Outsiders might beg to differ, but the winning entries of the 2006 Windows IT Pro Innovators awards show that innovation and IT go hand in hand. This year's winning entries range from the truly cutting-edge "Windows on a Memory Stick" to solutions that automate password rotation, database restores, and medical coding; enhance collaboration and application development; and customize disk-image cloning. The three grand-prize winners and six honorable mentions confirm that innovation flourishes in the Windows IT community. (For a look at some additional noteworthy Innovators entries, see the Web-exclusive sidebar "Windows IT Pro Innovators Special Mentions," InstantDoc ID 93653.)
Siemens Communication Software,
Years in IT: 8
Fun Facts: Has a bachelor's degree in physics and a master's in computer applications; avid fan of cricket and tennis
Notable Quote: "What I enjoy most about the IT industry is the extremely open work culture that goes with it. We get to communicate and exchange ideas with the best in the world."
A Better Sysprep
Sysprep is widely used for deploying Windows on large numbers of systems. But it doesn't always work for deploying disk images on hardware that's different from the machine on which the image was created. Senapathy Kalyanasundaram found a way to adapt Sysprep to create installation DVDs that work with a variety of hardware.
Senapathy's employer, Siemens Communication Software (SCS), provides a product for managing telecommunications switches and switching equipment; the product requires the installation of more than 30 OEM products that work with the base product. A typical installation includes 50 or more distributed, networked Windows Server 2003 servers and Windows XP clients. "We prepare basic disk images that include all the required types of drivers, then run Sysprep to strip away all machine-specific information. At clone-image restoration time, Sysprep runs, finds the appropriate drivers to use on the target system, and does an image restore to bring up the system with the OS, OEM products, and our own product," Senapathy explains. But because Sysprep works only with compatible hardware, "We needed to have as many images as there are varieties of target systems. This meant preparing, storing, and distributing numerous clone images, each running into many gigabytes, all of which the end user would have to manage."
Restoring cloned images on dissimilar hardware caused problems such as continuous restarts or blue screens. Senapathy traced the problem to discrepancies between the hardware abstraction layer (HAL) and core kernel files on the imaged and target systems. "We decided to try isolating all the kernel and HAL files being used during a typical Windows setup," says Senapathy.
He discovered that only six core kernel files vary in Windows 2003 and XP, depending on the hardware. "So we extracted the compressed HAL and kernel files from the Windows installation CD-ROM and packaged them with the image for copying to the target system. We wrote a separate support application that runs in DOS mode and copies the correct and required HAL and kernel files to the target system before Windows boots."
This solution simplifies the cloning process for SCS and installations for its customers. "We reduced the number of image types from 16 to six," says Senapathy. "Additionally, we can adapt the solution to future changes. If a vendor changes a motherboard, instead of creating an entirely new image type from scratch, we can package the additional HAL and kernel files along with the support application so that they can be replaced along with the clone." Senapathy reports trimming installation times from 10 hours for a Windows 2003 server and four hours for an XP client to about two hours for each.
Years in IT: 16
Fun Facts: Microsoft Most Valuable Professional (MVP) in Windows Security; freelance journalist for Denmark's largest computer magazine; attended college in the United States on a football scholarship
Notable Quote: "As a generic, bootable USB solution, Windows XP is actually more plug-and-play friendly than Novell SuSE Linux 10.1."
Windows on a Memory Stick
Denmark's police force has what might be the ultimate in Windows mobile-computing technology: USB memory sticks that run XP. Two years ago, when the Danish National Police asked consulting firm WM-data to develop a state-of-the-art, secure method to let employees access the central system from any computer, Principal Consultant Martin Kiaer ultimately looked to the Linux world for inspiration. Martin devised a way to enable XP (and other Windows OSs) to boot and run reliably from a 4GB or 8GB encrypted USB memory device.
"The police wanted a highly secure and portable platform that looked and felt like the standard Windows desktop," says Martin. "I initially came up with some designs that used Windows Preinstallation Environment (WinPE), but that isn't a supported end-user OS. Then I thought about Linux: You can run it off a CD-ROM or a USB drive. I decided that if I could boot WinPE from a USB stick, it should be possible to boot any Windows OS from a USB stick."
The first time Martin tried to boot XP from a memory stick, he got a blue screen and an error. Undeterred, he spent about three weeks investigating what happens within Windows during the boot process. Martin won't divulge exactly how he got Windows to boot off the USB drive because of Microsoft licensing restrictions and Danish National Police confidentiality requirements. (Microsoft doesn't officially support booting Windows off a USB drive but gave special approval to the Danish police force to do so.)
Martin's next challenge was to make his solution generic so it could run with any make of PC or USB drive. "If you simply install Windows on a USB drive, Windows will be unstable because of the effect it has on removable devices. I had to modify my solution so that it behaves as a nonremovable storage device."
Securing the solution was Martin's final hurdle. Although USB devices have a reputation for vulnerability, "in terms of security, the USB device turned out to be my friend, not my enemy," he says. Martin worked on the solution's security function for almost a year to ensure that security, like other aspects of the system, would function the same regardless of the device on which XP was installed.
Martin determined that the essence of securing the USB devices was to keep security simple for end users. "Very few security decisions are left to users; everything is controlled centrally. The only thing the user needs is a smart card and PIN code." The 4GB USB key uses full-volume encryption (AES 256) to prevent unauthorized users from accessing the data and applications on the device. Typically, the USB key will be generic, Martin says. "At the start of a shift, a police officer gets a USB key. At the end of the shift, the officer turns in the key. The key is then 'refueled' using a specially designed life-cycle management solution—the refueling process reinstalls the OS and re-encrypts the USB key in about three and a half minutes."
To boot a computer from the memory stick, a user inserts the smart card and USB device into any computer that can establish a VPN connection, then enters a PIN. Via two-factor authentication, the user simultaneously logs on to Windows, the VPN, and Terminal Services. "We use proactive device security based on white lists, ensuring that any device attached externally or internally to the computer doesn't run if it isn't on a white list," Martin says. The user can connect to the central police department network via a LAN, wireless, or satellite connection or can work offline.
The Danish National Police will go live with Martin's solution in October. "There's nothing new about running an OS on a stick," says Martin. "What's new are the scenarios in which the solution is used and the security and maintenance schemes I developed. This project has been a passion, a lot of fun, and very challenging."
San Mateo, California
Years in IT: 20
Fun Facts: Airplane and helicopter pilot; hang-gliding instructor; shares a birthday with Windows IT Pro Senior Editor Anne Grubb
Notable Quote: "I think our role as IT professionals at the top levels of experience and involvement is increasingly becoming more of a development role."
SOX-Compliant Password System
For Akamai Technologies, attaining compliance with the Sarbanes-Oxley Act (SOX) required developing a new system for rotating passwords and maintaining a history of password versions. Kent Post's answer was to build an application that uses a secret key to automatically generate strong local and administrator account passwords on Windows systems, rotate passwords on a cycle, and track previously generated passwords.
Akamai's legacy system consisted of a flat file containing a list of passwords. Administrators generated passwords and entered them in the file—a process that risked human error and made enforcing a password policy difficult. Unable to find a commercial product to meet his requirements, Kent devised a homegrown solution. A serviced component (i.e., a COM object) acts independently of the operator and in an isolated security context to broker specific requests for password management.
The heart of Kent's solution is the secret key that's used to generate the password. "I used a hashing mechanism based on the local account's unique data, the host name, and a secret key. The secret key is never exposed and is completely held in a private process. Users can request entry points into this process to do very specific things, which are regulated by permissions. But the process takes care of all password management and computation. And the keys are iterated, so when we need to generate a new key, we can retire the old key and create a new one. All the passwords derived from that key are automatically updated."
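As an added illustration of the derivation Kent describes, and not code from Akamai's component: each account's password is derived from a secret key plus the account's own data, and rotating the key changes every derived password at once. HMAC-SHA256, the 64-symbol alphabet, the complexity rule and the in-memory key store are assumptions standing in for the unspecified "hashing mechanism"; the host names, accounts and SIDs are constructed.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# 64 symbols so that (byte % 64) selects a character without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "!#"
assert len(ALPHABET) == 64


def meets_complexity(pw: str) -> bool:
    """Windows-style rule: characters from at least three of four classes."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in "!#" for c in pw))
    return sum(classes) >= 3


def derive_password(key: bytes, host: str, account: str, sid: str, length: int = 20) -> str:
    """Derive an account's password from the secret key and the account's own data.

    HMAC-SHA256 (an assumption; the page only says "hashing mechanism") keeps
    the key secret even though host, account and SID are public. The inputs
    are NUL-separated so distinct (host, account, sid) triples can never
    produce the same message. A counter is folded in and incremented until the
    output meets the complexity rule, so the result stays deterministic for a
    given key version.
    """
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    ident = b"\x00".join(s.lower().encode() for s in (host, account, sid))
    for counter in range(256):
        digest = hmac.new(key, ident + b"\x00" + bytes([counter]), hashlib.sha256).digest()
        pw = "".join(ALPHABET[b % 64] for b in digest[:length])
        if meets_complexity(pw):
            return pw
    raise RuntimeError("no compliant password found")  # probability is negligible


class PasswordBroker:
    """Stand-in for the isolated process that holds the keys.

    Callers never see a key; they ask for a password by (host, account, sid).
    Retired keys are kept so passwords from earlier rotations can still be
    reproduced; the history records which key version was used, never the value.
    """

    def __init__(self) -> None:
        self._keys = {1: secrets.token_bytes(32)}
        self.current = 1
        self.history = []  # (host, account, key version)

    def rotate_key(self) -> int:
        """Retire the current key; every password derived from it changes."""
        self.current += 1
        self._keys[self.current] = secrets.token_bytes(32)
        return self.current

    def password_for(self, host: str, account: str, sid: str,
                     version: Optional[int] = None) -> str:
        version = self.current if version is None else version
        if version not in self._keys:
            raise KeyError(f"unknown key version {version}")
        pw = derive_password(self._keys[version], host, account, sid)
        if version == self.current:
            self.history.append((host, account, version))
        return pw


if __name__ == "__main__":
    broker = PasswordBroker()
    old = broker.password_for("SRV01", "Administrator", "S-1-5-21-1-2-3-500")
    broker.rotate_key()
    new = broker.password_for("SRV01", "Administrator", "S-1-5-21-1-2-3-500")
    print(old != new, broker.password_for("SRV01", "Administrator", "S-1-5-21-1-2-3-500", 1) == old)
```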
An administrative UI uses an ASP.NET 2.0 treeview control to let IT staff control which organizational unit (OU) containers are included in or excluded from password management (e.g., OUs that don't contain Windows systems). For local accounts, password information such as the date and status of the last successful password rotation, including failure information but excluding the actual password value, is stored in a Microsoft SQL Server 2005 table; administrators can retrieve information for a particular account via the UI.
Kent is expanding the solution to include domain and local service identity accounts in the password-rotation scheme; tiered access; key, certificate, and password age monitoring with automated email alerts; and revocation. He'd also like to adapt it to manage passwords on non-Windows systems.
Senior Database Administrator,
Christchurch, New Zealand
Faster Database Restores
The New Zealand support and development location of SunGard AvantGard performs 90,000 backups (excluding tape backups), restores, and clones per year of SQL Server and Oracle databases. SunGard IT staff needed to be able to load databases quickly without having extensive database knowledge or elevated security access. To meet this need, Senior DBA Wayne Hewitt created the AutoImport program, which consists of several batch files, a SQL Server stored procedure, and a small text-file job request that specifies details about the database-restore job, including what directory should be monitored, what priority jobs to run, and how long to wait between runs.
"Phase 1 of AutoImport automatically restores SQL Server and Oracle databases by using a simple text file that ends in '.AutoImport,'" Wayne explains. The text file contains the backup filename, the destination database server, and the target database's name. The customizable AutoImport checks for restore requests in the monitored directory, determines the destination-server settings, and restores the database. Restore requests originate either manually (from a staff member who copies and pastes an edited version of the AutoImport text file into the monitored directory) or automatically (via an automated quality assurance—QA—script global call that uses IBM Rational Robot and copies the AutoImport file into the correct monitored directory). The stored procedure builds the necessary restore command for the batch file (which connects via the OSQL utility) by reading the physical SQL Server backup file.
After completing a restore, AutoImport analyzes the results and generates a user-friendly log confirming all the restore details or explaining the cause of errors. "QA scripts can easily automate database restores without human intervention by submitting a job and checking whether the log exists once a minute, then reading the return code to ensure that the QA script can continue," says Wayne. "Initiating a restore manually is also quick and easy for end users, since they just have to put a text file in a directory and wait for the log to be returned."
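An added sketch, not AutoImport's own code, of the request-parsing and command-building step described above, written from the standpoint that the service restores with rights the submitter lacks, so every field of the request is validated before it reaches a RESTORE statement. The Key=Value layout of the .AutoImport file, the server settings table, the backup share and the logical file names are assumptions; the request itself is constructed.

```python
import ntpath
import re

# Constructed per-server settings, standing in for the "destination-server
# settings" AutoImport looks up for each request.
SERVERS = {
    "SQLDEV01": {"data_dir": r"D:\SQLData", "log_dir": r"E:\SQLLogs"},
}
BACKUP_ROOT = r"\\backupsrv\sqlbak"  # the only share the service may restore from
REQUIRED = ("BackupFile", "Server", "Database")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")  # plain SQL Server identifier

# Constructed request, in an assumed Key=Value layout for the .AutoImport file.
SAMPLE_REQUEST = """\
# restore the nightly customer backup to the development server
BackupFile=\\\\backupsrv\\sqlbak\\Customer_20060512.bak
Server=SQLDEV01
Database=Customer_QA
"""


def parse_request(text: str) -> dict:
    """Parse and validate a request before an elevated service acts on it."""
    job = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        job[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if k not in job]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if job["Server"] not in SERVERS:
        raise ValueError(f"unknown destination server {job['Server']!r}")
    if not IDENT_RE.match(job["Database"]):
        raise ValueError(f"invalid database name {job['Database']!r}")
    # Normalise with Windows path rules (ntpath works on any OS) and confine the
    # file to the backup share, so a request cannot aim the restore elsewhere.
    path = ntpath.normpath(job["BackupFile"])
    root = ntpath.normpath(BACKUP_ROOT).lower() + ntpath.sep
    if not path.lower().startswith(root) or not path.lower().endswith(".bak"):
        raise ValueError(f"backup file not under {BACKUP_ROOT}: {path!r}")
    job["BackupFile"] = path
    return job


def _lit(s: str) -> str:
    """Escape a value for use inside an N'...' T-SQL string literal."""
    return s.replace("'", "''")


def build_restore_sql(job: dict, logical_files: dict) -> str:
    """Build the RESTORE DATABASE statement the batch file passes to OSQL.

    logical_files maps each logical file in the backup to 'D' (data) or 'L'
    (log). AutoImport reads these from the backup itself; here the caller
    supplies them.
    """
    cfg = SERVERS[job["Server"]]
    db = job["Database"]
    moves = []
    for name, kind in logical_files.items():
        target_dir = cfg["log_dir"] if kind == "L" else cfg["data_dir"]
        safe = re.sub(r"[^A-Za-z0-9_]", "_", name)  # logical names are untrusted
        target = ntpath.join(target_dir, f"{db}_{safe}{'.ldf' if kind == 'L' else '.mdf'}")
        moves.append(f"MOVE N'{_lit(name)}' TO N'{_lit(target)}'")
    return (f"RESTORE DATABASE [{db}] FROM DISK = N'{_lit(job['BackupFile'])}' "
            "WITH REPLACE, STATS = 10" + "".join(", " + m for m in moves))


if __name__ == "__main__":
    request = parse_request(SAMPLE_REQUEST)
    print(build_restore_sql(request, {"Customer": "D", "Customer_log": "L"}))
```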
AutoImport has saved SunGard a huge amount of time on database restores, which translates to better customer service. "The AutoImport program saves around five to 10 minutes per SQL Server database and 10 to 20 minutes for Oracle databases," says Wayne.
Database Analyst, Baylor Health Care System, Dallas, Texas
Automated Medical Coding
After developing an automated procedure-coding system for Baylor Health Care System, veteran DBA Ed Bond probably knows more than many healthcare professionals about invasive-cardiac and peripheral-vascular procedure codes. Traditionally, medical coders manually derive the correct codes for more than 300 distinct cardiac procedures from documentation entered in a patient's chart. Missing information often prevents coders from entering the correct codes. The hospital asked Ed to assess whether automating the coding and enhancing electronic charting could eliminate such errors.
Ed first researched charge coding, which took several months, then developed algorithm specifications for all the codes and wrote the application. Data entered into a patient's chart via the hospital's computerized system is sent to the server via FTP. ParserQC, the Visual Basic (VB) utility that Ed wrote, monitors the FTP folder on the server and retrieves data as it appears. ParserQC parses the information necessary to derive codes from the charted notes and temporarily stores the data in a Microsoft Access database. The utility checks for required information, derives the charge codes from information stored in a SQL Server database, produces the patient reports for the medical record, and stores the derived data in the SQL Server database.
After using the new system for more than 18 months, Baylor Health Care System has greatly improved the accuracy of complex cardiac procedure coding. Doctors like the system because they no longer need to dictate procedure reports; ParserQC derives reports from the charted information. Lab staff spend less time manually deriving charge information and have less paperwork to process. "The system has decreased costs associated with charge coding, increased revenue [by reducing the number of rejected insurance claims] and accuracy of patient billing, and enabled clinical staff to spend more time on patient care," says Ed.
The Scripps Research Institute,
La Jolla, California
Sharing Outlook Calendars Via SharePoint
Collaboration is the lifeblood of The Scripps Research Institute, a biomedical research organization that consists of a network of geographically dispersed laboratories. Lab members needed an easy way to share information in their Microsoft Office Outlook 2003 calendars. "We use Office 2003 and Microsoft SharePoint Portal Server 2003 like you have no idea, and we like out-of-the box solutions," says Josh Kunken. "But we couldn't use Outlook to post messages on the portal. We wanted to be able to create and modify SharePoint list items, such as events, in our Outlook calendars, and we also wanted those items to appear on the portal."
Josh also assigned each calendar its own email address, so that an Outlook user can post an item in the public folder calendar by sending an email message to it. Posting a calendar item via either method adds the item to the user's Outlook calendar and SharePoint simultaneously. "We also set up links on the DNS tables and used the relay between our Exchange server and the Internet, so that users outside of Scripps Research could post to the calendars as well," Josh says.
"These applications markedly contributed to improving performance of colleagues and external collaborators," says Josh. "By centralizing critical information relevant to our group on our SharePoint portal, we've improved online participation and communication and have become efficient in disseminating information to the group."
First National Bank of Bosque County,
Valley Mills, Texas
NT Network Overhaul
In 2005, senior management of First National Bank of Bosque County approved retiring the bank's legacy Windows NT Server 4.0 network and moving to Windows 2003 and XP. Like most small-to-midsized businesses (SMBs), the community bank had a lean IT budget and limited IT staff. Vice President of Operations Brent Rickels explains his goals for the upgrade: "I wanted a setup that would be secure, offer high performance and reliability, and be easy to manage. I said, 'let's scrap everything, buy new hardware and software, and do this right.' But we don't have a huge IT budget, so every dollar spent needed to be as productive as possible."
Brent's plan was to use a combination of off-the-shelf software, built-in Windows tools, and infrastructure design to accomplish these goals. He started by developing a domain blueprint. Brent created two domains: a root domain that contains two domain controllers (DCs) in different locations for redundancy, has only two user accounts, and is used for routine maintenance; and the bank's primary domain, which has four DCs, each of which also acts as a DNS server for the bank's internal network.
Brent was especially mindful of security. "Our public Web server and mail server are located in offsite data centers with high security and a full-time IT staff," says Brent. The bank actually uses two mail servers—an external POP3 server that uses multiple antivirus engines and spam filters, and an internal Exchange 2003 system—and gives only certain employees public email addresses.
Brent employs a Cisco Systems firewall at the gateway and Windows Firewall on local PCs and uses Surf Control's Web filter product to control users' Internet access. To protect against malware, the bank installed SecureWave's Sanctuary application control software, which creates a database of all bank-approved software, monitors all software that tries to run, and prevents unapproved software from being executed.
The bank makes heavy use of Group Policy in combination with ScriptLogic's Desktop Authority to monitor computers for activity and perform automatic shutdowns. Brent also runs Microsoft Baseline Security Analyzer twice a year and uses DFS for file replication to redundant servers.
Brent implemented the upgrade in stages and was amazed at how smoothly it went. Users and management are happy because security is tighter and access to system resources is quicker. And the new system frees Brent from many administrative tasks he formerly performed. "I now spend a lot less time managing our network, answering questions, and configuring PCs. Remote control alone has saved me countless hours."
Roland Schorr & Tower,
OneNote Collaboration Tool
Field employees for technology consultant Roland Schorr & Tower needed a way to share information to aid in troubleshooting and onsite maintenance for clients. "Because different engineers have different specialties and skill sets, frequently two or more engineers needed to collaborate on a problem," says Ben Schorr, CEO. Ben opted to use Microsoft Office OneNote 2007. "We've been beta testing Office 2007 since last year, and I'm a OneNote MVP, so it was a good choice for us," says Ben.
Ben wanted a system that would let engineers document their client visits and easily and quickly search all documentation when researching solutions to clients' technical problems. "We set up a shared notebook in OneNote on a server drive and had our field people open that folder on their tablet PCs," he says. OneNote synchronizes a copy of the server folder to the engineer's local hard drive. The notebook contains a section for each client, which includes a page for each device the client has and pages for general information, billing notes, open problems, and other documents. Every change made to a page in the local shared folder is synchronized to the main folder on the server the next time the tablet PC connects to the server.
"With this system we have a large, dynamic, fully searchable collection of notes on each client and their environment," says Ben. "We can drag and drop Web content [onto a page] or grab screen shots of error messages or configuration screens and save those right in the client notes. If we have a meeting or phone call with the client or a vendor, we can even record the audio so that it's accessible to our entire group." The solution has enabled knowledge sharing among employees and provided better documentation for billing. "I can't imagine any project we've ever done that beats this one in terms of ROI," he says.
Director of Operations, Smooth Fusion, Lubbock, Texas
Decentralizing Web Development
Three years ago, IT pros at Smooth Fusion, a developer of enterprise Web applications, shared a common frustration: The process of developing and staging Web applications was hampered by a centralized environment. Developers used Microsoft FrontPage Server Extensions for Web-site development. Whenever a developer changed a portion of code, all developers' code had to be checked out from the central development server, built, and checked in again. "This process consumed all my time, frustrated the project managers, and robbed the company of productivity," says Justin Selleck, Smooth Fusion's director of operations.
Justin, with help from Heath Bowlin, then director of network operations, decided to revamp the development environment, starting with eliminating the use of FrontPage Extensions in favor of Microsoft Visual Studio and Microsoft Visual SourceSafe, a version control system. "We moved to an isolated development environment where developers write the code on their own systems, check it into a development server, and build the application on that server once all the code is compiled together," says Justin.
Next, Justin created an application that runs on the Web server and lets the developers build their code on that server. Justin's application calls Mobi-Sys Software Products' VisualMake, which performs the build, and provisions build tasks for developers.
The final phase was to modify the staging and rollout processes. "Using the same application, I built a way for the project managers to stage the site out to the staging servers so the clients could see it," Justin explains. "I also added another level [to the application-testing process], where we test the Web site against the live database before actually going live. Finally, I created a Web site where our QA people can log in and call a script that rolls out an application that's ready to go live."
"The devprocess (as we call it) has truly revolutionized the way we do development," says Justin. "The solution increased developer productivity and lets project managers deliver changes to Web sites in minutes rather than hours. And now I can go home when it's still light!"