A Big, HUGE Microsoft Security FAIL.

(NOTE: This article was written December 7, 2016. Not one word has been changed since that date.  To understand why it can only now be published, read the article on this site called 107 Days: A Microsoft Security Nightmare. -MDG)

For reasons that will become obvious, I am going to delay posting this article until the issue has been resolved.

A few days ago a colleague of mine discovered the password to my Microsoft Account.  I won’t go into the how and why… I knew that my password had been compromised and I took the immediate steps to change it.


Ok, I understand that things break… I tried a few times, and then I decided to follow the advice and try later.  I trust my colleague not to actually use my password, so even though I felt uncomfortable with it being compromised, I knew I could wait a couple of hours.

Throughout the evening I tried (unsuccessfully) to change my password.  As I was sitting with my father having dinner, as I had drinks and cigars with my friends… no joy, I still got the same message.  ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.’

I want to be clear… if my network had an error that was preventing users from changing their passwords I would consider it reasonably important, and I would take immediate steps to fix it.  But having trusted Microsoft for so many years, I assumed this would be fixed eventually.

Four Days Passed.

Yes, it was literally four days before I decided that my passivity would not eventually lead to a solution.  I sat down and figured out how to request support. I was hoping to be able to speak with a human being.  Before I could, however, the Virtual Support Assistant got me to try this link and that link.  It then made me go through seventeen steps to finally confirm that the account in question was mine… and once it confirmed that I really am me, it tried to reset my password… and I ended up with the same error message that ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.’

Okay, it’s been nearly an hour… and I am chatting with someone who is quite obviously not their first round draft pick.  After all, I asked for help with Outlook.com, not with something that people actually pay for.  I spent twenty minutes explaining to him the situation, and the added (and I assume rare) complication that I have two accounts with the same address… my Office 365 account and my Microsoft Account both use the same address but are completely different.  ‘Please don’t touch my Office 365 Account, I only want to change my Microsoft Account.’  This led to another five minute discussion on the meaning of the word change.

He had me fill out another form on-line.  I did.  At the end of that form I got a message that said that the product team would contact me within 24-48 hours to help me.  I told the Support Agent that I had filled out the form.  He told me that now I had to wait until they contacted me.

All in all, my Microsoft Account (which is the account I use for my MCT & MCP Benefits, Skype, and myriad other features) will have been compromised for the better part of a week… and there was nothing I could do about it.  Yes, I could have contacted Answer Desk a few days earlier, so it would have been compromised for only three days.  I want to know in what world is that considered an acceptable delay to be able to change a compromised password?

Some time ago I started using Multi-Factor Authentication (MFA) for many of my most important systems, which is why I am never concerned that my blog or my password vault could be compromised.  For various systems I have a hard key (Yubikey) and soft keys (Google Authenticator and Microsoft Authenticator) which keep most of what I do safe.  But most of the Microsoft systems do not support MFA and I am stuck with only a password.  I use reasonably complex passwords so I usually am not concerned, but in a case where my password is compromised and I am not able to change it, I wonder how it is that a company as advanced as Microsoft (in this case) does not allow me to use MFA.  I would love to be able to require my Yubikey in order to log in to Windows and many of the on-line systems I use, but it is simply not an option.

I am disappointed by Microsoft this week… and I hope that they take the lessons learned from this experience to improve.  However I sit here today, thinking of the myriad occasions I stood on stage in over a dozen countries on five continents and defended Microsoft’s security systems as among the best in the world; I was always sure in my knowledge that I spoke the truth.  Today I would not feel comfortable making that claim… and my faith in their systems, like shattered glass, will not be easily fixed.

107 Days: A Microsoft Security Nightmare

I have held off talking about something for quite some time.  I do not mess around when it comes to security, especially for my critical accounts. When the actual security of an account has been compromised, as was the case with my Microsoft Account, I do not advertise it. 

On December 7th I sat in the Second Cup cafe on Bank Street in Ottawa and wrote an article called A Big, HUGE Microsoft Security FAIL.  I wrote about how I had been unable to change my password and that their engine to do so was broken, but that it turned out it was not everyone, it was just me.

There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.

It took several days for anyone at Microsoft to take me seriously, but my issue was finally escalated to a 2nd Level Support Tech named Gary (who, I want to be clear, was a nice guy, and as helpful as he could be under the circumstances).  Gary and I got to know each other sometime in mid-December.  Remember, the issue started happening the last days of November, I reported it on December 5th, and the case was escalated (grudgingly) around December 9th.

Gary spent a couple of hours trying to help, and then in discussions with the Product Engineering Team trying to get it fixed.  By the end of the day he said something to the effect of: “Yeah, neither I nor our engineers have ever seen a problem like this.  It might take some time, but if you are willing we will work with you to get it fixed.”

Some time… It might take some time… that was on or about December 9th.

I am happy to say that the problem has now been resolved… As I sit and write this, with the resolution less than an hour old, it is 1:15pm, Wednesday March 22.

I spent nearly a decade touting the virtues of Microsoft’s security… and then from the day I informed them that my password had been compromised, and that a glitch in their system was preventing me from changing it, it took 107 days to resolve the issue.

So let’s take a quick rundown of some of the sites and services that are accessed with my Microsoft Account:

  • Skype (One of the ways I communicate with hundreds of people)
  • OneDrive (All of my files!)
  • Microsoft Certified Trainer (MCT) account (including my MCT renewal, courseware downloads)
  • Microsoft Certified Professional (including my MCP Transcripts)
  • MSDN Subscription (including all my software licenses and keys)
  • Windows Store (including credit card information)
  • Microsoft Volume License Center (VLC)
  • Microsoft Store (including credit card information)
  • Bing
  • Microsoft Partner Portal
  • MSN
  • Outlook/Hotmail
  • MY WINDOWS COMPUTERS

And so, you can see, this is not like having my Words With Friends account compromised… This is extremely serious and far-reaching.  This was… everything.

Once a week I would get an e-mail from Gary telling me that they had not yet resolved the issue… but they were still working on it, and he would continue to keep me informed.

[Image: Proof Of Hack 2]

On March 6th a hacker compromised my Skype account, and sent a link to dozens of my contacts with malicious content.  Naturally those contacts let me know, and I reached out to Gary and told him that now that hackers had indeed compromised my account, they needed to resolve the issue and pronto.  Gary replied with: “I have taken a look into your account, to look for any evidence of unauthorized access, and I did not see any. Was any account info changed? Can you still login?”

a few days later that he had not been able to open the embedded picture, and asked that I resend it as an attachment.  Thank Heavens for that, because had he taken the next step immediately I would not have been able to renew my Microsoft Certified Trainer (MCT) credential in time.

So when Gary did finally get the picture (as seen above) he wrote (on March 18th):

If you received that message, then it could be that someone attempted to access the account.

To prevent that, I have placed a suspension on the account that will prevent any login activity. While my engineering team investigates this issue, no one will be able to break into the account. I have also left a note on the account so that the attacker will not be able to attempt to remove it.

Wonderful.  You are suspending my account now, probably after the damage has been done, but all this is doing is punishing me.  FIX THE DAMNED PROBLEM!

On the same day as I received this e-mail I wrote the following one line response:

Gary this is no longer acceptable. I am calling a lawyer.

On Tuesday (March 21) I received Gary’s reply:

In light of this recent reply, I have escalated this issue to a second team within Microsoft, and am awaiting to hear their response.

I understand the frustration, but please know that I cannot do anything to speed up the engineers and Ops teams working on this issue.

Wouldn’t you know it… The following day (that’s today, Wednesday March 22, 2017 – 107 days after I first reported the issue) I received a call from Gary that started with:

Well Mitch, it seems that when you threaten to call a lawyer things get done faster.  I think we have solved your problem.

Indeed, before the phone call ended I had successfully changed my password.

One hundred and seven days after I first reported the problem.

One hundred and seven days since I told Microsoft there was a problem with their security.

One hundred and seven days since I told Microsoft that my account had been compromised, that someone had my password, and that I needed their help to secure my data and reputation.

One hundred and seven days.  Actually it was only 105 days since I wrote the original article (which will be published shortly after this one, untouched since the original writing).

So why didn’t I publish sooner?

There are a handful… maybe four or five people who know the story and who understand some of my frustrations with this case.  These are also people who know I have a great bully pulpit in the form of this blog.  They have all asked me ‘Why didn’t you publish sooner?’  Two of them asked why I did not go to the mainstream technology media to let them know about this.

Simple… I have an account that is easy enough to guess, to which I could not change the password.  If the wrong people knew about that they would have focused on getting that password and, once they had it, they knew I couldn’t change it.  They would have literally owned me. 

And so I sat quietly, seemingly patiently, waiting for Microsoft to fix the problem.  I waited those 107 days knowing that when it was finally resolved I would a) breathe a big, huge sigh of relief, and b) sit down and write this piece, venting my facts and frustrations.

MICROSOFT! HOW DARE YOU? How can you let ANY problem, let alone one as serious as this, fester for so long unresolved?  Do you think you owe me nothing?  At this point I am still considering a lawsuit, and if you don’t think damaging my reputation and peace of mind is worth damages in a court of law then you are seriously misreading the system.  You should be ashamed of yourselves, and you should be tracking down who is responsible for this travesty, this shame, and firing them.

I got that off my chest.  I have, over the past two weeks, asked friends and colleagues for recommendations on lawyers.  I might just reach out to one this afternoon.  We’ll see.

Welcome to What’s Next…

There is irony in the title of this post… What’s next.

I posted on Friday that it was my last day working full time at Yakidoo.  I really enjoyed my time there, and am glad that my next venture will allow me to stay on there on a limited basis.

This afternoon I am meeting a colleague at the airport in Seattle, and that will begin my first day at my new gig.  I will talk more about it in a few weeks, even though today will be my first billable day.  That is what’s Next.

However the reason he and I will be in Seattle – Bellevue/Redmond actually – is the Airlift for Windows Server, System Center (WSSC), and Windows Azure vNext… the next generation of datacenter and cloud technologies that Microsoft is ‘showing off’ to select Enterprise customers several months prior to launching them.  It will be a week of deep-dive learning, combined with the usual Microsoft Marketing machine.  How do I know?  It’s not my first kick at the can ;)

It is, of course, not my first such Airlift.  The first one I attended was for System Center Configuration Manager (SCCM) 2007, back in November of that year. It was a consulting firm that had sent me, in advance of my heading off to Asia to teach it.  I have since been to a couple of others, each either as a consultant, a Microsoft MVP, or as a Virtual Technology Evangelist for Microsoft.  I have not given this a lot of thought, but this will be my first Airlift / pre-Launch event that I am attending as a customer.  It will be interesting to see if and how they treat me differently.

I suspect that the versions of WSSC that I will learn about this week will be the first that I will not be involved in presenting or evangelizing in any way dating back to Windows Server 2003.  I will not be creating content, I will not be working the Launch Events, and I will not be touring across Canada presenting the dog and pony show for Microsoft.  I will not be invited by the MVP Program to tour the user groups presenting Hyper-V, System Center, or Small or Essential Business Servers.  I will not be fronting for Microsoft showing off what is new, or glossing over what is wrong, or explaining business reasons behind technology decisions.  It is, in its way, a liberating feeling.  It is also a bit sad.

Don’t get me wrong… I will still be blogging about it.  Just because Microsoft does not want me in their MVP program does not mean that I will be betraying my readers, or the communities that I have helped to support over the years.  I will be writing about the technologies I learn about over the next week (I do not yet know if there will be an NDA or publication embargo) but at some point you will read about it here.  I will also, if invited, be glad to present to user groups and other community organizations… even if it will not be on behalf of (or sponsored by) Microsoft.  I was awarded the MVP because I was passionate about those things and helping communities… it was not the other way around.

What else can I say?  I am at the airport in Toronto, and my next article will be from one of my favourite cities in North America… see you in Seattle!

Skype Collaboration Project, and quick tips to detect Phishing scams

A few days ago I posted a quick post called Free Skype Premium for a year! and I got a few interesting questions about the veracity of the offer.  Some of you were worried that it was a scam, and believe me I am the first person to say you should be skeptical.  However before I posted about it I checked it out.

As one reader noted, the first thing I look at is the domain name.  Behind all of the mess of incomprehensible muck, every URL you browse to on the Internet will begin http:// or https:// and will be followed by child domains, sub-domains, and eventually the parent domain – for example I might, if we were larger, have a page with the URL http://we.all.love.mitch.garvis.ca/And?Wish/himAndHisFamily/?Well.  The actual domain is directly to the left of the first (really the third, but I don’t count the two in http://) slash.  So while a phishing scam might use http://24.200.34.12/we.all.love.mitch.garvis.ca/And?Wish/himAndHisFamily/?Well the first slash is after the numbers, which means that it is a scam.

Unless my domain name itself has been compromised – that is, unless someone has actually hijacked the DNS (Domain Name System) of garvis.ca – they cannot create a child domain under it… so they could no more easily use http://scam.garvis.ca than I could http://garvis.skype.com.

The link to the Skype offer was https://collaboration.skype.com/promotion/?cm_mmc=AFCJ%7C1250_B1-_-11129583-1225267.  To the left of the first slash is collaboration.skype.com.  This means it came from Skype.
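The check described above, written out as an added example (not part of the original post): take the host from the URL, flag a bare IP address, and compare the host with the parent domain you expected. The function names and the last two sample links are constructed for illustration, and the expected parent domain is supplied by the caller.

```python
import ipaddress
from urllib.parse import urlsplit


def host_of(url):
    """Return the lower-cased host of an http(s) URL, or None if it has none."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any userinfo, port and IPv6 brackets
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url, expected_domain):
    """Classify a link against the parent domain the reader expects.

    Returns one of: "no-host", "ip-literal", "match", "mismatch".
    """
    host = host_of(url)
    if host is None:
        return "no-host"
    if is_ip_literal(host):
        # Everything after the first slash is only a path; the name in it
        # says nothing about who serves the page.
        return "ip-literal"
    expected = expected_domain.rstrip(".").lower()
    # Compare whole labels from the right: the host must be the parent
    # domain itself or end with ".<parent domain>".
    if host == expected or host.endswith("." + expected):
        return "match"
    return "mismatch"


# Links quoted in the post, plus two constructed ones (marked).
SAMPLES = [
    ("http://we.all.love.mitch.garvis.ca/And?Wish/himAndHisFamily/?Well", "garvis.ca"),
    ("http://24.200.34.12/we.all.love.mitch.garvis.ca/And?Wish/himAndHisFamily/?Well", "garvis.ca"),
    ("https://collaboration.skype.com/promotion/?cm_mmc=AFCJ%7C1250_B1-_-11129583-1225267", "skype.com"),
    ("http://garvis.skype.com", "garvis.ca"),
    ("http://skype.com.example.net/promotion/", "skype.com"),  # constructed
    ("collaboration.skype.com/promotion/", "skype.com"),       # constructed, no scheme
]


def run_samples():
    """Return (host, verdict) for every sample link."""
    return [(host_of(url), check_link(url, domain)) for url, domain in SAMPLES]


if __name__ == "__main__":
    for (url, domain), (host, verdict) in zip(SAMPLES, run_samples()):
        print(f"{verdict:10} host={host!s:32} expected={domain}")
```

A "match" only says the host sits under the expected parent domain; as the post notes, it cannot tell you whether that domain's DNS has itself been compromised.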

Now let’s look at the next objection I got.  ‘This page does not have a Skype logo on it, it doesn’t have Skype’s (or Microsoft’s) branding or look and feel.  That is a big red flag.’

That is something that you would definitely take pause at… the only thing on this page that looks remotely like Skype is the colour they used for the top line.  While this is a good observation, it is something that I throw away when determining the legitimacy of the page.  I have examined hundreds or more phishing schemes and hijacked sites, ranging from banks to credit cards to e-commerce sites to the White House and United States Department of Justice.  No matter how good the look and feel might be, they cannot get beyond the technical – if the domain name is right, then either the domain itself has been compromised… or it’s legitimate.  In truth, most phishing scammers spend more time on look and feel because they understand that most of us would look for that first… if they wanted to hijack your Skype password, they would spend the time to make the site look legitimate, including the colour scheme and logo.

The next concern was that we entered our e-mail address, ticked the appropriate box, and clicked on SEND… and nothing happened.  We didn’t get an e-mail right away (or even ten minutes later) as we were promised.  Actually we were not promised that… we were told to ‘Look out for the voucher codes coming to your inbox in the next 48 hours…’  Well most of us are not that patient, and we assume that while some sites do claim it will take that long, we should really be getting something in the next fifteen minutes.

We shouldn’t be so impatient… especially when out of the blue someone offers us something for free.  In fact, I posted the article just after 1:00am on December 18th (EDT) and received the e-mail at 10:27am on December 20th (EDT)… so in fact it was closer to 58 hours than 48.  Okay, no problem… It was later than they promised, but it came.  Thank you Skype for giving me a free service that I will absolutely use, and I forgive your slight tardiness :).

As I had been promised in the original invite, I saw this screen – my voucher was successfully redeemed.  However it did say that it would take no more than 15 minutes, so it could still be a scam, right?  Well a few seconds later the bottom-right corner of my screen popped up with this Notification… and I knew I had gotten what I asked for.  Thank you Skype, I will use the Premium services well!

Free Skype Premium for a year!

It looks like this is legitimate, although I will keep an eye out and let you know immediately if it isn’t.  Microsoft is giving away Skype Premium for a year.  Simply submit your e-mail address, and you will receive a code.  Click on the link for more info!

http://microsoft-news.com/get-premium-skype-features-free-for-one-year/

Thanks for your support!

Over the past few days I have received an incredible number of you asking what happened, if I am okay, and if I will be alright.  I can assure you I am.  Let me explain.

A great many of you have known me as a Microsoft contractor.  I have been for quite some time, first as a Virtual Partner Technology Advisor, then as a Virtual Technical Evangelist, and most recently as a member of the Server and Tools Business.  So when e-mails to my @microsoft.com account started to bounce (Tuesday this week) a lot of people expressed their concern.  I am quite touched by the outpouring of support!

I have always contracted to Microsoft through its Canadian subsidiary, Microsoft Canada.  In September of this year I accepted a contract with Rakuten, Inc – a Japanese company – that would see me spending most of my time in Tokyo.  Although we tried, there was no good way for Microsoft Canada to keep me on.  It was not done maliciously – in fact, my skip-level (my manager’s manager) did everything he could to a) keep me on, b) communicate the issues with me, and then c) accommodate my request for a timeline extension.

So let me answer some of the ‘Best Of’ questions… the ones that seem to be coming up most often.

1. Did your decision to leave Microsoft have to do with being turned down for a particular position?

No. Although over the past year I have indeed been turned down for a position, it has worked out very well for me in almost every way imaginable.  While taking that role would have been good for me, I have been able to grow in the direction I have wanted to grow.  Because of my independence I have been able to accept the consulting project I am currently working on, which is one of the most exciting projects I have worked on in years.

2. Did you leave Microsoft because of a disagreement?

No… and yes.  I suppose in the end we disagreed on geography – my consulting role needed me to be in Japan, and Microsoft Canada would have needed me to be in Canada.  Other than that there was no disagreement whatsoever.

3. Did you leave because you did not like the direction in which the company was heading?

Not at all.  In the army I topped out at Staff Sergeant, and as such I learned quickly that some things were above my pay grade.  At Microsoft that was the case as well – I know that a lot of things are out of my control, but I also knew that whatever direction the company would take, my position (should I have elected to keep it) was safe.  Whatever decisions the company made, as a VMware Compete expert I was reasonably safe 🙂

4. Do you feel any disdain toward Microsoft, Microsoft Canada, or anyone you worked for or with?

ABSOLUTELY NOT.  I loved working there, and while I may have had the occasional issue with someone they were always resolved.

5. Did you leave Microsoft to work with competing technologies?

NO.  Although over the past couple of weeks I have made a habit to wear my non-Microsoft branded shirts more than usual, I have not ‘gone over’ to any other competing technology.  With that being said, I am carrying an iPhone now not because I left Microsoft… but because Windows Phone 8 is not available in Japan, and this is what the company I am working for gave me.

6. Will you be going back to Microsoft?

That is a very good question. What I once thought of as my dream job no longer holds the same appeal to me.  With that being said, there are a lot of jobs at Microsoft, and should the right opportunity present itself I would be glad to go back, either for the right contract or for the right full time position.  However one thing is for certain: I no longer view Microsoft as the Holy Grail of companies.  I think they are a great company to work for, but there are a lot of other great companies out there.

7. What will you miss most about it?

I had to give this question a little thought.  My first knee-jerk reaction was the people, but then I realized that the people I got to know are still there, and are still available to me.  I am still a Microsoft MVP, a Microsoft Certified Trainer, and an influencer.  My friends are still my friends.  When it comes down to it, I suppose what I will miss most is having Lync… having the ability to call my family from Japan was a great tool!

8. Any regrets?

None at all… for the remainder of my time in Japan I will continue to work closely with Microsoft, but not with the Canadian team.  It is a really exciting project, and I would not trade it for anything.

I want to thank you all again for your concern and support, and hope to be able to continue working with you in the future!

Exchange Issues with iOS 6.1

There has been a lot of chatter over the last few days about the most recent update to the iPhone’s iOS 6.1.

I have been saying for years that Patch Management is one of the most critical steps to protecting your infrastructure, both on the server-side and on the client-side.  However I have also stated that before implementing any patch the IT department should be testing it to make sure that it does not do more harm than good.  Of course, vendors do not release patches that they are not confident with, but they do not always test them in every scenario.

One of the common scenarios we see with the iPhone is with it being connected to an Exchange Server for its mail and such, whether that Exchange Server belongs to the organization or a public cloud solution such as Office 365.  While it works and is fully supported by Microsoft, it is not a scenario that Apple seems to test extensively for.  And so, with this most recent patch, there are issues (excessive logging causing enterprise-wide issues for all users).

It is the very reason that I have always advocated maintaining a lab environment that mirrors your production environment, and testing patches in that setting before approving them for your organization.  However with the iPhone being an unmanaged device end-users are prompted to apply their own patches without waiting for approval from the IT department.

And so this past weekend following this patch release mail server administrators around the world were scrambling to find a solution to the problem.  Unfortunately for many the immediate solution was to block iPhones from syncing to the mail servers until Apple releases a new patch.  I expect this will not make a lot of people happy, but in this case iPhones really are bringing down entire mail server farms.

With Windows Intune and System Center 2012 Configuration Manager there should be a solution to this, although I have not had the opportunity to test it yet.  The latest version of Intune (commonly known as Wave D) allows the management of iPhone and Android devices, and just may allow the IT department to regain control of patch management, preventing such issues going forward.

My friend and fellow Microsoft MVP from Israel.  He is a Microsoft Infrastructure Practice Manager at Ankor Computing Infrastructures, a leading Integration company in Israel.  Although his award category is the same as mine (Windows Expert-IT Pro) he is an expert in several technologies, including Exchange Server.  In 2011 he wrote an excellent paper on P2V Migration for Microsoft Exchange Servers that I published on this blog.  He has written a very interesting white paper about this recent issue, including solutions and workarounds.  You can download his paper by clicking here.

The Microsoft Store: The place to be this week-end

If you are in or around the Greater Toronto Area this week-end then there is no better place to be than the Microsoft Store in Yorkdale Mall.

The first international store and the largest in the chain, the opening of Microsoft’s newest retail store can only be described as a huge success, with literally hundreds of people lined up hours in advance to get their first glimpse of the retail marvel.

Microsoft Canada president Max Long and Tami Reller, Corporate Vice President and CFO of Microsoft’s Windows Division, were on hand to open the store with a crowd of 700 onlookers.  They did not only welcome the crowd and talk about the store, they also announced that Microsoft Canada was making a new donation of $1,500,000 to local charities – presented by store manager Alison Evans.

When the curtain dropped the entire staff was leading the cheers, and then lined up to form a passageway into the store where they high-fived the first visitors.  By the time this VIP got in the door (in the first minute) the store was already bustling with activity, a level that has hardly abated at all thus far.

I spoke to a lot of people lined up and they were all here for different reasons – deals on new hardware, Xbox and laptops and accessories… but the two things that drew the most people were the Microsoft Surface and the new Windows Phone 8 devices.

While the Surface has been available since the launch of Windows 8 on October 26th, the only place you were able to see it in Toronto was at the pop-up retail kiosk in the Eaton Centre.  Now that the full retail store is open there are dozens of Surfaces everywhere, as well as Sony, Acer, Asus, Dell and Samsung devices ranging in size from 9" ultrabooks and tablets to 27" all-in-one machines.

The greatest thing about the store in my opinion is that the display machines are all available for visitors to try out — as I write this article from a handy Sony Vaio T, complete with multi-touch screen and reasonably priced at $899.  They are all internet-connected, and nobody is telling visitors not to touch, try, and in the Xbox corner play.  It is a great hands-on experience, and the store associates are as welcoming and helpful as I have ever seen.

In the Windows Phone corner there are representatives not only from a couple of the local carriers but also from the manufacturers as well.  Although the platform released October 26th, this is the first time I have even seen the devices outside the Microsoft offices.

Everywhere you look people of all ages and knowledge levels are asking questions, learning, and trying out great devices.  Of course every PC is running Windows 8, so it is a great opportunity for people to get their first glimpse of Microsoft’s flagship product, barely three weeks old.

In the back of the store there is an area called the theatre where during the regular hours people can play on the Xbox connected to an incredible 103" touch screen.  This afternoon (and tomorrow and Sunday) the Microsoft MVPs are taking over – we will be presenting sessions every hour on topics including Windows 8, Office 2013, Office 365, Xbox, and of course Windows Phone 8.  I have several sessions over the course of the week-end, but am more interested to sit in and listen to what my fellow enthusiasts have to say (I usually know what I am going to say so I am seldom surprised).

It is definitely the place to be this week-end.  Even though the initial ‘line up and wait’ is over, the store has been consistently hopping since it opened, with no signs of slowing down.  I spoke with several members of the management team who are all pleased by the turnout.  Alison Evans, the store manager, told me she is ‘ecstatic about the turnout.’

To make things even hotter, there will be an exclusive concert with the band Train tomorrow evening, and store staff are handing out wristband passes to the lucky few; and this afternoon The Great One – Number 99 himself – Wayne Gretzky will be in the store, and people will be lined up to meet him, get autographs, and get the chance to play Kinect games with him!

So if you haven’t come down yet what is stopping you?  Trust me, you will not be disappointed… your only regret will be if you do NOT come down!

The Shoemaker is No Longer Barefoot!

This post was originally written for the Canadian IT Pro Connection blog, and can be seen there at http://blogs.technet.com/b/canitpro/archive/2012/09/13/the-shoemaker-is-no-longer-barefoot.aspx.

For years I have been espousing the need to and value of locking down client workstations in a corporate environment.  Part of the SWMI Story – the secure, well-managed IT infrastructure for which I named my company – is that every user in the organization should have the rights and permissions to do their job… and nothing more.

Most corporate users are issued a computer that they use in the office (and at home or on the road) that is domain-joined, and because of all of the security threats out there the SWMI Story is very clear that they should be locked down.  If they want a computer to surf websites that are not business-related, play games, watch movies or anything else then they should invest in a home computer (or laptop).  I know that it is not fun to travel with multiple laptops (better than most!) but the bottom line is that unsecure client workstations are a stepping stone on the path to compromised server infrastructures… and that is bad news for everyone but the hackers.

One of the reasons that client machines have to be locked down is because most people do not think about IT security during the course of regular computer use.  Because I am always thinking about security, coupled with the fact that if something goes wrong I am pretty good at fixing it, I have been quite lax with my own laptops over the years.  After all, I own them and the servers; I built and maintain the infrastructure, and of course I am in charge of IT security.  So for the last few years, as I have been advocating otherwise, I have been logging on as the Domain Administrator on every laptop I have carried.

Last week I joined Microsoft Canada’s DPE Team as a Virtual Technical Evangelist.  Although it wasn’t actually a requirement, there were real advantages to reimaging my primary laptop (an HP EliteBook 2740p) with the Microsoft corporate image.  I was all happy once it was done… until I went to perform a simple operation and got a UAC window asking me for administrative credentials.  I entered my corporate credentials… and had a sinking feeling in my stomach when it came back with a DENIED message.

Fortunately the internal image allows you to install Windows with a local Administrator account; I was able to add my corporate account to the Local Administrators group so I don’t have to keep going into that account to make changes.

For the first time in many years I am not an exception to the rule… and rather than trying to find a way around it, I accept that while I need to be a local administrator, there is no way that anyone is going to make me a domain admin.  However this means that I am exactly in line with the statement I made in the opening paragraph… I have the permissions to do my job, and nothing else.  In order to do my job I need to be a local administrator… and nothing more!

The Dawn of a New Day

As I sit in my office getting ready to close up, it is a little after 10pm, September 3rd, 2012.  That makes tomorrow a very important day in the world of IT.

Microsoft has announced that on September 4th, 2012 they will make Windows Server 2012, the newest generation of one of the most successful back-end software franchises in the world, available for purchase – in other words, GA (General Availability).  For those of us on the front line evangelizing the product, it is a very exciting time.

For myself it is doubly exciting, because as of September 4th, 2012 I am officially joining the Evangelism team at Microsoft Canada – albeit in a less direct way.  My new title is Virtual Technical Evangelist – Windows Infrastructure.  I have known about this for some time but have kept it quiet for a couple of reasons, not the least of which is superstition.

For the last year I have begun to work much closer with the Evangelism team, with presentations, tours, and blog articles on Server Virtualization, Windows, and many other topics.  I have surprised many people in the last few months when I told them that I do not actually work for Microsoft Canada, but with them.  My new title simply means that I will be doing more of the same – teaching people and groups about Windows (Server and Client), helping them dispel some of the myths, showing them how to use the technologies better.

It is a very exciting time to be a Technical Evangelist.

Because of the switch I want to put a few things straight.  Very little is actually going to change.  I will still be running SWMI Consulting Group, and will still be available for private engagements.  I will continue teaching both Microsoft and some non-Microsoft technologies in classroom settings.  I have spoken with Stephen Rose and Simran Chaudhry, and have assured them that I will still be a Microsoft MVP, and will continue to be an active member of the STEP (Springboard Technical Experts Panel) team, presenting on Windows 8 across the country and, when invited, around the world.  None of that is changing.

Something else that is not changing is probably what makes me the ideal candidate for this new (I am the first!) position: my passions.  If you have heard me speak or read my articles you know a lot of what I am passionate about, and none of that is changing.  I am still a passionate advocate of Hyper-V and the Microsoft Virtualization story, including the Private Cloud managed by System Center 2012.  I am still a passionate advocate of migrating clients and users off Windows XP, and will continue the countdown right through April 14, 2014 (by the time you read this the countdown will be to 580 days until #EndOfDaysXP!).  You can read it on my blog from time to time, or if you want a running countdown you can follow me on Twitter at @MGarvis.  These passions and focuses are not being redirected because of the position I am taking, rather I was selected for the position because my passions and focuses are exactly where a Technical Evangelist (Virtual or otherwise) for Microsoft should be.  I have not focused because I have been paid to.

Another passion of mine that will align me to the role is my passion and belief in the IT Pro (and other) technical communities around the country.  I will continue to support those communities – whether they are on-line or in person, user groups or otherwise – in the same manner and with the same passionate zeal that I have in the past, dating back nearly nine years.  I hope that going forward I will be able to do so from a more official position than I have, but even if that does not happen my support for user groups and their leaders (and aspiring leaders) will not change.

Over the next few weeks we will be crossing the nation with the launch of Windows Server 2012, and following that we will likely do the same with Windows 8.  Interspersed with both we will be bringing IT Boot Camps and user group events to you in your city, so stay tuned;  it may be an exciting time to be a Virtual Technical Evangelist, but it is a really exciting time to be an IT Pro and community member in the Microsoft ecosystem in Canada.  We look forward to helping you along the journey! 

A Dichotomy of IT Conferences

As I fly south from Toronto I am heading to two separate and very different conferences.  I am new to neither one, and am looking forward to both.  As they are very different conferences, I am looking forward to them both in very different ways.

SBS Migration – A Party with a Conference Theme

The first conference has several different names – the SBS Migration Conference, The IT Conference, or Jeff Middleton’s Conference.  This is a conference organized by Jeff to be by the community and for the community.  Indeed, all of the speakers are MVPs and none of us are being paid for the pleasure; we do it to give back to a group of our peers.

It has been several years since I have touched Windows Small Business Server, but I made a lot of friends while I was involved with that group, and when I can I always accept speaking at both Jeff’s and Harry Brelsford’s conferences.  It gives me the opportunity to see a lot of old friends, make some new ones, and again give back what I can.  If you ask some of the more passionate SBS crowd they may imply that I am actually there to convert people to Enterprise IT products and practices, and while that may not be entirely true I do admit that if I convince just one of them that you need more than one domain controller in your environment, and that wizards are not the panacea some think they are, then I am not displeased.

If you have never been to New Orleans then you are missing out on a unique experience.  It is an incredible city that has to be experienced firsthand to understand and appreciate.  I have been there twice, and I admit I am looking forward to it because on my previous (multiple but adjacent) visits I was not able to experience two aspects of the city, owing to the fact that I was there the two weeks before my Black Belt test in 2010; I was neither eating nor drinking, and in a city known for its cuisine and its alcohol in the streets party every night, that was just a shame.

It is now two years later and while I will be watching what I eat and drink, I will not be denying myself good meals and the occasional drink.  I am also bringing my wife, which means we can enjoy what the city has to offer together, and I will not feel guilty (as I so often do) that I am experiencing things without her.

Oh yeah… the conference.  I will be participating in a number of panels, and will be presenting an abridged version of my VDI presentation that discusses Hyper-V, Windows 7, Citrix Xen Desktop, and the whole BYOD (Bring Your Own Device) story for businesses.  I forgot that I have to dance for my dinner, and that is my price of admission 🙂

The conference has a unique twist to it… after three days of learning Jeff feels there is no better way to unwind than for the entire group to get onto a cruise ship and sail to the Bahamas.  While I applaud his sentiment, I bemoan his timing.  After three days ‘with the gang’ Theresa will be flying home, and I will be heading to Orlando for my next conference…

Microsoft TechEd North America 2012

TechEd is considered by many the premier IT Pro conference every year.  This year will be special for several reasons, not the least of which is that it is the twentieth anniversary of the landmark event, and I am sure that there will be no shortage of festivities commemorating that.

The second (and for me more important) reason why TechEd is going to be special this year is all of the product launches (on the IT Pro side) in 2012.  While end-users will likely focus on the new Windows 8 client that is set to launch sometime this year, IT professionals like myself are probably more excited about the new Windows Server 2012 (set to launch around the same time) and System Center 2012 (which was released in April).  In other words the vast majority of tools that I use and support are new and improved, and it is important to get out there and learn about the new features from the experts.

I will not be speaking at TechEd this year, and for the first time in the five years that I have been going I will not be working either.  Unlike years past I am showing up at the show with a fully paid ticket, and my only obligations are to learn.  That is very exciting for me – no booth duty schedules to coordinate!

That is not entirely true… I actually have three commitments at TechEd.  The first, I have been selected to compete in an event called Speaker Idol.  Modeled after American Idol, contestants compete as public speakers – more accurately, they compete as IT presenters.  There are three criteria to be considered a potential candidate: You must be attending TechEd (nobody is paying your travel or show pass), you must never have spoken at any TechEd event, and you cannot be a Microsoft employee.  The competition is always run by Richard Campbell and his partner in crime.  I do not know who the judges are, but I do know that Sean Kearney is going to be my biggest fan, and that he has already created several promotional videos that are up on YouTube.  The first prize, I understand, is an invitation to speak at TechEd next year, which would be cool.

My second ‘obligation’ at TechEd is the Windows Community Party – or Springboard Party as we usually call it.  For the last three years this has been the most sought after ticket of the week, and for the second year in a row I have been asked to man the door.  I guess Stephen Rose knows that not a lot of people are going to mess with me – either physically or verbally – and get away with it.  Attendance numbers are strictly controlled for several reasons, including cost and venue capacity.  It is always a blast, and I am counting down until Wednesday evening when we get to ‘get jiggy with the Windows fans’.

My last obligation is of my own making.  I do a lot of work with Microsoft Canada, and when I found out that none of the IT Evangelists would be attending the show this year, I asked ‘then who’s going to organize the Canadians Get Together that we all loved last year?’  Damir and Ruth asked if I would be willing to do it, and I agreed.  There is now an open invitation to all Canadians for Tuesday evening (late afternoon really) to join us for drinks and appetizers.  The time has been set, but the venue has not.  It will be one of the hotel bars to be sure, but which one will be determined on Sunday.  This has less to do with mystique and allure than the fact that I haven’t been to Orlando in five years and don’t remember which hotel bars are convenient.

All in all it will be a fun ten days.  I am sure I will be blogging about both events extensively so stay tuned… while I am not doing away with the Taekwondo talk, I am now back on track and focusing on IT and the IT Community!

Quoted by Microsoft Learning!

It is kind of cool when I find out that Microsoft Learning wants to feature a quote of mine on one of their pages.  Veronica Sopher and I met in Redmond (well, Bellevue actually) in February and discussed at length some of the steps that Microsoft Learning is taking to engage the community, specifically MCTs.  Since then we have done a couple of things together, most recently the Tweet-Chat for #20yrs20ways.

A couple of weeks ago when Microsoft Learning announced their new certification model she asked me if I would be willing to give a quote on it for their website, and I did.  That quote is now posted on their new page ‘MCSE: Reinvented for the Cloud’.  Also on the same page is a video overview of the new MCSE: Private Cloud, as well as an FAQ, and links for exam vouchers, the Microsoft Certification Program, and a link to the MCSE: SQL Server 2012.  Check it out!

http://www.microsoft.com/learning/en/us/certification/mcse.aspx

So I was just reminded that the quotes will be refreshed every couple of weeks… so I have taken a screen shot to preserve it for posterity 🙂


Where Do Ethics Fit?

As a longtime supporter of Microsoft and a believer in and advocate of its products, I have often been confronted by others about the evils of Microsoft, ranging from how historically Microsoft has bullied or bought out competitors to how expensive and flawed their products are.

The products that Microsoft releases are now considered some of the most solid in the world of IT, both with regard to stability and security.  There will always be ‘haters’ who would rather discuss Windows 98 and Vista than XP and 7, but they are traditionally ‘religionists’ who could not be convinced either way.

With regard to the ‘Evil’ moniker, not according to the experts.  For the second year in a row, Microsoft was named to the Ethisphere Institute’s list of 2012’s World’s Most Ethical Companies.  It is an honour that the competition – Google (whose mantra is DO NO EVIL) and Apple (who has never made any such claim) can boast.

The Ethisphere Institute is a think tank that was formed to monitor ethical (and unethical) behaviours in corporations, and began publishing their list in 2007.  Corporations can submit their names for consideration, and this year nearly five thousand companies from over 100 countries (across 36 industries) did just that.

We live in a world where the almighty dollar was once king, but in order to earn those dollars corporations rely on the patronage and opinions of people.  In the era of blogs (ahem…), Twitter, and other social media outlets where it is easy to share opinions with anyone who will listen it is crucial to have a good public image; notice the increasing number of corporations who constantly monitor the Twitterverse for potentially unsatisfied clients and see how fast they jump into action to right their wrongs.  The socially conscious activists who once had to print and distribute flyers, get onto soap boxes, and convince the handful of people who showed up about their cause can now reach millions more people on-line, without ever leaving their homes.

The world today has a conscience, and that is a good thing.  For the most part people would rather see others (and by extension corporations) do good than bad, or even than doing nothing.  Witness this week-end, Toronto: A playground that was built by volunteers was burned to the ground, and the Canadian Tire corporation pledged $50,000 toward rebuilding it… on a Sunday.

Some people know the story of when my loyalty to Microsoft began… I will not go into the details, but when I wrote to Microsoft Canada (who owed me nothing in this affair) they made things right… and I have never forgotten that.  I have always been glad to be associated with them, and that is one of the reasons that when they ask me to extend that community outreach – such as doing user group events and so on – I step up every time.

I know that employees at Microsoft are given the chance, if they wish, to take a week off of work every year to donate to working for the charity of their choice.  This is an amazing offer, and a policy that every company in the world should adopt.  Yet I didn’t hear about this because they advertise it… I only know about it because a friend of mine told me that he was taking a week off of work to build a house with Habitat for Humanity, and he explained the program to me.  I was so proud of him, and of Microsoft.

When I read the story of this list earlier today (c/o Twitter, on www.Minyanville.com) it reaffirmed in my mind and heart that I picked a great company to ally myself with… They help me all the time, sure… and I help them.  However for them to be recognized as having a corporate conscience and a tradition not only of excellence but of ethics I am really and truly glad that I work with them.

There are seven other corporations under ‘Computer: Hardware/Software’ that are recognized on this list, and they are (alphabetically):

  • Adobe Systems
  • Hitachi Data Systems
  • Intel Corporation
  • Salesforce.com
  • Symantec Corporation
  • Teradata Corporation
  • Wipro Ltd.

These companies should all be proud of this… not today, but year round.  The companies who did not make the list should take a page from these companies, and rather than trying to outdo them, they should all strive toward a world where we do not need lists like these because all companies are ethical and charitable.

In the meantime… Thank you to every company on the list!

2012 World’s Most Ethical Companies

Original Source: http://www.minyanville.com/business-news/editors-pick/articles/aapl-msft-sbux-ge-pep-tgt/3/16/2012/id/39943#ixzz1pa926S28

It’s About You: Tell Microsoft How They Are Doing!

It is NSAT time! Microsoft Canada has asked me to post this to the site to give you all a way of letting them know how you think they are doing! -Mitch

Every fall and spring, a survey goes out to a few hundred thousand IT folk in Canada asking what they think of Microsoft as a company. The information they get from this survey helps them understand what problems and issues you’re facing and how they can do better. The team at Microsoft Canada takes the input they get from this survey very seriously.

Now I don’t know who of you will get the survey and who won’t but if you do find an email in your inbox from “Microsoft Feedback” with an email address of “feedback@e-mail.microsoft.com” and a subject line “Help Microsoft Focus on Customers and Partners” from now until April 13th — it’s not a hoax or phishing email. Please open it and take a few minutes to tell them what you think.

This is your chance to get your voice heard: If they’re doing well, feel free to pile on the kudos (they love positive feedback!) and if you see areas they can improve, please point them out so they can make adjustments (they also love constructive criticism!).

The Microsoft team would like to thank you for all your feedback in the past — to those of you who have filled out the survey and sent them emails. Thank you to all who engage with them in so many different ways through events, the blogs, online and in person. You are why they do what they do and they feel lucky to work with such a great community!

One last thing – even if you don’t get the survey you can always give the team feedback by emailing us directly through the Microsoft Canada IT Pro Feedback email address.

They want to make sure they are serving you in the best possible way. Tell them what you want more of. What should they do less of or stop altogether? How can they help? Do you want more cowbell? Let them know through the survey or the email alias. They love hearing from you!

Need Help With Software Licensing? Read On…

I have been asked by some friends at Microsoft Canada to post this article (and two others) for you.  Please feel free to provide any feedback, but I hope the resources and information are useful! -Mitch

Figuring out which software licensing options best suit your needs while being cost-effective can be confusing. Some businesses end up making their purchases through retail stores which means they miss out on volume licensing opportunities and others may unknowingly be using unlicensed software which means their business may be at risk. So let me help you make the best decision for your situation.

You may want to review this blog post that lays out licensing basics for any organization that needs to license software for more than 5 or less than 250 devices or users. It details the different ways you can buy a license and what choices are available for volume licensing, which can give you pricing advantages and provide flexible options for your business.

As technology evolves and more organizations move to online services such as Microsoft Office 365, Microsoft Dynamics CRM Online, Windows Azure Platform, Windows Intune and others, it’s important to understand how to purchase, activate and use online service subscriptions to get the most out of your investment. Once purchased through a volume licensing agreement or the Microsoft Online Subscription Program, these services can be managed through web portals:

· Online Services Customer Portal (Microsoft Office 365, Microsoft Intune)

· Dynamics CRM Online Customer Portal (Microsoft Dynamics CRM Online)

· Windows Azure Customer Portal (Windows Azure Platform)

· Volume Licensing Service Center (other services)


Licensing Resources:

Additional Resources You May Find Useful:

· TechNet Evaluation Center
Try some of our latest Microsoft products for free, like System Center 2012 Pre-Release Products, and evaluate them before you buy.

· Springboard Series
Your destination for technical resources, free tools and expert guidance to ease the deployment and management of your Windows-based client infrastructure.  

· AlignIT Manager Tech Talk Series
A monthly streamed video series with a range of topics for both infrastructure and development managers.  Ask questions and participate real-time or watch the on-demand recording.