Vol. 20, #20 - May 18, 2015 - Issue #1030
In last week's newsletter we included an Ask Our Readers request from a reader who wanted to know more about how to support Java applications in an enterprise environment. Many organizations are wary about running Java applications because of ongoing security concerns with the platform. In this week's issue we'll hear from two individuals who address this matter in detail. We also have other news, tools, tips and fun stuff to enlighten and entertain our almost 100,000 IT pro subscribers around the world.
But while we're at it how about letting your colleagues know about our newsletter? Tell them they can subscribe to WServerNews by going here:
How's that for some "hard sell" in action? Remember, (A)lways (B)e (C)losing!
But if you want to see some real "hard sell" at work, check out how Dogbert mercilessly flogged his new technology magazine in this classic Dilbert comic strip from 2001:
Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at email@example.com
In Issue #1029 The latest on Windows 10, we included the following section:
Ask Our Readers - How to support Java in the enterprise?
In the Mailbag section of the previous Issue #1028 IT salaries: good, bad or ugly? we included some reader suggestions for tools you can use to determine what's filling up the disk on a Windows client or server system. One of our readers named James recommended a Java-based utility called JDiskReport, but I responded that this wouldn't work for admins who have security concerns about having the Java JVM on systems they manage. When this week's issue of WServerNews appeared he sent us another email containing an important question that some of our readers may want to try and respond to:
Reading today's issue of WServerNews I noticed you mentioned my recommendation for a volume usage analyzer and concern over using Java in the enterprise. Sadly, as I'm sure is true for other readers, Java is a necessary evil as a number of standalone and web applications here at the university require this platform. Oracle has tried of late to mitigate security risks, which is great, but in the process has created new headaches for administrators and end users. Now that Google announced dropping support for NPAPI in version 45 of Chrome, things will only get worse. We're already fielding support calls as NPAPI is disabled in the current version.
I would be interested in hearing how other enterprise admins are handling Java and other high risk third party software. We have been able to uninstall on a handful of systems but in general our strategy has been to protect workstations (firewall/IPS, blacklists, EMET, GPOs, virus protection) and keep Java up to date using App Deployment Toolkit through SCCM. Speaking of keeping Java updated… Is it just me or is Oracle intentionally making Java more difficult to support in an enterprise?
Several readers responded to this request and we wanted to feature two of them in this issue. The first contribution is from David Morris, an IS Systems Manager from the USA who says:
Avoiding applets, and a reliance on the Java browser plugin, will plug nearly all major vulnerabilities. Our enterprise development has been largely Java for well over a decade now, and we've avoided applet development like the plague. Browser plugins introduce a much larger "surface area" to be attacked than a local client or server installation of a Java runtime. They essentially punch a hole in your firewall and allow rogue remote code to execute within your browser -- if the sandbox is compromised due to an exploit, you've just granted the enemy access to your local environment and the corporate network.
We've developed and deployed many dozens of Java applications across our enterprise, but none are run from a browser -- that was a conscious decision we made from the start. Unfortunately, we do have some purchased 3rd party solutions that require applet support, and those have been our only real pain point. When faced with a mandatory Java upgrade to patch a security hole (as with Java 7 prior to Update 51 a couple years ago), we've struggled to find a secure, compatible Java version that all of these apps were compatible with, since you can only have a single "system" JRE active (which happens to also provide the plugin). We're leaning on our vendors to reduce or eliminate the applet requirement, and I would love to see Oracle drop support for applets and deprecate their use. Unlikely, considering they now push it as a selling point for JavaFX, the successor to Swing that allows you to write your GUI once and run as thick client or web -- my fear is shops will be attracted to this "feature" without understanding its consequences.
Outside of the browser, with proper traditional client and server security (firewalls, ACLs, etc.), Java runtimes have historically carried very little risk (nearly all such risks were of internal attack, not external). Unlike with the browser plugin, which is owned by the one-and-only "system" JRE, you can deploy multiple Java client runtimes and point each application to their own version if necessary, making Java upgrade impact less of an issue. We've adopted this model with our enterprise Java deployments, where the app bundles its desired JRE and runs independent of the "system" JRE or any other JRE on the same host.
Our second contribution on this topic comes from Jeremy Moskowitz, a long-time Microsoft MVP in the technical expertise area of Group Policy. Jeremy runs a popular site called GPanswers.com and is the Founder of PolicyPak Software. Here's what Jeremy had to say on this topic:
So, as a Group Policy MVP, when I was posed the question of "How are we supposed to manage X in the enterprise?" I built a company around it. And we've been going like gangbusters since 2012. We manage hundreds of applications, like Java, Firefox, Flash and everything else nearly-impossible to manage.
Here are some videos on how we manage Java:
And we have hundreds of thousands of seats under management doing it this way.
Other popular Paks are available for managing Firefox:
and Microsoft Lync Client:
We also have one for managing Internet Explorer:
where we manage more than Group Policy normally can do.
So PolicyPak doesn't REPLACE Group Policy or SCCM or what people are using to DEPLOY software. We simply manage it. And keep it locked down so users cannot work around the settings. While our tool is general purpose, we have dozens and dozens of pre-configured Paks:
Be sure to also check out Jeremy's site GPanswers.com where he maintains a blog and has some additional resources on Group Policy and offers both live and online training:
Readers who have further thoughts or questions about managing Java or anything else in enterprise environments can direct their comments to us at firstname.lastname@example.org
And now on to some other news that might be of interest for IT pros...
KoreLogic has a blog post that suggests that removing an SSD from a computer and keeping it on the shelf without any power source may cause it to start losing data after only a few weeks have passed:
The above blog post also refers to a presentation from the Joint Electron Device Engineering Council (JEDEC) which suggests that for each 5 °C increase in temperature the data retention period for SSDs is approximately halved--see page 27 of this PDF:
This may have interesting legal implications for using SSDs for archival storage that organizations might want to think about as SSDs gradually replace HDDs. What do you think? Email us at email@example.com
Here's how a few tech commentators have summed up everything Microsoft announced at Ignite 2015:
Michel de Rooij
What do you think were the most important announcements (or omissions) at Ignite? Let us know at firstname.lastname@example.org
Schneier on Security has an article on how to detect man-on-the-side Internet attacks like the NSA's QUANTUMINSERT:
The comments at the bottom of this blog post make for some interesting reading...
Is Microsoft or Amazon or Rackspace or some other company building a datacenter for their cloud on the asteroid Ceres? It sure looks like it on this photo from NASA's Dawn spacecraft which is currently orbiting Ceres:
Got any other ideas what this strange artifact might be? Email us at email@example.com
Got feedback about anything in this newsletter? Let us know at firstname.lastname@example.org
The Microsoft Press Blog has an announcement about a new book:
Virtualizing Desktops & Apps with Windows Server 2012 R2 Inside Out
Dive into Windows Server 2012 R2 virtualization—and really put your systems expertise to work. Focusing on both virtual desktop infrastructure and virtualized applications, this supremely organized reference packs hundreds of timesaving solutions, tips, and workarounds. Discover how the experts tackle Windows virtualization—and challenge yourself to new levels of mastery.
Some announcements from the Microsoft Virtual Academy:
On-demand: Azure IaaS for IT Professionals
Check out these free on-demand courses to get technical insights and tips from Microsoft Azure experts. Build on your foundational cloud skills, and prepare for Exam 70-533: Implementing Microsoft Azure Infrastructure Solutions:
On-demand: Windows 10 Technical Preview Fundamentals for IT Pros
For a sneak peek at Windows 10, watch this course as our expert instructors explore improvements to help you meet your enterprise IT and security challenges:
Free Microsoft Press Ebook - Introducing Windows 10 for IT Professionals, Preview Edition
Get a head start evaluating Windows 10—with early technical insights from award-winning journalist and Windows expert Ed Bott. This guide introduces new features and capabilities, providing a practical, high-level overview for IT professionals ready to begin deployment planning now. Details and download link here:
This white paper details three critical steps for maintaining compliance with external regulations and internal security policies: assess the environment and controls; audit and alert on unapproved user activity; and develop remediation procedures.
It then goes on to discuss four key external regulations that are driving companies to prepare for an IT compliance audit. Finally, we discuss the best practices for implementing a compliance solution that will minimize stress during an organization's next IT compliance audit.
"Just because something doesn't do what you planned it to do doesn't mean it's useless." --Thomas Edison
Until next week,
Get the info, find the issues and pro-actively fix them. Simplify and automate day-to-day, time-consuming tasks or get an update on that global project you are running, Lansweeper offers you the tools.
Veeam Endpoint Backup FREE is a standalone solution for backup of your physical computers. At no cost, you can protect your home or work Windows-based desktops, laptops and tablets. Download now!
Read this free eBook and find out how to calculate the true return on investment (ROI) involved in maintaining traditional storage solutions for email archiving and Exchange management.
Microsoft's free Rights Management Services Analyzer Tool lets you check the settings, configuration, and behavior of your RMS infrastructure and client applications that use RMS.
Azure DocumentDB Data Migration Tool enables movement of data from various data sources into DocumentDB.
To reclaim disk space on a Windows system you can run Disk Cleanup by opening the properties of your system drive. But is it possible to automate this process? Yes, you can, by using the Windows PowerShell script below, which was provided to us by Amrinder Singh Chadha, a Senior IT Program Manager at Microsoft. The script should work on any version of Windows that has PowerShell v3 or higher. Note that this script is provided "as is" with no warranties or guarantees, so use it at your own risk. You can download it here:
While you can manually change the zoom level of an email in the Reading pane of Outlook 2010 or 2013 by using the zoom slider on the right of the Status bar, the new setting you select doesn't persist and you'll have to change the zoom each time you read a new email message.
Fortunately there's a workaround, as this article on Slipstick Systems explains. The workaround is to run the Visual Basic for Applications (VBA) macro outlined in the section "Set the zoom level using VBA" on this page:
Jose Barreto, a Principal Program Manager on the File Server team at Microsoft, tweeted that the image named "Windows Server Technical Preview" in the Microsoft Azure library is actually build 10074 or Technical Preview 2 of the product. So if you have an MSDN subscription and have activated your free Azure benefits you can test drive the latest version of Windows Server without needing to install it on a physical server system. And even if you don't have an MSDN subscription you can still try out Microsoft Azure for one month at no cost by going here:
While you're at it be sure to check out Jose's blog:
You can also follow him on Twitter:
GOT TIPS you'd like to share with other readers? Email us at email@example.com
Microsoft Worldwide Partner Conference (WPC) on July 12-16 in Orlando, Florida USA
AWS re:Invent on October 6-9 in Las Vegas, Nevada USA
Microsoft TechDays 2015 on May 28-29 in the Hague, Netherlands
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact firstname.lastname@example.org
Windows Server 2003 End of Support presents a number of challenges for your business. Ignoring the problem isn’t a great strategy as no more support and no more updates will put your organization at risk sooner or later.
Hear from our expert panel on:
And learn how a real life customer embarked on their new journey.
Date: Tuesday, 19th May 2015
Time: 3pm GMT & 10am EST
Duration: 45 minutes
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact email@example.com
Securing a NetScaler (Johannes Norz)
Installing and Configuring Citrix XenApp/XenDesktop 7.6 (Part 4) (VirtualizationAdmin.com)
Cisco ACI - Switch Profiles and Interface Policies (VirtualizationAdmin.com)
Interacting with TCP/IP Through PowerShell (Part 2) (WindowsNetworking.com)
Set Lockdown Mode in vSphere 6 via PowerCLI (vTagion)
vCloud Air DRaaS – Improvements (VMFOCUS)
Use PowerShell to Extract Zipped Files (Hey, Scripting Guy! Blog)
PowerShell Essentials (Part 9) (WindowsNetworking.com)
Getting Started With Azure Pack (Part 1) (VirtualizationAdmin.com)
Reporting Application of GPOs on Remote Computers and Generating A Report (Part 2) (WindowsNetworking.com)
Cloud Data Jurisdiction: The provider, The Consumer and Data Sovereignty
Importing a Virtual Machine into Amazon EC2 (Part 3)
Sharing the Load – Securely
Getting Started With Azure Pack (Part 2)
Interacting with TCP/IP Through PowerShell (Part 3)
Zero trust security policies can be difficult to scale in physical implementations due to the fact that a single device has to filter all traffic. Fortunately, if you choose to utilize virtualization and cloud, IT can overcome that challenge and scale them successfully. Find out how to achieve zero trust security in the cloud today.
Microsoft is continuing to push for Docker with new Hyper-V Container tools for greater application isolation, casting a wider net and targeting security concerns with it. Still, despite Docker's popularity, lingering questions remain. Get an exclusive look at what the experts are saying about Microsoft's big push for Docker.
Admins used to focus solely on the back-end infrastructure necessary to deliver desktop services, and not on client endpoints. Today, they can now provide users with the hardware that makes it possible to access their virtual desktops. Get an inside look at three varieties of hardware you can deploy for virtual desktop users so you can deliver solid VDI from the back end to the front.
CPU affinity is an often misunderstood resource control in vSphere. Controlling the delivery of CPU resources to a VM is a key part of performance management, but it's usually unwise to configure a CPU affinity on a VM for a variety of reasons. Learn more in this helpful guide today.
GOT FUN VIDEOS or other fun links you'd like to recommend? Email us at firstname.lastname@example.org
Aviation showreel featuring the Patrouille Suisse, Red Arrows, Breitling Super Constellation, Swiss Airbus A330, Rimowa JU-52 and many others:
An amazing, realistic 3D drawing of a glass of water that will blow your mind:
A beautiful performance by the 'China Youth' team showing the elegance of Chinese traditional martial arts culture:
Queen's Bohemian Rhapsody played by an 81-key Marenghi Organ built in 1905:
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.