Yes, they are regular monthly patches. That means that they are withholding completed patches until the chosen day comes. That's a bit disingenuous.
MS moved to the monthly patch cycle because the vast, vast majority of windows sysadmins preferred taking a bigger unit of patches once per month than a trickle of them continuously.
In other words, they did this because that's what the overwhelming majority of their customers want.
I agree with you that the elevated permissions are a problem of legacy. Microsoft is long overdue in cleaning out their APIs. To be clear, the legacy issue being referred to here has nothing to do with the Win32 APIs.
It is legacy in the sense of old software that was written before the NT days, and tries to do 'bad things' like write to HKLM, C:\Program Files\, C:\windows\, etc.
In every case, those software developers could update their software to be Vista-compatible without a single change from MS coders.
Instead of developing any sort of system, you simply specify every possible parameter on every single file. If that's how you're doing it, then you may want to consider getting some books or something, and reading up on it.
For 99% of the uses, there are 3 options:
Read
Modify
Full
The difference between Modify and Full is that Full can do everything that Modify can, but can also change ACLs.
As far as a system goes, it's easy. You set the perms at the highest possible level you can, and then set them to inherit down to all children.
Simple, elegant, neat.
Now mind you, there are a whole ton of other options in there, should you need them (sometimes you do, but not often). But when you don't need them, you don't use them.
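As an added example (not part of the thread), here is the "set it at the top and let it inherit" pattern in PowerShell, using only the three rights the post names. The folder path and the three local groups (Proj-Readers, Proj-Editors, Proj-Admins) are assumptions you create yourself before running it.

```powershell
# Added example, not from the original thread: one ACL on the top folder,
# inherited by every child, with the three rights the post names.
# Assumptions: C:\Shares\Projects exists or may be created, and the local
# groups Proj-Readers, Proj-Editors and Proj-Admins already exist.

$Root = 'C:\Shares\Projects'
New-Item -ItemType Directory -Path "$Root\Team\Docs" -Force | Out-Null

# Flags that make a rule on the top folder apply to every child folder and file.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-InheritedRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $Root
# Stop inheriting from the parent (C:\Shares) and drop the inherited entries,
# so the rules below are the complete, intended ACL for this whole tree.
$acl.SetAccessRuleProtection($true, $false)

# The three options from the post. "Read" is ReadAndExecute; Modify lets a
# principal create, change and delete; FullControl adds ChangePermissions and
# TakeOwnership, which is exactly the difference the post describes.
$acl.AddAccessRule((New-InheritedRule 'Proj-Readers' 'ReadAndExecute'))
$acl.AddAccessRule((New-InheritedRule 'Proj-Editors' 'Modify'))
$acl.AddAccessRule((New-InheritedRule 'Proj-Admins'  'FullControl'))
# SYSTEM keeps full control so backup, AV and the OS itself still work.
$acl.AddAccessRule((New-InheritedRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
Set-Acl -Path $Root -AclObject $acl

# Verify: the grandchild folder has no explicit rules of its own; everything
# it has was inherited from the root, which is what makes the design auditable.
$child = Get-Acl -Path "$Root\Team\Docs"
$child.Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Which of the principals can change ACLs? Only those holding FullControl.
foreach ($rule in $child.Access) {
    $canEditAcl = ($rule.FileSystemRights -band
        [System.Security.AccessControl.FileSystemRights]::ChangePermissions) -ne 0
    '{0,-25} can change ACLs: {1}' -f $rule.IdentityReference, $canEditAcl
}
```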
Of course, that would require a sensible architecture in which software can be installed by users, for themselves, without superuser permissions. Windows has this now. I've got several significant pieces of software that were not 'installed' at all, and have never been run as an admin user account.
Eclipse
Tomcat
FileZilla
7-Zip
There are many others.
And, unfortunately, it would need secure software as a basis to avoid needing unnecessary privileges to accomplish mundane tasks in insecure applications. Sorry Microsoft, you missed the boat on this one. This has some truth to it. More software developers need to learn to do things right.
But ISVs doing the right thing has very little to do with anything that MS does. Any ISV can do it now (and some do).
This may be a failure of MS marketing and evangelism, but it's NOT a failure or limitation of the technology.
The simple script MakeMeAdmin is a closer comparison to sudo.
It adds the currently logged-in user (who is running the script) to Administrators, launches a cmd.exe shell with that elevated (but same account) process, then removes the account from local admins.
So it basically gives you a command prompt shell with the current user's profile, but under elevated privileges. Though it lacks the sudoers concept.
Have you run Regmon and Filemon on XFire to figure out why it's triggering UAC?
What file & registry locations is it writing to, or what special user privileges is it leveraging, to cause UAC to fire?
Have you googled about this? There are several solutions documented out there, which is to force XFire to always run in a privileged mode from the get-go, so it doesn't require elevation.
X-Fire triggering UAC isn't something 'useless' about UAC, it's X-Fire doing things to your computer that would be 'really bad' when done by malware.
I have used Altiris, though it was a few years back. It worked great, but was not cheap/free (except for very expensive values of cheap/free).
Using GPOs for distribution (in non-huge and non-hugely-complex environments) is free and works quite well. Note it's not actually free. In both cases you have to snapshot the changes from an install, so net zero diff there. Using GPO requires a little bit more work to script your reboots and validation. That's a non-zero cost, but also has benefits, such as better training on how MSIs are built, and how to script activities in your domain.
I won't argue that for certain very-large and/or very-complex installations, GPO-based distribution isn't appropriate.
I didn't place any values on imaging, remote control, and inventory because the original poster didn't ask for them. However, I will say this:
I'd suggest not using a third-party solution for imaging, except in special circumstances (labs, kiosks, etc). This is because it makes your skills non-portable. If you learn how to do imaging using WDS, RIS, Sysprep, etc then you can do imaging anywhere you go, without having to buy new software.
And for remote control, there's been no reason to use third-party remote control software since Windows 2000. Remote Desktop and Remote Assistance work just fine, for non-interactive and interactive support, respectively.
Anyway, while I agree that Altiris is a comprehensive and effective package, I would argue that in most cases its cost is not worth it, as 75% of its functionality is already included in Windows, and just requires a little bit of scripting and learning the guts. And that is a re-usable skill (scripting for administration and knowing Windows & AD internals).
Lastly, when it's time for your org to move to Vista (if ever) the imaging situation has changed dramatically. The new WinPE-based installer and server component (the successor to RIS) are really, really well done. It's going to be hard for third-party tools to make something compelling enough to spend big bucks on, IMO.
The biggest thing is, you don't know if the installation succeeded or not -- no reporting. This is true to an extent. It's no big deal to write a little script to walk all the machines, and look for the right kind of error log on the Installer type within a time-frame. In my experience, that's the kind of thing most groups end up doing. It builds your scripting skills, and it's a one-time-ever cost, and once it's written, you can use it forever.
Secondly, you have little control over when the user reboots. It could be a day or a week. You can trivially force a reboot to all workstations in the domain, in an OU, etc in a few seconds.
So you set the policy, give it a few minutes to replicate to all the sites and DCs (or force it), and then do a massive reboot.
Now mind you, it's easy to saturate your various site & central networks and/or file server when doing this an entire domain at a time. So we wrote a little script around it to reboot them in batches of 10 separated by a couple minutes.
The other thing I ran into was that people didn't appreciate it when their computer took 10 minutes to install software x and finish booting. Usually they're standing there, looking at the screen, waiting to get their day started. That's why you do the installs after hours.
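As an added example (not the poster's script), here is the follow-up the post describes after a GPO software install, written in PowerShell: reboot the workstations of one OU in batches of 10 with a pause between batches, then walk the machines and read the Windows Installer events to get the success/failure report. The OU path, product name, and the availability of the ActiveDirectory module and remote event log access are assumptions.

```powershell
# Added example, not from the original thread. Assumptions: RSAT
# ActiveDirectory module, remote event log access to the clients, and the
# OU and product name below are placeholders for your own values.

Import-Module ActiveDirectory

$OU          = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$ProductName = 'Example Product'                      # placeholder MSI display name
$BatchSize   = 10
$BatchPause  = 120          # seconds between batches, so links and file servers survive
$Since       = Get-Date     # only count installs that happen from now on

$computers = Get-ADComputer -Filter * -SearchBase $OU | Select-Object -ExpandProperty Name

# 1. Reboot in batches of 10. Doing the whole domain at once saturates the
#    site links and the file server that hosts the MSI, as the post warns.
for ($i = 0; $i -lt $computers.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $computers.Count) - 1
    $batch = $computers[$i..$last]
    Write-Host ("Rebooting batch: " + ($batch -join ', '))
    Restart-Computer -ComputerName $batch -Force -ErrorAction Continue
    if ($last -lt $computers.Count - 1) { Start-Sleep -Seconds $BatchPause }
}

# Give the last batch time to boot and run the startup-assigned install.
Start-Sleep -Seconds 600

# 2. Walk the machines and look for MsiInstaller event 1033 in the Application
#    log. Its message ends with "Installation success or error status: N",
#    where 0 is success and anything else is a Windows Installer error code.
function Get-InstallStatus {
    param([string]$Computer)
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return [pscustomobject]@{ Computer = $Computer; Status = 'unreachable'; Code = $null }
    }
    $events = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033; StartTime = $Since
    }
    $hit = $events | Where-Object { $_.Message -like "*$ProductName*" } | Select-Object -First 1
    if (-not $hit) {
        return [pscustomobject]@{ Computer = $Computer; Status = 'not installed'; Code = $null }
    }
    $code = [int]([regex]::Match($hit.Message, 'status:\s*(\d+)').Groups[1].Value)
    [pscustomobject]@{
        Computer = $Computer
        Status   = if ($code -eq 0) { 'success' } else { 'failed' }
        Code     = $code
    }
}

$report = $computers | ForEach-Object { Get-InstallStatus -Computer $_ }
$report | Sort-Object Status | Format-Table -AutoSize

# Everything that is not 'success' is the list you chase; keep it for the ticket.
$report | Where-Object Status -ne 'success' |
    Export-Csv -Path "$env:TEMP\install-report.csv" -NoTypeInformation
```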
Are you kidding me?
Did you even read more than one page down the link that you just linked?
Count up all the shares sold by Bill Gates in Feb 2007 and then count up all the shares sold by Bill Gates in Nov 2006.
He sold more MS shares in November than in February.
In fact, if you go back in time you'll notice this surprising pattern: every quarter these kinds of folks that own huge sums in businesses sell off a percentage, and diversify.
It's so common and not-unusual/not-suspicious that it just about puts me to sleep.
I'm not an OEM, but it appears that for the end-user Vista Business is exactly the same price as XP Pro. At least configuring identical Dell Latitudes and OptiPlexes, one with Vista Business the other with XP Pro, they come out exactly the same price.
And a quick look at NewEgg puts them at exactly the same price for OEM/System Builder versions:
Vista Business
http://www.newegg.com/Product/Product.aspx?Item=N
XP Pro
http://www.newegg.com/Product/Product.aspx?Item=N
It is going to take us several months to fix this. Microsoft is aware of the issue (CSS differences) and has no plan to address it. How is that even possible? Does the software follow the guidelines in the logo program? If it did, unless your business is in hardware drivers or anti-virus, the whole XP to Vista move should have just been a big yawn-fest.
And how can CSS changes break software? At most, it should just make it more ugly, but how can a CSS change break functionality?
Microsoft completely divorced backwards compatibility in Visual Basic leaving many developers stranded unless they could swing a .NET job. Yes, and it was the right thing to do. VB6 wasn't an OO language, it was a hodge-podge of 4GL, OO, and procedural. It was a career and learning death-trap.
And besides, it's not like VB6 doesn't work anymore. It's not like MS is stopping VB6 programs from running or being developed. They just released something orders of magnitude better.
Should they have not ever made something better just because some people were comfortable with the old tried & true?
Just to add to this, getting a cert to sign your code isn't that expensive, even for the smallest of ISVs. On the order of $200 (per year if you need to sign new code, which is the case for most ISVs).
And MS doesn't sign the cert, or make any decision about who can or cannot get one. They simply created one trusted root, gave signing certs to 8 or 10 cert-vendor companies, who then will sell you a cert that is signed from a trusted root.
It's theoretically possible for MS to revoke any given cert signed from that trusted root, but as far as I know, it's only happened once, to a malicious group who spoofed another company's name.
Overall, getting your apps signed is simple, painless, and SOP for any ISV that makes Windows software.
Are you serious? Well, let's see, here are just the immediate possibilities that leap to mind.
You already have a Windows machine available with IIS, but don't have a Unix machine around, or don't want to put Apache on Windows.
The work you're going to do is ASP or ASP.NET based, or based on/assuming an IIS install.
Your admins are skilled on Windows but no Unices, so you know you can lock down and secure the IIS box effectively, but can't guarantee that you can do the same for the Unix box.
As for Windows 2003 Web Server Edition, what languages does it include besides ASP.NET and .NET? Can I run other services (mail, ftp) on it? As for the free stuff, why should I download when Linux distros already have such software, including PHP, Python, and Perl? Windows just ships by default with ASP (VBScript & JScript), ASP.NET (C#, VB.NET, and J#). So only the MS stuff.
I'm not sure that spending a couple minutes downloading and installing another language is really that big of a barrier, but if it is critical to you then you're right, it doesn't come included.
Even on the Linux distros though, isn't it regular practice to update whatever version of PHP (say) to the current version, anyway? So depending on the distro, a couple minutes of work (apt-get, or whatever) to update to the current version. And then, I believe, you have to modify Apache to bind the language (install mod_perl, etc). I know it's not much work in either case, but frankly neither is downloading and installing Perl or PHP on Windows. Even Python is just an MSI on Windows, and ActiveState has a great Windows package as well.
I guess my point is that on either platform, once you are up to speed and familiar with the platform, this stuff is easy. There's no question that the Linux package managers (particularly the debian ones) are much more elegant. But the time/effort difference is very minor, for adepts on either platform.
Uggh, look. Yes, you know your Unix skills, but you don't have a clue what you're doing on Windows.
So you go make the assumption that your very limited knowledge of how to do things reflects the actual extent of possibilities?
How about the possibility that the straw man you've set up here (doing everything the easy way on Unix, then doing everything the hard way on Windows) isn't the way anyone with half a year of experience would do it?
So let's break down how to do it properly on Windows.
Get laptop and connect to internet: working over crappy DSL line, 2Mb top speed 8( run ssh to get to a suse server I had installed earlier in the week for the project, (the server was also running some other services so could not be restarted during the working day)
Same on the Windows side, even a crappy DSL line is more than enough to support RDP, which works pretty cleanly over dial-up, once it caches any bitmaps you might encounter.
Use YaST to install Apache and PHP requirements from up-to-date SUSE internet repository.
Use Add/Remove Programs to install IIS and WWW on Windows. Due to the way Windows is set up, as long as your base OS is patched, then your IIS/WWW is already patched. So that was easy.
(And although you don't need the install media to install IIS on an installed server, if you don't have install media on your network or on the server, then you're not doing a good job of setting up your environment. Alternatively, you can just use the RAC/ILO on the server to remote mount the CD or an ISO. Whatever works best for you.)
Use vi to edit the apache config to create virtual server.
Use IIS Admin to do this, or use the command line tool, or modify the metabase.xml directly. Whichever way is more comfortable for you, there are lots of options.
Use rsync to copy the php application to the server. (for windows users, rsync is a little like FTP, but over an ssh connection, and can easily replicate a full folder structure)
Use XCOPY to copy the PHP application to the server. (For Unix users, XCOPY is a little like rsync, but will run over any CIFS connection (including an RDP connection), and can easily replicate a full folder structure.)
Test, debug, then secure access to only http, https and ssh. Approx 4 hrs for the whole job.
Test, debug, then secure access to only http, https, and RDP from inside the network (i.e., requires VPN).
Compare that to what you wrote:
To do the same thing in Windows - Take Previously installed Windows 2K3 server, enable remote desktop access, oh hang on, that wasn't done initially so will have to call someone at the office to do it for me,
Why didn't you do it right the first time?
Oh, and have to install whole citrix gateway infrastructure to support secure encrypted remote access.
I have no idea what you're talking about here. The SOP way to do this is to VPN into your protected network and RDP from there.
Add software - IIS, hang on, no network repository for i386 directory, get someone at the office to stick in a CD, then restart.
Why don't you have a network repository for i386? That's SOP for this kind of environment when done by competent admins. CD? And why would you restart? You don't need to restart after installing IIS.
And I'm about 80% sure that you don't need the CD or media at all to install IIS on a box that is already installed and set up.
Add php services to IIS - umm, haven't done that before so I don't know how hard it is to do.
That's one of the nice things about how Microsoft does pretty much every single server product they have.
There's the GUI for light-weight admin, or entry-level folks, or one-off admin.
There's the command line clients for batch style automation when you need.
There's the WMI/ADSI/COM interfaces for real programmability when you really need to get down and dirty.
Pretty much every single product in the MS stable exposes all three of those interfaces. So if you want to start editing the metabase.xml directly for IIS, so that your first learnings aren't wasted, then just do that! Don't use the GUI at all.
And for small to medium-sized uses, you can just download SQL Server 2005 Express, for free.
You can also do the same thing on your XP Pro box with no additional costs whatsoever, but with some scalability limitations (i.e., good for a dev box, no good for a real production box).
Just for fun I'm going to answer your questions, as I think most folks just don't know all of what you can do with IIS, so let's see how we fare.
What are IIS' equivalents of the and directives?
Is there a word missing here, or is this Apache lingo that I just don't know? What is an 'and directive'?
Do you mean what is commonly referred to as 'security modules and directives'?
The 'allow' and 'deny' directives are largely present in IIS. Not so simple to do partial host-names and partial IP addresses in quite the way that Apache directives do them, but it's doable. An IIS filter written in C# is always your fallback here.
'AuthGroupFile' equivalent functionality is also present, you just stick the user/pass pairs in the metabase.xml (IIRC).
All of the 'AuthName', 'AuthType', etc functionality is there, it's just configured differently than Apache does it. Same for the 'Options' directive.
You've got me there. But be patient, SNI is very young, and from what I found in a quick google, isn't well integrated into Apache yet either. In a pinch, as I said earlier, you could always write a filter yourself if you wanted to.
Then again, how about just use one IP for each SSL enabled domain. It's not that big of a barrier. Or am I missing something? I'm not hugely up to speed on the driving force behind this.
How do I use IIS as a backend for a subversion server?
Do you mean as a front-end to a Subversion server? I am not aware of a way to use Apache as a backend to a Subversion server. You either stick it in the file system, or use BerkeleyDB.
If you mean use IIS as a front-end to SVN, then there's no easy way to do it without writing some code. IIS supports WebDAV but I'm frankly not sure how much support there is for DeltaV, which SVN over a web server requires.
So here the answer (to the probably correct modification of your question), is no. There is no software currently written to allow you to use IIS to host SVN. Like so many things, probably very doable if you want to do the code, but no one is doing it yet.
How can I set up filters that deny requests based on the occurrence of suspicious strings in their headers?
Now mind you, using URLScan on IIS6 isn't as common as it was on previous versions, but it's very doable, and gives you this kind of control.
Another thing to mention, URLScan is just an ISAPI filter written and loaded into IIS, anyone can write similar modules.
How can I have an IIS server publish its virtual hosts via DNS-SD?
Not that I can find. Though in all honesty, DNS-SD and TLS-SNI is some pretty esoteric stuff at the moment.
How can I set it up to fire off requests for different virtual hosts as different system users, so that I can grant different privileges to different web applications?
Trivially. Each host uses its own application pool, which can run as whatever user account you want. So if you want 600 different sites, each running under its own unique user account, then you just do it. That's how shared-hosting services on IIS are done.
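As an added example (not the poster's code), here is the per-site application pool arrangement just described, in PowerShell against the WebAdministration module: each site gets its own pool and its own identity, and the folder ACL lets each pool read only its own site, so a compromised app in one pool cannot read another site's files. Site names, host headers and paths are placeholders, and it uses the per-pool virtual account (IIS AppPool\<name>) rather than a named user account, which avoids storing a password per pool.

```powershell
# Added example, not from the original thread. Assumptions: IIS with the
# WebAdministration module, run from an elevated prompt; the site names,
# host headers and paths below are placeholders.

Import-Module WebAdministration

$Sites = @(
    @{ Name = 'alpha'; HostHeader = 'alpha.example.test'; Path = 'C:\Sites\alpha' }
    @{ Name = 'beta';  HostHeader = 'beta.example.test';  Path = 'C:\Sites\beta'  }
)

foreach ($s in $Sites) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null

    # A dedicated pool per site, running as its own virtual account
    # (identityType 4 = ApplicationPoolIdentity, i.e. "IIS AppPool\<name>").
    if (-not (Test-Path "IIS:\AppPools\$($s.Name)")) {
        New-WebAppPool -Name $s.Name | Out-Null
    }
    Set-ItemProperty "IIS:\AppPools\$($s.Name)" -Name processModel.identityType -Value 4

    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -HostHeader $s.HostHeader `
                    -Port 80 -ApplicationPool $s.Name | Out-Null
    }

    # Least privilege on disk: strip inherited entries, then grant the pool's
    # own account read/execute on its own folder (inherited by children) plus
    # SYSTEM and Administrators for operations. No other pool's account is
    # listed, so no other pool can read this site at all.
    $own = "IIS AppPool\$($s.Name)"
    icacls $s.Path /inheritance:r `
        /grant "${own}:(OI)(CI)RX" `
        /grant 'SYSTEM:(OI)(CI)F' `
        /grant 'Administrators:(OI)(CI)F' | Out-Null
}

# Verify: each pool's identity type, and the resulting ACL on each site folder.
Get-ChildItem IIS:\AppPools |
    Select-Object Name, @{ n = 'IdentityType'; e = { $_.processModel.identityType } }
foreach ($s in $Sites) { icacls $s.Path }
```

If an application needs write access (uploads, logs), grant it on that one subfolder only, never on the site root.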
How can I have IIS get the value that it uses for the Content-Type header of its responses from an extended attribute on the file being served, rather than a dumb lookup in a table of file extension (god, don't get me STARTED on file extensions!) to media type?
Well, no, but this isn't much to do with IIS, it's more of a Windows philosophy thing.
In addition, not everyone buys into determining content-type via magic numbers. And it's definitely not how it's done in the Windows world. So even if IIS offered this, it wouldn't do you much good, as not much in the Windows world
Now, when you start using a corporate PC and start installing applications made by Visual Studio, how do you fine tune the installation of DLLs and executables so they don't mash up another app? Is there an easy way to fine tune the AutoInstaller or do you have to go down to the Microsoft "Autoconf" files and read a stack of documentation? It's not all that bad. In the end, everything is just a file or a registry entry. And really the only complicated part is if you have multiple conflicting versions of COM components on the system, and you need to make sure that each app only works with its correct version. And there is very specific, relatively straightforward guidance from MS on how to do this.
Search on registration-free COM and similar terms in google.
In the Windows world, that isn't the case, because Windows development is a mess. That is mostly Microsoft's fault. That's not really true. It is absolutely trivial to write Windows apps that work fine in Win98 - Vista. What you find though is that most ISVs are LAZY and incompetent, and can't be bothered with reading up the open and available documentation for how to do so.
Basically, the easy way to make things compatible is to make your software Windows Logo Certified, or at least satisfy all the logo cert requirements.
And with each new release of Windows, they release a big change document, a new logo program, and go to massive lengths to inform and prepare the ISV community about what they need to do to make their apps compatible. They often even create numerous testing and migration utilities to make people's lives even easier.
The problem with app compatibility is _not_ Microsoft. They go to absolutely extraordinary (and costly) lengths to make it as easy as possible to make apps compatible.
Proper user permissions makes it both easy to install software and stop trojans. People complain because M$ has yet to implement the simple read write execute and user flags common and effective in Unix since the 1970s. Instead they use annoying warnings that cry wolf and make the user think it's their fault when they turn those off. I'm not sure what you're talking about here, but Windows does have proper user permissions. Windows does support RWX perms on files and folders, and ships with them correctly configured by default (i.e., users only have write access to their profile directory, and read to system directories).
Now Windows takes the simple owner/group/world + RWX much farther, and lets you set very powerful file/folder permissions for an arbitrary number of users/groups, rather than just the three.
But if you want to just use RWX on Owner and a single group, you're more than welcome to do that, it's pretty trivial.
People have got to really stop quoting this guy as if he is speaking biblical truth.
He read some pre-release technical documentation, made some assumptions about how those would be implemented in the real world, then made some large logical leaps about how this hypothetical implementation would affect other tertiary industries/populations, and then wrote it all up as if it were fact.
It is not. Zero of his assertions are actually based on Vista. They are based on some technical documents that were written long before Vista was released, mostly targeted at external IHVs.
So he's never been bothered to go to the trouble to actually see if any of his hypothetical problems exist in the actual product.
So he's basically built up this huge mythical straw-man, which may or may not reflect reality, and then is trying to use it as an anti-clue-stick to beat people with.
Says me: Grandma, need to change the ACLs to keep Junior out of your email directory (or whatever).
sudo su -
cd
chmod g+w .
chmod u+w .
chmod o-r .
chown . grandma
chgrp . crazy_grandmas
Last, set umask 700 in your
Got it grandma?
(Yes, I know my example isn't really syntactically correct, but I think we all see the point here.)
Thank you! While everyone is going on about Altiris (gag) and SMS, there's a completely free solution, and it's already present in your domain!
Just use Group Policy and Veritas WinINSTALL LE (free and included with your Windows Server CD).
Everything you need to know is here:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/winstall.mspx
Free and easy, no muss no fuss.
How about instead of just making up arbitrary numbers that support your hypothesis, let's take 30 seconds and go to NewEgg.com and see for sure.
Windows Vista 32-bit Ultimate - $189.99
http://www.newegg.com/Product/Product.aspx?Item=N
Windows Vista 32-bit Business - $139.99
http://www.newegg.com/Product/Product.aspx?Item=N
Windows Vista 32-bit Home Premium - $111.99
http://www.newegg.com/Product/Product.aspx?Item=N
Windows Vista 32-bit Home Basic - $94.99
http://www.newegg.com/Product/Product.aspx?Item=N
The 64-bit versions are a few dollars more expensive, and if you buy the 3-packs, the per-unit is a few dollars less expensive.
Figure that Dell gets a higher volume discount than this, so they pay even less.
And how can CSS changes break software? At most, it should just make it more ugly, but how can a CSS change break functionality? Microsoft completely divorced backwards compatibility in Visual Basic leaving many developers stranded unless they could swing a
And besides, its not like VB6 doesnt work anymore. It's not like MS is stopping VB6 programs from running or being developed. They just released something orders of magnitude better.
Should they have not ever made something better just because some people were comfortable with the old tried & true?
Just to add to this, getting a cert to sign your code isnt that expensive, even for the smallest of ISV's. On the order of $200 (per year if you need to sign new code, which is the case for most ISV's).
And MS doesnt sign the cert, or make any decision about who can or cannot get one. They simply created one trusted root, gave signing-certs to 8 or 10 cert-vendor companies, who then will sell you a cert that is signed from a trusted root.
It's theoretically possible for MS to revoke any given cert signed from that trusted root, but as far as I know, its only happened once to a malicious group who spoofed another company's name.
Overall, getting your apps signed is simple, painless, and SOP for any ISV that makes windows software.
I'm not sure that spending a couple minutes downloading and installing another language is really that big of a barrier, but if it is critical to you then you're right, it doesn't come included.
Even on the Linux distros though, isn't it regular practice to update whatever version of PHP (say) to the current version, anyway? So depending on the distro, a couple minutes of work (apt-get, or whatever) to update to the current version. And then, I believe, you have to modify Apache to bind the language (install mod_perl, etc). I know it's not much work in either case, but frankly neither is downloading and installing Perl or PHP on Windows. Even Python is just an MSI on Windows, and ActiveState has a great Windows package as well.
I guess my point is that on either platform, once you are up to speed and familiar with the platform, this stuff is easy. There's no question that the Linux package managers (particularly the Debian ones) are much more elegant. But the time/effort difference is very minor, for adepts on either platform.
So you go make the assumption that your very limited knowledge of how to do things reflects the actual extent of possibilities?
How about the possibility that the straw man you've set up here (doing everything the easy way on Unix, then doing everything the hard way on Windows) isn't the way anyone with half a year of experience would do it?
So let's break down how to do it properly on Windows.
Get laptop and connect to internet: working over crappy DSL line, 2Mb top speed 8( run ssh to get to a SUSE server I had installed earlier in the week for the project (the server was also running some other services so could not be restarted during the working day)
Same on the Windows side, even a crappy DSL line is more than enough to support RDP, which works pretty cleanly over dial-up, once it caches any bitmaps you might encounter.
Use YaST to install Apache and PHP requirements from up-to-date SUSE internet repository.
Use Add/Remove Programs to install IIS and WWW on Windows. Due to the way Windows is set up, as long as your base OS is patched, then your IIS/WWW is already patched. So that was easy.
(And although you don't need the install media to install IIS on an installed server, if you don't have install media on your network or on the server, then you're not doing a good job of setting up your environment. Alternatively, you can just use the RAC/iLO on the server to remote mount the CD or an ISO. Whatever works best for you.)
Use vi to edit the apache config to create virtual server.
Use IIS Admin to do this, or use the command line tool, or modify the metabase.xml directly. Whichever way is more comfortable for you, there are lots of options.
To install PHP, take 30 seconds and read this:
http://www.php.net/manual/en/install.windows.php#install.windows.installer.msi
Use rsync to copy the php application to the server. (for windows users, rsync is a little like FTP, but over an ssh connection, and can easily replicate a full folder structure)
Use XCOPY to copy the php application to the server. (for unix users, XCOPY is a little like rsync, but will run over any CIFS connection (including an RDP connection), and can easily replicate a full folder structure)
Test, debug, then secure access to only http, https and ssh. Approx 4 hrs for the whole job.
Test, debug, then secure access to only http, https, and rdp from inside the network (i.e., requires VPN).
Compare that to what you wrote:
To do the same thing in Windows - Take Previously installed Windows 2K3 server, enable remote desktop access, oh hang on, that wasn't done initially so will have to call someone at the office to do it for me,
Why didn't you do it right the first time?
Oh, and have to install whole citrix gateway infrastructure to support secure encrypted remote access.
I have no idea what you're talking about here. The SOP way to do this is to VPN into your protected network and RDP from there.
Add software - IIS, hang on, no network repository for i386 directory, get someone at the office to stick in a CD, then restart.
Why don't you have a network repository for i386? That's SOP for this kind of environment when done by competent admins. CD? And why would you restart? You don't need to restart after installing IIS.
And I'm about 80% sure that you don't need the CD or media at all to install IIS on a box that is already installed and set up.
Add php services to IIS - umm, haven't done that before so I don't know how hard it is to do.
Go to php.net, download the msi, run it. Yawn.
Here's the link to make it easier:
That's one of the nice things about how Microsoft does pretty much every single server product they have.
There's the GUI for light-weight admin, or entry-level folks, or one-off admin.
There's the command line clients for batch-style automation when you need it.
There's the WMI/ADSI/COM interfaces for real programmability when you really need to get down and dirty.
Pretty much every single product in the MS stable exposes all three of those interfaces. So if you want to start editing the metabase.xml directly for IIS, and therefore your first learnings aren't wasted, then just do that! Don't use the GUI at all.
I think you may be misunderstanding the server products.
You cannot buy IIS, and there is no enterprise version.
If you're looking for a webserver, you don't want Windows 2003 Server Enterprise, you want Windows 2003 Web Server Edition. Both of which include IIS6.
Getting the enterprise version of server would be way overkill.
http://www.microsoft.com/technet/windowsserver/evaluate/features/compare.mspx
And it'll run you a few hundred dollars ($380 at newegg):
http://www.newegg.com/Product/Product.aspx?Item=N82E16832116114
And for small to medium-sized uses, you can just download SQL Server 2005 Express, for free.
You can also do the same thing on your XP Pro box with no additional costs whatsoever, but with some scalability limitations (i.e., good for dev box, no good for real production box).
What are IIS' equivalents of the and directives?
Is there a word missing here, or is it Apache lingo that I just don't know? What is an 'and directive'?
Do you mean what is commonly referred to as 'security modules and directives'?
The 'allow' and 'deny' directives are largely present in IIS. Not so simple to do partial host names and partial IP addresses in quite the way that Apache directives do them, but it's doable. An IIS filter written in C# is always your fallback here.
'AuthGroupFile' equivalent functionality is also present, you just stick the user/pass pairs in the metabase.xml (iirc).
All of the 'AuthName', 'AuthType', etc. functionality is there, it's just configured differently than Apache does it. Same for the 'Options' directive.
I pulled all of these from here.
How can I use TLS SNI with IIS?
You've got me there. But be patient, SNI is very young, and from what I found in a quick Google, isn't well integrated into Apache yet either. In a pinch, as I said earlier, you could always write a filter yourself if you wanted to.
Then again, how about just using one IP for each SSL-enabled domain? It's not that big of a barrier. Or am I missing something? I'm not hugely up to speed on the driving force behind this.
How do I use IIS as a backend for a subversion server?
Do you mean as a front-end to a subversion server? As I am not aware of a way to use apache as a backend to a subversion server. You either stick it in the file system, or use BerkeleyDB.
If you mean use IIS as a front-end to SVN, then there's no easy way to do it without writing some code. IIS supports WebDAV but I'm frankly not sure how much support there is for DeltaV, which SVN over a web server requires.
So here the answer (to the probably correct modification of your question), is no. There is no software currently written to allow you to use IIS to host SVN. Like so many things, probably very doable if you want to do the code, but no one is doing it yet.
How can I set up filters that deny requests based on the occurrence of suspicious strings in their headers?
This one is easy. URLScan.
Now mind you, using URLScan on IIS6 isn't as common as it was on previous versions, but it's very doable, and gives you this kind of control.
Another thing to mention: URLScan is just an ISAPI filter written and loaded into IIS; anyone can write similar modules.
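As an added illustration of the URLScan answer above, here is a UrlScan.ini fragment written for this page (it is not a file from the thread, nor Microsoft's shipped default file). The section and option names are UrlScan's own; the particular verbs, headers, extensions and sequences listed are illustrative choices for a PHP site, not a recommended baseline. One caveat worth knowing before relying on it for the question asked: UrlScan matches header names in [DenyHeaders], sequences in the URL path in [DenyUrlSequences] and, in 3.x, query-string sequences, but it does not match arbitrary substrings of header values, so for value-based rules the custom ISAPI filter mentioned above is still the route.

```ini
; Added example UrlScan.ini fragment for this page (not the thread's own file).
; Lines starting with ';' are comments. The deny/allow lists below are
; illustrative choices, not a recommended baseline.
[Options]
; Only verbs listed in [AllowVerbs] get through; everything else is rejected.
UseAllowVerbs=1
; Use a deny list of extensions ([DenyExtensions]) rather than an allow list.
UseAllowExtensions=0
; Decode the URL once, then scan it, and reject URLs that change on a second
; decode (catches double-encoding tricks).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; No high-bit characters and no '.' inside directory names (blocks ../ variants).
AllowHighBitCharacters=0
AllowDotInPath=0
; Don't advertise the server version; log what was rejected and why.
RemoveServerHeader=1
EnableLogging=1
; Placeholder page shown for rejected requests.
RejectResponseUrl=/Rejected-By-UrlScan

[AllowVerbs]
; Everything else (TRACE, PROPFIND, OPTIONS, ...) is rejected.
GET
HEAD
POST

[DenyHeaders]
; A request carrying ANY of these headers is rejected. Matching is on the
; header name (include the colon), which is how WebDAV traffic is kept out.
Translate:
If:
Lock-Token:
Transfer-Encoding:

[DenyExtensions]
; Never serve these even if a copy lands in the content tree.
.ini
.log
.bak
.config

[DenyUrlSequences]
; Rejected anywhere in the URL path; catches traversal and encoding tricks.
..
./
\
:
%
&
```

UrlScan reads this file at filter load, so IIS has to be restarted (or the site's application pool recycled, on IIS6) after editing it, and rejected requests are written to UrlScan's own log rather than the IIS log, which is where to look when a legitimate request starts failing after tightening these lists.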
How can I have an IIS server publish its virtual hosts via DNS-SD?
Not that I can find. Though in all honesty, DNS-SD and TLS-SNI is some pretty esoteric stuff at the moment.
How can I set it up to fire off requests for different virtual hosts as different system users, so that I can grant different privileges to different web applications?
Trivially. Each host uses its own application pool, which can run as whatever user account you want. So if you want 600 different sites, each running under its own unique user account, then you just do it. That's how shared-hosting services on IIS are done.
How can I have IIS get the value that it uses for the Content-Type header of its responses from an extended attribute on the file being served, rather than a dumb lookup in a table of file extension (god, don't get me STARTED on file extensions!) to media type?
Well, no, but this isn't much to do with IIS, it's more of a Windows philosophy thing.
In addition, not everyone buys into determining content-type via magic numbers. And it's definitely not how it's done in the Windows world. So even if IIS offered this, it wouldn't do you much good, as not much in the Windows world
Search on registration-free COM and similar terms in Google.
Basically, the easy way to make things compatible is to make your software Windows Logo Certified, or at least satisfy all the logo cert requirements.
And with each new release of Windows, they release a big change document, a new logo program, and go to massive lengths to inform and prepare the ISV community about what they need to do to make their apps compatible. They often even create numerous testing and migration utilities to make people's lives even easier.
The problem with app compatibility is _not_ Microsoft. They go to absolutely extraordinary (and costly) lengths to make it as easy as possible to make apps compatible.
Now Windows takes the simple owner/group/world + RWX much farther, and lets you set very powerful file/folder permissions for an arbitrary number of users/groups, rather than just the three.
But if you want to just use RWX on Owner and a single group, you're more than welcome to do that, it's pretty trivial.
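One way to put the per-site application pool answer above and this ACL comparison together in practice, as an added example for this page (not the poster's procedure and not Microsoft sample code): it assumes Windows Server 2012 R2 or later with the Web-Server role installed and the WebAdministration module available, i.e. the IIS 7+ tooling rather than the IIS6 metabase the thread refers to, and every site name, path and address in it is a placeholder. It walks the same steps as the Windows column earlier in the thread: one application pool per site running as its own account (here the built-in per-pool virtual account, so no password to manage; a dedicated domain or local account can be set on the pool instead), a content root whose permissions are set once at the top and inherited down (Full for admins, Read/Execute for the site, Modify only on the single folder it must write to), XCOPY deployment, a host-header site bound to that pool, and a firewall that exposes only HTTP/HTTPS to the world and RDP only to the VPN range.

```powershell
# Added example for this page, not code from the thread. Assumes Windows Server
# 2012 R2+ with the Web-Server role and the WebAdministration module (IIS 7+
# tooling, not the IIS6 metabase). All names, paths and addresses are placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName   = 'example-site'            # placeholder site and pool name
$HostHeader = 'www.example.test'        # placeholder host header
$SitePath   = 'C:\Sites\example-site'   # placeholder content root
$SourcePath = 'C:\Deploy\example-site'  # placeholder staging copy of the app
$VpnSubnet  = '10.8.0.0/24'             # placeholder VPN address range

# 1. One application pool per site, running under its own virtual account
#    (IIS AppPool\<name>). identityType 4 = ApplicationPoolIdentity; a
#    dedicated domain/local account can be configured here instead if required.
if (-not (Test-Path "IIS:\AppPools\$SiteName")) {
    New-WebAppPool -Name $SiteName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel.identityType -Value 4
$PoolIdentity = "IIS AppPool\$SiteName"

# 2. Content root with the ACL set once at the top and inherited downward:
#    admins and SYSTEM get Full, the pool identity gets Read/Execute, nobody else.
#    (OI)(CI) = apply to files and subfolders; /inheritance:r drops inherited ACEs.
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
icacls $SitePath /inheritance:r | Out-Null
icacls $SitePath /grant "BUILTIN\Administrators:(OI)(CI)F" `
                        "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
                        "${PoolIdentity}:(OI)(CI)RX" | Out-Null

# 3. Deploy the application tree with XCOPY (/E replicates the folder structure).
xcopy $SourcePath $SitePath /E /I /Y | Out-Null

# 4. The only place the site may write is its upload folder: Modify there, not
#    Full, so a compromised application cannot change ACLs or rewrite its own code.
$UploadPath = Join-Path $SitePath 'uploads'
New-Item -ItemType Directory -Path $UploadPath -Force | Out-Null
icacls $UploadPath /grant "${PoolIdentity}:(OI)(CI)M" | Out-Null

# 5. Site bound by host header and tied to its own pool (not DefaultAppPool).
if (-not (Get-Website -Name $SiteName)) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -HostHeader $HostHeader `
                -Port 80 -ApplicationPool $SiteName | Out-Null
}

# 6. Firewall: HTTP/HTTPS from anywhere, RDP only from the VPN range.
New-NetFirewallRule -DisplayName "$SiteName HTTP"  -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80  | Out-Null
New-NetFirewallRule -DisplayName "$SiteName HTTPS" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 | Out-Null
New-NetFirewallRule -DisplayName 'RDP from VPN only' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $VpnSubnet | Out-Null

# 7. Verify: site -> pool mapping, pool identity, and the effective ACL on the root.
Get-Website -Name $SiteName | Select-Object Name, ApplicationPool, State
(Get-Item "IIS:\AppPools\$SiteName").processModel.identityType
icacls $SitePath
```

The check in step 7 is the one to keep around: if `icacls` ever shows the pool identity with more than RX on the content root, or a site mapped to DefaultAppPool, the per-site isolation the answer above describes has quietly been lost, and a bug in one application is again a bug with access to every other site's files.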
People have got to really stop quoting this guy as if he is speaking biblical truth.
He read some pre-release technical documentation, made some assumptions about how those would be implemented in the real world, then made some large logical leaps about how this hypothetical implementation would affect other tertiary industries/populations, and then wrote it all up as if it were fact.
It is not. Zero of his assertions are actually based on Vista. They are based on some technical documents that were written long before Vista was released, mostly targeted at external IHVs.
So he's never been bothered to go to the trouble to actually see if any of his hypothetical problems exist in the actual product.
So he's basically built up this huge mythical straw-man, which may or may not reflect reality, and then is trying to use it as an anti-clue-stick to beat people with.