September 2003
Security Roles, Uniting Technology and Controlling Windows Remotely
Remote Control
Don Jones’ July article, “Windows Management from Afar,” gave a great overview of the new technology in Windows Server 2003. I’m wondering where I can find the Remote Desktop Console snap-in, so I can install it on my workstation.
—David Loor, MCSE
Los Angeles, California
Hi, David. It’s located in AdminPak.msi, which you can find on any Windows Server 2003 CD.
—Don Jones
I’m the IT manager for the City of Lafayette in Colorado, and we’re in the process of installing Windows 2003 Enterprise as our standard desktop operating system. We currently have about 100 staff members on terminal server. These users are in public works engineering, finance, courts, parks and recreation, the waste water plant, the water treatment plant, and the service center. And we’ll soon be adding about 50 users from the police department. In addition, we’ll then add our library staff and public computers to terminal server.
Our network consists of a Windows 2000 domain with 20 Windows NT/2000 servers, about 200 computers and 25 laptops. This is spread over 10 different sites and nine different departments. In 2001, we were replacing 25 percent of our desktops each year. Our desktop rotation cycle was 37 percent of the total IS budget.
In 2001 we considered a thin-client environment. We researched the technology, and Windows 2000 terminal server was our best choice, due to the low cost of implementation and the fact that we wouldn’t need to rotate our desktops any longer.
We’ve already seen some benefit from our terminal server implementation. In 2002, we took the same dollar figure that had gone to our desktop rotation and purchased our terminal servers. In 2003, we purchased Office XP and other software updates with the dollars that we would have spent on desktop hardware. As we rolled out terminal server, we also rolled out the latest software that we could. Without implementing terminal server, we never would have been able to consider purchasing upgrade software like Office XP.
We’re also taking advantage of the “Remote Control” desktop in Terminal Server Manager. We’ve hired an application support specialist, who supports all staff remotely. We can respond to more staff requests instantly, rather than having to set up an appointment. This has greatly reduced the number of visits to each desktop to support the applications.
We’ve had some challenges as we implemented Windows 2003 terminal server, however. One challenge was to get the whole staff on the same version of software. This required us to open up communications with all departments to do our software inventory. We also needed to find a way to manage our software licenses. We accomplished this through KeyServer from Sassafras. And the biggest challenge was to balance the security of terminal services with the needs of the end users. We did that through Active Directory and Group Policy Objects.
The City of Lafayette has set Windows 2003 Terminal Server as our standard desktop for our staff. In fact, instead of replacing or adding any computers, we plan on installing a true thin-client piece of hardware. These hardware costs are much lower than desktop hardware.
—Dennis Marquardt, MCSE
Lafayette, Colorado
The article on remote connectivity missed the best feature of all. No, not the Time Zone remapping (though that is great) but the console mode—MSTSC /console. The MSTSC Help and Support topic incorrectly states that you can use the /console switch to connect to the console session (session 0) of a specified Windows 2000 Server (mstsc.exe is the Remote Desktop Connection client, earlier known as TS Client). You can’t use the /console switch to connect to the console session of a Windows 2000 Server-based computer. However, you can use the /console switch to connect to the console session of an XP Professional or Windows 2003 computer.
I’m working on a system right now that I’ll have to support in Russia long distance from Alabama. Connecting directly to the console will be perfect when or if they get an error on screen.
Because you can connect twice with Remote Desktop and once with Console at the same time, the numbers for 2003 were off. You can have three connections at a time.
—Rodney R. Fournier, MCSA, MCSE +Internet, MCT
Huntsville, Alabama
What a great article on Windows Server 2003 remote administration! One additional feature that wasn’t mentioned is the ability to use the Remote Desktop Connection to connect to the Console on a Windows 2003 server (Knowledge Base article 309375). This has been one of my biggest complaints on the earlier version of TS Admin.
—Roger Prestine, MCSE
Milwaukee, Wisconsin
You’re absolutely right, and a number of folks spoke up to point that one out! I’m actually planning to talk about the new console connection—and some other new RDP features—in an upcoming “Tips and Tricks” column. Thanks for the heads up!
—Don Jones
Security Roles
Regarding Dian Schaffhauser’s “Editor’s Desk” column, “A Simple Plan,” I spent a lot of time and effort on the Security+ exam. A lot of industry people respect it as a benchmark for entry-level security. The kind of statement Andy Barkl made about the exam disparages a certification many have worked hard to obtain.
Think about the employers who get this magazine. Somebody who’s hiring might read the article and Barkl’s quote a day before reviewing a résumé for a job candidate who lists the Security+ designation. And, based on that one opinion, he might toss the candidate’s résumé to the side. Meanwhile, that candidate probably has two to three years of experience and spent the last four months studying to hone his or her skills for such a test.
—James Bohling, MCP, Security+, CCNA
Chesapeake, Virginia
I understood the reasoning behind the “+ Internet” designation, as well as “+Site Building”—if you had the skills from the TCP/IP and IIS exams, you could demonstrate an aptitude for such a moniker on your certification. I also agree that if you master the skills for Microsoft’s security-related exams, adding a “Security” designator is warranted.
But I also believe it’s not justified. Security isn’t about placing an ISA Server in your structure or configuring your machines to a hardened state. Security the Microsoft way isn’t enough, which is why I applaud the Security+ certification option. Instead of jumping on the bandwagon, Microsoft should take more than a “patch this” approach.
I might pursue it after Security+ and SANS GIAC. I want to keep my system administration skills intact. I’m trying to be less cynical without losing my basic level of paranoia!
—Kevin Shaw, MCSE, MCP+I
Martinsburg, West Virginia
Uniting Technology
My guess is that the intrusive, unusable scenario Em C. Pea envisioned for telephone/PC integration in her July “Call Me Certifiable” column, “That Pesky Convergence Stuff,” is a bit off the mark. The scenario assumes the lowest-quality software providers will have a monopoly on the user interface for the PC phone. Thus, pop-up advertising, crashes and misdials abound. This won’t be the case, because competition among UI providers will eliminate overly intrusive advertising.
As for misdials, there’s no reason to think the PC-phone will be only voice-activated. Any number frequently dialed will probably be mapped to a quick-dial function, available via mouse-click or some code.
Regarding computer crashes, it would apply to all uses of a computer, and it’s increasingly unlikely as Microsoft continues to improve the reliability of its OSs.
PC features (a big monitor, Internet connection) could enable many enhancements to current phone functionality, all while dramatically lowering the price. I’d buy that.
—David Vestal, MCP
Statesville, North Carolina
I take issue with the hacking on Microsoft’s stability, especially in comparison to the telephone. If I took a computer, installed most any flavor of Windows and told it to do one thing and gave it no capability to do anything else, I’d have a system that was as stable as an analog phone. The reason I’ve had to rebuild my PC every so often is that I’m constantly messing with it by installing and uninstalling software. When we have phones that can run multiple applications, then we’ll start to see stability problems.
—James Riley, MCSE
Noblesville, Indiana
The Pleistocene was a time during which climates shifted dramatically—just as the climate shifted from having separate data and voice networks to one that converges voice, data and video over a single infrastructure. This convergence has provided opportunities for new integration of PC and telephone services, but Internet Protocol (IP) telephony over a converged network doesn’t require a PC interface in order to provide new services. Vendors provide applications that arrange hotel reservations, order takeout food or check the status of airline arrivals and departures—all from an IP telephone keypad. Users can be alerted of emergencies that activate a message light on the phone, display a message on the phone’s video display or stream an emergency alert over the telephone that only the intended recipient hears.
The telephone has become a network appliance, much like the PC. It can receive software updates automatically from its call processing server. It can be unplugged from its network connection and relocated within the customer’s organization, where it reboots, downloads its configuration and continues operating as before. The user can configure services, speed dials and so forth without needing the help of an administrator or telephone repair person.
Microsoft recognizes the success that companies have had in implementing this technology and wants to participate. The alternative is to not weather the climate change and become extinct.
—Ginger Kavan, MCSE, MCSA
Sacramento, California
How to Land the Next Job
I was one of the people referenced in the “Editor’s Desk” in the August issue, “A Different Take.” I still haven’t landed a position, but I’m waiting on the results from one interview and not holding my breath on another.
I have three pieces of advice for people who are unemployed or who may feel unemployment coming in the near future.
Keep every business card you receive from those you talk to. Even if you don’t get a card, keep a little notebook and write down names and companies (and any other information you obtain). Try to write down any conversation piece that sticks out, for example, “How is the project coming along?” Or, “Did you get that Exchange server fixed?” Every month or so, write a short note bringing up that conversation, remind the recipient who you are and where you last spoke, and then indicate that you’re still seeking job leads.
Spend time exercising and focusing on your career. Figure out if this line of work is for you. I’ve jumped from programming to databases to security and a lot of places in between. Set goals after you’ve determined in what direction you want to head, and stick to them. The small successes in accomplishing short-term and long-term goals will keep you from becoming a couch potato and giving up. My latest direction has been security for Microsoft platforms. I’ve just passed the 70-214 exam and will be taking 70-227 (ISA Server) within the next few weeks so that I can add “+Security” to my MCSE.
Last, keep your spirits up. No matter how bad it gets—and chances are it may get pretty bad—things never last forever. Keep what’s important in front of you: family and friends. Lean on them for support.
The IT industry is picking up, slowly. The great thing about technology is that it keeps advancing. I see the end of my unemployment coming.
—Robert F. Murphy, MCSE+I, MCT, A+, N+
Austin, Texas
Correction
In her August column, “A Different Take,” Dian Schaffhauser ran an incorrect number for Dell salaries. The number referenced by the reader in Austin, Texas should have been $12 an hour, not $12,000 a year.