Why so excited? See the list of things this update includes. WDS!!! Windows Deployment Services will update RIS to support network deployment of Windows Vista.
I was just reading an article from AtDM regarding TechTV's rebirth. I can remember back when it was ZDTV and there was more of a focus on legitimate technical talk. For a long time I've thought it would be great to have some type of TV show that delivered an unbiased look at enterprise technologies. Imagine flipping channels and finding a serious look at desktop management tools! I know I'm crazy, but there are others out there like me; I've been to MMS... Consider the success of Channel 9.
Maybe someday! Of course it would have to be late at night, or else I could only hope to catch it on my second MCE tuner to watch later; my wife would not put up with it during prime time.
Link to Addicted to Digital Media - Wired News: TechTV Reborn as 'UndoTV'
In the past week I have been in my "lab" testing out WDS, AIK, SIM, and the included tools. Everything has gone quite well and the documentation has been good, especially for SIM. WDS is really pretty simple to use, and I like that Mixed Mode is available if you would like to retain RIS images. I'm just getting into adding drivers to images and other more complex operations.
I ran into a strange issue where I could not delete files from a mounted image while using Explorer. The issue does not exist when I delete from the command line. Turns out this is well known and was blogged by one of our testers over a year ago. It is due to Explorer moving files to the Recycle Bin rather than actually using the "delete" action. According to the post, the wimfltr does not support the "move" action. Good to know!
I recently had the pleasure of working with Elliot Lewis, a Network Security Architect at Microsoft who is well informed on Network Access Protection. Probably the most common question we have been asked by customers in Higher Education is how NAP will work with student machines, other platforms, and non-Microsoft infrastructure servers. While many see the advantage of NAP to secure the desktop, often those who will make the decision to deploy NAP in a University setting do not have ownership of the network infrastructure including DHCP and DNS.
<Michael> I understand there is an answer for student owned machines, can you explain how Universities should approach this problem and what the typical student would need to do?
<Elliot> Network Access Protection is a platform that allows for all kinds of integration into the quarantine system – it allows for managed, un-managed, local attached, remote attached, wired or wireless clients. In short, no matter HOW you touch the university's network, quarantine operations are going to take place. In order to accomplish comprehensive control we use multiple quarantine enforcement mechanisms under the covers to control all of the various enforcement points. Examples of these enforcements mechanisms are IPsec, DHCP, VPN, 802.1x, and Terminal Services. The university can choose any one or any combination of these enforcement controls – they can even be combined if desired to meet the needs of the university's environment.
So in answer to the question above, the university needs to decide which enforcement mechanisms they want to utilize across their enterprise and this will determine what, if anything, the students will need to do to their machines to get on the network. Here are some of the issues to think about:
<Michael> So, students will need to install something on their machines?
<Elliot> Yes, as described in the last question there will need to be some configuration if the student machine is not Vista + domain joined. But this being said, once that one simple script is run giving the student the settings they need to participate in quarantine operations EVERYTHING is handled by the network itself and the student should have little to no need to deal with the quarantine operations. (NOTE: If the student does NOT run the script, they will not get on the network – NAP controls will simply quarantine them until such time as they have the appropriate settings to participate in quarantine ops. This means that "not running the script" = "off the network by default"! The only way around this is to have an NAP exemption from the network administrators OR compliance to a "non-NAP aware" policy on the Network Policy Servers.)
<Michael> I suspect we have partners working on a NAP solution for Apple and Linux?
<Elliot> We do have partners looking at this, but to date we have no firm commitments on delivery. As stated earlier, this is an excellent opportunity for some work at the universities to create such a client!
<Michael> Will Mac or Linux users need to worry about being blocked from the network?
<Elliot> In short, no, there is no danger of this. As stated earlier, the administrators can set a policy in the NAP settings to allow for non-NAP aware clients to be handled in a certain way. Therefore, if the client in question cannot provide Microsoft based health credentials for evaluation the NAP system will understand this and can check for a policy to deal with that client – whether allowing it on the network by default or placing into some sort of quarantine control area – the choices are completely up to the administrator. Another option is to allow for exemptions per machine in the system – be aware this method can be an administrative burden. When a Mac or Linux NAP client is eventually developed then these OSes will be able to provide health credentials and participate under normal operations.
<Michael> If we let other OSes on, wouldn't that allow some way for students running Vista to circumvent NAP?
<Elliot> Absolutely not. Each client coming online is handled in its own context and that control is handled by the network – not the clients! Anytime a client touches the bandwidth of the network in any way the NAP architecture will assess it for health status. If it is able to provide health status – as is the case in XP or Vista – then the NAP system will evaluate the client from the network side of the house. Network entry is by no means authorized on the client side – it is all controlled on the network and server infrastructure. Since enforcement mechanisms like IPsec, 802.1x, VPN and Terminal Services are all authenticated by network based operations there is no way for a student to bypass that authorization control process! The one exemption on this rule could potentially be the use of DHCP enforcement control by the university because in the case where the student is a local administrator on their PC they can manually override DHCP IP addressing and plumb manual addressing parameters onto their own PC. This being said, the student will have to be able to manipulate far more than just the IP address (we won't go into the other settings on this blog :)) and have intimate knowledge of the network operations of the university to get their settings right. If this is a concern then DHCP can be combined with the other enforcement controls to "harden" it.
<Michael> Will antivirus vendors need to develop special ties to NAP?
<Elliot> Not necessarily – this depends on how closely the university wants to control the anti-virus vendors allowed to be used in their environment. For instance, if the university wants to ONLY allow certain AV vendors to be used on campus and MANDATE that use amongst the student body then yes, they should get the particular NAP-aware AV software and supply it to the student body. On the other hand, if the university just wants to make sure that each student is using SOME sort of AV and does not care which one it is then the university can use the built-in Windows System Health Agent (SHA) that comes in Windows and the base NAP code. The Windows SHA works off of Security Center which runs on XP and Vista and the university can check for all of the security settings that Security Center checks for and can mandate compliance to those settings via NAP. One of those settings is the presence and "up-to-date" status of AV software – without specifying WHICH AV software is running. Other settings that can be checked/enforced on XP/Vista clients are the Windows Firewall active and running and Automatic Updates active and running with the latest patches available from Microsoft. In Vista, Security Center has the ability to check for Microsoft Defender spyware settings as well. Since the Windows SHA comes "out-of-the-box" with the NAP client for XP/Vista there is no need to download or manage any other SHAs to do this level of functionality!
<Michael> Is there any way for NAP to work with non-Microsoft infrastructure servers that provide DHCP and DNS?
<Elliot> Absolutely. First of all, NAP does not rely on DNS services to do the work so there are no issues there. Now as for DHCP, as I said earlier, NAP is designed to use several enforcement controls – DHCP is just one option for use! If the university is not using Microsoft DHCP services then they can use another of the enforcement controls to handle quarantine operations. This being said, I have to state once again that NAP is designed to be a "pluggable" architecture – we have over 60 vendors working on the NAP architecture to align their systems to work with NAP. If the university is using a non-Microsoft DHCP service and wishes to use DHCP as the enforcement control then there is no reason why that service provider cannot modify their DHCP ops to work with NAP. Microsoft has provided all of the APIs to allow that integration!
<Michael> Is there anything we can do for machines that use a static IP?
<Elliot> Absolutely – just use IPsec, 802.1x, VPN, Terminal Services, or a combination of all four to handle the quarantine control for the network!
Thanks very much to Elliot for his time and knowledge sharing. Network Access Protection is a good step towards intercepting student machines as they join the University network and checking to ensure they are not putting themselves and others at risk. For more information see the TechNet website on NAP. Comments welcome!
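To make the decision flow Elliot describes concrete, here is an added example that models it in Python. This is not Microsoft's NAP or NPS code, and every name in it (the `StatementOfHealth` fields, the `Policy` class, the `"quarantine"`/`"full_access"` outcomes) is an assumption chosen for illustration. It captures the points made in the interview: the network side decides, a client that presents no health credentials falls through to the non-NAP-aware policy (which defaults to quarantine, so "not running the script" means off the network), per-machine exemptions bypass evaluation, the Windows SHA checks are vendor-neutral (any AV, as long as it is present and current), and an enforcement set consisting of DHCP alone is the one combination a local administrator could sidestep with static addressing.

```python
"""Constructed model of NAP-style health evaluation as described in the interview.
Not Microsoft's NAP/NPS implementation; all names are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StatementOfHealth:
    """What the (assumed) Windows SHA reports, based on Security Center items."""
    av_installed: bool
    av_up_to_date: bool
    firewall_on: bool
    auto_updates_on: bool


@dataclass
class Policy:
    """Administrator choices on the (assumed) Network Policy Server."""
    require_av: bool = True
    require_firewall: bool = True
    require_auto_updates: bool = True
    # How clients with no health credentials (Mac, Linux, or a Windows box that
    # never ran the configuration script) are treated. Default is quarantine.
    non_nap_aware: str = "quarantine"
    # Per-machine exemptions; Elliot notes these are an administrative burden.
    exemptions: set = field(default_factory=set)


def evaluate(client_id: str, soh: Optional[StatementOfHealth], policy: Policy):
    """Return (decision, reasons). The decision is made here, on the network
    side; nothing the client asserts about itself grants access directly."""
    if client_id in policy.exemptions:
        return "full_access", ["exempt by administrator"]
    if soh is None:
        # No health credentials presented: fall through to the non-NAP-aware policy.
        return policy.non_nap_aware, ["no health credentials presented"]
    failures = []
    if policy.require_av and not (soh.av_installed and soh.av_up_to_date):
        failures.append("antivirus missing or out of date")  # any vendor accepted
    if policy.require_firewall and not soh.firewall_on:
        failures.append("Windows Firewall not running")
    if policy.require_auto_updates and not soh.auto_updates_on:
        failures.append("Automatic Updates not enabled")
    return ("full_access" if not failures else "quarantine"), failures


def dhcp_only(enforcements) -> bool:
    """True when DHCP is the sole enforcement control, the one case the interview
    says a local administrator could work around by plumbing a static address.
    Combining DHCP with IPsec, 802.1x, VPN or Terminal Services removes that gap."""
    return set(e.upper() for e in enforcements) == {"DHCP"}


if __name__ == "__main__":
    # Constructed sample clients for a quick walk-through.
    policy = Policy(exemptions={"printer-01"})
    healthy = StatementOfHealth(True, True, True, True)
    stale_av = StatementOfHealth(True, False, True, True)
    for cid, soh in [("vista-dorm-17", healthy), ("xp-dorm-04", stale_av),
                     ("macbook-22", None), ("printer-01", None)]:
        print(cid, evaluate(cid, soh, policy))
    print("DHCP alone bypassable:", dhcp_only(["dhcp"]))
    print("DHCP + IPsec bypassable:", dhcp_only(["dhcp", "ipsec"]))
```

The useful thing to notice is the `soh is None` branch: it is the administrator's `non_nap_aware` setting, not the client, that decides what happens to a machine with no health credentials, which is why letting Mac and Linux machines on does not open a path for a Vista client to dodge evaluation.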
I've seen the link to this site in a couple of blogs and even Email signatures. Wikipedia (I'm a fan) has a great series of articles on Vista including an overview and new features. I'm impressed! This is a great community effort to consolidate all the new information.
Link to Windows Vista - Wikipedia, the free encyclopedia
Tom Archer interviews Matt Ayers, PM for the ReadyBoost technology in Vista (think - USB to speed up your PC).
Nice unbiased article on ZDNet regarding a recent posting to a Mozilla dev newsgroup from the director of the Microsoft Open Source Labs. The letter was in regard to the Mozilla team utilizing the Microsoft Open Source Lab for testing and working on builds of Mozilla for Windows Vista. If you haven't already seen the Open Source Lab's blog, you should check it out as well. I recently attended a presentation from the guys who run the lab and it was quite impressive.
http://port25.technet.com/
Link to Microsoft offers helping hand to Firefox | Tech News on ZDNet
Just caught some interesting news – according to this post there will be no support in Vista for MSDE 1.0 or 2000. More on the SQL MSDN blog. Additional coverage here. IMHO this is a good thing!
So, I am planning a couple of additional Education FAQ write-ups. The next on my list is BitLocker; I just haven't done the work yet. I am also planning a write-up on deployment that is specific to Education. In the meantime, I found a great screencast by Keith Combs if you would like to see an overview of the imaging technologies. Very cool! Great CSS on his site.
Link to Keith Combs' Blahg : Windows Vista Imaging screencast
The third pillar of Microsoft's strategy in education is to support the digital lifestyle. Zune is on the way and will hopefully be attractive to students. Also, for gamers, there is now a site up announcing a joint project between Microsoft and Razer to develop a gaming mouse. I've been a fan of Razer products for a long time. Back when I was in college I used the original Razer Boomslang and it was awesome! Looking forward to the release of this new device (October 2006).
Link to Microsoft Habu™ - Coming Soon.
Interesting Press Release. Good to see some alignment going on with such a popular tool in Education.
Link to Microsoft and Facebook Team Up for Advertising Syndication: Combination of Microsoft’s and Facebook’s consumer assets provides potent offering for advertisers.