The Official ScriptLogic Blog

MSI Studio for Microsoft Systems Center Configuration Manager

2008-06-27T07:06:00.003-04:00

We've recently released a new version of our MSI Studio solution made specifically for SCCM. MSI Studio for SCCM extends beyond its already impressive list of packaging features (which include the packaging, repackaging, merging, editing, and conflict testing of MSI installer) to include integration with SCCM by deploying packages directly into SCCM from within MSI Studio.

Take the Walkthrough Tour of MSI Studio to see how this "for admins, by admins" MSI management solution makes the creation, editing, and deployment processes of MSIs a simple task.

A 15-day evaluation is available, as is an online TestDrive of the solution.

Our very first online Game!

2008-04-24T12:57:00.003-04:00

Because all of you using ScriptLogic solutions are so very productive, you therefore have oodles of time to spend doing "whatever." In that spirit, we have created a flash-based game, "Power to the Admin" where you weild the mighty keyboard and take care of users the right way! ;-)

Here's a few screenshots:

The game is free to play and does not require registration. Just enjoy your productive time off!

Play the "Power to the Admin" game today!

Test Driving ScriptLogic Solutions

2008-03-04T09:36:00.003-05:00

We've recently taken great strides to make our solutions quickly available for evaluation to our customers. Today we are making 11 of our solutions available for customers to "TestDrive" using nothing more than a web browser. This TestDrive environment allows you to work in a pre-defined Windows environment (complete with one server and one desktop) with our solutions pre-installed and configured.

To assist with the review of our solutions, we've included the appropriate User or Getting Started guides in the "Guide and Tutorlials" pane of the TestDrive.

The solutions you can TestDrive are:

Desktop Authority Asset Inspector

2008-01-02T09:58:00.000-05:00

We've just released Desktop Authority Asset Inspector for public beta. DA Asset Inspector is a web-based soluiton for accessing and managing hardware and software assets utilizing the inventory collected using Desktop Authority.

Desktop Authority has enabled organizations to inventory the hardware and software, but it is Asset Inspector that will allow true management of that data. Asset Inspector will allow a drill down of hardware and software, custom grouping of assets and license management.

You can download the beta of Desktop Authority Asset Inspector on our public beta site. If you do not have a copy of Desktop Authority installed, you can download a 30-day evaluation.

ScriptLogic podcast on myITforum.com

2007-12-21T13:57:00.000-05:00

I had a great conversation this week with Rod Trent at myITforum.com (one of the premiere IT Professional websites) which is available as a podcast. In it we discuss the Quest acquisition, our recent product releases, virtualization and a host of other topics.

Take a listen.

Remotely Support Users Anywhere with our Remote Management Gateway

2007-12-21T13:29:00.000-05:00

This is a very exiciting release for us. We've extended our Remote Management client from within Desktop Authority by creating a separate remote management offering with Desktop Authority Remote Management Gateway which now, in addition to the standard set of workstations within the corporate office, supports both workstations that are not domain members and those whose machines are not physically in the office.

Utilizing a gateway service residing in your perimeter network, the Remote Management Gateway facilitates the support of users regardless of whether the user being supported or the IT professional doing the supporting are within the walls of the office.

Remote management takes on more than just remote control by allowing you to perform over 40 tasks without needing to be interactive with the user, raising the user's productivity and then still facilitate remote control should interactivity with the user be required to solve the problem.

This is a fantastic solution in conjunction with our helpdesk product, BridgeTrak, providing a comprehensive issue management solution.

A fully functional 30-day evaluation is available.

You can also take the web-based Interactive Walkthrough.

Enterprise Security Reporter for SharePoint is Available!

2007-12-07T11:31:00.001-05:00

We excited to announce the addition of SharePoint reporting to our Enterprise Security Reporter platform. Enterprise Security Reporter for SharePoint enhances the reporting capabilities from just Windows and Active Directory security to now include SharePoint servers.

The following SharePoint security information can be collected and reported on:

Sites
Permission levels
Groups
Libraries
Accounts

Over 20 turnkey reports exist out of the box and, as always, custom reports can be easily created using a simple wizard-driven report generator. No SQL knowledge is required!

Take the Interactive Walkthrough demo or Download a 30-day fully-functional evaluation.

Mastering SQL Security with Security Explorer for SQL Server

2007-12-07T08:29:00.000-05:00

We recently released Security Explorer for SQL Server which takes the search, management, backup and recovery of security capabilities to your Microsoft SQL Server!

This new version of Security Explorer allows you to manage the following SQL Server permissions:

SQL Server instances
Databases
Database roles
Stored procedures
Tables
Users
Views

In addition, SQL Server security can be backed up and restored separate from the data in the database.

Lastly, Security Explorer for SQL Server can search for insecure SQL logons by finding those that have blank passwords or passwords that match the user account name.

A fully-functional 30-day evaluation is available for download.

Desktop Authority Wins Redmond Roundup

2007-11-15T13:32:00.000-05:00

This month, Redmond Magazine's Peter Varhol (Redmond's Executive Editor of Reviews) headed up an Automating the Desktop "Redmond Roundup" comparing three solutions, each addressing Desktop Management from very different angles.

Desktop Authority was named the Redmond Roundup Champion with its score of 8.8 out of 10, beating out ActiveBatch and Privilege Manager (which was mistakenly named champion, but only actually received a score of 8.4). Kace's KBox was also mentioned in the article, but did not participate in the scoring.

Peter praises Desktop Authority by saying "I found Desktop Authority to provide great information and make a number of activities involving servicing desktops far easier that they could be done manually."

Peter does a great job covering the wide range of capabilities Desktop Authority has; from its ability to eliminate the need for logon scripts, to application deployment, to software inventory to USB and Port security, to patch management. You can read about thie comparison on Redmond Magazine's website.

MSI Studio 4.0 Now Available!

2007-11-12T10:41:00.000-05:00

It's a very busy week for us at ScriptLogic - First, the release of Desktop Authority 7.7, then the acquisition of Kemma Software, and today we released Desktop Authority MSI Studio version 4.0.

This is a very exciting release for us becuase, in addition to the various improvements we've made to the product (which I'll mention in a moment), it integrates with Microsoft System Center Configuration Manager 2007!

The integration is made possible using the Configuration Manager Package Deployment Wizard which is ued to establish the SCCM settings and then deploys the package to SCCM. As always, MSI Studio also integrates with Desktop Authority's Software Management Repository.

In addition, MSI Studio also has the following enhancements:

Improved Workflow-Oriented Interface - the editor interface can be expanded, collapsed and reorganized to improve MSI creation workflow

Custom Action Wizard - actions, such as running an external script or additional MSI package can be easily added through MSI Studio's wizard-driven process

Dialog Sequencing - Now you can only allow the desired installation screens to be visible to the end-user

Simplified Packaging of Support Files - this is helpful should you need a license file (or any other type of supporting file) to be dropped into the installation folder without needing to editing the MSI package itself

Windows Installer Patch File Support - Existing MSIs can be updated using MSPs, as well as MSPs can be created using MSI Studio's Patch Creation Wizard

Take 2 minutes with the interactive Walkthrough Demo to get a feel for the product.

Also, 30-day evalution is available on our website.

ScriptLogic and the Help Desk

2007-11-12T10:16:00.000-05:00

We announced this morning that we have acquired the assets of Kemma Software, the creators of the BridgeTrak help desk solution. This is a fantastic acquisition for ScriptLogic and will enhance our desktop and management offering.

You can read the press release here. More to come about this exciting solution in the coming weeks!

Desktop Authority 7.7 Released!

2007-11-09T14:48:00.000-05:00

I've been on hiatus from the blog, focusing on a ton of internal needs, but I'm excited to get things started back up by announcing we released Desktop Authority 7.7 last week!

This release includes some awesome enhancements to our award winning Desktop Management solution in four key areas: client support, reporting, patch management and USB/Port Security.

Client Support - While we made Desktop Authority ready for Windows Vista back in version 7.6, we've added support for 64-bit hardware, allowing you to manage all of the newest Windows desktops out there.

Reporting - We've added a fantastic reporting wizard to make building your own custom reports even easier.

Patch Management - There are a number of new enhancements:

Support for patching in multiple languages

Patch Rollbacks - as simple as selecting the patch and "Rollback" from a dropdown menu

User Deferment - patching can be configured to allow user to defer the patch a number of times before it is forced

Reboot Options - Choose to bypass reboots and/or allow users to cancel reboots

The Update and Patch Download Service - if you have ScriptLogic servers with no access to the Internet (as is the case for a number of government agencies) or with limited bandwidth, you can download the updates at a site with access, and zip them for easy transport and extraction at the non-connected site

USB/Port Security - We've added more management granularity by allowing you to create USB device white/blacklists based on either serial numbers or PID/VID combination.

If you are a Desktop Authority customer within maintenance, I highly recommend you update to the latest version.

If you've never tried Desktop Authority, you can download a 30-day evaluation.

Bluetooth: The next USB?

2007-08-28T08:27:00.000-04:00

USB Devices have received a ton of focus over the past few years as THE device IT needs to be worried about. As a extremely mobile storage medium, USB devices can easily carry malicious code into an organization or sensitive corporate data out. Podslurping is a great example of the hype.

So IT reacts, locks down the USB ports by most likely disabling them (which XP and Vista allow natively), and thinks they're now safe. While true in context of USB devices, the organization is hardly safe.

Take my laptop for example - I have bluetooth built in which allows me (on a side note) to use a VERY cool bluetooth mouse from Newton Peripherals. But it also allows me to connect to a bluetooth enabled cell-phone and transfer files.

As a quick test, I paired a cell phone (a Samsung SPH-A900) to my laptop and transferred a file over to the cell phone - all in under about 3 minutes.

The cell phone I used has 64MB of flash memory - while hardly comparable to the 4GB and 8GB USB flash drives out today, you can still hold a ton of information exported to CSV... And with a cell phone holding the newly transferred data, it can be emailed out of the company or transferred to another device via bluetooth and then deleted from the phone with no trace it was ever copied should someone inspect the phone. This is VERY potent stuff!

This example of using bluetooth instead of USB is merely one of many access methods IT needs to consider. Consider the following additional methods for stealing corporate data or introducing malicious software from a standard desktop or laptop that are NOT currently being locked down:

Firewire Drives (theft at the speed of light)
Floppies (remember those!?!?!?)
Infrared (it's not just for printing...)
Modems (all you need is a phone jack...)
Serial Port (e.g.: establish an ftp session to a laptop not allowed on the corporate net via serial cable)
PC Card-based storage
PC Card-based cell device to access the Internet (gmail, anyone?)
WiFi devices (ad-hoc wireless can be your enemy)

Our customers use the USB & Port Security option within Desktop Authority to granularly secure all of the ports mentioned. With this option, each type of port can be locked down with those that are read-write (such as a CD-Burner) can be set to read-only which helps balance the implementation of security with the preservation of user productivity (e.g.: making a CD-Burner read-only so that a user can at least read CDs they need for their job, but cannot burn any information off to CD).

It's time for IT to wake up a bit and realize if they are going to truly secure their network from malicious software and/or data theft, they need a comprehensive security plan.

Enterprise Security Reporter 3.1 Released!

2007-07-19T12:52:00.000-04:00

Today we released the latest version of Enterprise Security Reporter. The big change to this version: more reports! Along with some minor bug fixes and customer requested enhancements, Enterprise Security Reporter now touts over 140 turnkey reports.

Along with the new reports are two compliance packs for SOX and HIPAA compliance needs. These packs breakdown the compliance standards (by section and requirement) and match the standard to turnkey reports that should be run to assess the state of Windows security.

While no additional compliance packs exist today, Enterprise Security Reporter is still useful for other standards such as GLBA, FISMA, NIST/FIPS, PCI, ITIL, COBIT, and ISO 17799 - the application of reports to specific standards simply isn't spelled out. Additional packs should be expected in future versions.

You can download a 30-day evaluation of Enterprise Security Reporter on our website.

NFR Copies of ScriptLogic Solutions for MVPs

2007-06-29T12:48:00.000-04:00

I am pleased to announce that we are offering NFR copies of some of our solutions to Microsoft MVPs. The following solutions are available:

Active Administrator
Desktop Authority MSI Studio
Enterprise Security Reporter
File System Auditor
Secure Copy
Security Explorer (don't forget Security Explorer for SharePoint is in final beta)

If you are a current Microsoft MVP (in any specialty) interested in receiving any of the solutions listed above, send an email to AskNick@ScriptLogic.com and provide me with the following:

Name
Email Address
URL to your MVP Profile
Address
Phone Number
NetBIOS Name and FQDN of your Domain (applicable for only some solutions)

We will in turn provide you with 5-user NFR copies of the solutions you requested.

ScriptLogic to be acquired by Quest

2007-06-22T10:26:00.000-04:00

You may or may not have heard already, but yesterday ScriptLogic announced that we have agreed to be acquired by Quest Software. You can read the Press Release here.

We've already seen some blogs by customers wondering what's going on and have expressed an uncertainty in the future of our solutions. As stated in the Press Release, ScriptLogic will be a wholly-owned subsidiary of Quest. That means we will continue to develop, sell, and support great software the same as always, just as a separate business unit of Quest once the acquisition is complete.

Internally, we're very excited about the news and look forward to reaching a broader customer base with our award-winning solutions.

Manage SharePoint Security with Security Explorer

2007-06-18T08:14:00.000-04:00

ScriptLogic recently released a beta of Security Explorer 6.5, dubbed Security Explorer for SharePoint. In this release, you can now manage SharePoint security enterprise-wide from a single interface.

Features of this new version include the ability to:

Search for SharePoint permissions at the list and item levels

Manage SharePoint permissions centrally

Manage SharePoint groups

Manage and Assign Permission Levels

Backup & Restore SharePoint Security

This new version is currently in public beta and available for download.

File System Auditor 2.0 Released!

2007-05-29T08:37:00.001-04:00

Today we released version 2.0 of our File System Auditor solution.

If you're unfamiliar with the product it does what the name implies; audits the activity in a Windows file system. Using a file system driver, File System Auditor tracks each and every action with the file system and records those actions in a centralized secure SQL database. Actions are intelligently audited, so a move of a file (which could really be a copy and a delete) shows up as a single move entry rather than two separate entries. No longer do you need to rummage through thousands of event log entries or rely on snapshot solutions that only get bits and pieces of the changes to your Windows file servers.

What's new with FSA 2.0:

New improved interface
Centralized configuration of audit settings enterprise-wide
Support for Windows Clustered servers
Improved Reporting of activities

File System Auditor assists with compliance needs for such standards as SOX, HIPAA, GLBA, FISMA, NIST/FIPS, ITIL, COBIT, PCI, 21CRF11 and more that require organizations to audit activity of users on secured systems.

A 30-day evaluation is available on the File System Auditor product homepage.

7 Best Security Practices: (4) Compliance Self-Assessments

2007-05-21T11:58:00.000-04:00

Continuing my blogs on Gary Miliefsky's article "The 7 best practices for network security in 2007", I'd like to take the next logical step (which happens to also be Gary's next step) after Frequent Security Assessments, which is to apply the security you have in place to compliance standards and perform Compliance Self-Assessments.

First, not every company is subject to compliance standards. Here are a few:

Sarbanes-Oxley - Applies to publically traded companies
Health Insurance Portability and Accountability Act (HIPAA) - applies to the health industry
Gramm-Leach-Bliley Act (GLBA) - applies to the financial and insurance industries All security sections of compliance standards do is define
Payment Card Industry Data Security Standard (PCI DSS) - applies to any organization handling creditcard information.

There are a ton more; I just picked some of the most broad-reaching standards.

Organizations can take the Frequent Security Assessments and simply apply the results towards proving compliance. Every standard, while seemingly specific to a partular industry secretly is so generic, they could almost be interchanged with one-another with only the protected data terms being switched out. Just like the old 70's skit Letterman, you can rip out "Patient Health Information" in HIPAA with "cardholder information" in PCI and you'd have nearly the same standards.

The key issue here is knowing what steps need to be taken to assess your security according to the appropriate standard and working to test those standards out before you are audited.

MSI Readiness Analyzer

2007-05-17T08:58:00.000-04:00

Today we released a FREE standalone tool for testing application compatibility with Microsoft Windows Vista - the MSI Readiness Analyzer for Windows Vista.

This tool will analyze legacy MSI packages and test them for compatibility with Windows Vista:

Required Admin Privileges
Use of Vista's Restart Manager
Use of Logging
Registry and File System Permissions

It will also perform the MCE validation (which is an advanced and faster form of Microsoft's ICE validation that checks for consistency within the MSI package) found within Desktop Authority MSI Studio.

You can find out more about the MSI Readiness Analyzer on our website. The download is free and does not require any registration.

ScriptLogic Google and Live Toolbar Buttons

2007-05-11T14:16:00.000-04:00

If you're a user of either the Google or the Microsoft Live toolbar, you can now install a ScriptLogic button to gain direct access to:

Searching ScriptLogic.com (using the Google search box)
ScriptLogic Knowledgebase and Discussion Forums
The latest product downloads
Beta downloads
ScriptLogic news
The latest whitepapers

Get the Google Toobar here and install the ScriptLogic Google Toolbar Button here.

Get the Microsoft Live Toolbar here and install the ScriptLogic Live Toolbar button here.

ScriptLogic on TechForum Live

2007-05-09T15:27:00.000-04:00

I've been on a hiatus from the 7 security best practices as my wife just had our 4th child (I'm sure you all will understand). I'll return to complete those later this week.

Last Friday, I had the privilege of being on TechForum Live, the streamed live "radio" show arm of the Technology Managers Forum, a NY-based professional association for IT Managers. The topic of discussion was "The Microsoft Desktop: Coping with Imperfect Software" (not my favorite title choice) with myself and Eric Schultze of Shavlik (Eric, whom I've known for about a year now is the authority on Microsoft patching. If you have a chance to meet him, ask him about the time Microsoft asked him to hack into their system to retrieve the password of I think it was Bill Gates - it is a fantastic story if your a real techie).

I got a chance to discuss the issues migrating to Windows Vista and Eric spoke about protection through patching, even in the case of Vista. It is about an hour show and was informative, even for me.

You can listen to the recorded broadcast here.

7 Best Security Practices: (3) Frequent Security Assessments

2007-04-26T09:22:00.000-04:00

Continuing my blogs on Gary Miliefsky's article "The 7 best practices for network security in 2007", I'd like to continue by discussing the need for Frequent Security Assessments.

The basic premise is to continually double-check yourself. The real question is "whose standard should you check yourself against?"

In the world of Windows, you can start with the Microsoft Baseline Security Analyzer (MBSA) which determines the state of security for your Window's servers. If you'd like to dig a bit deeper and look at everything from your Windows environment to IT policies to training to perimeter defense (and more), you can check out Microsoft's Security Assessment Tool (MSAT).

If you want to step outside of Redmond and use a third-party standard, you can look at:

The NSA's guide for Windows Server 2003
The NSA's guide for Windows XP - the Security Configuration Guides are extremely detailed
The Center for Internet Security's Benchmark/Scoring Tools

For more on how ScriptLogic solutions fit into the assessment of Windows security, see my previous posting on How Much Does Data Theft Really Cost.

7 Security Best Practices: (2) Security Awareness

2007-04-25T08:08:00.000-04:00

In my last blog, I discussed establishing security policies. Following Gary Miliefsky's article, the next step I'd like to discuss is the issue of security awareness organization-wide. Even with the best desktop management solution in place that patches systems, protects against malware, restricts access to removable storage, and locks down the desktop to limit user ability, users still need to be aware of a few issues that will enhance the security you've established as well as help users understand why the security is in place:

Corporate Security Policies - Cover password policies (such as how often passwords are changed, minimum complexity requirements, etc), use of "confidential" information, discuss the security configuration of their desktop and why it is the way it is, etc.
Online Do's and Don'ts - discuss the threat of phishing scams, questionable sites that attempt to install malicious software, etc.
Acceptable Use Policies - Often performing business tasks online never puts the organization at risk (the users are going to known sites to perform tasks, etc) so the issue of "can I pay my bills online from work" etc. should be addressed.
Legal Concerns - if you have a General Counsel in-house, have them discuss any issues they are aware of that can impact the organization. For example, if you are a publically traded company, ensuring information that can be misconstrued as insider information needs to be sent via trackable methods (e.g. and email system that is being archived).
Security Breaches - discuss what to do in the event a user recognizes security has been broken - a shared password, the "accidental" installation of suspected malware, etc. Letting users know they won't lose their job for telling the truth can often lead to a faster resolution of the situation and a more secure network overall.

So how are you suppose to convey these messages? There are a few "old school" methods such as:

Scheduled Meetings
Acceptable Use Handbooks
Company-wide Email Blasts

But the company of today faces challenges in getting everyone into one room to ensure the message is heard. Here are several other more high-tech methods:

Setup a Security Awareness Portal - use Windows SharePoint Services, Microsoft's free version of SharePoint Portal Server. You can host this on any modern Windows server OS. You can also use products like Drupal and WordPress are free blog/portal sites you can install on just about any web server.
RSS Feeds - if you can't make the users come to the portal, take the portal to the users. Outlook 2007 supports RSS Feeds, as well as about a thousand more feed readers. Users can pull down updated content relevant to them. This provides for a more custom experience for the user.
Webinars - Use GoToMeeting, LiveMeeting or Webex to setup a live webinar to promote your security message. These solutions allow for asking questions, showing slide decks, a computer desktop (for demonstration of any security do's and don'ts).

Use these methods to keep employees up to date on not just the latest corporate policies, but on the lates scams, viruses, patches that will be placed on their systems (and when), etc. Putting all of this together will make your employees a part of your security strategy, not the reason for it.

7 Security Best Practices: (1) Security Policies

2007-04-23T13:38:00.000-04:00

I recently read an article in Network Word entitled "The 7 best practices for network security in 2007" written by Gary Miliefsky, who founded NetClarity and was involved in the founding of the U.S. Department of Homeland Security.

He breaks network security into 7 basic Steps:

1) Roll out corporate security policies
2) Deliver corporate security awareness and training
3) Run frequent information security self-assessments
4) Perform regulatory compliance self-assessments
5) Deploy corporate-wide encryption
6) Value, protect, track and manage all corporate assets
7) Test business continuity and disaster recovery planning

I'm going to spend my next few posts and discuss each of these aspects of security, beginning with the first step, Roll Out Corporate Security Policies, in this post.

In his article, Gary lays the foundation of network security by discussing security policies. Several industry-accepted standards can be used as a basis for establishing company security policies:

Additionally, often I find organizations are willing to adhere to regulatory standards established for the US government, such as Federal Information Security Management Act (FISMA), now merged with the FIPS 200 standard.

The key to these standards is to remember that none of them are technology-specific, vendor-specific, solution-specific or implementation-specific; they are guidelines to establishing a secure infrastructure and are open to some interpretation.

I unfortunately can say that I have actually read each and every word of those standards (to figure out where ScriptLogic's solutions fit) and can tell you that they all boil down to a few key issues you need to address:

Assessment - determine the current state of security
Assignment - establish standards for implementing security consistently
Auditing - validate security controls and testing access
Accountability - establish processes that utilize justifications and approvals
Availability - build a business continutiy and/or disaster recovery plan
Assurance - maintain an environment not prone to outside influence via malicious code

The combination of these basic concepts makes up ScriptLogic's Security Lifecycle Map which we use to denote where our solutions fit in the security "big picture."

What is a "Virtual Desktop" Anyway?

2007-04-19T10:44:00.000-04:00

If you've paid one bit of attention to the IT industry at all, you've been bombarded with the concept of a "virtual desktop." To some it means streaming applications down to the desktop so users can run any app anytime. To others it means running an entire Guest OS desktop inside a virtual machine that can be hosted on a standard desktop or on a server (using solutions such as VMWare's VDI, or Microsoft's upcoming "Vista Enterprise Centralized Desktop"). Still to others it means accessing published apps via a Terminal/Presentation Server environment. Let me give you a good example of how blurred the lines are becoming.

Take a published app from a Citrix Presentation Server - the user experience is they click on an icon on the desktop and the application appears (it is actually running on a Presentation Server but is displayed in a frame around the application window). Now take a technology I saw at VMWorld where a virtual machine image is sitting on the desktop (but behind the scenes) and is accessed by VMWare's Player. The trick is the user doesn't see the entire VM player, they see only a windowed app (that is actually running within the VM). Sound familiar? It should - the user experience is exactly the same - it is only the underlying technology that differs.

So there in lies a perfect example of the confusion the IT industry as a whole is facing.

To simplify this confusion down a bit, I believe the question organizations should be asking themselves isn't "what is a virtual desktop?" but instead "what benefit will I get from a virtual desktop?" The answer is organizations perceive a virtual desktop will give them user productivity in the form of instant access to a consistent, secure and functional working environment. While that may not help you decide which type of virtualization is right for you, it should provide som clarity as to why you even care (or should care) about desktop virtualization.

While virtualization is potentially simplifying the lives of end-users by delivering a desktop that allows them to work anytime, anywhere, it is also causing more work for IT:

IT now needs to deal with users that have a physical desktop, but sometimes connect from home into a Terminal or Presentation server environment, or even perhaps utilize a virtual machine running on their personal desktop from their home that connects to work over a VPN. How is IT supposed to keep all of these desktops and user environments consistent when a given user can be using a physical, virtual or terminal desktop?

The answer lies in a desktop management solution that can not only function across all three environments, but one that also (and more importantly) can distinguish between them so that each environment can be not only appropriately configured for use, but also secured.

For example, Desktop Authority's Validation Logic has the ability to differentiate when a user is logging on from a Terminal/Presentation server, from within a VMWare Guest OS, or from any of 7 classes of physical machines (laptop, desktop, server, etc). This gives IT a tremendous amount of power to properly configure each user based on (among other things) the type of environment (physical/virtual/terminal) the user is currently using.

So while the industry continues to jump on the Virtual Desktop bandwagon, adding in "yet another form of virtual desktop" to expand the already confused borders of definition, keep in mind that you will be needing, no matter the virtualization method, a way to manage those desktops.

How Much Does Data Theft Really Cost?

2007-04-17T07:52:00.000-04:00

Any security software company touting protection against data theft always has some amazing ROI to show how much a potential buyer will save. But what is the real cost? Insurance underwriter company Darwin has a specialty insurance product - Tech//404 - that addresses "the technology and information risks of providers and technology-dependent organizations." This special policy protects against exposure in the areas of network security, data privacy, compliance, and more all revolving round data loss.

As part of their value proposition, thay have built a data loss calculator using numbers of records as the basis for calculation. I used the smallest number yielding results, 1000 records, and found the results to be surprising as to the amount of loss, and impressive in regards to Tech//404's attention to the detail of a loss.

Just 1000 records yields an average loss of over $166K, or $166 per record! Forrester Research did a survey of 28 companies and found the cost per record to span from $90 to $305 per record! So what is an organization to do? First, let's discuss where the security breaches exist in a typical organization:

Lenient permissions to resources
Unmanaged group memberships providing access
Convenient access to writeable and removable data mediums (USB, CDR, etc)
Insecure endpoint open to external malicious attack

To protect against these points of security failure, you will need a good security plan. I look at security as three basic processes:

Assess - Determine the state of your security: see who has access to what resources, who has membership in groups with access, what resources are exposed to "everyone", determine which endpoints provide access to steal data (via USB, CD/DVD burners, bluetooth, FireWire, etc), and determine the security of endpoint OSes from malicious attack.
Assign - Based on your assessment, establish appropriate levels of security: Lock down permissions to resources, restrict group memberships, eliminate access to "Everyone" and "guest" groups and users, lock down endpoint devices and protect endpoints from malicious code with antivirus, antispyware and antiphishing solutions.
Audit - Watch (or at least be alerted to) the activity on sensitive systems. This includes auditing the usage of sensitive data, the management of group memberships, management of resource permissions, auditing access to removable storage, and monitoring the state of your patching and virus/spyware/phishing scanning efforts.

One of the many value propositions we make at ScriptLogic is the protection against data theft. Following the security lifecycle of "Assess, Assign, Audit", our solutions help in the areas of:

Assessment:

Active Directory - Active Administrator searches for permissions in AD to determine who can make changes that affect access to data, such as the ability to change passwords or modify group memberships.
Windows File Servers - Security Explorer searches for in appropriate permissions on NTFS Volumes. Enterprise Security Reporter reports on groups and their membership that have been granted permissions on NTFS Volumes.
Windows Clients - Desktop Authority scans managed systems for the latest patches and the presence of spyware.

Assignment:

Active Directory - Active Administrator establishes consistent delegations to ensure no inappropriate permissions are granted via group memberships.
Windows File Servers - Security Explorer consistently assigns permissions across multiple servers.
Windows Clients - Desktop Authority patches insecure systems, removes spyware, locks down endpoint devices and provides the ability to maintain a consistent, secure and functional working environment for your users without the need to granting them administrative privileges to be able to work.

Auditing:

Active Directory - Active Administrator centrally audits the management of AD, making IT aware of changes as they occur.
Windows File Servers - Enterprise Security Reporter reports on security changes using its' "Delta Reporting" capability, making you aware of inappropriate modifications to security.
Windows Clients - Desktop Authority audits access to endpoint devices, informing IT of inappropriate activities.

In the world of Microsoft Windows it is possible to proactively protect your network from data loss by establishing a simple security plan of "Assess, Assign, Audit" and using the right solutions to put that plan comprehensively into action.

Will Apple ban iPods?

2007-04-16T14:35:00.000-04:00

In a recent Network World article, Cara Garretson talks about a new "proof of concept" iPod virus (which is very harmless - but it proves the point that it is possible for an iPod to carry a virus). The issue at hand is, of course, the iPod's ability to serve as a portable drive which can potentially deliver malicious code.

I remember reading about how Samsung banned its own cell phone in the production plant (because of the phone's ability to take pictures and email them) so I wonder will mp3 player manufacturers like Apple ban their own players?

The answer isn't banning the device, but in securing the end point, for both eliminating the introduction of malicious software, but also the stealing of company information (80GB is a ton of information, folks!).

The answer is the policy-driven securing of end-point devices. Desktop Authority's USB & Port security option is a good example of how this can be accomplished.

With over 20 device types supported, this option to Desktop Authority ensures secure end points. But because it also touts a granular permissions model that can deny access as well as allow read-only or read/write access, users can be allowed to access those devices that are required to accomplish their work (such as making a CD Burner function like a CD-ROM drive so data can be read from a CD), which raises user productivity.

Desktop Authority - Security with Productivity.

The Disaster-Ready Desktop

2007-04-16T09:44:00.000-04:00

Virtual Strategy magazine posted an interesting article today on how most companies are at financial risk due to a lack of disaster planning. It cites that organizations lose anywhere from $84,000 to $90,000 per hour of downtime in trying to get their servers back up and running.

The interesting part about disaster planning is that noone ever seems to plan for the disaster-ready desktop. Think about it: It's all well and wonderful if you have all your AD, servers, and services back up and running because of a DR plan, but what about the desktops that will connect to those servers?

There are a few possible situations most will plan for (and some of the relevant desktop considerations that should be taken):

Server Failure (think single server) - If a failover server is utilized, desktops may need to be reconfigured to point to a new server. This can mean reconfiguring of drive mappings, printers, registry entries, INI file entries, Outlook profile settings, and more all in the name of a server name change. Having a solution that reconfigures every related aspect of the desktop to point to the alternate server(s) would save countless hours of manual reconfiguration and lack of productivity.
WAN Failure - If a remote office cannot access their data center, IT can be inundated with calls regarding failing applications, errors when attempting to connect to a resource (even one as simple as a drive mapping or network printer), etc. Having a solution that removes the error-proned desktop elements (drives, printers, shortcuts, etc) along with message boxes on the desktop informing users of the outage and reconfiguration would save lower support calls, raise employee awareness and, assuming users can work on something during the outage instead of spending time calling IT, user productivity should be raised.
Site Failure (power outage, natural disaster, chemical spill, etc) - All servers and desktops in the office would be unavailable, requiring a comprehensive failover site. The good news is this scenario has the best opportunity to be tested, as it should be self-sufficient once up and running. Having a solution that comprehensively deploys the desktop configuraiton meeting the business needs at the time of disaster is critical. It can be part original configuration, but it stands to reason (and experience) that not every system will work flawlessly and therefore some alternate configuraiton will be necessary to resume user productivity.

In all these cases, the desktop requires some amount of reconfiguration. A desktop management solution that closely meets the needs during a disaster cannot simply focus on deploying applications; it must focus on the whole desktop - apps, drives, printers, profiles, registry tweaks, security settings, etc. Anything IT needs to manipulate, the desktop management solution needs to deploy easily.

File System Auditor 2.0 Public Beta

2007-04-12T14:48:00.000-04:00

We recently released a public beta 1 of File System Auditor 2.0. This new verison touts some exciting new features:

New easier-to-use interface
Installation without the need for Server reboots
Ships with canned Process Exclusion Filters (which you can optionally enable) for common Anti-Virus, Anti-Spyware, Backup and File Replication Software
Auditing of permission changes
Centralized configuraiton of audited file systems (version 1.x required installtion and configuraiton of each server separately)
Improved cluster support

If you're new to FSA, it audits, reports, and alerts Windows file server activity, showing who touched which files and folders, when, and on what server, all from a centralized console.

The public beta is available at our Beta Site. You can also read more about the current version of File System Auditor.

ScriptLogic wins Redmond Reader's Choice 2007 Awards!

2007-04-02T12:03:00.000-04:00

Well, OK, not all of them, but we did win a few. For those of you not entirely familiar with these awards, every year Redmond Magazine asks its readership to vote of the solutions they feel best meet the daily needs of IT.

Desktop Authority was the recipient of the "Best Network Automation and Batch Processing Tool" category. This is the third year in a row we've won this award.

Active Administrator won the "Best Group Policy Manager-ISV" category for the second year in a row. To clarify, anywhere Microsoft has a product in a given category, Redmond separates out the ISVs to show beyond native solutions, what the IT industry is using.

This is not only a win for ScriptLogic, but judging by the fact that so many administrators are using Desktop Authority for desktop management and Active Administrator for group policy management and have voted for our solutions, IT is a winner as well.

Desktop Authority 7.6 Released!

2007-04-02T11:40:00.000-04:00

The latest version of our Desktop Authority platform was released to the public late last night after weeks of beta testing by our customers. Version 7.6's primary focus was to be completely Vista compatible to assist those migrating to Vista by first extending DA's Validation Logic to support detecting the Vista OS, then by adding Vista-specific features, such as managing User Account Control settings and then finally by ensuring every aspect of Desktop Authority works with Vista as well as it does for 95-XP desktops.

Having a management platform that works equally well with Vista as it does with older OSes is key to ensuring a smooth Vista migration, which is why nearly all the feature focus in Desktop Authority 7.6 is on Vista.

One other feature that is extremely notable is the addition of a VMWare Validation Logic entry. To support those environments that are running a mix of physical and virtual desktops (in varying ratios), Desktop Authority can be used to identify VMWare-based virtual clients and, if need be, configure them differently from their physical counterparts, making Desktop Authority equally a valid management platform for organizations migrating from Physical to Virtual.

If you've never tried Desktop Authority before, a 30-day, fully functional trial is available for download.

"I Can Script That!"

2007-03-26T12:22:00.000-04:00

Whenever I'm discussing the various configuration features of Desktop Authority, our Desktop Management solution for Windows-based desktops and laptops, I often am stopped by the "scripting guy" who states that he can do it all with scripting. While 100% true (As there are so many powerful scripting languages today out there - MS' PowerShell, WinBatch, KiXtart, and many, many more) - it CAN be done - the question is SHOULD it be done that way?

Let me put it a different way for those who are keen on scripting by asking a question - how did you get to work today? Most would say "I drove" to which I ask "Why didn't you walk?" Think about it:

It is less expensive (no need to buy a car in the first place)
There is no cost for maintenance, gas or insurance
You have far more options on how to get to where you're going (through people's yards, jump over fences, etc.)
You don't need to find a good parking spot when you arrive

The obvious answer is "it is too slow to walk" but that's not the root of the reason - it is really about productivity. You are far more productive at work and home if you spent only 30 mins driving each way instead of a good 8-10 hours walking to and from work.

Walking simply isn't a productive enough means of travel in this case.

The same stands true for scripting as your desktop management solution - while you CAN script just about anything a desktop management solution can conjur up, your time is far more precious and can be used on more strategic initiatives than mapping a drive letter for the Accounting Department.

Take a simple drive mapping, but only have it apply to users in the Accounting group, when they log on from a Windows XP machine, from the 10.1.1.0 subnet, and only when they have a specific app installed (assume as defined by presence of the .exe). How long would it take you to script that, sandbox it, test it and put it out into production? I'm going to guess at least (including the testing part) 30 minutes to a few hours (depending on your skill set). With a solution like Desktop Authority, it would be done in the time it took you to answer my question!

So we're back to the driving vs. walking discussion - yes, you CAN script anything, but purchasing and utilizing a desktop management solution does make sense if you are looking for a far more productive means to reach your goal.

And to boot, keep in mind you also drive because it is air conditioned, has music, a place to hold your drink, etc. - basically there are perks in using a car vs. walking. The same is true with Desktop Authority - you are not only purchasing a replacement solution for scripting, you are getting a full Desktop Management solution, complete with software deployment, inventory, reporting, remote management/control, patching, anti-spyware, USB/Port lockdown, role based administration and more.

Walk or drive... it's your choice.

The Need for a Vista Migration Plan

2007-03-23T15:38:00.000-04:00

Just read another article on migrating to Vista that underpins the need for a strategy. This article, at Digit Online, speaks of why UK firms are wary to move to Vista.

"The lack of enthusiasm was reflected in the fact that few organizations had a Vista migration strategy in place. The survey found that 78 percent of respondents across all industrial sectors had no migration strategy, with the proportion rising to 80 percent among financial institutions and 96 percent in the retail, distribution and transport industries."

A Vista migration strategy is NOT "slap in the DVD and hit Setup". You need a plan. Read my last post on the DoT not moving to Vista for more on this and the link to our Vista Migration whitepaper.

Will Vista be Costly?

2007-03-23T13:05:00.000-04:00

The Associated Press released an article today about how the Department of Transportation will not be migrating to Vista, citing upgrade costs and compatibility issues. I have to believe that most IT shops have these same two concerns: "How much is this going to cost?" and "Will my users be productive once we get there?"

Microsoft has resources available to address some of these concerns:

Microsoft has also provided quite a number of resources on Application Compatibility:

Application Compatibility Toolkit 5.0 - one of the coolest tools in this kit is the Standard User Analyzer. Remember when W2K came out and you had issues running some of your apps becuase of permissions issues in the registry or file system? You probably (like most) gave the user either Local Admin or Power User rights (whichever worked) to get them running, but never addressed the issue. This was becuase there was no easy way to figure out which reg keys and NTFS permissions were keeping the app from running. Enter in the Standard User Analyzer (SUA) - this tool checks for and recommends which premissions in the registry and file system will need to be changed in order for an app to work. Killer!
Guidance on "Getting Started" with App Compability

I recently completed writing a ScriptLogic whitepaper, "The Proactive Migration to Windows Vista" in which I not only cover how to migrate to Vista with ScriptLogic's Desktop Management solutions, but also discuss having a proactive mindset towards your migration so that the migration itself is nothing more than moving "Sally's" PC to Vista instead of you spending countless nights and weekends in front of "Sally's" machine post-migration trying to get her environment close to what it was on XP and getting her apps to function.

Even if you have no plans to use a ScriptLogic solution as part of your Vista Migration Strategy, give the whitepaper a read, as it truly gives the migration to Vista a VERY different twist - one where some of the migration actually occurs potentially MONTHS before Vista is ever rolled out.

IT are Gluttons for Service Account Punishment

2007-03-23T09:57:00.000-04:00

I recently spoke at a conference about security, and like always, I ask for a show of hands to see how many companies have password policies (e.g. changing the password every X days, etc) and then ask (with the hands remaining raised) how many change the passwords on their service accounts - nearly all the hands drop!

I don't get it - the most powerful accounts (alot are members of the Domain Admins group) in the company and the passwords aren't changed on a regular basis. The reason is, of course, the fact that noone (including me when I was a consultant) wants to manually modify 20 services on each of 80 servers (replace with your own numbers, of course). That's a ton of work. It is far simpler to just assume your passwords are secure.

ScriptLogic recently released Security Explorer 6 which included the absorbing of Service Explorer (which BTW can still be licensed as a "Workstation" license of Security Explorer). The service management functionality in Security Explorer automates the entire service account password headache, reducing the amount of time to literally less than a minute of one's time.

So why am I calling IT a glutton for punishment? Because a solution exists that takes away this pain, and yet IT folks today STILL either ignore the problem or manually address it. 50 licenses of Security Explorer (limited to managing services and tasks on servers only) would only cost an IT shop $200!!!!

As a fellow techie (I've been an MCSE since 94) knowing the pains IT goes through - get a copy of Security Explorer and secure your service accounts.

There should be some "Power" in your Desktop Management

2007-03-22T15:40:00.000-04:00

Microsoft put out an article today "Why PCs should get more sleep" which does a fantastic job at making the case for power management for desktop (and laptop) PCs. Microsoft had an independant UK firm - PC Pro Labs - do a study on how much would be saved by implementing power management - about 200 tons of carbon dioxide and about $92/year per desktop! Microsoft has had power scheme management all the way back to Windows 98 (can't remember if 95 had it or not), so the numbers would be as impressive, if not identical.

ScriptLogic has been on this bandwagon since Desktop Authority version 7 (we're releasing version 7.6 within weeks) with both management of Power Schemes for Windows 98-Vista, but also one other facet of power management - shutting down inactive users after business hours. It's one thing to put a monitor in sleep mode during the day, becuase it is easy to bring back to life without disrupting the PC user's productivity. But if you were to put the machine in Hibernation, it would take about as long as booting up the PC where the user's productivity is lowered (well, OK, the hibernation is a bit less than a boot up, but you get my point).

So it makes sense to have one group of settings that balance saving energy with user productivity throughout the business day (as the EPA estimates that a given PC is inactive about 58% of the work day), and a completely different strategy after hours - the EPA estimates that only 36% of all PCs are shut down at night! This is the real energy waster.

So we implemented an Inactivity Timer to monitor keyboard and mouse activity and allow IT to shut down the computer after a specified amount of time during a time range one would assume is after hours.

The result is a true balance of saving energy costs, the environment and users' productivity.

If you'd like to see how much you can save by implementing Power Management on your desktops, try ScriptLogic's Power Management Calculator.

You can also read our Power Management Whitepaper.