Microsoft Asks: Who Are You?
I’ve been in IT since 1993, and that seems like an eternity some days. I work for a Microsoft Certified Partner that develops custom software. We’re a Microsoft shop. I’ve spent 10 years working for my current employer, so I would say I’m pretty familiar with the history of Microsoft and IT. I find Microsoft wanting in many ways, mostly because the company continues to make my job difficult.
In response to Karen Forster’s editorial, “Microsoft Asks: Who Are You?” (December 2007, InstantDoc ID 97478), I have to say I find no compelling reason to share any of my personal information with Microsoft. Maybe I’m just old and grouchy, but I don’t see how celebrating my ability to play the kazoo translates into helping me do my job. I have a firm grip on who I am and have never confused myself with my profession. Honestly, Microsoft’s initiative seems like a marketing gimmick. If this kind of email message arrived at my company, it would probably get tagged as spam.
Custom Logon- Tracking Solution Insecure?
The Custom Logon-Tracking Solution (“Windows IT Pro Innovators Share Their Successes,” November 2007, InstantDoc ID 97204) struck me as rather insecure. Any time you have a shared Microsoft Access database that is writeable by large numbers of individuals, you have a potential nightmare.
First, the logon script runs under the user’s ID, which means he or she must have write access to the Access database. Nothing prevents the user from deleting, creating, and modifying records. Anyone with access can forge entries, purge entries, and otherwise modify records. Also, depending on how administrators access the account-logging database, an even bigger vulnerability is possible. In Access 2003, when I open .mdb files, the system warns me that if this .mdb file contains code intended to harm me, it can do so! If non-privileged users modify that .mdb file, opening it allows dangerous Visual Basic for Applications (VBA) code to run. If administrators are careful and never open the .mdb file itself—and always interact with it through table links from another .mdb file—they’re probably safe. If not, they’re vulnerable.
I’m no security guru, but I would suggest using a restricted SQL Server database instead of an .mdb file. Then, I’d create SQL Server stored procedures for creating the logon records and updating the logout time. Those stored procedures would use SQL Server functions to enumerate the machine, the username (using integrated security), the logon time, and so on. I wouldn’t be able to prevent people from trying to insert false data, but I’d know what account was used, what IP address they came from, and when it happened (based on the server’s clock). I’d also restrict the database growth size, set up alarm notifications, and so on.
There are security vulnerabilities that could lead to problems, especially if the solution is used to store mission-critical or highly sensitive data. In our case, the solution was purely a tool for us to learn which computers were being used and to what extent. Even so, our Access database is stored on a separate share that is completely locked down with several layers of security, including firewalls, file permissions, and GPOs. Only administrators have rights to browse to the location, and only authenticated users on our domain have read/write access to the database. An authenticated user would have to know the exact path and filename of the database to even try to tamper with it. That information would be very difficult for our users— none of whom have local administrative rights—to obtain. Migrating the solution to a SQL Server database would certainly increase security, and I would strongly recommend that option if higher security is needed.
IT as a Career Choice
I read Jeff James’s article, “Windows IT Pro: A Good Career Choice for Your Kids?” (December 2007, InstantDoc ID 97408). Maybe I just got lucky, but my son has been at a keyboard since he could sit up straight on his own. He spent his whole childhood tinkering with hardware to software and everything in between. I don’t see the point of recommending or not recommending IT as a career choice for your kids. It’s like being an artist: Either you can paint or you can’t. Sure, you can go to school and learn how to paint. But that won’t make you a great painter.
I never recommended my son get into IT, but IT got into him from an early age. Too often, kids choose IT solely for the money. Bad decision. IT sucks unless you really, really like it. My son likes it. Right out of high school, he got a position with a high-profile social-networking site making the kind of money I started making only a few years ago. Life just isn’t fair.