Saturday, February 27, 2010

Windows 7 RC warnings - time is up

Less than two days and counting until things start getting ugly for those still running the Windows 7 RC. I just spent the day doing a fresh install of Windows 7, so I am in the clear now. Just so you know, if you are seeing the following, you are still on the RC:



So take the time to get your legit copy of Windows 7 and do a clean install!
- Ed

Thursday, February 25, 2010

How the Microsoft MVP program uses the three elements of motivation from Drive

I've been pondering the key areas of Daniel Pink's newest book, Drive: The Surprising Truth About What Motivates Us, and I think Microsoft has indirectly stumbled upon the three key elements of true motivation as defined in Daniel's book, which are autonomy, mastery, and purpose. For those who are skeptical, hold on and see if I might be onto something.

One of the key principles of the Microsoft MVP program is that the award is given to independent experts who are actively involved in the community; you can see more about the program here. Microsoft is leveraging, via the MVP award, those who are independent from Microsoft yet give back in both time and energy to make Microsoft products and technology better. Microsoft MVPs experience the ultimate in autonomy: they don't work for Microsoft and are therefore free to say and express what they want about Microsoft's products and technologies, with a few NDA exceptions. By expressing their appreciation of these individuals, Microsoft is tapping into one of the key motivations that drives many Microsoft MVPs: autonomy in what they say, combined with third-party validation of the quality of what they are saying. In other words, what Microsoft MVPs have to say is worth listening to.

To quote a portion of the Microsoft MVP site: "MVPs make exceptional contributions to technical communities, sharing their passion, knowledge, and know-how." Many within the IT Professional and Developer community consider Microsoft MVPs to be experts within their respective fields. Microsoft naturally is awarding those they think are at the top of their game, but I believe the Microsoft MVP award pushes those who have been awarded to meet an even higher standard. Indirectly, Microsoft nurtures the motivation of mastery within its MVP community, which makes the program even better. After returning from the Microsoft MVP Summit I can honestly say I am motivated to work harder and do more; I'm always impressed by the caliber of individuals I meet at the summit each year. Feeling like there is always more to learn, more to do, more skills to work on seems an ever-present mantra within the Microsoft MVP community, and this directly relates to mastery.

Finally, purpose. I think almost all MVPs feel a connection to the community in what they do. MVPs are purpose-driven animals who love to share, teach and pass on the information they have learned to others. I think that is one of the most impressive aspects of those who are awarded. When you look at the total number of people Microsoft MVPs have direct and indirect influence on, it is no wonder Microsoft is interested in nurturing a unique relationship with its MVPs.

I by no means want to toot my own horn; there are plenty of Microsoft MVPs out there who do a far superior job in all areas than I do, but after reading Daniel Pink's book I really felt it struck home how I feel about the Microsoft MVP program. So, in many ways I believe Microsoft has started to utilize the principles in Drive. It would be interesting to know if those on the inside of Microsoft feel the same way about being an employee there.
- Ed


Monday, February 22, 2010

IPv6 design and deployment considerations for Microsoft's DirectAccess

One of the unique aspects of DirectAccess is its requirement of IPv6 for accessing internal resources. It requires that IT Pros get a lot more familiar with IPv6 and with how and why they need to deploy it within their environment.

Much of Microsoft's current design guides and recommendations revolve around proof-of-concept deployments and not final design deployment models. I want to address that gap and give IT Pros some things to consider when discussing with their network teams the IPv6 implementation they require for the POC versus what the final design might look like.

Currently Microsoft offers two main methods for internal IPv6 access within its design guides: the first is a transition technology called ISATAP and the second is to utilize Native IPv6. While ISATAP is a functional transition technology, I believe it has several pitfalls that a POC overlooks, and it perhaps gives a false impression of the deployment scenarios that might be supportable long term in an environment. First, since ISATAP is a tunneling technology and effectively looks like an overlay network, it can be difficult to troubleshoot access problems. In addition, there are no specific management or monitoring tools for ISATAP, requiring IT Pros to know all the areas where ISATAP could potentially have problems and how to diagnose them; I find that a tall order for many IT Pros given the general lack of knowledge regarding IPv6.

To top it off, ISATAP has an implicit sunset mechanism (if your host sees a Native IPv6 address it will use that first); it's really designed to transition your network to Native IPv6, so the question I pose for IT Pros is:
Why not start with Native IPv6 and bypass these issues?

So what is involved in getting a Native IPv6 deployment working? There are several options available to start using Native IPv6. Likely the easiest is to use a tunnel broker like Hurricane Electric to bring up a Native IPv6 address range at your IPv4 location. Once you have this in place you have plenty of Native IPv6 address space to utilize in your network. The next logical step is to get full Native IPv6 transit services from a provider. With Comcast's recent announcements around IPv6 and long-standing IPv6 providers like Hurricane Electric, there are options for both enterprises and small businesses now.

I think serious consideration should be given to deploying Native IPv6 services as the solution for DirectAccess. It allows the greatest flexibility long term and avoids many of the pitfalls that may happen with an ISATAP deployment. I look forward to seeing if others feel differently.
- Ed

Thursday, February 18, 2010

Quick update on Microsoft Teredo

I got my chance to meet with Joe Davies (CableGuy) with Microsoft yesterday and outline my items regarding Teredo. He is going to follow up with Sean Siler and others regarding the behavior of Teredo, the ability to manage Teredo and what exactly is collected (if anything) at teredo.ipv6.microsoft.com.

So, as soon as I hear back from Joe and Sean I will put up a post (assuming it isn't NDA) and hopefully clear up some of these items.

I also had a bunch of questions regarding ISATAP and what Microsoft has for a roadmap in terms of support and deployment around ISATAP. I've expressed my distaste for ISATAP due to the lack of management tools to determine where issues are within your network. That being said, I asked specifically for a written policy and guide around ISATAP, so hopefully we will get something!
- Ed

Wednesday, February 17, 2010

Should Microsoft have a different policy on the default behavior of their Teredo client?

Now, with Windows 7 increasing in deployments, there is a legitimate concern about whether Microsoft has the best policy regarding non-domain-joined client machines having the Windows Teredo client enabled but not active as a default setting. There are many forum and security posts saying that even minor changes in the OS activate the Teredo client service, turning it on and enabling it. While the new Advanced Firewall certainly is IPv6 ready and has a good default posture, it concerns many people that the Teredo client is going out to teredo.ipv6.microsoft.com automatically and obtaining a legitimate routable IPv6 address.

I personally have not seen this behavior on the Windows 7 clients I have used, but I tend to use clients that are joined to a domain and are not stand-alone clients. The behavior of non-domain-joined machines seems to be different from that of domain-joined ones, and this is likely to address the home/SMB market and the different experience Microsoft wanted those people to have compared to an Enterprise deployment.

For Enterprises and SMBs that are concerned about client machines accessing Microsoft's Teredo relay server, it is easy enough to write a GPO that disables the Teredo client; I covered most of the commands to do this in a previous post. What is more interesting from a security standpoint is if someone is able to exploit a client and then turn on the Teredo service to register the client machine via IPv6 with a third-party Teredo relay. They could easily pass all the command-and-control traffic over IPv6, have unfiltered access to the machine, and have unrestricted access to many networks behind commercial firewalls providing NAT/PAT services.

I hope the days of people thinking that NAT/PAT devices provide any security are quickly coming to an end (finally), because transition technologies like Teredo make bypassing a NAT/PAT device just way too easy. All the major torrent services use similar methods, so anyone who thinks you can't share content this way is ignoring the facts. Application-aware firewalls and host-based firewalls are the only way to control traffic now. Microsoft has taken the first step to address this with the Advanced Firewall and AD GPO policy pushes. They are introducing the second phase next with their Forefront client software suite to allow even more management and policy options through System Center. I think this will be critical for enterprises, especially those that are adopting virtualization and remote desktop configurations.

So, what are the benefits of running Teredo services? Why would Microsoft have enabled the service and let applications decide when they need unfettered access to the IPv6 network? I believe it is to address the needs of home users trying to connect multiple devices behind consumer-grade NAT/PAT home network devices (Linksys, Netgear and the like) who then want to share content and access their network from the public Internet. While this is perhaps a while off in terms of common deployment, many companies are already providing similar services. Slingbox, GoToMyPC, torrents, and other file sync sites could all leverage Teredo and IPv6 to make the process work more easily than it currently does today. Instead of having a central proxy control server, hosts could be directly connected with the home or work host they need content from, a novel idea. In addition, a machine could have a consistent IPv6 address all the time via the Teredo server regardless of what IPv4 network it is on, not a bad function in terms of getting content from a host and knowing you have the right one.

What I am not happy with is the lack of any intuitive interface within the GUI to tell you whether Teredo is actually on or not. There is no way outside of the command line that I am aware of to know if Teredo is enabled. It would seem a simple enough process to add a small control applet to let people know if Teredo is enabled or disabled and whether it is currently being used or not. This would go a long way toward allowing folks to control this basic transition service.
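As an added example (my own script, not code from the original post): a PowerShell script for Windows 7 that does the command-line check described above, reporting the Teredo type and state plus any address inside the Teredo 2001::/32 prefix, and with -Disable applies the same disablement the GPO approach from the earlier post would. The policy registry key and the Teredo_State value name are assumed from the TCPIP.admx template; verify them against your own templates before pushing the setting out.

```powershell
# Added example, not from the original post: audit and optionally disable the
# Teredo client on Windows 7. Run from an elevated prompt.
# Assumption: the policy key/value below (Teredo_State under ...\TCPIP\v6Transition)
# is what the "Teredo State" Group Policy setting writes; verify against TCPIP.admx.
param([switch]$Disable)

function Get-TeredoState {
    # netsh output looks like "  Type    : client" / "  State   : qualified"
    $info = @{}
    foreach ($line in (netsh interface teredo show state)) {
        if ($line -match '^\s*(Type|State|Server Name)\s*:\s*(.+?)\s*$') {
            $info[$matches[1]] = $matches[2]
        }
    }
    return $info
}

function Get-TeredoAddresses {
    # Teredo addresses carry the 2001:0000::/32 prefix; netsh prints it as 2001:0:
    (netsh interface ipv6 show address) | ForEach-Object {
        if ($_ -match '\b(2001:0:[0-9a-fA-F:]+)') { $matches[1] }
    }
}

$state = Get-TeredoState
$addrs = @(Get-TeredoAddresses)

"Teredo type  : $($state['Type'])"
"Teredo state : $($state['State'])"
"Teredo server: $($state['Server Name'])"
if ($addrs.Count -gt 0) {
    # A routable Teredo address means the host is reachable from the IPv6 Internet
    "Routable Teredo address(es) present: $($addrs -join ', ')"
} elseif ($state['State'] -eq 'qualified') {
    "Teredo is qualified (server reachable) even though no address was listed."
}

if ($Disable) {
    # Immediate effect on this host
    netsh interface teredo set state disabled | Out-Null
    # Persistent: the value the "Teredo State = Disabled" policy writes (assumed name)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Teredo_State' -Value 'Disabled' -Type String
    "Teredo disabled; new type: $((Get-TeredoState)['Type'])"
}
```

Running it without -Disable is a safe read-only audit; a state of "qualified" or any 2001:0: address is the condition the post worries about.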

I guess I will ask what Microsoft was thinking regarding this while I have their ear over the next few days and report back.
- Ed