Security is a never ending journey

I'm at the 2009 Microsoft MVP Summit. Around 2000 MVP's descend on Microsoft's Redmond Campus for four days of sessions with various product teams. The sessions include a lot of two way feedback, which can be brutal from both sides. It's a lot of fun. Today I went to several security sessions. I got to hear Steve Riley talk and then answer questions from an audience that included Jesper Johansson. It was amazing. At one session Ziv Mador and Steve Adegbite were talking about the Conficker worm and Microsoft's response to the vulnerability the worm initially used to spread itself. It was fascinating to hear the process they went through to identify the vulnerability and patch it then have to wait and see the exploits developed when the bad guys reverse engineer the patch. During the session Steve Adegbite said something that really resonated with me. He said "Security is like a never ending marathon." I think that is one of the best statements I've heard regarding security. Security is hard work. You have to give it 100% all the time. There are no shortcuts. You will never be finished. To some that sounds depressing. Steve Adegbite said it was a challenge he and his team relished. I got the sense that almost everyone in the room agreed. I realised I was sitting in room full of the cream of the crop in the Windows security world. It was fun hobnobbing with the cream of the crop. Thank you Microsoft.

Computer Performance - Perceived vs. Absolute

With the public beta of Windows 7 in full swing many people are talking about performance and comparing different versions of Windows. I see many posts in forums and on newsgroups exclaiming Windows 7 boots x seconds faster than Vista. They carefully measure how long XP, Vista, and Windows 7 take to boot or shutdown. Others measure how much RAM each OS uses when at idle. Some people run benchmark software comparing various OS's. There are web sites dedicated to performance with tips on which services and scheduled tasks can be disabled to improve performance.

Most users are more concerned with perceived performance rather than actual performance. If I click on something is there a pause before something happens? If that pause is longer than x (I don't know what x is but I suspect it's less than a second) the computer or application is perceived as slow. If it's faster than x then the computer or application is perceived as fast. There isn't really any in between. There is no perception of medium performance for most people. It's either acceptable or too slow. Most current operating systems take all this into account and are optimized to give a good user experience. Sometimes this perceived better performance comes at the expense of actual performance. The operating system is doing things in the background like indexing files, optimizing the file system, pre-caching disk sectors, and more. These background tasks may cause benchmarks to run slower. Some people jump on this and disable these background tasks then proudly post benchmarks proving how much faster their computer is. The problem is that disabling these background tasks quite often makes the computer less optimized for the user experience. Programs may actually run slightly faster but loading the program or loading/saving files from within the program take longer. Finding the email you sent to Joe Smith about next week's hockey game takes impossibly long as you have to manually open each email. Over time Windows slows down because the disk is fragmented.

When tuning or measuring computer performance you have to take many things into consideration. It's very similar to a car. Most of us don't want to drive a souped up hotrod that's temperamental and needs constant attention. Most us want a car that starts up when we turn the key. The heat or the air conditioning comes on quickly not several miles down the road. We want power locks, windows and seats. We want comfort. It's the same with computers. There are enthusiasts who enjoy eaking out every millisecond of performance and don't care about the comforts or ease of use. Unfortunately many people listen to their advice and think that if they apply the same tricks their computer will be faster. It will, but the catch-22 is that their day to day computing may actually seem slower.

Why Do I Need a 64 Bit OS?

Except in very specific circumstances anyone installing Vista should be installing a 64 bit version. The day of 32 bit Windows is over. Once you’ve used a computer that can use lots of RAM you won’t want to use one that doesn’t have lots of RAM. The OS is really irrelevant here. Running a 64 bit OS with 8GB or more is just a better experience. This is true for every current OS I’ve tried. All current computers are 64 bit capable. Most can use at least 4GB. Many can use 8GB or more. Even if you initially don’t have a lot of RAM you still want to install 64 bit from the start. There isn’t a noticeable performance penalty. When you do install more RAM, at least with Windows, there is no way to upgrade from 32 bit to 64 bit. A clean install is required. This can be very painful if you have a lot of programs installed. The procedure is to backup everything. Back up everything again. Install 64 bit Windows, erasing your old install in the process. Install your programs. Restore your data. Restore all your program settings. I just did this on my laptop. It took around six hours. I’ve got way better things to do than spend six hours staring at my computer just to get it back to where I started. The payoff is I can now use all 4GB that I have installed. If I’m just checking my email or doing some word processing I don’t see much of a difference. If I start up a virtual machine to test something in XP, click on a link to a video that was in an email, start a video call on Messenger, and then decide to edit a picture I see a huge difference. If you go to 8GB, this laptop only goes to 4, the difference is startling. As you load up tasks you don’t see much of a slowdown. Everything is usable. RAM is one of the least expensive upgrades. Install a 64 bit OS and upgrade your RAM. You won’t be sorry.

Small Business Server 2008 Released

Microsoft has a new version of Small Business Server which will be launched on November 12. It’s called Small Business Server 2008. I was in the beta testing program for this and I’m quite excited about it. Similar to 2003 there are two editions, Standard and Premium. Standard includes: Server 2008 64 bit, Exchange 2007 Standard Edition, SharePoint Services 3.0, WSUS 3.0, and all the standard SBS features like RWW, as well as the standard limitations like 75 users max. Premium adds a second full Server 2008 license (32 or 64 bit) and SQL Server 2008 Standard. The Client Access Licenses (CALs) are a little different. There are different CALS for the Standard and Premium Editions with the Premium CALs being a little more expensive. CALs are available in multiples of one rather than the minimum of five in 2003. It is based on Server 2008 so by default it’s more secure than the previous version based on Server 2003. It is 64 bit only which means it can address more RAM, 32 GB vs. 4 GB for 2003. When 2003 was released RAM was expensive and 32 bit server OS’s were the norm. This is no longer the case. 4 GB can be a major choke point with a heavily loaded SBS server. The second server license in Premium is a very nice addition. This allows you to run SQL or whatever on a second server rather than trying to run it all on the SBS server. Many Line of Business applications don’t support running on a domain controller which means they are not supported running on an SBS server. The second server is also capable of running Hyper-V, Server 2008’s virtualization role. The second server is licensed to be installed as the parent and also as a child. This means you can install a decent server with lots of RAM, use the second server as the parent with the Hyper-V role enabled, and both SBS and another Server 2008 instance in child partitions (virtual machines). When I was beta testing SBS 2008 I did this and actually had three child partitions. One of them was running Untangle, an open source firewall/gateway. On a small network of 25 users a server with a couple of decent Xeon CPUs and 16 GB of RAM could easily run all of this on one box.
All in all SBS 2008 is a good product, well suited to a small business of ten to sixty users. If you grow beyond that you can migrate to the new Essential Business Server 2008 or the full Enterprise versions of Server 2008, Exchange, SQL, etc. Kudos to the SBS development team for a great product.

Computer security is like walking in the rain

This morning I was out walking in the rain trying to come up with a good idea for a blog post. I've been thinking a lot about computer security lately. As I was walking I realised that walking in the rain was a good analogy to use when thinking about computer security. I have to deal with a very wet climate. I enjoy spending time outdoors. Sometimes I have things I have to get done that require me to be outdoors. This means I have to come up with a way to deal with rain. I actually have several strategies for dealing with rain depending on what I'm doing, how hard it's raining, and how long I'll be exposed to the rain.

The simplest strategy is to just try to stay out of the rain. This is OK for very short durations in the rain. If I'm quick I stay relatively dry while going from my door to the car, or from the car to a store. In computer terms this would be like running Windows with minimal security enhancements, nothing but what's built in. It's very easy and convenient. Most of the time I won't get too wet. Occasionally I'll get caught in a downpour and get soaked to the skin requiring a full change of clothes. Most of the time I don't use this strategy nor would I recommend it for others as they will inevitably get wet at some point.

The next strategy is to wear a coat. This gives some added protection but when I do get caught in that downpour I may have to change my pants or at the very least my shoes and socks afterwards. If it rains hard enough or I'm outside long enough the coat will eventually soak through. Over time the coat wears out and becomes less effective at keeping the rain out. I have to buy a new coat. There are many different types of coats, some of which give much better protection from the rain than others. There are windbreakers, rain coats, and overcoats. Choosing which coat to use takes experience with the weather and knowing how hard it's likely to rain. This would be like Windows with an antivirus/malware program installed.

This morning while walking it was raining pretty hard. I took an umbrella and wore a rain coat. I was out in the rain for quite a while. I still got a little bit damp but that was mostly because I was too hot while walking up the hills. The problems were mostly internal caused by the protection I was using. Some of the dampness was caused because the umbrella didn't protect against splashes from the rain drops on the sidewalk and for a small period of time it was raining hard enough that some of the drops made it through the umbrella (a Microsoft golf umbrella by the way) in the form of a fine mist. This is like Windows with a hardware firewall (umbrella), antivirus software(coat), and anti-malware software (the coat is a specialised rain coat). All that protection may get in the way and cause it's own problems but in the end it does a pretty good job of protecting me from the rain. If someone was going out in the rain this is what I would recommend, with a warning that it may not be the ultimate in protection. They may get a little damp at times. Some of the dampness may be caused by the protection itself (perspiration).

Last winter I volunteered to work at one of the 2010 Olympic venues (Whistler Olympic Park) for a ski jumping event. One of the perks was a very high tech Halti all weather jacket. This jacket is made of some super high tech material that allows you to work very hard and not get soaked from your own perspiration. At the same time it is completely waterproof even if you are out in the rain for hours on end. I was shovelling snow at the top of the big ski jump in major sleet (mixed rain and snow) for hours. I had a Tilley hat, the Halti coat, similar high tech rain pants, microfibre clothing underneath, rubber boots, and some high tech thinsulate gloves. This would be like running Windows in a virtual machine on a very fast computer that was behind a locked down server class OS that enforced network policies and an enterprise class firewall. I was able to work for several hours in extremely adverse conditions without getting wet at all. I was able to get the work done with no problems caused by either my environment or the gear I was using to protect me from the environment.

What does all this say about computer security? Security is about mitigating risk. You have to assess the risk and come up with a plan to mitigate the risk that is appropriate to your budget and environment. No matter what you do, you will never get the risk down to zero. With enough resources you can get close. The closer you get to zero risk the higher the cost. For most of us the cost/benefit falls somewhere in the middle which means we may have to deal with occasionally getting a little bit damp.

Small Business Server 2008 RTM today!

Here's the official announcement:

http://blogs.technet.com/sbs/archive/2008/08/21/sbs-2008-released-to-manufacturing.aspx

I was part of the beta program from quite early on. It's a great product. I'll blog some more about it later. For now -

Congratulations to the SBS Team at Microsoft.

Best Blog Contest

I've been asked to help judge a contest to find the best Vista blog or website. You can find the details of the contest here. I was very flattered to be asked to help judge the contest. Get your entries in. There's some great prizes. I look forward to seeing everyone's entries.