Unluckily for you, this vulnerability will still affect you. If you read the security announcement by Microsoft, a possible workaround is to block all TNEF / winmail.dat attachments, which will break all incoming RTF mail. Depending on what your business exactly does, this might not be a viable workaround.
My old ThinkPad with a Core 2 Duo 1.83 GHz had issues when playing 720p with LOTS of movement on the screen (like particle effects). This applied both to mplayer and CCCP/MPC.
With 1080p video, the machine was even worse.
I now have a new ThinkPad with a Core 2 Duo 2.53 GHz, and it's a lot better for playing hi-res movies.
But either way: more CPU power and cores are a good idea. I like having a desktop machine where I can offload CPU-intensive tasks, but I would prefer to have only a single, powerful laptop instead of needing to have two devices.
Vendor lock-in sure has lots of disadvantages, but it also has its advantages: if it didn't, people wouldn't do it as often.
In general, what you want to do is what is best for your company.
Start out by defining what you want to achieve, and then compare what solutions are on the market to fulfill those definitions. Forget about OSS vs. non OSS.
If you define exactly what you need, you will see which solutions match that. For example, you may have a requirement x which is already built into MS Office but not yet into OpenOffice, so it would require y hours of work to add. The same goes the other way: 99% of proprietary software allows excellent extensibility through APIs, plugins, etc.
At the end, make a tally of which will fulfill your needs better and is cheaper: MS Office licensing for x dollars per seat and y dollars of initial development, z dollars of development maintenance per month, or OpenOffice.org with 0 dollars per seat and y dollars of development, z dollars of development maintenance per month.
Please make sure you consider the whole thing end to end: you have to ensure security updates, deployments, vendor hardware support (or you might decide to build your own hardware, which most probably does not make sense with a site as small as the OP's).
Also make sure to consider the track records certain vendors have regarding upgradability and migration paths. For example, running Domino & Exchange side by side with interop is easily possible with already premade solutions, but migrating from Exchange to a Linux based solution may require a lot of development for custom software that allows side by side migration.
If project independence takes off and businesses don't need a windows license on each workstation to make it work then look out. This obstacle will stand like a sandcastle in a rising tide.
Doing this won't have any influence on how many licenses you need to pay for.
Why don't you just post a list of supported devices?
For example, we only support the better ThinkPad devices (i.e. everything except the SL series).
They all come with Vista Business minimum, we have a standardized Vista image that can be deployed to most of them, we have a single vendor to deal with regarding tools (presentation manager, etc.).
Makes support a lot easier, and still leaves the users with lots of flexibility with what they want to buy.
Yes, but the majority of the price you pay for a car is not for the raw materials of the car and the work needed to put it together, but for the work needed to design the car, its engine, and the parts that make it up.
Yes, the raw material / work per unit cost for Windows is a lot cheaper than for a car, but it's still the same: adding extra features costs more money, because someone needs to write them, test them, document them, etc.
I'm not a big fan of the Vista split-up the way they did it - I especially hate that Vista Business does not include BitLocker, which is a bad thing for small businesses without SA. Also, the split between Home Basic and Home Premium is stupid. Ultimate is okay - it adds the business features to a home version, so I can live with that.
Yes, letting untrusted and potentially malicious users run arbitrary software from a USB stick sounds like a great idea for a secure computing environment.
That sounds like a support nightmare in the making.
But our Exchange system now is creaking under its own weight, fails to back up shockingly often, and is down more often than the 99.9% monthly SLA [google.com] that Google Apps offers would allow. Scaling up the Exchange server would require a significant cash outlay, and I'm not convinced it would be any cheaper over the lifetime of the system.
I guess it only works when you have admin privileges to the local machine (which is common for some programs to function). Apparently it would allow the override of any domain policy restrictions on the domain if invoked in this way.
Doesn't sound like an exploit to me. If you have local admin privileges, getting SYSTEM privileges is easy, as a local admin is intended to have permissions to do that.
Of course with full local administrative privileges, you can override GPOs at will - this is also perfectly normal and intended behaviour.
You are not supposed to have users running with local admin privileges - if a program requires them you can either try to fix the permission mess yourself using Process Monitor or similar programs, tell the software vendor to fix it, or use another program. If you let other vendors dictate your security policy, your CIO is doing something very, very wrong.
I don't exactly see where Office comes into play here, though.
Or another example: Assume you administrate a Linux box. Now you want the users to be able to edit a file in /etc. Instead of adjusting said file's permissions, you add an entry in sudoers, allowing users to do sudo vim. Now a user can do sudo vim, and then :!bash. And bam - he has root privileges. vim's fault? No. sudo's fault? No. Linux's fault? No. Admin's fault? HELL YEAH.
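The sudoers mistake described in the comment above generalizes to any interactive command granted as root: editors, pagers and scripting tools all offer a way to spawn a subprocess, so the rule is a root-shell grant in disguise. The following is an added example, not code from the original thread or from the sudo project: a small lint that parses sudoers user specifications, flags commands with known shell escapes, treats sudo's NOEXEC: tag as a mitigation, and suggests sudoedit for editor rules. The table of commands and the sample sudoers file are constructed for this example; the table is deliberately a small subset, not an exhaustive inventory.

```python
"""Lint sudoers user specifications for commands that hand out a root shell.

Added example (not part of the original thread). A rule such as
    alice ALL=(root) /usr/bin/vim /etc/motd
is meant to let alice edit one file, but vim's ':!sh' runs as root. Two
fixes exist in sudo itself: 'sudoedit FILE' edits a temporary copy as the
caller and only copies it back as root, and the NOEXEC: tag stops the
command from exec()ing other programs (for dynamically linked binaries).
"""
import os
import re
import shlex
from dataclasses import dataclass

# Interactive commands and how each one reaches a shell.
# Assumption for the example: a small well-known subset, not a complete list.
SHELL_ESCAPES = {
    "vi": ":!sh",
    "vim": ":!sh",
    "view": ":!sh",
    "less": "!sh",
    "more": "!sh",
    "man": "!sh",
    "find": "-exec /bin/sh \\;",
    "awk": "'BEGIN { system(\"/bin/sh\") }'",
    "perl": "-e 'exec \"/bin/sh\"'",
}
EDITORS = {"vi", "vim", "view"}

# user  host = (runas) [TAG:] command [, command ...]
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
DIRECTIVES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


@dataclass
class Finding:
    line: int
    user: str
    runas: str
    command: str   # command spec as written in sudoers
    base: str      # basename of the granted binary
    escape: str    # how a shell is reached from it
    fix: str       # what to change


def parse_entry(line):
    """Parse one user-spec line into (who, host, runas, [(tags, cmd), ...]).

    Returns None for blank lines, comments, Defaults and alias definitions.
    Tags (NOPASSWD:, NOEXEC:, ...) carry over to later commands in the same
    list, as they do in sudoers itself; a later EXEC: cancels NOEXEC:.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(DIRECTIVES):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    commands, tags = [], set()
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        while (t := TAG_RE.match(spec)):
            tag = t.group(1)
            tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
            tags.add(tag)
            spec = spec[t.end():]
        commands.append((set(tags), spec))
    return m.group("who"), m.group("host"), m.group("runas") or "root", commands


def find_shell_escapes(sudoers_text):
    """Return a Finding for every granted command that yields a shell as runas."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        who, _host, runas, commands = entry
        for tags, spec in commands:
            # ALL is an explicit full grant; NOEXEC already blocks the escape.
            if spec == "ALL" or "NOEXEC" in tags:
                continue
            try:
                argv = shlex.split(spec)
            except ValueError:
                continue
            if not argv:
                continue
            base = os.path.basename(argv[0])
            if base not in SHELL_ESCAPES:
                continue
            if base in EDITORS and len(argv) > 1:
                fix = "replace with 'sudoedit %s' (edits a copy as the caller, copies back as %s)" % (
                    " ".join(argv[1:]), runas)
            else:
                fix = "add the NOEXEC: tag or grant a narrower, non-interactive command"
            findings.append(Finding(lineno, who, runas, spec, base, SHELL_ESCAPES[base], fix))
    return findings


# Constructed sample sudoers for the example (not taken from a real system).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
# the case from the comment: meant to allow editing one file
alice   ALL=(root) /usr/bin/vim /etc/motd
bob     ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/systemctl restart nginx
carol   ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts
dave    ALL=(root) sudoedit /etc/motd
"""

if __name__ == "__main__":
    for f in find_shell_escapes(SAMPLE_SUDOERS):
        print(f"line {f.line}: {f.user} -> {f.runas}: '{f.command}' gives a shell via {f.escape}; {f.fix}")
```

Run against the sample, the lint reports alice's vim rule and bob's less rule and stays quiet about carol (NOEXEC:) and dave (sudoedit). NOEXEC: relies on LD_PRELOAD and does not help for statically linked binaries, which is why the editor case is better fixed with sudoedit than with a tag.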
How would this work? Office runs as a standard user, with no special privileges. How can you escalate your privileges from standard user to SYSTEM using Office?
If you already have Admin privileges, escalating from Admin to SYSTEM is easy.
So what was the issue and what was the solution to the issue?
In my experience, most AD problems come from user errors - for example using improper software to back up/restore AD (e.g. non-AD-aware imaging software), or errors with virtualization (e.g. rolling back snapshots on a virtual DC).
There never was an Office 2005. And Office runs as your user - there is no way it would allow privilege escalation. If you already had admin rights (which might be), and software restriction policies were in use, it was an admin error.
If you have physical access, any machine can be considered compromised.
A few solutions in a school environment come to mind:
* Use a computer with a TPM chip and secure the hard drives using BitLocker
-> This will require a very sophisticated attack of cooling and removing the memory in order to get the key
-> It will kill all attempts to boot off a CD and modify the existing environment
* Use a computer with case open detection, and set it to no longer boot after tamper has been detected
* Use an Intel AMT enabled machine to alert administrators at invalid BIOS passwords, case tampering, etc.
* Ensure that all students/teachers run as normal users without any special privileges
* Use 802.1x with EAP-TLS to ensure that only authenticated machines can access the network. This will make it impossible to plug a laptop into the school network, or boot from a Linux Live CD and gain access to the network
This will kill most attempts. It might still be possible to boot a Linux Live CD, but it won't have network access. It will also trigger the tamper detection, which together with proper video surveillance can be used to find out who has to be kicked out from school.
BES supports all three major groupware suites:
http://na.blackberry.com/eng/services/server/
Exchange is a Groupware Server, not just an MTA.
You realise that the topic is about Exchange.
None of the products mentioned provide the functionality Exchange has.
No, that's not what he said.
The Wii is aiming at the casual gamer (-> People with a life).
The Xbox 360/PS3 are aimed at gamers. People that play games online and aren't satisfied with super mario party 2357.
Wait what? You have to go to jail for smoking and/or having pot in the US?
And I thought the fines here are bad.
Uh, no! You can't use MSDN downloaded software in a production environment, except for a few extra cases.
But you certainly can't use an MSDN Exchange to host mail for your clerical staff.
Enterprise Edition can only be purchased by people who know what they're doing, you need VL/SA to get it.
It's Ultimate minus the Media Center.
This, of course, assumes that you can execute programs from any location, which shouldn't be the case in a proper corporate environment.
Let me guess, you're still running Exchange 2003?
Why don't the branch offices have their own DC?
With WS08 RODCs, there isn't even much of a security concern.
SBS08 Premium can have a backup AD controller.
Password policies only worked at the domain level until 2k8 came out (and the PSO is quite clunky, but it works well).
Of course you could place password policies at any OU. It just didn't do anything ;)
Software restriction policies using digital signatures to verify the software should work, as long as the user does not have admin privileges.
Samba is stuck at being an NT4 DC.
It offers some AD features though, but in general it's very spotty.