Certified Mail
September 2003
Security Roles, Uniting Technology and Controlling Windows Remotely
Remote
Control
Don Jones’ July article, “Windows Management from Afar,” gave a great
overview on the new technology in Windows Server 2003. I’m wondering where
I can find the Remote Desktop Console snap-in, so I can install it on
my workstation.
—David Loor, MCSE
Los Angeles, California
Hi, David. It’s located in AdminPak.msi, which you can find
on any Windows Server 2003 CD.
—Don Jones
I’m the IT manager for the City of Lafayette in Colorado, and we’re in the process of installing Windows 2003 enterprise as our standard desktop operating system. We currently have about 100 staff members on terminal server. These users are in public works engineering, finance, courts, parks and recreation, waste water plant, water treatment plant, and the service center. And we’ll soon be adding about 50 users from the police department. In addition, we’ll then add our library staff and public computers to terminal server.
Our network consists of a Windows 2000 domain with 20 Windows NT/2000 servers, about 200 computers and 25 laptops. This is spread over 10 different sites and nine different departments. In 2001, we were replacing 25 percent of our desktops each year. Our desktop rotation cycle was 37 percent of the total IS budget.
In 2001 we considered a thin-client environment. We researched the technology, and Windows 2000 terminal server was our best choice, due to the low cost of implementation and the fact that we wouldn’t need to rotate our desktops any longer.
We’ve already seen some benefit from our terminal server implementation.
In 2002, we took the same dollar figure that had gone to our desktop rotation
and purchased our terminal servers. In 2003, we purchased Office XP and
other software updates with the dollars that we would have spent on desktop
hardware. As we rolled out terminal server, we also rolled out the latest
software that we could. Without implementing terminal server, we never
would have been able to consider purchasing the upgrade software like
Office XP.
We’re also taking advantage of the “Remote Control” desktop in Terminal Server Manager. We’ve hired an application support specialist, who supports all staff remotely. We can respond to more staff requests instantly, rather than having to set up an appointment. This has greatly reduced the number of visits to each desktop to support the applications.
We’ve had some challenges as we implemented Windows 2003 terminal server, however. One challenge was to get the whole staff on the same version of software. This required us to open up communications with all departments to do our software inventory. We also needed to find a way to manage the software license. We accomplished this through KeyServer from Sassafras. And the biggest challenge was to balance the security of terminal services with the needs of the end users. We did that through Active Directory and Group Policy Objects.
The City of Lafayette has set Windows 2003 Terminal Server as our standard
desktop for our staff. In fact, instead of replacing or adding any computers,
we plan on installing a true thin-client piece of hardware. These hardware
costs are much lower than desktop hardware.
—Dennis Marquardt, MCSE
Lafayette, Colorado
The article on remote connectivity missed the best feature of all. No, not the Time Zone remapping (though that is great) but the console mode—MSTSC /console. The MSTSC Help and Support topic incorrectly states that you can use the /console switch to connect to the console session (session 0) of a specified Windows 2000 Server (mstsc.exe is the Remote Desktop Connection client, earlier known as TS Client). You can’t use the /console switch to connect to the console session of a Windows 2000 Server-based computer. However, you can use the /console switch to connect to the console session of an XP Professional or Windows 2003 computer.
I’m working on a system right now that I’ll have to support in Russia
long distance from Alabama. Connecting directly to the console will be
perfect when or if they get an error on screen.
Because you can connect twice with Remote Desktop and once with Console
at the same time, the numbers for 2003 were off. You can have three connections
at a time.
—Rodney R. Fournier, MCSA, MCSE +Internet, MCT
Huntsville, Alabama
What a great article on Windows Server 2003 remote administration! One
additional feature that wasn’t mentioned is the ability to use the Remote
Desktop Connection to connect to the Console on a Windows 2003 server
(Knowledge Base article 309375). This has been one of my biggest complaints
on the earlier version of TS Admin.
—Roger Prestine, MCSE
Milwaukee, Wisconsin
You're absolutely right, and a number of folks spoke up
to point that one out! I'm actually planning to talk about the new console
connection—and some other new RDP features—in an upcoming “Tips and Tricks”
column. Thanks for the heads up!
—Don Jones
Security Roles
Regarding Dian Schaffhauser’s “Editor’s Desk” column, “A Simple Plan,”
I spent a lot of time and effort on the Security+ exam. A lot of industry
people respect it as a benchmark for entry-level security. The kind of
statement Andy Barkl made about the exam disparages a certification many
have worked hard to obtain.
Think about the employers who get this magazine. Somebody who’s hiring
might read the article and Barkl’s quote a day before reviewing a résumé
for a job candidate who lists the Security+ designation. And, based on
that one opinion, he might toss the candidate’s résumé to the side. Meanwhile,
that candidate probably has two to three years of experience and spent
the last four months studying to hone his or her skills for such a test.
—James Bohling, MCP, Security+, CCNA
Chesapeake, Virginia
I understood the reasoning behind the “+ Internet” designation, as well as “+Site Building”—if you had the skills from the TCP/IP and IIS exams, you could demonstrate an aptitude for such a moniker on your certification. I also agree that if you master the skills for Microsoft’s security-related exams, adding a “Security” designator is warranted.
But I also believe it’s not justified. Security isn’t about placing an ISA Server in your structure or configuring your machines to a hardened state. Security the Microsoft way isn’t enough, which is why I applaud the Security+ certification option. Instead of jumping on the bandwagon, Microsoft should take more than a “patch this” approach.
I might pursue it after Security+ and SANS GIAC. I want to keep my system
administration skills intact. I’m trying to be less cynical without losing
my basic level of paranoia!
—Kevin Shaw, MCSE, MCP+I
Martinsburg, West Virginia
Uniting Technology
My guess is that the intrusive, unusable scenario Em C. Pea envisioned
for telephone/PC integration in her July “Call Me Certifiable” column,
“That Pesky Convergence Stuff,” is a bit off the mark. The scenario assumes
the lowest-quality software providers will have a monopoly on the user
interface for the PC phone. Thus, pop-up advertising, crashes and misdials
abound. This won’t be the case, because competition among UI providers
will eliminate overly intrusive advertising.
As for misdials, there’s no reason to think the PC-phone will be only voice-activated. Any number frequently dialed will probably be mapped to a quick-dial function, available via mouse-click or some code.
Regarding computer crashes, it would apply to all uses of a computer, and it’s increasingly unlikely as Microsoft continues to improve the reliability of its OSs.
PC features (a big monitor, Internet connection) could enable many enhancements
to current phone functionality, all while dramatically lowering the price.
I’d buy that.
—David Vestal, MCP
Statesville, North Carolina
I take issue with the hacking on Microsoft’s stability, especially in
comparison to the telephone. If I took a computer, installed most any
flavor of Windows and told it to do one thing and gave it no capability
to do anything else, I’d have a system that was as stable as an analog
phone. The reason I’ve tried to rebuild my PC every so often is that I’m
constantly messing with it by installing and uninstalling software. When
we have phones that can run multiple applications, then we’ll start to
see stability problems.
—James Riley, MCSE
Noblesville, Indiana
The Pleistocene was a time during which climates shifted dramatically—just as the climate shifted from having separate data and voice networks to one that converges voice, data and video over a single infrastructure. This convergence has provided opportunities for new integration of PC and telephone services, but Internet Protocol (IP) telephony over a converged network doesn’t require a PC interface in order to provide new services. Vendors provide applications that arrange hotel reservations, order takeout food or check the status of airline arrivals and departures—all from an IP telephone keypad. Users can be alerted of emergencies that activate a message light on the phone, display a message on the phone’s video display or stream an emergency alert over the telephone that only the intended recipient hears.
The telephone has become a network appliance, much like the PC. It can receive software updates automatically from its call processing server. It can be unplugged from its network connection and relocated within the customer’s organization, where it reboots, downloads its configuration and continues operating as before. The user can configure services, speed dials and so forth without needing the help of an administrator or telephone repair person.
Microsoft recognizes the success that companies have had in implementing
this technology and wants to participate. The alternative is to not weather
the climate change and become extinct.
—Ginger Kavan, MCSE, MCSA
Sacramento, California
How to Land the Next Job
I was one of the people referenced in the “Editor’s Desk” in the August
issue, “A Different Take.” I still haven’t landed a position, but I’m
waiting on the results from one interview and not holding my breath on
another.
I have three pieces of advice for people who are unemployed or who may feel unemployment coming in the near future.
Keep every business card you receive from those you talk to. Even if you don’t get a card, keep a little notebook and write down names and companies (and any other information you obtain). Try to write down any conversation piece that sticks out, for example, “How is the project coming along?” Or, “Did you get that Exchange server fixed?” Every month or so, write a short note bringing up that conversation, remind the recipient who you are and where you last spoke, and then indicate that you’re still seeking job leads.
Spend time exercising and focusing on your career. Figure out if this
line of work is for you. I’ve jumped from programming to databases to
security and a lot of places in between. Set goals after you’ve determined
in what direction you want to head and stick to them. The small successes
in accomplishing short-term and long-term goals will keep you from becoming
a couch potato and giving up. My latest direction has been security for
Microsoft platforms. I’ve just passed the 70-214 exam and will be taking
70-227 (ISA Server) within the next few weeks so that I can add “+Security”
to my MCSE.
Last, keep your spirits up. No matter how bad it gets—and chances are
it may get pretty bad—things never last forever. Keep what’s important
in front of you: Family and friends. Lean on them for support.
The IT industry is picking up, slowly. The great thing about technology
is that it keeps advancing. I see the end of my unemployment coming.
—Robert F. Murphy, MCSE+I, MCT, A+, N+
Austin, Texas
Correction
In her August column, “A Different Take,” Dian Schaffhauser
ran an incorrect number for Dell salaries. The number referenced by the
reader in Austin, Texas should have been $12 an hour, not $12,000 a year.