Microsoft Asks: Who Are You?
I’ve been in IT since 1993, and that
seems like an eternity some days. I
work for a Microsoft Certified Partner
that develops custom software.
We’re a Microsoft shop. I’ve spent
10 years working for my current
employer, so I would say I’m pretty
familiar with the history of Microsoft
and IT. I find Microsoft wanting
in many ways, mostly because the
company continues to make my job
difficult.
In response to Karen Forster’s
editorial, “Microsoft Asks: Who Are
You?” (December 2007, InstantDoc
ID 97478), I have to say I find no
compelling reason to share any
of my personal information with
Microsoft. Maybe I’m just old and
grouchy, but I don’t see how celebrating
my ability to play the kazoo
translates into helping me do my
job. I have a firm grip on who I am
and have never confused myself
with my profession. Honestly,
Microsoft’s initiative seems like a
marketing gimmick. If this kind of
email message arrived at my company,
it would probably get tagged
as spam.
—Curt Hayes
Custom Logon-Tracking Solution Insecure?
The Custom Logon-Tracking Solution
(“Windows IT Pro Innovators
Share Their Successes,” November
2007, InstantDoc ID 97204) struck
me as rather insecure. Any time
you have a shared Microsoft Access
database that is writeable by large
numbers of individuals, you have a
potential nightmare.
First, the logon script runs under
the user’s ID, which means he or she
must have write access to the Access
database. Nothing prevents the user
from deleting, creating, and modifying
records. Anyone with access
can forge entries, purge entries, and
otherwise modify records. Also, depending on how administrators
access the account-logging database,
an even bigger vulnerability is possible.
In Access 2003, when I open
.mdb files, the system warns me
that if this .mdb file contains code
intended to harm me, it can do so!
If non-privileged users modify that
.mdb file, opening it allows dangerous
Visual Basic for Applications
(VBA) code to run. If administrators
are careful and never open the .mdb
file itself—and always interact with
it through table links from another
.mdb file—they’re probably safe. If
not, they’re vulnerable.
I’m no security guru, but I would
suggest using a restricted SQL Server
database instead of an .mdb file.
Then, I’d create SQL Server stored
procedures for creating the logon
records and updating the logout
time. Those stored procedures would
use SQL Server functions to enumerate
the machine, the username
(using integrated security), the logon
time, and so on. I wouldn’t be able
to prevent people from trying to
insert false data, but I’d know what
account was used, what IP address
they came from, and when it happened
(based on the server’s clock). I’d also
restrict the database growth size, set
up alarm notifications, and so on.
—Anonymous
There are security
vulnerabilities that
could lead to problems,
especially if the solution is used
to store mission-critical or highly
sensitive data. In our case, the solution
was purely a tool for us to learn
which computers were being used and
to what extent. Even so, our Access
database is stored on a separate share
that is completely locked down with
several layers of security, including
firewalls, file permissions, and GPOs.
Only administrators have rights to browse to the location, and only
authenticated users on our domain
have read/write access to the database.
An authenticated user would
have to know the exact path and
filename of the database to even try
to tamper with it. That information
would be very difficult for our users—
none of whom have local administrative
rights—to obtain. Migrating the
solution to a SQL Server database
would certainly increase security, and
I would strongly recommend that
option if higher security is needed.
—Brandon Jones
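The design proposed in the anonymous letter above, written out in T-SQL as an added example (not code from the magazine or from either letter writer). The table, procedure, and role names are hypothetical, and CONNECTIONPROPERTY and datetime2 assume SQL Server 2008 or later.

```sql
-- Added example; LogonAudit, usp_RecordLogon, usp_RecordLogoff and
-- LogonWriters are hypothetical names.
CREATE TABLE dbo.LogonAudit (
    AuditId     bigint IDENTITY(1,1) PRIMARY KEY,
    LoginName   sysname       NOT NULL, -- taken from the session, never from the caller
    ClientAddr  varchar(48)   NULL,     -- address as observed by the server
    ClaimedHost nvarchar(128) NULL,     -- HOST_NAME() is client-supplied: informational only
    LogonUtc    datetime2(0)  NOT NULL, -- server clock
    LogoffUtc   datetime2(0)  NULL
);
GO
CREATE PROCEDURE dbo.usp_RecordLogon
    @AuditId bigint OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    -- No identity or time parameters: the server fills in every column itself.
    INSERT dbo.LogonAudit (LoginName, ClientAddr, ClaimedHost, LogonUtc)
    VALUES (ORIGINAL_LOGIN(),
            CONVERT(varchar(48), CONNECTIONPROPERTY('client_net_address')),
            HOST_NAME(),
            SYSUTCDATETIME());
    SET @AuditId = SCOPE_IDENTITY();
END;
GO
CREATE PROCEDURE dbo.usp_RecordLogoff
    @AuditId bigint
AS
BEGIN
    SET NOCOUNT ON;
    -- A caller can close only its own still-open row, stamped with server time.
    UPDATE dbo.LogonAudit
       SET LogoffUtc = SYSUTCDATETIME()
     WHERE AuditId   = @AuditId
       AND LoginName = ORIGINAL_LOGIN()
       AND LogoffUtc IS NULL;
END;
GO
-- Logon scripts connect with integrated security as members of this role.
CREATE ROLE LogonWriters;
GRANT EXECUTE ON OBJECT::dbo.usp_RecordLogon  TO LogonWriters;
GRANT EXECUTE ON OBJECT::dbo.usp_RecordLogoff TO LogonWriters;
-- No direct table rights: the procedures reach the table through ownership
-- chaining (both owned by dbo), so ad hoc reads and writes by users are refused.
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.LogonAudit TO LogonWriters;
```

A user can still call usp_RecordLogon at will, which matches the letter's caveat: false entries are not prevented, but each one carries the real account, source address, and server time.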
IT as a Career Choice
I read Jeff James’s article, “Windows
IT Pro: A Good Career Choice
for Your Kids?” (December 2007,
InstantDoc ID 97408). Maybe I just
got lucky, but my son has been at
a keyboard since he could sit up
straight on his own. He spent his
whole childhood tinkering with
hardware to software and everything
in between. I don’t see the point of
recommending or not recommending IT
as a career choice for your kids. It’s
like being an artist: Either you can
paint or you can’t. Sure, you can go to
school and learn how to paint. But that
won’t make you a great painter.
I never recommended my son
get into IT, but IT
got into him from an
early age. Too often, kids choose IT
solely for the money. Bad decision.
IT sucks unless you really, really like
it. My son likes it. Right out of high
school, he got a position with a high-profile
social-networking site making
the kind of money I started making
only a few years ago. Life just isn’t
fair.
—Scott Gutauckis