Archive for the '1' Category

Nov 23 2007

Twitter Updates for 2007-11-23

Published by under 1

  • Clearing the night’s email. I’m not well (a feet, knees, ankles and elbows day) so it’s time for a long walk - it helps that it’s sunny
  • Called back to Lincoln to talk with consultants
  • Ferrybridge services, trying to relax for a while and have some breakfast. Managed to get myself lost but Blackberry GPS saved me!
  • In a cafe in Lincoln. Now need to wait till 16:00 to see the consultant, who is now delayed 2 hours
  • Home! Last night the Docs had given up on Dad. Today he woke up full of fight, they were amazed, we were thrilled. Future’s still unknown.

Powered by Twitter Tools.

No responses yet

Nov 22 2007

Twitter Updates for 2007-11-22

Published by under 1

  • Trouble sleeping, so trying to get email blogging to work with WordPress, without much luck
  • Just clearing my emails before driving to Lincoln
  • Talking to Mark Luter about which Windows Mobile devices to buy
  • Listening to IT Conversations podcasts while driving to Lincoln
  • At the hospital
  • Just left my Dad (still very ill, now also has a chest infection) and stopped at Little Chef for a break
  • Home at last - heavy traffic, reading feeds while watching Heroes


Nov 21 2007

Twitter Updates for 2007-11-21

Published by under 1

  • Talking to Doug when I should be asleep
  • Finished emails, now going for a walk and then later to Chorley for the day
  • Reading my feeds from last night in the Cafe Nero in Lytham
  • Just got a report from my brother that my Dad’s doing a bit better in hospital, setting off for Chorley now to meet Stu and Charlie
  • On my way home after a fun session with Stu and Charlie
  • Waiting for Stephie at the school
  • My email volume’s fairly low as well, due to always-on IM, a weekly highlight report and lots of rules in Lotus Notes
  • Dropped Stephie off at Tae Kwon Do and now swimming with the twins. Jen’s operation went very well
  • Finished swimming, 40 lengths tonight, feeling much better than yesterday. Chilling out by the pool for a while
  • Watching Stephie finish her training after a quick shop at Sainsbury’s
  • Scanning feeds while watching Spooks on TV. The swims this week have helped my ankles and knees, ready for the long drive tomorrow
  • Making my Twitter feed private, i.e. not part of the public timeline. I made it public because of Facebook but am using twittersync instead now
  • Finished for the night. Now going to read a good book in a hot bath: Red Rabbit by Tom Clancy


Aug 03 2005

Office 12 - Finalising and Protecting Documents

Published by Steve Richards under 1

Four main areas:

  • Inspect the document, to make sure comments, review, meta-data etc is not left in by accident
  • Mark as final
  • Signatures
  • Digital rights management

Document Inspector replaces the “Remove Hidden Data” tool (currently a free add-on) and optionally removes the following:

  • Comments and revisions
  • Document information, document properties etc
  • Headers and footers
  • Hidden text

Finalise document:

  • Sets the document to read-only mode
  • Switches off all editing capabilities in the UI
  • Switches off spell and grammar check
  • The “final mode” can be switched off later if you or others want to edit the document. It is a usability feature, not a security feature

Signatures:

  • “In document signing”. Inserts a signature line that specifies who needs to sign the document; the visual experience looks like a paper signature area. The document can be cryptographically signed, after which the only change that can be made is that the signatories can sign the document. The signatories have a visual representation of their signature as well as a cryptographic one.
  • When people open the document, the “business pane” shows that the document has been finalised and is waiting for signature.
  • Every element of the above is pluggable, i.e. can be replaced by third parties
  • This is clever, because it lets the author finalise and sign the document and then send it to other parties; the only change these other signatories can make is to sign the document.
  • It is now a reality to sign documents electronically
  • This capability is provided in Word, Excel and PowerPoint (InfoPath? – need to check)
  • In older versions of Office the signature line still appears and can be printed, but the document cannot be signed in Office

Protecting documents:

  • Builds on Office 2003 Information Rights Management (IRM)
  • SharePoint document libraries can now implement IRM policies – wow, this is really powerful
  • Because IRM gets applied during download, the documents on SharePoint can be indexed and archived in unencrypted form
  • The IRM policy can time out, for example for documents that are only sensitive until a particular date
  • The IRM policy for a document library can, if desired, prevent a user from uploading a document type that cannot be rights managed
  • Password protection is still available and the encryption is now strong, in fact the same as IRM. Use password protection for sharing documents securely with third parties where Internet-facing IRM is not available, but remember that once you know the password you can do anything you like with the document
  • If IRM is available it’s best to turn passwords off
  • InfoPath now supports IRM. The IRM policy applies to the InfoPath form template
  • Outlook now supports IRM protection of email threads, i.e. the reply gets the same IRM protection as the initial message
  • No desktop search of IRM protected documents


Aug 03 2005

Office 12 Workflow

Published by Steve Richards under 1

This post is being written as it happens at the Office System conference.

Workflow was essentially unusable in WSS v2 for most real-world business scenarios, so this session is key to positioning the role of Office System 12.

This is the process they are trying to support:

  • Create
  • Edit/review
  • Ready to publish, sign off and approve
  • Publish
  • Archive

Key points

  • Workflow is at the item level; it works for any list item, so for example it could be used for a change request, a risk, a purchase order or a document review
  • Items have a workflow view, which lists completed and active workflows for the item
  • InfoPath forms are used for workflow forms, web rendered for the browser or native InfoPath for the Office 12 client
  • Workflow actions are sent via email, and are also available from the Tasks view in the SharePoint web UI
  • When you open a document that has a workflow associated with it, the Office client displays the “business bar”. If you click Edit Task from the business bar in, say, Word then you can approve, reject etc. directly from Office.
  • A status page is available for each active workflow
  • Reports are available to provide workflow metrics, for example reports to analyse duration, errors, conditional branches etc.
  • Workflows automatically appear on task lists, so for example a team could use a common task list for all activities, including workflows that are associated with the team

Four roles

  • The participants in the workflow
  • The initiator of the workflow
  • The observer, who is tracking status and performance
  • The process owner who is designing workflows. Sometimes a developer might be needed to translate the process owner’s requirements into SharePoint

Lists are all over workflow:

  • List items that have workflows associated with them
  • Lists of workflow tasks
  • History lists that store information about previous workflows
  • Custom lists that contain items generated by workflows, for example a calendar entry

Email is key:

  • When workflow tasks are assigned or changed
  • When workflows start or end
  • If errors occur

Reports:

  • Web reports
  • Access reports that allow you to join together multiple SharePoint lists to create more complex reports

Custom stuff:

  • More complex workflows can be created using FrontPage and Visual Studio

Admin and management:

  • Old tasks can be cleaned up
  • Instrumentation data is captured
  • Tracking active workflows
  • Reporting of metrics for completed workflows

Aug 03 2005

Standard Document Management in the Office System

Published by Steve Richards under 1

This post is being written as it happens at the Office System conference because I won’t have any time to catch up with my note taking tonight, going out for a meal with the Partner Architecture group.

Document management was essentially unusable in WSS v2 for most real-world business scenarios, so this session is key to positioning the role of Office System 12.

This is the process they are trying to support:

  • Create
  • Edit/review
  • Ready to publish, sign off and approve
  • Publish
  • Archive

This post is about the Create, edit and review process. 

  • A tree control has been added to help users navigate around a large collection of documents. This replaces the shortcut bar in v2 and is much more useful for navigating large document collections.
  • The NEW button lets you create a new document, with the option of selecting from a list of as many different TYPES of document as you set up. These new “content types” include a template, standard meta-data, policies, workflows and auditing.
  • A property panel is displayed at the top of the page when you create a new document, so this meta-data is now captured as part of the authoring process.
  • The meta-data requested is specific to the document type you choose to create
  • The property panel is actually an automatically generated InfoPath form. An InfoPath client install is not required!
  • You can make properties mandatory
  • The properties that you enter can be inserted into the document contents anywhere, and they can be changed either in the document or in the document properties
  • The properties are also promoted into the WSS store, can be displayed in WSS web views, and can be edited in WSS as well; these changes are also reflected in the document
  • Properties can be edited off-line as well, which was not possible in v2
  • Checked-out documents can also be taken off-line and saved, which was not possible in v2
  • Whole document libraries can be taken off-line in Outlook
  • Outlook provides a preview view of the documents that are taken off-line. It’s quick! It supports Word, Excel and PowerPoint, and an API is available for other document types.
  • Offline data uses Outlook’s scheduled replication
  • Outlook only synchronises the current versions, and also provides access to YOUR checked-out documents, provided they are stored on your PC
  • There are some issues with editing Outlook-synchronised documents off-line; not sure what the final shipping experience will be.
  • Outlook, NOT Groove, is Microsoft’s strategic client for working with SharePoint information off-line

Control features

  • Document libraries can be set up, using IRM, to only allow people to download read-only documents. If you check a document out then you are allowed to edit it, assuming you have the privilege to do a check-out. This read-only status travels with the document wherever it goes.
  • Check-in options are now: new major version, new minor version, overwrite existing minor version
  • When you check in a document you can automatically check it out again and continue working
  • Word now allows you to compare current and previous versions very simply. You compare in a 3-pane view: current, previous, and track changes.
  • If you try to check out a document that is already checked out then it tells you who has it checked out, lets you take a read-only “fork”, or lets you wait and sends you an email when the document is checked in again
  • If you try to work on a document from another PC that does not have your checked-out off-line “cached” copy, then this is handled.
  • Web parts are available for:
    • My tasks, aggregated
    • My checked out documents
    • My documents – authored by me

All of these features are switched on as standard in the Enterprise Document Repository template. However you can start very simple – for example with a Team Site – and gradually switch on features.

Document types are very powerful; they allow you to define:

  • Templates
  • Optional and Mandatory properties
  • Workflows
  • Associations
  • Retention and policy
  • Custom behaviours
  • Multiple content types can be stored in the same library
  • Document types are defined at the SITE level; if you change the document type at site level the change is propagated to every document library

Examples of document types:

  • Contacts
  • Specifications
  • Meeting Minutes
  • Agendas

The client features are supported in Word, Excel and PowerPoint.

The Infopath property panel can be customised, for example:

  • Style
  • Logo
  • Custom business logic, for example validation, interactions with web services etc.

It is now possible to define the number of major and minor versions that need to be retained.

Most of the client features are only available in Office 12. However you can use the web site UI to get the same capabilities if you don’t use the Office 12 client.

Scale:

  • Testing target is 10 Million per document library
  • You can have multiple document libraries in a site
  • Views are optimised for 2000 documents
  • Search should be used for getting access to “views” of more than 2000 documents

Aug 02 2005

Blogging Office 12

Published by Steve Richards under 1

It’s clear from the keynote today that the impact of Office 12 is, as expected, going to be considerable.  Here are some of the key points:

  • The integrated value proposition, “integrated innovation”, is ever stronger with each release, and it is very impressive with Office 12. There is no comparison between the integrated user experience of the Vista OS, the Office 12 client and the Office 12 and related servers and that of any other products on the market. Whether you are convinced of the business case and strategy is another matter, which I will address as I write these articles
  • The Information worker market is estimated by Gartner to be $100B
  • Microsoft have taken a comprehensive look at the product suite and addressed many of its weaknesses in innovative ways
  • There is going to be a lot of information to cover
  • The role of partners is much much richer with Office 12 than with any previous Office product and this presents a great opportunity for us

Because there is so much to cover I intend to write up a number of articles that describe different themes. As more information arrives I may update the articles, but I will post the work in progress as I get it. The articles I need to write so far will be:

  • The Office 12 User Experience
  • The changing nature of Office
  • Transparency and involvement in our interactions with customers
  • The new world of work
  • XML and Office
  • The partnership opportunity


Jul 29 2005

Branch offices and Longhorn

Published by Steve Richards under 1

A few of the Longhorn technologies seem great for branch offices, which we can assume to lack physical security and the high levels of management required for enterprise-class service integrity. If we string together Secure Startup (addressing the lack of physical security), read-only domain controllers (addressing the lack of service integrity, while giving resilience to network outages) and Longhorn Core (minimum attack surface and maximum up-time) we start to see the beginnings of a good solution.

Here is a bit more on read-only domain controllers:

Read-only

An RODC holds all the Active Directory® directory service objects and attributes that a full domain controller holds, but clients are not able to write changes directly to the RODC. This means that changes that are made at branch locations cannot pollute or corrupt the forest. Local applications requesting Read access to the directory are satisfied, while Lightweight Directory Application Protocol (LDAP) applications requesting Write access are referred to a full domain controller at a hub location.

Unidirectional Replication

Because no changes are written directly to the RODC and therefore do not originate locally, full domain controller replication partners do not have to pull changes from the RODC. This reduces bridgehead load in the hub as well as the effort it takes to monitor replication.

RODC unidirectional replication applies to both Active Directory and File Replication service (FRS) replication. The RODC performs normal inbound replication for Active Directory and FRS changes.

Credential Caching

Credential caching is the storage of user or computer credentials. Credentials consist of a small, well-defined set of approximately 10 encryption keys that are associated with each user or principal.

By default an RODC will not store user or computer credentials except for its own computer account and a special krbtgt account. The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a full domain controller uses when it signs or encrypts ticket-granting ticket (TGT) requests. This makes it possible for the RODC to identify authentication requests and forward them to a full, writable domain controller.

When the RODC processes a successful authentication request, it attempts to contact and pull the user’s credentials from a full domain controller at the hub location. The full domain controller acknowledges the request based on the special krbtgt account of the RODC. The credential-caching policy that is enforced at the full domain controller determines if a user’s or computer’s credentials can be replicated from the full domain controller to the RODC. If the credential-caching policy allows it, the full domain controller replicates down the credentials. After a user’s credentials are cached on the RODC, the RODC can service that user’s logon requests directly until the credentials change.

Credential caching limits the potential exposure of users’ credentials in the branch office because typically only a small subset of the user base will have their credentials cached on any given RODC. Thus, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked.
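The credential-caching flow just described, as an added Python model (not Microsoft code): the RODC serves cached logons locally, forwards everything else to the writable hub, caches only what the hub's policy allows, and can report which accounts are exposed if the box is stolen. The allow/deny lists and the rule that a deny entry wins are assumptions standing in for the real caching policy, and every secret is a constructed sample value.

```python
from dataclasses import dataclass, field


@dataclass
class FullDC:
    """Writable hub domain controller (constructed model, not real AD)."""
    secrets: dict        # principal -> secret; constructed sample values only
    allow_cache: set     # principals the policy lets the RODC cache
    deny_cache: set      # principals that must never be cached (assumed: deny wins)

    def authenticate(self, principal: str, secret: str) -> bool:
        return self.secrets.get(principal) == secret

    def may_replicate(self, principal: str) -> bool:
        """The credential-caching policy enforced at the full domain controller."""
        return principal in self.allow_cache and principal not in self.deny_cache


@dataclass
class RODC:
    """Branch-office RODC: reads everything, caches only policy-approved secrets."""
    hub: FullDC
    hub_reachable: bool = True          # False simulates a WAN outage
    cache: dict = field(default_factory=dict)
    forwarded: int = 0                  # logons answered by the hub
    served_locally: int = 0             # logons answered from the local cache

    def logon(self, principal: str, secret: str) -> bool:
        # A cached credential that matches is served in the branch, hub or no hub.
        if principal in self.cache and self.cache[principal] == secret:
            self.served_locally += 1
            return True
        # Anything else (uncached user, or stale cache entry) must go to a
        # writable DC; with the WAN down the logon simply fails.
        if not self.hub_reachable:
            return False
        self.forwarded += 1
        ok = self.hub.authenticate(principal, secret)
        # On success the hub applies its caching policy and, if allowed,
        # replicates the credential down so later logons stay local.
        if ok and self.hub.may_replicate(principal):
            self.cache[principal] = self.hub.secrets[principal]
        return ok

    def pull_replication(self) -> int:
        """Normal inbound replication: refresh cached secrets that changed at the hub.
        Returns the number of cache entries that were updated."""
        updated = 0
        if self.hub_reachable:
            for principal in list(self.cache):
                if self.cache[principal] != self.hub.secrets[principal]:
                    self.cache[principal] = self.hub.secrets[principal]
                    updated += 1
        return updated

    def exposure_if_stolen(self) -> list:
        """Accounts whose passwords must be reset if this RODC is physically taken:
        exactly the cached subset, never the whole directory."""
        return sorted(self.cache)
```

Running the model with a denied admin account shows the admin can still log on at the branch (the request is forwarded) but never lands in the cache, so a stolen RODC exposes only the ordinary branch users.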


Jul 29 2005

Longhorn - network access protection - the shape of things to come

Published by Steve Richards under 1

I have promoted the concept of standard corporate PC builds for over a decade; in fact my first standard PCs were Unix workstations back in the late 1980s. However I have become increasingly unsure of the approach as we find more and more uncontrolled devices connecting to the network (customers, partners, contractors etc.), more home devices being used, and more IT-literate users who want to take on the burden of management in return for flexibility.

In all of these scenarios it’s not standard builds that are important but policy compliance and enforcement. Enter NAP. I first came across NAP in SSL VPNs, but now I see it being much more universally used on corporate networks, heralding improved security and greater freedom and flexibility, especially for innovators, developers and other creative professionals. Here’s how Microsoft describes their Longhorn implementation:

NAP, a set of components in the Microsoft® Windows® Code Name “Longhorn” client operating system and in the Microsoft Windows Server™ Code Name “Longhorn” operating system, helps protect access to a private network by enforcing health policies. System administrators establish health policies, which can include such things as software requirements, security update requirements, and required configuration settings. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are deemed unhealthy, and remediating unhealthy client computers for full network access. NAP enforces health policies on client computers that are attempting to connect to a network; NAP also provides ongoing health compliance enforcement while a client is connected to a network.

To help protect network access, NAP relies on four key processes.

Policy Validation

NAP uses health policies to determine whether a client computer is allowed access to a network. The system administrator defines health policies, which include such things as virus signature requirements, security update requirements, and firewall configuration settings. NAP deems a client computer as healthy if it complies with current health policies and unhealthy if it does not comply.

Network Restriction

NAP denies unhealthy client computers access to the network or allows them access only to a special restricted network (sometimes known as a quarantine network or a remediation network). Set up properly, a restricted network provides client computers with access only to servers that can update them to a healthy state.

Remediation

Unhealthy client computers that are put into a restricted network might undergo remediation. Remediation is the process of automatically updating a client computer so that it meets current health policies. For example, a restricted network might contain a File Transfer Protocol (FTP) server that automatically updates the virus signatures of unhealthy client computers that have outdated signatures.

Ongoing Compliance

NAP can enforce health compliance on client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies change and the health of client computers change. For example, NAP will determine that the client computer is in an unhealthy state if a health policy requires that Windows Firewall be turned on and an administrator inadvertently turns it off on a client computer. NAP will then put the client computer into the restricted network until Windows Firewall is turned back on.

NAP enforces health policies for the following network access technologies: Dynamic Host Configuration Protocol (DHCP) address configuration, network connections based on virtual private networking (VPN), and communication based on Internet Protocol security (IPsec). NAP also provides a suite of application programming interfaces (APIs) that allow companies other than Microsoft to integrate their software into the NAP platform. By using the NAP APIs, software vendors can provide end-to-end solutions that validate health and remediate unhealthy clients.

I would add only a little to this description: in many cases the restricted network that non-compliant devices have access to needs to provide access to the Internet. This means that visitors who connect to your network can still get “home” without impacting the integrity of your network.
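The four NAP processes quoted above, modelled in Python as an added example (not Microsoft's NAP code or APIs): a health policy validates a constructed client state, the enforcer places the client on the full or restricted network, remediation fixes each failed requirement, and ongoing compliance re-assesses connected clients when their state or the policy changes. The client fields, policy settings and network names are assumptions of the model, and the restricted network keeps Internet reachability as suggested in the paragraph above.

```python
from dataclasses import dataclass, field

FULL, RESTRICTED = "full", "restricted"


@dataclass
class ClientHealth:
    """Health state reported by a connecting client (constructed sample data)."""
    firewall_on: bool
    signature_version: int
    installed_updates: set = field(default_factory=set)


@dataclass
class HealthPolicy:
    """Administrator-defined health policy (fields are assumptions of this model)."""
    require_firewall: bool = True
    min_signature_version: int = 0
    required_updates: frozenset = frozenset()

    def validate(self, client: ClientHealth) -> list:
        """Policy Validation: list every failed requirement; empty means healthy."""
        failures = []
        if self.require_firewall and not client.firewall_on:
            failures.append("firewall_off")
        if client.signature_version < self.min_signature_version:
            failures.append("signatures_outdated")
        for update in sorted(self.required_updates - client.installed_updates):
            failures.append("missing_update:" + update)
        return failures


class NapEnforcer:
    def __init__(self, policy: HealthPolicy):
        self.policy = policy
        self.clients = {}     # name -> ClientHealth of connected clients
        self.placement = {}   # name -> FULL or RESTRICTED

    def _assess(self, name: str, client: ClientHealth) -> str:
        """Network Restriction: healthy clients get the full network, others quarantine."""
        self.clients[name] = client
        self.placement[name] = FULL if not self.policy.validate(client) else RESTRICTED
        return self.placement[name]

    def connect(self, name: str, client: ClientHealth) -> str:
        return self._assess(name, client)

    def reachable(self, name: str) -> set:
        """Destinations a client can reach; the restricted network exposes only the
        remediation servers plus the Internet so visitors can still get home."""
        if self.placement.get(name) == FULL:
            return {"corporate", "remediation", "internet"}
        return {"remediation", "internet"}

    def remediate(self, name: str) -> str:
        """Remediation: apply a fix for each failure, then re-assess the client."""
        client = self.clients[name]
        for failure in self.policy.validate(client):
            if failure == "firewall_off":
                client.firewall_on = True
            elif failure == "signatures_outdated":
                client.signature_version = self.policy.min_signature_version
            elif failure.startswith("missing_update:"):
                client.installed_updates.add(failure.split(":", 1)[1])
        return self._assess(name, client)

    def reassess(self, name: str) -> str:
        """Ongoing Compliance: re-check a connected client after its state changed."""
        return self._assess(name, self.clients[name])

    def set_policy(self, policy: HealthPolicy) -> dict:
        """Ongoing Compliance when the policy itself changes: re-place every client."""
        self.policy = policy
        return {name: self._assess(name, c) for name, c in self.clients.items()}
```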

This is a great example of a feature that needs MDS, MCS, MNS and GISS to work together!

More information is in the attachment.


Jul 29 2005

Longhorn stripped to the core

Published by Steve Richards under 1

For years, in fact since the beginning, Microsoft have been criticised over the complexity of their server operating system and, more recently, over the resulting large attack surface. The response is Longhorn Server Core:

Server Core is a new minimal server installation option for Windows Server “Longhorn” Beta 1. Server Core provides an environment for running specific Server Roles, reducing the servicing and management requirements for those Server Roles. Server Core supports the following Server Roles:

  • DHCP server
  • File Server
  • DNS
  • Active Directory®

The Server Core installation option is designed to provide a minimal environment to run the above Server Roles and reduce:

  • Required servicing
  • Required management
  • Attack surface

To accomplish this, the Server Core installation option installs only a subset of the Server binaries, those that are required by the above four server roles. For example, the Explorer Shell is not installed as part of Server Core. Instead, when using a Server Core based server, the default user interface is the command prompt.