Final session of the day was on "Upgrading to Exchange 2007". Sadly, it was primarily about upgrading FROM Exchange 2003, but it did raise a couple of significant tidbits worth knowing.
Firstly, Exchange 2007 apparently doesn't have any mail routing configuration - it uses the Active Directory Sites and Servers configuration to determine which site is which, and follows the same replication topology that AD uses. This means that we'll need to consider this when designing the AD structure, and also lock down the topology against changes. If we went down the Exchange path, routing and replication changes would need stricter change controls involving both teams.
Secondly, Exchange cluster/failover changes require having the same operating system on both halves of the cluster. And in-place upgrades of the OS are NOT supported for Exchange 2007 servers. In practical terms, this would mean that a centralised Exchange cluster built on Windows 2003 servers would have a lot of challenges when the time came to upgrade the OS to Server 2008. We'd basically need to build a new cluster, set up connectors and migrate the mailboxes individually. The user mailbox would be unavailable during the move.
So, to defer the pain, it would be easiest to deploy onto Windows 2008 servers, so we'd want a WST supported 2008 build first.
Tuesday, November 4, 2008
Microsoft TechEd 2008, Day 2, 15:30
Attended a session with Steve Riley, Senior Security Strategist with Microsoft Security. The session was called "Privacy: Who, What, Where?"
Most of the content covered was general in nature, and mainly covered risks associated with spyware, RFID chips, security breaches and such. The key message was that, in general, customers of a company don't seem to be aware of or concerned about information disclosure. As such, there is currently not much economic incentive for companies to take privacy and data security seriously. Often, it's cheaper to take the risk and pay government-imposed fines rather than do the right thing.
BitLocker, of course, rated a mention. Steve did say that, now that BDE supports additional fixed disks and removable drives (as of Windows 7), there is little benefit in using both BitLocker and Windows Encrypted File System - both mitigate against the same risks. Neither, though, will protect against documents being e-mailed or taken off a system using unencrypted devices.
One of the technologies to look at would be Windows Rights Management Server. Having a policy enforced by RMS would help manage the risk of a document "escaping" the network (or CTM.)
Microsoft TechEd 2008, Day 2, 12:30
The last session was on Exchange 2007 troubleshooting. Most of it was too techy to blog here, and primarily of interest only if we move to Exchange.
But they also covered off the general troubleshooting fundamentals, these being (and I'm paraphrasing here):
Know your stuff;
Have a baseline, and proactively monitor systems to check for changes;
Think of the implications before you make a change.
We all know these things, but it's still good to be reminded occasionally.
Oh, and the other thing is that most of Exchange 2007 - and Windows 7 - advanced administration involved scripting in PowerShell. So, it's time to learn yet another scripting language!
Microsoft TechEd 2008, Day 2, 10:15
First session was about Windows 7. A few new things, but evolutionary not revolutionary (tick that one off!)
One key technology is "DirectAccess" - need to get more information about this but apparently this, when used in conjunction with Windows Server 2008 R2, will allow seamless and secure access to corporate networks without needing a VPN. I have my doubts on what their definition of "secure" is, but will research further while I'm here.
BitLocker encryption is being extended to removable disks/USB drives, and can be enforced by group policy - you can prevent a user writing to a USB device unless it's BitLocker protected. Someone should tell the UK Government this. Another advantage, of course, is that recovery keys can be backed up to Active Directory for easy recovery in the event of a forgotten password.
They've also made the Application controls (allowing only whitelisted applications) more flexible - still could be a nightmare to implement first time, but would help prevent users from self-installing apps down the track.