In this world concerned with consumerised IT where almost everyone is familiar with using a browser of some description and many are bombarded by messages about how “fast” the internet can be if you use browser X, it really is important to keep a clear idea of what matters most to your business. Without a doubt you need a browser that’s fast enough to use the modern web, renders web pages quickly and accurately and that enables the use of java script web-based applications that run as the designer intended.
It’s very important though to remember that whilst getting all this is fantastic you also have a responsibility to ensure the security and manageability of your browsing environment, at the same time as giving users the flexibility they need to do their jobs and keeping maintenance costs down. Browsers that are fast but follow sporadic update cycles present a risk where those updates aren’t managed within your deployment environment, which can lead to a patchy experience for users and a confusing and costly state for your helpdesk services.
Unfortunately not all browsers are created equally and some do better at things than others. IE9 however seems to be doing the best at most things at the moment. There might not be the buzz that exists around using browser X or Y but IE9 has far more to offer in the security and management space than most. Internet Explorer 9 has been noted by NSS Labs to perform better, far better, than any other browser when it comes to detecting and preventing socially engineered malware. To put things into perspective IE9 fails in just 3.2% of cases tested where other browsers fail to detect and prevent around the 86% numbers.
Good security starts with making sure that you don’t have too many open doors into your organisation and with making sure that those doors you do have open are selective enough to only let the right things through. Kind of like having a good security guard on the door. Lots of people suggest that having a service that puts good sites on an allow list and deny lists all others, or that deny lists bad sites and allows all others is enough protection. Hands down they’re wrong, that is only part of the story and you don’t have to look far to find a site that has been hacked, infected with malware and or redirected to a more salubrious destination. This includes high profile newspapers and even IT news outlets, and if they are on your white list and that’s all the protection you think you need then someone just found a hole in your security.
Security at depth
The truth is that you need layers of security in order to ensure you have a secure environment, because you need many levels of security to catch a risk should something penetrate one layer. Allow and block listing are a part of that but so is the ability to detect, highlight and prevent attacks that appear in a more dynamic, on-the-fly, approach. One of the approaches that’s essential to delivering that dynamism and ability to respond to known attacks is a powerful patching mechanism.
This is another of those areas where Internet Explorer 9 excels. Patching is built into the operating system and whilst some feel that patches are pain of management they are in fact a mechanism to respond to a threat and one that is easily managed. Under almost all circumstances Microsoft release patches on the 2nd Tuesday of the month (a.k.a. patch Tuesday) and for those who remember what life was like before patch Tuesday it’s a joy. Imagine the scenario where critical patches are released every other day. Keeping up with that cycle leads to an administrative overhead that takes you down the path of missing the odd update and missing the odd update can come at the cost of something bad happening. I know because I’ve replaced patch solutions in organisations where it has – much of which I had to hand crank with VBScript, but we won’t go there!
What baffles me is why any IT Pro would want to deploy patches on an irregular basis or just leave them to chance when they can be managed in a simple singular way. No other browser has the update capabilities of Internet Explorer and some are so lacking that entire version updates with changes in capabilities can be deployed without any prior understanding of those responsible for support, IT.
Group policy support built in, not bolted on
Management is of course something that we all need to keep an eye on in our estates and sometimes we find that something has to be changed. Sometimes a homepage URL needs changing en masse, sometimes we have to tweak security settings and again Internet Explorer is a tour-de-force in this area with over 1500 settings that can be controlled with Group Policy. The nearest competitor has a shiny 87 or so, which granted are generally good but don’t include the ability to stop the browser “phoning home”, whilst other solutions try to out-fox IT by requiring you to buy additional management software. This disregard for the unique nature of doing business is disappointing at best.
Of course management starts earlier than the on going use of a browser so we have to think about how we deploy the browser in the first place. For this and to enable some highly customised deployments with very flexible requirements we have the IEAK or Internet Explorer Administration Kit that enables the repacking of Internet Explorer for custom circumstances. You can, for example, bake in a set of configurations so that upon first install everyone gets the settings you intend – perfect in a consumerised environment – but as I’ve already written we need more flexibility. For that reason just about every setting that you can alter in the IEAK can be changed through group policy.
For XP users
If you aren’t yet migrated to Windows 7, and millions are, then you are probably running Windows XP. Here the best advice is to be running IE8 because Windows XP cannot support IE9. IE8 might not have all the HTML5 bells and whistles, ultimate speed, compatibility and shear beauty of IE9, it does allow you to do all the management I’ve mentioned above. But why would you want IE8 over IE6? Well the main reason is that IE6 is old. It was released 10 years ago and the web has changed dramatically in those 10 years. Sites we take for granted, Facebook, BBC iPlayer, YouTube and thousands more didn’t exist back then and what people expect to be able to do has moved on. There are still people stuck using IE6, especially in Government in the UK, but there are not really any solid technical reasons for doing so.
Migration to IE8 from IE6 is a smooth process now, it’s a well trodden path and we have ways to circumnavigate most compatibility issues – many for free. If you have a web application that requires IE6 the first thing is to see if it’s just a header issue, where the page stops itself rendering on anything other than IE6. Test the site in IE8 without such a header, get a user to see if everything works OK and test to see if one of the compatibility modes overcomes the issue. There is nothing wrong with using compatibility mode and, you’ll never guess, you can tell your whole estate to use a compatibility mode with a simple group policy setting, still at no additional cost.
Next you can try virtualisation, either with MED-V which is part of MDOP or with P2V for Software Assurance. These two options are going to cost you something if you don’t have Software Assurance in place but the cost is usually small (for example adding SA to a Windows Intune subscription is just 60p per PC per month). The final option is to use RD RemoteApp to provide a remote desktop connection to a browser running on a Windows XP VDI Virtual Machine, hosted in Windows Server 2008 R2 Remote Desktop services or with a product from Quest or Citrix. Here the costs rise dependant upon the complexity you need but it’s time to start weighing in the fact that when XP goes out of support so does IE – so no more patches.
Hopefully this has given you some food for though about your move to IE9, if you are on Windows 7 it’s a total no brainer. If you’re on XP you should think about moving to IE8 and also about getting off of Windows XP within a year.
For the full NSS labs report on socaially engineered malware just follow this link and to learn about deploying Windows 7 and Internet Explorer 9 go complete the relevant sections of the Deployment Learning Portal – you’ll probably find you’ll be rewarded instantly for doing so. Also take a look at these Top 9 reasons enterprises should deploy IE9.
There are plenty of people out there still using Windows XP, however many parts of the operating system have needed to be updated in order to keep things going. There have been three service packs released for Windows XP since it’s inception and those service packs add such critical functionality as WiFi, which wasn’t mainstream tech when Windows XP was released. It doesn’t end there - Windows XP shipped with Internet Explorer 6, which to give it it’s due has been a great browser. Whilst massively popular IE6 now requires huge amounts of work by web designers in order to keep their sites running on both it and other browsers. One thing everyone can agree on, it’s time to get a better browser.
There can be few people out there who believe that IE6 is better than modern equivalents like IE8 and IE9, the latter of which cannot be installed on computers running Windows XP because XP can’t support some of its more advanced features. Internet Explorer 8 then is where you need to be if you’re running Windows XP, IE6 doesn’t cut the mustard any longer. There are an increasing number of mainstream websites that have given up support for IE6 as modern browsers are far easier to support. However, there are still quite a few people who are yet to move off of Windows XP because of some requirement or another and although the number of organisations in this box is diminishing they still exist.
So why would you want to bring your browser more up to date with Internet Explorer 8 rather than an alternative? In a corporate environment deployment, management, control, trust and security are the top line reasons to select a browser in addition to it rendering sites well. Internet Explorer 8 has features that resolve issues in all of these areas that are unsurpassed by any other browser, except of course for IE9.
Deployment of Internet Explorer 8 can be as customised as you want it to be, so if you want to setup a specific home page, RSS feed, group of favourites, proxy server or changes to browser security then you can do that. To enable the building of an installation package you need to look to the Internet Explorer Administration Kit. This kit takes you through building a custom installation so as soon as the installation completes all your configuration requirements are set on the PC. This is great when you need an environment that can be replayed over and over to provide consistency – it also doesn’t have any requirements on 3rd party software or setting config requirements using a simple text file.
When you want ongoing management of IE8 you need to be looking to group policy. Group Policy can be used for deployment as can software distribution systems like System Center Config Manager, Windows Intune, SMS or any other deployment software capable or deploying MSI files.
On going management of Internet Explorer is best achieved using Group Policy as the configuration options are made on the PC every time the user or computer logs on. This means that once it’s deployed you can make any alterations you need by changing the GPO. So, should you need to change homepage you just change the GPO, should you need to block a specific plugin, you can do so in the GPO.
There are over 1500 settings that can be managed for IE8 with Group Policy which on the surface might sound complicated, but you only need to pick and choose what you use. It’s a bit like having every tool in the toolbox available to you, one of those big red racks on wheels you see in professional garages. In contrast some other browsers require you to use 3rd party software that’s not made by the same people as the browser and can be a step behind – a little like buying a special set of tools for a very general job. The 3rd party software is needed mainly because some browsers need to be managed using text files and anyone who’s ever done some version control will know what a pain that is. Another browser has some shiny settings that you can set with group policy but you soon realise that there are tools missing from their toolbox – a little like buying a full tool kit and realising they didn’t include a spanner!
Managing a browser isn’t just about managing a bunch of setting though, it’s also about managing the life of the browser. Inevitably there will be updates as patches to secure against vulnerabilities are released. Internet Explorer manages this using Windows Update which, therefore, delivers updates on a known time scale – Patch Tuesday – and using a known mechanism. So if you have WSUS deployed patches are deployed to your clients using this and you have control. Without a good infrastructure to manage these updates other browsers struggle, which is why you’ll often find a fix popping up and asking a user if it’s ok to install it in some other browsers. If they decline, no patch, so the vulnerability persists.
Management and Control are baked right in and work in almost the same way as IE6, but also allow you to manage compatibility. Say you have an internal site that you know needs to run in IE7 mode, well that’s fine. You can just set that using Group Policy and all your clients will use the IE7 rendering engine to do the work, compatibility delivered centrally and controllably.
Security and Trust
Internet Explorer 8 delivers some fantastic improvements over IE6 and in addition to the above delivery mechanism for security patches we also have built in Phishing protection. Phishing, if you aren’t aware, is an attack whereby someone pops up a website claiming to be a site the user should trust and asks (Phishes) for information. IE8 has inbuilt protection to highlight the risk to end users and helps them to avoid the attack. Of course there are other types of attack too, so IE8 warns your users if a site contains malware. These settings for SmartScreen filter are all configurable through Group Policy as well, ensuring you remain in control.
For some useful information on deploying IE8 take a look at the TechNet library.
This one-day online conference features a range of sessions specially tailored for IT Pros and covering the big challenges for the year ahead.
Join Microsoft experts plus professionals from IT departments around the UK to discuss topics such as how we will embrace the influx of consumer devices into the workplace; the new features available through SQL Server Denali; and how Windows Azure can help you make sense of your Cloud offering. I’m really excited by this conference as we’re going to be using some great Microsoft Valued Professionals and some of our UK technical community who are really on the tools to share their experience.
The conference will be presented through LiveMeeting, and throughout the sessions you’ll be able to interact and pose your questions on the topics.
Date & Time – 27 October 2011, 09:00-16:00
Registration & Detailed Agenda - WWE
Further Information – TechNet Blog
A few weeks ago I was in a Telegraph supplement talking about cloud. Here’s the online version of the article on the Telegraph (UK national newspaper) website.
Windows Azure has now been around long enough to be a mature platform for building services on and as such IT Professionals are being asked to look at the service. Of course IT Pros are looking for slightly different things from a platform than others. We’re concerned with how things work, the up time, the resilience and with monitoring and troubleshooting. Lets take a look at the current state of play with the platform, walking through some of the basics and explaining some concepts.
Windows Azure is built from the ground up to be consumed as a service and as a platform with the intention that you don’t need to over engineer or spend too much time on some of the nitty gritty parts of traditional deployments. For example if I were planning and designing a service 5 or 6 years ago I’d have to think about some basics like patching the OS or building in capacity for a disaster recovery or preproduction. Those concerns have somewhat gone away with Windows Azure; because of it’s utility nature you can have as much capacity as you need, when you need it. We patch the Operating System (for the most part) and have built in resilience.
As a result when you think about your architecture it’s far more simplistic, you only need to think about how you want the service to run – what the final service is like. Also, you won’t always need to incur the cost of running your preproduction and disaster recovery environments, unless you’re using them of course, and because they’re not a sunk cost in the hardware it will probably be more cost effective.
So what are the parts and how do they fit together? First and foremost, you don’t have to use any of the following components together, you can take what you need and just use that.
Within Windows Azure we can broadly provide services by creating an instance of one of three roles. The first - Web role, is an IIS web server that’s normally used for hosting a front-end web application which can be built in ASP.net, PHP and a few other languages. The second is the Worker role which allows you to run any custom code on the server and is often used to provide the back end functionality of a web application. The web role is just like a Windows Server running a custom service or application that you might deploy on premises, however commonly it’s an application that has been developed specifically for Windows Azure.
These two roles are delivered to you when you request them, you don’t have to provide a custom build or hard drive – in fact you can’t – and as such they are very easy to support, quick to provision and provide a stable, you-know-what-you’re-getting approach. All that’s required to use these roles is a few clicks, the provision of a package file containing the custom code to run and a configuration file that describes the architecture of the service you’re running.
The third role type is very interesting and highly flexible, but also more limited. The VM role is a custom VHD that you build on premises using Hyper-V server and Windows Server 2008 R2, and as such you can put whatever you like into that image. It’s perfect for deployments where you need to deliver something complicated, like a special bit of software that has an installer that needs lots of clicks. There are some limitations to this flexibility though, firstly it’s stateless. Stateless means that you loose changes between reboots, every time you reboot your VM role instance the first thing it will do is come out of sysprep. This is actually not just a limitation of the VM role, it does in fact affect all instances. However the only place you’re likely to come across that issue is with a VM role, as with the other roles the developers will have built an application that doesn’t have a life-span. A good example is that for this statelessness reason you can’t host a SharePoint site or a Domain controller in Windows Azure.
The second limitation of the VM role is upload time – typically when you’ve built your VHD it’ll be about 30gb and that can take quite a time to upload. I once left a VHD uploading for 3 days. The good thing is that you can test that it’ll work before you upload it and that Windows Azure will be able to host it. Provisioning time can be longer too with the VM role because there’s more custom stuff to do, so when you want to spin up more instances that’s something to think about.
So we have 3 types of roles, but how many of those roles can you have, surely not just one? That’s right you can have many of instances of a role.
If you were going to think of a parallel between instances and traditional, on-prem deployment models an instance would be a server. Actually each instance is a virtual machine within Windows Azure, some of the resources will be shared by many Virtual Machines on the same physical server and some will be dedicated to a particular Virtual Machine. For example an Extra Small Virtual Machine uses shared CPU (just like most hyper visors do on premises, by default) but the other instances have dedicated CPUs. But what does this mean? It means that, for example, a 16 core physical server could host 2 extra Large instances and or 16 small instances. Of course none of this matters to you because you do not care about the physical hardware – that’s the bit we take care of. The following table shows you the differences between the different sizes of instances.
So we have some instances of some roles that can provide some type of service which is excellent, but the next piece of the puzzle that needs to be completed is storage. Obviously you’ll see from the table above that instances have their own storage, but since instances are stateless where does that leave that storage? The answer is that anything that is saved within the instances internal storage may not persist between reboots because the instances themselves are stateless. To overcome this issue we have three different types of storage that do not form part of an instance or role but are a totally separate entity within the service. If you wanted a parallel to an on-prem type of deployment this could be an area of shared storage like a network drive.
There three types of Windows Azure Storage that are optimised to help you achieve different things. The first is a binary large object or a BLOB. BLOB storage can contain anything you like, it could be pictures, music, data files anything you want to put in there. A clever feature of Windows Azure Storage is Windows Azure Drive which allows a page of BLOB storage to be loaded as a VHD file and therefore allows a VHD to be mounted into a Virtual Machine.
Tables are a far more efficient way to deal with large amounts of data that needs some structure, like a list of names and address for example, however unlike a table as you would find in SQL the tables need not be uniform. For example the first line of a table could contain name and address data, the second could contain the number of fish in a bowl. Obviously that example would make the information less useful but it provides lots of flexibility and the idea of rules can be custom built within an application.
Queues are used for communication and are just what they seem, drop on a message and lift it off. They’re very useful for communication between roles and ensure that messages always get delivered.
A very cool element of Windows Azure Storage that has just been introduced is that BLOBs and tables are now replicated between data centres within a region automatically, so in the result of Data Center failure another copy exists within the region. For those concerned by this for Europe that means between Dublin and Amsterdam. The second very cool element is that the data is replicated three times so should a single disk fail or the infrastructure housing the disk (the rack, power supply, etc.) fail there are other copies available. This level of fault tolerance would be very costly to implement on-prem.
Finally, to help improve the performance of your data delivery with an application living in Windows Azure we provide a Content Delivery Network (CDN) which, when enabled, distributes your data to a data centre local to the users accessing your service. So for example if your service is hosted in Europe and you have CDN enabled and a customer in Singapore access data, then a copy of the data is temporarily located near Singapore. When the time out for the data expires the data is removed from the region. The timeout is obviously controllable.
Windows Azure allows you to integrate your application into your organisations Active Directory using ADFS 2.0. This provides you with a secure way to control access based on the same credentials that facilitate logon to your users computers and to much of your on-prem infrastructure, including file shares and other access users take for granted. Deploying this type of authentication helps people to use applications seamlessly but also helps you manage their access. Providing someone with access to a Windows Azure application can be as simple as making them a member of a group in Active Directory.
In addition you can control access using a variety of web providers like Windows Live ID, Google, Yahoo! and Facebook, which are especially useful for publicly accessible services.
Monitoring and troubleshooting
Now we have all the puzzle pieces in place lets think about how we do some of our traditional IT stuff with those roles.
Lets say you want to understand what’s going on in a Windows Azure service that you’ve deployed – something you’ll likely be asked to do if you’ve got any service management ethos in place – how do we do that? Well the first thing to understand is that the roles are just servers running a modified but familiar OS – Windows Server – and second that instances of roles are stateless and changes don’t persist between reboots, which means nor do logs, troubleshooting information or minor changes.
That changes what you need to do to monitor and troubleshoot somewhat. Firstly logs need to be shipped off site to BLOB storage regularly, but not excessively, because storing too much information will start to cost you some money – this is utility computing after all. So with logs you need to ensure that the roles are configured to save just enough information for your needs.
From within the Windows Azure web portal you can launch RDP sessions to your instances running in Windows Azure which, again, requires some up front configuration and the provision of a security certificate as part of specifying the service. From this RDP session there is much you can do but many things that you can’t. You can see Task Manager, view the event log etc. but you can’t fix something. For example, say you have an errant registry entry which is causing an application problem, you edit it, fix it and all is well. Then the instance is rebooted and reporovisioned and your registry change is lost forever. All changes that you want to make that persist to your web and worker roles need to be made as a change to the application package, for the VM role you can also make the changes required to your VHD and re-upload it.
How do we do some more integrated monitoring then? That’s where the Windows Azure Monitoring Pack for System Center Operations Manager 2007 steps in. With this pack you can monitor your Windows Azure service just as you would anything else within SCOM with the ability to create alerts etc. Of course if you’re building a service that is business critical it’s unlikely that you’ve built a service where every aspect is based in Windows Azure. So with SCOM you can monitor your service end to end, building alerts to notify you if say, the Internet connection that joins up your on-prem database service to the Azure Service has a wobble.
Trying it out
Now that we’ve covered some of the basics you’re probably thinking about trying some of this stuff out. The easiest way is with this Azure Monitoring Evaluation which will give you a System Center Operations Manager and Active Directory environment along with a Windows Azure application to deploy, monitor and play with.
Windows Azure is now incredibly deep so you’ll want to learn more including the depths of how CDN works, how caching works, how PKI enables Windows Azures security model and critically how SQL Azure can allow you to place structured data into the cloud.