XP to Windows 7 and also shaves at least an hour off the total time required. The company plans to charge $30 for a Windows 7 only version of PCmover and, according to Bott, will offer that program for a mere $15 between October 1 and October 22 (the latter is the Windows 7 GA date) directly from their Website. It is indeed a heck of a deal, and will cheerfully permit users to migrate from XP or Vista versions to Windows 7 versions that Microsoft doesn’t itself permit or support.
Yesterday (September 29, 2009) MS released its latest free anti-malware service to provide basic protection against viruses, spyware, and other malware. There’s a home page for this technology at www.microsoft.com/security_essentials/ from whence you can download this software for 32- and 64-bit versions of Windows including Windows XP, Windows Vista, and Windows 7. Is there a catch to this largesse? You bet, but it’s neither onerous nor surprising: you can only install and use this software if your Windows installation meets the “genuine Windows” test (which requires downloading an ActiveX authenticity checker, then passing its tests). Minimum system requirements are described in detail as well, and from what I see there, nobody who can run one of the OSes it supports should be unable to run this toolset, either. It even supports Windows XP Mode within Windows 7, which should make it a pretty popular anti-malware solution for those who need protection for their Windows VMs.
I downloaded and installed this software on one of my netbook PCs, and observed some interesting things along the way. First, even though MS says you can access and download the software using either Firefox or IE, I was only able to get the download to work using IE (it looked like some kind of Silverlight-based download pop-up window which IE let me manipulate quite happily, but which Firefox couldn’t do much with). Second, I observed some astounding download transfer rates while grabbing this file: I averaged nearly 1.5 MBps (that’s 12 Mbps) throughout the download, and saw a peak of 2.44 MBps (that’s around 20 Mbps). MS is obviously running some fast, powerful server farms these days, and probably using some fancy download compression tools, to produce these kinds of results — especially the day after a major product announcement like this one.
I’m going to be trying out Security Essentials and reporting as I go on my various test machines and adventures. Check out some of these early or pre-reviews for some interesting information so far:
- Neil Rubenking has posted a review of Microsoft Security Essentials 1.0 at PCMag.com. He rates it with “Average malware removal” and “One-Dimensional Malware Blocking,” for a modest ho-hum evaluation.
- Nick Mediati described this software for PC World in a pre-release news story entitled “Microsoft Security Essentials Launches Tuesday.” His 6/23/09 review chronicles the beta version in some detail.
- John Leyden at the UK-based Channel Register also reviewed the beta version on 6/24/09 in a story entitled “.MS no-frills security scanner gets thumbs up in early tests”
As more reviews appear on this product I’ll provide pointers. Some time soon, I’ll come back to this software to talk about my own observations and experiences. Stay tuned.
OK, take note: the posting date for this blog is 9/25/2009. Now, take a look at this picture:
As I was poking around on TechNet looking for refreshed content related to Windows 7 (whose GA date is now less than a month in the offing) I stumbled across this Windows 7: Deployment item. I don’t want to intimate that Microsoft is misrepresenting anything here, nor can I imagine they’ve mastered time travel among their many patented and proprietary technologies. Instead, I have to speculate that somebody, somewhere goofed somehow and the wrong date field got supplied for this material (and all I can really say for sure is that it’s here on the TechNet site as I’m looking at it on September 25th).
Enough with the humor, already. What you’ll find in this Library element is a roadmap to all kinds of Windows 7 deployment tools and information. Major headings include Application Compatibility, Upgrade and Migration, and Desktop Deployment, with minor headings for the User State Migration Tool 4.0 and the latest version of the Windows Automated Installation Kit (WAIK for Windows 7).
Despite the gaffe on the date, there are some good pointers in here. You’ll probably want to have your laugh, then dig into the various materials linked here. Laugh first, enjoy next!
[Added later on 9/25/09] My latest TechNet Flash just popped into my inbox, and sure enough, Windows 7 is at the top of its coverage. Check out this snippet from that newsletter (it will eventually show up as Volume 11, Issue 21 on the TechNet Flash page, but it’s not there yet: they seem to hang two newsletters behind online).
In poking around the MS Download Center, I observed that Microsoft posted a new, but still-beta version of the Windows 7 Upgrade Advisor (9/17/2009). Having run it on a couple of desktops and another pair of notebooks, I don’t see any obvious or even visible differences or changes to this program vis-a-vis the version that appeared in the download center on or about June 15. Given that we now have less than a month to go to reach the Windows 7 GA (general availability) date on 10/22/2009, I’m curious to know when this tool will change from beta to released status.
Drat! I’d kind of hoped that would happen yesterday or today. I’ll keep an eye on this, and let you know when that status changes. In the meantime, this tool does the job reasonably well. You can also visit my “guided tour” of the previous version dated 6/22/2009. Because this tool shows no obvious or apparent changes, it should still give you a pretty good idea of what this latest version of the Windows 7 Upgrade Advisor can do, and how it works!
“Back to school” just got some added impetus from Microsoft: for a limited time, students at accredited institutions of higher learning (college or university) can purchase one full-blown copy of either Windows 7 Home Premium or Windows 7 Professional for $29.99. The trade-off appears to be domain support (some schools require or support it, others don’t: the former group needs Professional, while the latter can use Home Premium). The deal is good only until January 3, 2010, and obviously aims at students currently enrolled for the fall semester at a qualifying institution (the Spring 2010 semester generally won’t start until later in January).
The offer is explained on what looks like a pretty slick Silverlight based site at www.win741.com (to cut to the chase, unless you like watching lots of attractive, music driven one-minute videos, click on the BUY block). The 741 in the domain name should probably be understood to mean “one copy of Windows 7 for students” and is a pretty slick bit of text compression. The official offer is presented on a Digital River web page, and uses a domain check on a college/university e-mail address to check eligibility.
Gosh! Nobody’s likely to see a price tag like this on Windows 7 again any time soon. If you’re in school, or know somebody who is, it may be worth looking into and exercising this offer. It’s not only almost too good to be true, it’s also too good to pass up.
As I’m slowly but surely upgrading all of my PCs to Windows 7 — I’ll keep a few dual-boot notebooks with Vista, and netbooks with XP, just for testing and checking on older OSes — I’m encountering interesting things on my systems right and left. In a recent blog on ViztaView.com, I recount how a bungled BIOS flash cost me the use of my machine during a one-month period when I had to wait for a replacement BIOS chip to show up in the mail. It seems that the Asus BIOS protection capabilities for the P5K motherboard are not resilient enough to withstand a completely mangled BIOS, though they are pretty good at dealing with bad settings and suchlike.
With the return of that machine to activity, thanks to a quick replacement of the bad BIOS chip with a good one, that PC roared back into life. But alas, something then caused its built-in Atheros GbE interface to go on the fritz. While I was able to bring the machine back up and begin using it, I quickly realized that although the on-board NIC appeared to be working to some extent (to the point where lights were blinking, both BIOS and Device Manager were able to recognize the interface, inbound and outbound network activity could even be registered in the IP stack, and commands like PING LOOPBACK or PING <own-IP-address> appeared to be working) the machine had become unable to access the network. To make things interesting, DHCP simply wouldn’t work, though I could manually assign a working IP address and get enough of a configuration working that I became sure the problem did not lie in the IP stack software itself.
After about two-and-a-half hours of sometimes calm and deliberate, sometimes hot and heavy troubleshooting that included OS repair, uninstall/reinstall of the Atheros drivers, disabling of the firewall and other security software, replacement of DHCP auto-configuration for TCP/IP with manual settings, and a romp through my D-Link DIR-655 combo router/WAP/gateway device interface, I came to the conclusion that for whatever reason, the network interface simply wasn’t working. I was able to confirm this an hour or two later, when one of my partners showed up with an AirLink101 Wireless USB adapter (802.11b/g/n, which I’m using with a D-Link DWL2100AP 802.11g WAP).
For this device, Plug’n’Play worked just like it’s supposed to: in under a minute I had a working network connection. I just wish I hadn’t loaned out all three of my wireless USB devices because I could’ve solved the problem much more quickly if I’d had one around to try the old network troubleshooting practice best epitomized as “if the obvious path doesn’t work, try a known good working alternative path.” The AirLink will keep that machine working until I have time to head down to Fry’s to pick a PCI or PCI-e GbE interface for my test machine, which should boost my networking speed noticeably, and should cost me no more than $20-22 (here’s a NIC from TRENDnet that costs a whopping $10).
Next, I’m going to migrate my current production install from my Gigabyte P35T-DQ6 mobo build into a new case, replace that mobo with an Asus P5Q3, substitute a 128 GB SSD for my mirrored 500 GB Samsung drives, and consolidate a bunch of smaller data and archival drives into a single 1 TB Samsung SpinPoint drive. But first, I’ll have to move my working files and applications onto the now-operational test machine so I can keep working while the switch is in process. Who knows what other moles to whack I’ll find along that way? Stay tuned, and I’ll let you know!