Author Archives: Terence Rabe

Windows 8 hype and reality check

I’ve seen a lot of obvious and self-serving questions posted on LinkedIn, but one really took the biscuit a few days ago and it annoyed me to the point where I had to dust off my blog and have a little rant.

The poster asked “Will Windows 8 overtake Windows 7 at the number one spot” or something to that effect and it struck me that this is really the wrong question. It’s one of those questions that tells you a lot about the point of view of the person asking it… they’re desperate to be seen as an expert and hoping that their superficially topical question will eventually lead you to buy stuff from them. Deep breath.

Of course Windows 7 will retain the number 1 spot… for a while. A better question would have been “how long will it take for Windows 8 to reach number 1” and even then I’m not sure that this actually matters to anyone except sales people, blogosphere commentators and the kind of people who can recite sport statistics.

It is obvious that one day Windows 8 will outsell Windows 7 because Microsoft will stop selling the older OS, and then one day they will stop supporting it. Microsoft will publish this information, and although it’s not all available yet this site does tell us that they plan to support Windows 7 until 2020.

I believe the key questions are really “how long do I have to upgrade my skills” which is co-dependent on “when do I begin planning my company’s upgrades”… Don’t waste time speculating on an artificial milestone that is reached when everyone else has bought more Windows 8 than Windows 7… rather take control of your skillset. Install Windows 8 and learn the new interface, take some training, test it in your situation and make an educated choice on whether it’s right for your business.


Message moderation for mailboxes

Exchange 2010 features the ability to moderate message flow to any recipient. This means that I can divert an incoming message to another user (the moderator) who can either reject the message to prevent delivery or approve the message to allow delivery.

The Exchange 2010 Management Console allows you to manage moderation for Distribution Groups and Dynamic Distribution Groups, but not user Mailboxes. Moderation of messages addressed to people can be set up with Transport rules, but I was curious to see if it could be done directly on the user’s Mailbox.

As is usually the case with Exchange 2010, it’s best to try to do it in the Exchange Management Shell before assuming that it can’t be done. After a bit of detective work on the Set-Mailbox cmdlet help page on TechNet I found the answers.

To enable moderation for an existing mailbox, use the following cmdlet;

Set-Mailbox -Identity "Name of User" -ModerationEnabled $true -ModeratedBy "Name of Moderator"

Remember this all needs to be keyed in as one command.

You can also enable moderation when creating new mailboxes by adding the ModerationEnabled and ModeratedBy switches.

Once you’re done you can admire your handiwork by using the following cmdlet, which will display all the moderated Mailboxes and who moderates them;

Get-Mailbox | where {$_.ModerationEnabled -eq $true} | Format-Table Name, ModeratedBy

If you decide that a mailbox should not be moderated you can use the following cmdlet;

Set-Mailbox -Identity "Name of User" -ModerationEnabled $false

Happy moderating!
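The listing cmdlet above shows who moderates each mailbox; the following added example (not part of the original post) widens that review to the senders who bypass moderation and to the notification setting. `Get-ModerationReview` is a hypothetical helper name, the property names are the moderation parameters of Set-Mailbox, and the sample objects are constructed so the block runs without an Exchange server.

```powershell
# Added example: review moderation settings on mailbox objects.
# Works on any object carrying the Get-Mailbox moderation properties.
function Get-ModerationReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox
    )
    process {
        if (-not $Mailbox.ModerationEnabled) { return }

        # Multi-valued properties may be empty or $null; normalise to string arrays.
        $moderators = @($Mailbox.ModeratedBy | Where-Object { $_ } | ForEach-Object { "$_" })
        $bypass = @($Mailbox.BypassModerationFromSendersOrMembers |
            Where-Object { $_ } | ForEach-Object { "$_" })

        $notes = @()
        if ($moderators.Count -eq 0) { $notes += 'moderation on, no moderator listed' }
        if ($bypass.Count -gt 0)     { $notes += "$($bypass.Count) sender(s) bypass moderation" }
        if ("$($Mailbox.SendModerationNotifications)" -eq 'Never') {
            $notes += 'SendModerationNotifications is Never'
        }

        New-Object PSObject -Property @{
            Name       = $Mailbox.Name
            Moderators = ($moderators -join '; ')
            Bypass     = ($bypass -join '; ')
            Notes      = ($notes -join ', ')
        } | Select-Object Name, Moderators, Bypass, Notes
    }
}

# Constructed sample objects (not real mailboxes).
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'Finance Director'; ModerationEnabled = $true
        ModeratedBy = @('PA Finance')
        BypassModerationFromSendersOrMembers = @('Chief Executive')
        SendModerationNotifications = 'Always' }),
    (New-Object PSObject -Property @{
        Name = 'Shared Reception'; ModerationEnabled = $true
        ModeratedBy = @()
        BypassModerationFromSendersOrMembers = @()
        SendModerationNotifications = 'Never' }),
    (New-Object PSObject -Property @{
        Name = 'Ordinary User'; ModerationEnabled = $false
        ModeratedBy = @()
        BypassModerationFromSendersOrMembers = @()
        SendModerationNotifications = 'Always' })
)

$sample | Get-ModerationReview | Format-Table -AutoSize

# In the Exchange Management Shell, feed it real mailboxes instead.
# -ResultSize Unlimited matters because Get-Mailbox returns only the first 1000 by default:
#   Get-Mailbox -ResultSize Unlimited | Get-ModerationReview
```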

How to set up Calendar Publishing in Office 365 Beta.

UPDATE: 26 June 2011 – It appears that the PowerShell command needed to enable Calendar Publishing has been locked down by Microsoft. Attempting to run the Enable-OrganizationCustomization command now results in an error message stating “This operation is not available in current service offer”. I will try to establish why this has changed and when (if?) the function will be restored. Until further notice, the instructions below will not work.

One of the features I really need from Office 365 Outlook is for people to know when I’m available without having to phone or email me. You can expose your calendar to colleagues with Calendar Sharing, but for clients and suppliers (i.e.: users outside of your organisation) you need Calendar Publishing.

Unfortunately, Calendar Publishing is not enabled by default and comprehensive online guidance is hard to come by. Hopefully this blog will make your life a little bit easier.

Enabling Calendar Publishing consists of two phases. The first phase enables calendar publishing for your email organisation and is made up of PowerShell cmdlets (command-lets). You will need administrator permissions in your Office 365 organisation to perform them. If you do not have administrator permissions, forward this to someone who has and ask them to help.

The second phase enables calendar publishing for your individual calendar and is easily done in your Office 365 Outlook web page. But first the detailed PowerShell steps 🙂

Before you begin, please note:

  • If you make a mistake, PowerShell will display an error message. If you do not make a mistake and the command succeeds, PowerShell often does not display anything. The lack of an error message indicates success!
  • I have colour coded the PowerShell commands like this, so it’s only the coloured text you need to retype (or copy and paste).
  • The cmdlets are not case-sensitive although it might be easier to hunt for typos if you use the same case as the sample.
  • Even though some of the longer cmdlets wrap over multiple lines, you need to type them out as one continuous command before pressing enter.

Okay? Let’s go.

  1. Open PowerShell. If you’re running Windows 7 or Server 2008 it should already be installed. If you don’t have it you can install it as part of the Windows Management Framework. Download the WMF here.
  2. Once PowerShell is up and running type $cred = Get-Credential
    This will open a dialog box asking for your user name and password, which PowerShell will save for later use. Your security details will be saved for the duration of the PowerShell session, so be sure to close the PowerShell window when you’re done.
  3. Next, type $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
  4. Set-ExecutionPolicy -ExecutionPolicy unrestricted
    This cmdlet lowers your shell security to enable you to run the next cmdlet which executes a script from Microsoft’s servers.
  5. $ImportResults = Import-PSSession $s
  6. Set-ExecutionPolicy -ExecutionPolicy restricted
    This cmdlet restores your shell security.
  7. Enable-OrganizationCustomization
  8. Set-SharingPolicy -Identity "default sharing policy" -Domains "anonymous:calendarsharingfreebusysimple"
  9. Exit

That’s the PowerShell phase done. You only need to do this once and all your Office 365 users will be able to publish their calendars.
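The same PowerShell phase as one script, added here as an example and not part of the original post: it changes the execution policy for the current process only and puts back whatever value was there before, and it closes the remote session even when a step fails. It assumes RemoteSigned is enough for Import-PSSession; the endpoint, cmdlets and policy values are the ones in the steps above, and Get-SharingPolicy is used only to read the result back.

```powershell
# Added example: steps 2 to 9 with the policy change scoped and cleaned up.
$cred = Get-Credential

# Record the current process-scope policy so it can be restored exactly,
# rather than assuming it was "restricted" to begin with.
$previousPolicy = Get-ExecutionPolicy -Scope Process

$session = $null
try {
    # -Scope Process leaves the machine-wide and per-user settings untouched.
    # Assumption: RemoteSigned is sufficient, because the module that
    # Import-PSSession generates is created on the local machine.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell `
        -Credential $cred -Authentication Basic -AllowRedirection `
        -ErrorAction Stop

    Import-PSSession $session -ErrorAction Stop | Out-Null

    # -ErrorAction Stop turns a failure into an exception, so the script
    # skips the remaining steps and still runs the clean-up in 'finally'.
    Enable-OrganizationCustomization -ErrorAction Stop

    Set-SharingPolicy -Identity "default sharing policy" `
        -Domains "anonymous:calendarsharingfreebusysimple" -ErrorAction Stop

    # Read the policy back to confirm what is now allowed.
    Get-SharingPolicy -Identity "default sharing policy" |
        Format-List Name, Domains, Enabled
}
finally {
    # Always close the remote session and restore the earlier policy.
    if ($session) { Remove-PSSession $session }
    Set-ExecutionPolicy -ExecutionPolicy $previousPolicy -Scope Process -Force
    Remove-Variable cred -ErrorAction SilentlyContinue
}
```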

To publish your own calendar, begin by logging on to Office 365 with your account.

  1. Go to Outlook
  2. Go To Calendar
  3. Click on Share on the toolbar, and select “Publish this calendar to the Internet”
  4. Configure the options to control how your calendar is shared
    Publishing detail:
    Availability Only – shows Free, Busy, Tentative, or Away.
    Limited Details – also shows subjects of meetings.
    Full Details – shows all details
    Access level:
    Restricted – People only have access if they receive a link to your published calendar
    Public – Search engines can discover your calendar. Choose this option only if  you want your calendar to be available to anyone.
  5. Click Start Publishing
  6. Once the Calendar is published you can email the hyperlink to the people who need access to your Calendar.

    The “Link for subscribing to this calendar” link will enable Outlook users to add your Calendar to their Outlook and receive automatic updates whenever you update your calendar. The “Link for viewing calendar in a Web browser” will enable other users to view your Calendar or you can use the hyperlink on your own Web site like this.
  7. You’re done!

Disclaimer: As with any personal information, you need to exercise common sense and discretion in sharing it. Act within the guidelines of your company security policy. If you’re not sure whether you should publish your Calendar or what level of detail to publish, check with your IT department. I accept no responsibility for anything bad that happens due to you over-sharing 🙂

Happy Publishing!


No Single Instance Storage on Microsoft Exchange 2010.

You may or may not know that Exchange 2010 no longer supports Single Instance Storage (SIS). Simply put, SIS saved space in Exchange databases by only storing a single instance of messages and attachments that were sent to multiple recipients.

The feature was introduced in Exchange 4.0 when (according to Microsoft) the target audience for Exchange was the small department who needed an email system that was unlikely to have more than one database. Also, at that time hard disk space was much more expensive than it is now.

Fast forward to the present and Exchange is a very different beast. Now aimed more at enterprises, Exchange typically holds multiple databases per server and those servers have much more memory and cheaper disks. On top of that, Microsoft needed to make several changes to the internal architecture of the Exchange database to support certain scalability and high availability features… features that were inherently incompatible with SIS. So in Exchange 2007 Microsoft deprecated SIS to only store single instances of attachments, and in Exchange 2010 they removed the feature altogether. To mitigate the increase in mailbox sizes Microsoft points to the cheap cost of storage (since SATA disks are now supported) and the fact that they have improved the compression of message bodies and headers, resulting in typical database sizes on par with those of Exchange 2007.

Where does this leave Exchange administrators? As ever, the answer is “it depends”… let’s consider the following scenarios;

  • Currently running legacy Exchange (4.0 through 2003) – significant increase in mailbox database sizes possible when you migrate your mailboxes to Exchange 2010.
  • Currently running Exchange 2007 – no increase in mailbox database size expected when you migrate to Exchange 2010.

Another point Microsoft takes some pains to make is that they have never advised that you factor SIS into your database capacity planning. True this may be, but it’s always an emotive issue when a feature that was marketed as being an awesome unique selling point is discarded. Even if those who complain the loudest about it are seldom able to quantify how much space it was saving them.

For the original (technically detailed) article that I based this blog on, visit the Exchange Team Blog. Be sure to scroll down and read the comments also for some enlightening debate on the subject.

AppLocker

This is the fourth part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of AppLocker; hopefully it will help you decide if AppLocker contributes to the case for the extra cost of the Enterprise license.

AppLocker is a policy based security mechanism that either allows or disallows software from running on a system. You’re right in thinking this sounds a lot like Microsoft’s Software Restriction Policy (SRP) feature. They are very similar, but not the same thing. As with SRP, AppLocker can either block all applications from running except for the ones you whitelist, or allow all except for the ones you blacklist. Like most security solutions, the more secure it is, the more burdensome management can be. AppLocker improves on SRP with new features that make setup and management easier. My favourite is the ability to white- or black-list applications by vendor, so for example I can unlock all Adobe apps with one rule.

AppLocker may be better than SRP but this doesn’t mean that you have to get rid of your SRP group policies, as Windows 7 supports both AppLocker and SRP. It does this by ignoring SRP if both AppLocker and SRP settings are applied to the system. This also means that if you have a mixture of Windows 7, XP and/or Vista machines then you can use a mixture of AppLocker and SRP, but it is advisable to thoroughly test the effects of combining these settings in the same group policy.

To conclude, I think AppLocker offers a great way to make your Windows 7 desktops more secure. The biggest obstacle to implementing it may actually be user acceptance, especially in environments where they had free rein over their pre-Windows 7 machines, but that’s not an insurmountable problem. To get started with evaluating AppLocker you can download the walkthrough from Microsoft’s website.

Bitlocker and Bitlocker To Go

This is the third part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of Bitlocker and Bitlocker To Go; hopefully it will help you decide if Bitlocker contributes to the case for the extra cost of the Enterprise license.

Bitlocker has been a feature of Microsoft’s client operating systems since Windows Vista, but Windows 7 adds some compelling new features, most notable of which is Bitlocker To Go, which enables protection of USB flash drives.

Bitlocker offers data protection in scenarios where loss or theft of storage media is a concern, so it’s ideal for protecting portable storage media, laptops and physically vulnerable desktops. It works by encrypting the entire volume, and only allowing access to the disk after the system has been started by a trusted party. This trust is established during the boot process when the user either keys in a PIN, inserts a USB key or both.

On the plus side, Bitlocker trumps EFS (Microsoft’s file-level encryption technology) as it is transparent to users and does not rely on them remembering to encrypt sensitive data. On the down side, it offers no protection once the system is up and running. Bitlocker can also cause administrators headaches if there is no centralised management of data encryption. Bitlocker has the potential to render important information inaccessible if users enter the incorrect PIN too many times and then can’t remember their recovery password. Fortunately Bitlocker can be managed with a variety of Group Policy settings that allow comprehensive management of Bitlocker, including saving the recovery password information to Active Directory.

Group Policy makes it possible to manage Bitlocker on an enterprise scale but this does not guarantee everything will be plain sailing. It is advisable to invest some time and resources in evaluating and testing Bitlocker in your environment. I’d recommend that you only roll out Bitlocker once you have a tried and tested recovery procedure in place and you’ve trained support staff and end users how to use it.

In summary, Bitlocker offers protection against attackers who try to access your sensitive data by booting compromised systems with other operating systems or by installing stolen disks in another system and either booting from or slaving them. When properly managed, it offers an important layer of security to enterprises whose mobile users travel with sensitive data.

For more information, including a FAQ page and detailed deployment guides, visit the Windows 7 Bitlocker page on TechNet.

BranchCache

This is the second part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of BranchCache, and hopefully help you decide if it makes a compelling case for the extra cost of the Enterprise license.

As the name suggests, BranchCache enables caching on Windows 7 systems and it is aimed at branch offices. This is not to say it will only work in branches; it will work on any high latency network. BranchCache works with network requests made over SMB, HTTP or BITS, therefore websites, Windows file shares, WSUS and System Centre content can be cached. Once you enable BranchCache, Windows 7 clients will be able to retrieve cached copies of data either from a specified cache location (Hosted mode) or from Windows 7 peers (Distributed mode), rather than over the WAN. This will reduce the time it takes to retrieve files, is transparent to users and will reduce your WAN utilisation.

Since distributed mode is effectively peer-to-peer caching it is ideal for sites where it is not viable to host any servers. In this mode a Windows 7 system will first check with its peers whether a desired file is cached by any of them. If it isn’t, the file will be retrieved as normal and cached by the requesting client. The next time the file is requested by a client the file will be retrieved from the peer(s) where it is cached, but only if the file stored on the content server has not changed since it was cached. Distributed caching is simple to enable and doesn’t require additional hardware or software investment on the client. The price you pay for all this “free” caching goodness starts with the extra cost of the Enterprise license, and the disk space (5% by default) and processing power that peer-to-peer caching will consume on your Windows 7 clients, but the real cost lies in the fact that all of the file/web/content servers at head office need to be running Windows Server 2008 R2 to play nice with your BranchCache clients. Not a problem if your servers are already up to date, but possibly a deal breaker otherwise.

This brings us to Hosted mode caching. Hosted mode is well suited to environments where resources are accessed via slow networks, but where it isn’t viable to set up and maintain local replicas of your content servers. In this scenario the cached data is held on a designated server. It can be a dedicated server or a server with available disk/processor capacity, but it does have to be a Windows Server 2008 R2 system. As with distributed caching, the servers that store the original content need to be running R2. Client setup is via group policy again and setting up the cache host requires the File Server role to be installed along with its BranchCache sub-component. The caching mechanism is similar also, except that clients refer to the central host instead of referring to peers when looking for cached data.

I would recommend Hosted caching only if Distributed caching does not provide adequate responsiveness or creates too much peer-to-peer workload on Windows 7 clients. Your results will vary so it’s worth monitoring performance in a small test group before and after implementing this feature, but according to an internal case study, “Microsoft IT significantly improved service availability while maintaining network traffic encryption including HTTPS and IPsec and reducing WAN usage and server demand”, and “Using BranchCache, Microsoft IT expects to save money while increasing branch user productivity.”

For a more detailed overview of BranchCache review this TechNet article, or download the Deployment Guide for a step by step walk through.

The next article in this series deals with Bitlocker and Bitlocker To Go.

Microsoft Windows 7 Professional vs. Enterprise Feature Comparison

While preparing for an upcoming course I was surprised that I couldn’t find a concise summary of the difference between Windows 7 Professional and Enterprise editions. Most resources seem obsessed with comparing the Ultimate edition which is only interesting for “must-have-all-the-shiny-toys” enthusiasts.

Judging by the names it seems obvious that one is designed for business and the other is designed for big business, but which features are you paying extra for and are they worth the expense?

Looking at Microsoft’s own Windows 7 site and Paul Thurrott’s great Supersite for Windows, I was able to determine the following key features that Windows 7 Enterprise has over and above the Professional edition.

Rather than drill down into the detail here I have blogged on the benefits and caveats of each feature in a separate article. Click the links below to read on;

First Exchange 2007 courses

I trained my first Exchange 2007 course early in May and all in all found it challenging and rewarding. The style of the course is slightly different from Microsoft’s previous courses but it’s more of an evolution than a revolution. The course content is pretty good and shows off the product well. Some of the questions that came up during the course were not covered in the courseware… I’ve just finished digging up the last answers and have added them to my Exchange 2007 FAQ. If you’d like access to the FAQ just email me (please note access to the FAQ is for course attendees only).