One of the questions that I often get into when talking with folks who normally have a dev head on around Windows Azure is why you’d want to be able to monitor a Windows Azure application with System Center and why you wouldn’t just build a bespoke monitoring solution since you’re building an application already. The answer is actually a very obvious one: to integrate with existing systems. Anyone with an ounce of IT operational background or ITIL training will tell you that you rightly need to centralise monitoring and ultimately to simplify it. The first obvious reason why you’d do that is to save money but there’s a second reason:
That amazing application probably isn’t running in isolation.
You’ll find that it requires other components like network connectivity (yes even in the cloud) to be in place and available – particularly if you’re running in a hybrid environment. A holistic management solution, such as System Center, will help you to achieve an overall view of what’s going on and of all the dependencies on various components of the system.
Interestingly we’ve just moved such a system to Windows Azure, along with the required monitoring and documented the whole process with a case study of moving a Business Critical application to Windows Azure. The article is well worth a read for anyone thinking about moving an application to the cloud but the following stuck out for me as benefits:
Accuracy and timeliness are so important in IT Operations it’s untrue but that second benefit around reusability is also so important. Not only will you have developed a reusable system monitoring Windows Azure applications but you’ll also have reusable skills.
How do you get started? Well you could just download this little package of 2 ready made evaluation VHDs and play with a pre-built Windows Azure application. I have, and it really doesn’t take long to get to grips with.
A few weeks ago I was in a Telegraph supplement talking about cloud. Here’s the online version of the article on the Telegraph (UK national newspaper) website.
This one-day online conference features a range of sessions specially tailored for IT Pros and covering the big challenges for the year ahead.
Join Microsoft experts plus professionals from IT departments around the UK to discuss topics such as how we will embrace the influx of consumer devices into the workplace; the new features available through SQL Server Denali; and how Windows Azure can help you make sense of your Cloud offering. I’m really excited by this conference as we’re going to be using some great Microsoft Valued Professionals and some of our UK technical community who are really on the tools to share their experience.
The conference will be presented through LiveMeeting, and throughout the sessions you’ll be able to interact and pose your questions on the topics.
Date & Time – 27 October 2011, 09:00-16:00
Registration & Detailed Agenda - WWE
Further Information – TechNet Blog
There are plenty of people out there still using Windows XP, however many parts of the operating system have needed to be updated in order to keep things going. There have been three service packs released for Windows XP since its inception and those service packs add such critical functionality as WiFi, which wasn’t mainstream tech when Windows XP was released. It doesn’t end there - Windows XP shipped with Internet Explorer 6, which to give it its due has been a great browser. Whilst massively popular, IE6 now requires huge amounts of work by web designers in order to keep their sites running on both it and other browsers. One thing everyone can agree on: it’s time to get a better browser.
There can be few people out there who believe that IE6 is better than modern equivalents like IE8 and IE9, the latter of which cannot be installed on computers running Windows XP because XP can’t support some of its more advanced features. Internet Explorer 8 then is where you need to be if you’re running Windows XP, IE6 doesn’t cut the mustard any longer. There are an increasing number of mainstream websites that have given up support for IE6 as modern browsers are far easier to support. However, there are still quite a few people who are yet to move off of Windows XP because of some requirement or another and although the number of organisations in this box is diminishing they still exist.
So why would you want to bring your browser more up to date with Internet Explorer 8 rather than an alternative? In a corporate environment deployment, management, control, trust and security are the top line reasons to select a browser in addition to it rendering sites well. Internet Explorer 8 has features that resolve issues in all of these areas that are unsurpassed by any other browser, except of course for IE9.
Deployment of Internet Explorer 8 can be as customised as you want it to be, so if you want to set up a specific home page, RSS feed, group of favourites, proxy server or changes to browser security then you can do that. To enable the building of an installation package you need to look to the Internet Explorer Administration Kit. This kit takes you through building a custom installation so as soon as the installation completes all your configuration requirements are set on the PC. This is great when you need an environment that can be replayed over and over to provide consistency – it also doesn’t depend on 3rd party software or on setting configuration through a simple text file.
When you want ongoing management of IE8 you need to be looking to group policy. Group Policy can be used for deployment as can software distribution systems like System Center Config Manager, Windows Intune, SMS or any other deployment software capable of deploying MSI files.
Ongoing management of Internet Explorer is best achieved using Group Policy as the configuration options are made on the PC every time the user or computer logs on. This means that once it’s deployed you can make any alterations you need by changing the GPO. So, should you need to change the homepage you just change the GPO; should you need to block a specific plugin, you can do so in the GPO.
There are over 1500 settings that can be managed for IE8 with Group Policy which on the surface might sound complicated, but you only need to pick and choose what you use. It’s a bit like having every tool in the toolbox available to you, one of those big red racks on wheels you see in professional garages. In contrast some other browsers require you to use 3rd party software that’s not made by the same people as the browser and can be a step behind – a little like buying a special set of tools for a very general job. The 3rd party software is needed mainly because some browsers need to be managed using text files and anyone who’s ever done some version control will know what a pain that is. Another browser has some shiny settings that you can set with group policy but you soon realise that there are tools missing from their toolbox – a little like buying a full tool kit and realising they didn’t include a spanner!
Managing a browser isn’t just about managing a bunch of settings though, it’s also about managing the life of the browser. Inevitably there will be updates as patches to secure against vulnerabilities are released. Internet Explorer manages this using Windows Update which, therefore, delivers updates on a known time scale – Patch Tuesday – and using a known mechanism. So if you have WSUS deployed, patches are deployed to your clients using this and you have control. Without a good infrastructure to manage these updates other browsers struggle, which is why you’ll often find a fix popping up and asking a user if it’s ok to install it in some other browsers. If they decline, no patch, so the vulnerability persists.
Management and Control are baked right in and work in almost the same way as IE6, but also allow you to manage compatibility. Say you have an internal site that you know needs to run in IE7 mode, well that’s fine. You can just set that using Group Policy and all your clients will use the IE7 rendering engine to do the work, compatibility delivered centrally and controllably.
Security and Trust
Internet Explorer 8 delivers some fantastic improvements over IE6 and in addition to the above delivery mechanism for security patches we also have built in Phishing protection. Phishing, if you aren’t aware, is an attack whereby someone pops up a website claiming to be a site the user should trust and asks (Phishes) for information. IE8 has inbuilt protection to highlight the risk to end users and helps them to avoid the attack. Of course there are other types of attack too, so IE8 warns your users if a site contains malware. These settings for SmartScreen filter are all configurable through Group Policy as well, ensuring you remain in control.
For some useful information on deploying IE8 take a look at the TechNet library.
In this world concerned with consumerised IT where almost everyone is familiar with using a browser of some description and many are bombarded by messages about how “fast” the internet can be if you use browser X, it really is important to keep a clear idea of what matters most to your business. Without a doubt you need a browser that’s fast enough to use the modern web, renders web pages quickly and accurately and that enables the use of JavaScript web-based applications that run as the designer intended.
It’s very important though to remember that whilst getting all this is fantastic you also have a responsibility to ensure the security and manageability of your browsing environment, at the same time as giving users the flexibility they need to do their jobs and keeping maintenance costs down. Browsers that are fast but follow sporadic update cycles present a risk where those updates aren’t managed within your deployment environment, which can lead to a patchy experience for users and a confusing and costly state for your helpdesk services.
Unfortunately not all browsers are created equally and some do better at things than others. IE9 however seems to be doing the best at most things at the moment. There might not be the buzz that exists around using browser X or Y but IE9 has far more to offer in the security and management space than most. Internet Explorer 9 has been noted by NSS Labs to perform better, far better, than any other browser when it comes to detecting and preventing socially engineered malware. To put things into perspective IE9 fails in just 3.2% of cases tested where other browsers fail to detect and prevent in around 86% of cases.
Good security starts with making sure that you don’t have too many open doors into your organisation and with making sure that those doors you do have open are selective enough to only let the right things through. Kind of like having a good security guard on the door. Lots of people suggest that having a service that puts good sites on an allow list and deny lists all others, or that deny lists bad sites and allows all others, is enough protection. Hands down they’re wrong: that is only part of the story and you don’t have to look far to find a site that has been hacked, infected with malware and/or redirected to a less salubrious destination. This includes high profile newspapers and even IT news outlets, and if they are on your allow list and that’s all the protection you think you need then someone just found a hole in your security.
Security at depth
The truth is that you need layers of security in order to ensure you have a secure environment, because you need many levels of security to catch a risk should something penetrate one layer. Allow and block listing are a part of that but so is the ability to detect, highlight and prevent attacks that appear in a more dynamic, on-the-fly, approach. One of the approaches that’s essential to delivering that dynamism and ability to respond to known attacks is a powerful patching mechanism.
This is another of those areas where Internet Explorer 9 excels. Patching is built into the operating system and whilst some feel that patches are a pain to manage they are in fact a mechanism to respond to a threat and one that is easily managed. Under almost all circumstances Microsoft release patches on the 2nd Tuesday of the month (a.k.a. patch Tuesday) and for those who remember what life was like before patch Tuesday it’s a joy. Imagine the scenario where critical patches are released every other day. Keeping up with that cycle leads to an administrative overhead that takes you down the path of missing the odd update, and missing the odd update can come at the cost of something bad happening. I know because I’ve replaced patch solutions in organisations where it has – much of which I had to hand crank with VBScript, but we won’t go there!
What baffles me is why any IT Pro would want to deploy patches on an irregular basis or just leave them to chance when they can be managed in a simple singular way. No other browser has the update capabilities of Internet Explorer and some are so lacking that entire version updates with changes in capabilities can be deployed without any prior knowledge on the part of those responsible for support: IT.
Group policy support built in, not bolted on
Management is of course something that we all need to keep an eye on in our estates and sometimes we find that something has to be changed. Sometimes a homepage URL needs changing en masse, sometimes we have to tweak security settings and again Internet Explorer is a tour-de-force in this area with over 1500 settings that can be controlled with Group Policy. The nearest competitor has a shiny 87 or so, which granted are generally good but don’t include the ability to stop the browser “phoning home”, whilst other solutions try to out-fox IT by requiring you to buy additional management software. This disregard for the unique nature of doing business is disappointing at best.
Of course management starts earlier than the ongoing use of a browser so we have to think about how we deploy the browser in the first place. For this and to enable some highly customised deployments with very flexible requirements we have the IEAK or Internet Explorer Administration Kit that enables the repacking of Internet Explorer for custom circumstances. You can, for example, bake in a set of configurations so that upon first install everyone gets the settings you intend – perfect in a consumerised environment – but as I’ve already written we need more flexibility. For that reason just about every setting that you can alter in the IEAK can be changed through group policy.
For XP users
If you haven’t yet migrated to Windows 7, and millions have, then you are probably running Windows XP. Here the best advice is to be running IE8 because Windows XP cannot support IE9. IE8 might not have all the HTML5 bells and whistles, ultimate speed, compatibility and sheer beauty of IE9, but it does allow you to do all the management I’ve mentioned above. But why would you want IE8 over IE6? Well the main reason is that IE6 is old. It was released 10 years ago and the web has changed dramatically in those 10 years. Sites we take for granted, Facebook, BBC iPlayer, YouTube and thousands more didn’t exist back then and what people expect to be able to do has moved on. There are still people stuck using IE6, especially in Government in the UK, but there are not really any solid technical reasons for doing so.
Migration to IE8 from IE6 is a smooth process now, it’s a well trodden path and we have ways to circumnavigate most compatibility issues – many for free. If you have a web application that requires IE6 the first thing is to see if it’s just a header issue, where the page stops itself rendering on anything other than IE6. Test the site in IE8 without such a header, get a user to see if everything works OK and test to see if one of the compatibility modes overcomes the issue. There is nothing wrong with using compatibility mode and, you’ll never guess, you can tell your whole estate to use a compatibility mode with a simple group policy setting, still at no additional cost.
Next you can try virtualisation, either with MED-V which is part of MDOP or with P2V for Software Assurance. These two options are going to cost you something if you don’t have Software Assurance in place but the cost is usually small (for example adding SA to a Windows Intune subscription is just 60p per PC per month). The final option is to use RD RemoteApp to provide a remote desktop connection to a browser running on a Windows XP VDI Virtual Machine, hosted in Windows Server 2008 R2 Remote Desktop services or with a product from Quest or Citrix. Here the costs rise dependent upon the complexity you need but it’s time to start weighing in the fact that when XP goes out of support so does IE – so no more patches.
Hopefully this has given you some food for thought about your move to IE9. If you are on Windows 7 it’s a total no brainer. If you’re on XP you should think about moving to IE8 and also about getting off of Windows XP within a year.
For the full NSS Labs report on socially engineered malware just follow this link and to learn about deploying Windows 7 and Internet Explorer 9 go complete the relevant sections of the Deployment Learning Portal – you’ll probably find you’ll be rewarded instantly for doing so. Also take a look at these Top 9 reasons enterprises should deploy IE9.