I’ve just come off of a really interesting call and this question is floating around in my head. I think I know the answers, but please get in touch in the comments, it’s a chance to get involved with shaping how we think about Azure and the IT Pro.
The top 10 things I’ve heard are:
So I’m really interested as to what you think, if it’s one of the above reasons or something else let me know, I’m going to be interviewing two of the Azure General Managers over the coming weeks and I can put concerns to them an get answers.
There are basically three basic aspects to securing your Windows 7 desktop, all are possible for free to home users and small businesses and with market leading technologies. In this post I’ll discuss how to work with these basic component and how some of those same technologies can be scaled for big business too. The technologies we’ll take a look at are: Anti-Malware (Antivirus, spyware, adware and phishing) courtesy of Microsoft Security Essentials and Forefront, Windows Firewall and Windows Update.
Lets start with Microsoft Security Essentials which as of 7th October is free for small businesses (small is less than 10 PCs). Lets just hold on that for a moment. Just over a year ago Microsoft had no free anti-malware option for home users, now we have a product that gained huge respect in that space and has been expanded to small businesses. What people like most about the software is that it follows an almost “Install and forget” model, only really letting you know it exists when you need to take some action. The quality of the protection is really high too in fact it uses the same signatures as our Forefront protection engine that big businesses use.
So what is the experience like? Lets take a look at the user experience first. After MSE is installed the latest definitions (the details about how to match viruses) are downloaded and a scan of the computer is undertaken to establish that everything is ok.
When a virus is found, in this case it’s just a test virus, the user gets a message pop up letting them know that’s something's been found.
Clicking Show details gives them all the info they need to make an informed decision and it’s a simple case of clicking Clean computer to remove the infection
All the red and green colouring on the messages and dialogues mean that there’s no confusion as to there being a problem that needs some type of action.
As MSE isn't intended for larger install bases it doesn’t have the capabilities, such as centralised alerting and policy, that commercial products do. Instead the focus is on making the users journey easier to understand. That said we have some great alternatives to that do scale really well. When it is released Windows Intune will be one of those products and it focuses very neatly on providing that control whilst still maintaining the ease of use that consumers are used to.
Right now though businesses over 10 users will want to go for something like Forefront Client Security that allows a more granular level of customisation and alerting. Forefront Endpoint Protection 2010 is the next version of our enterprise level client offering however that’s currently in Beta but available for download.
Taking a quick look through Forefront is a tough thing to do because essentially there are lots of components that you need to pick up for your enterprise. There is however a great learning resource for it on TechNet.
Andrew has summed it all up expertly with a video:
Windows Firewall in Windows 7 can alter the level of restriction around what can be accessed network wise depending up on the network you’re currently connected to. For example at home you can have the ability to share and stream music to other computers in the home enabled, at work you can have that same access disabled and in public places you can ensure that all the sharing features of Windows 7 are disabled.
Most consumers come across this when they connect to WiFi in a new location and they receive a pop up asking them to classify the type of the location they just connected to. It’s very good to get you users into the habit of classifying correctly to help them protect themselves.
Windows Firewall can be configured for enterprise use using group policy and with that you can control specific applications to be allowed through the firewall, specific applications and ports to be blocked to prevent them accessing the network and what happens in each of the profiles.
Patching is one of those things that you just have to take care of if you don’t it's like allowing a whole to form in the wall of your house without taking care of it, one day someone is going to try to get in through the hole or at least they might try to take a peak. Most IT Professionals who manage Windows are used to the regular and predictable patch Tuesday model that Microsoft have employed for years. One of the great bits of feedback that we get about this is that it’s got the high level of predictability that allows you to plan around the rhythm of releasing patches at the same point in time, wouldn’t it make life easier if everyone followed the same rhythm?
There are again lots of ways for you to manage patching in your environment. If you have a small business of 10 or so machines you’ll probably find it easiest to just have Windows automatically pull updates from Windows Update (which by the way is a massive Microsoft cloud that regularly handles millions of update requests totally seamlessly). If you’re larger or you have very limited bandwidth available you’ll want to think about deploying Windows Software Update Services.
WSUS looks at Microsoft's Windows Update servers and watches for new updates to be released, when they are they’re downloaded to the WSUS server. WSUS essentially replaces the public Windows Update servers as far as the clients are concerned. Because WSUS comes within the control of your network you can control which updates are made available to your clients, so if you should have a particular update that you know breaks your line of business (LOB) apps you can hold off on installing it until you’ve had time to fix the LOB app. WSUS also allows you to test updates to avoid any problem with your LOB apps by grouping your clients, that way you can test new patches on a group of typical machines before rolling a patch to your entire estate and potentially hitting any repercussions from incompatibilities.
You need to do quite a bit of planning to implement WSUS optimally but the guide makes lots of sense. WSUS can be seen as a core part of a Windows infrastructure and it not only controls updates for Windows but it’s leveraged by other services. For example Forefront Client Security uses the WSUS service to manage updates.
To step up the management a level then System Center Essentials 2010 or the full System Center are needed to provider more granular and device specific management.
Of course all of this is just a part of deploying your Windows 7 Optimized Desktop and Springboard has some stunning resources for you there.
I created this presentation for a briefing session that I did recently and I didn’t get to run through the whole thing. So I thought I’d share it and do so by showing off a new and cool feature of Office Web Apps: the ability to embed a slide show from your SkyDrive in a web page. The question is, what’s the presentation for? Respond in the comments and the first correct answer will win a copy of the Windows 7 Administrators Pocket Consultant.
If you’re viewing this through an RSS reader you might need to go to my site to see this in all it’s Lego glory. If you want to know how to do this take a look at the simple instructions to embed PowerPoint. Obviously you get the best results by sharing Office 2010 PowerPoint docs.
I just came across this interesting video about how to migrate mailboxes to BPOS using PowerShell saving you time of having to go through the web interface each time. If you’re doing a bulk migration this is a very efficient way of doing it.
The video is really well done and walks you through, explaining it brilliantly step by step.
Virtual Machines are excellent routes to testing and are an integral part of building a private cloud. What happens though when patches are released and you have virtual machines that haven’t been online for a while? Well there are options and a new, or rather updated one is the Virtual Machine Servicing Tool 3.0. The tool not only does servicing of virtual machines, but I think the killer feature for anyone building a private cloud is the ability to schedule servicing.
Download the Virtual Machine Servicing Tool and read the abstract about what it can do.