Secure Devices with NDES

I've just read Russell Smith’s “Setting Up Network Device Enrollment Service” (August 2010, InstantDoc 125385). This information comes at a great time for us. We just implemented a new enterprise certificate authority (CA) and are starting to get requests for issuing certificates to cell phones and Linux machines. Do you have any experience or know of any success stories about folks using Microsoft NDES for other devices outside of routers and firewalls? Can I assume that if the device supports Simple Certificate Enrollment Protocol (SCEP), we should be good to go? Many thanks. I appreciate the great article.

—Thomas Harder

I'm glad you found the article useful! Actually, I wouldn't assume that you’re good to go if that device supports SCEP. Different SCEP implementations might not be compatible with one another, so you should test each device that you want to issue a certificate to. Windows Mobile has its own mechanism for deploying certificates (i.e., ActiveSync or the Windows Mobile Device Centre in Windows Vista and later). Apple iPhone (iOS 3.0 or later) is the only mobile device I know of that supports SCEP natively, but it has known issues. Please let me know if you have success with your SCEP deployment; your story might be something we can feature in a future edition of Windows IT Pro.

—Russell Smith

EFS and Kon-Boot

In his FAQ, “How do I stop tools like Kon-Boot?” (InstantDoc ID 125801), John Savill suggests that one of the mitigations for Kon-Boot is to use Encrypting File System (EFS). But if you have access to local files using cached credentials, wouldn't you also have access to the EFS encrypted files belonging to this user?

—Robin Penny

EFS doesn't really help with the specific Kon-Boot attack because of the cached credentials in use. However, it does help with other types of attacks that focus more on the file system. The FAQ in question refers to “tools like Kon-Boot,” so EFS is still a great extra layer of defense. We always want defense in depth where possible. But, for Kon-Boot specifically, BitLocker is king.

—John Savill

Dual-Booting Windows 7 and Windows XP

Regarding Michael Otey’s “Upgrading from Windows XP to Windows 7” (January 2010, InstantDoc ID 103144)—as well as Robert Schor’s comment in the Letters column in the March 2010 issue (InstantDoc ID 103507)—I think both methods are a bit messy. I have used the following method, which is simple and works perfectly.

  1. Create three partitions—The first two partitions will be the OS partitions, and the third will be the data. Adjust size accordingly. Note that XP will be installed first. You can use the (limited) partition manager when you install XP to set up the three partitions. All three partitions are created and should be formatted. This way, the CD/DVD drives won’t change between OSs.
  2. Install XP—The middle partition will be the XP installation. When you're done, the C drive will be blank (except for the NT boot files), the D drive will have XP, the E drive will be your data drive, and the F drive will be the DVD drive.
  3. Move your My Documents folder to the E drive—This step requires a bit of tinkering. I also move the Favorites folder into My Documents. That way, they'll get backed up, and both OSs can access the same My Documents and Favorites.
  4. Install Windows 7 (or Windows Vista, if you wish)—Note that if you're using the 64-bit OS, you must boot off the DVD because you can’t (normally) start the 64-bit installation from a 32-bit OS. When prompted, don’t upgrade, and aim the installation to the C drive. When you're done, the C drive will be Windows 7, the D drive will have XP, the E drive will be your data drive, and the F drive will be the DVD drive.
  5. Move My Documents into the same folders where XP was moved—Do the same for Favorites. In Windows 7, it’s as easy as right-clicking the folder in your user file and changing the location.

Now, both OSs will have the same drive sequence. I’ve encountered only two problems with this method. First, every time you boot into XP, it will kill the Windows 7 System Restore points. To correct the situation, you either “hide” Windows 7 from XP or enable BitLocker in Windows 7. For more information, see the Microsoft article "No restore points are available when you use Windows Vista, Windows 7 or Windows Server 2008-based operating systems in a dual-boot configuration together with an earlier Windows operating system" (support.microsoft.com/kb/926185). Also, when you hide Windows 7 from XP, you can’t access the XP boot.ini file. However, you don't really need it because both OSs use the Windows 7 boot manager.

—Ed Braiter

Highly Opposed to the Cloud

In his Exchange and Outlook blog post, “IT Pros Resist Moving Messaging to the Cloud,” (www.windowsitpro.com/blogs/exchangeandoutlook.aspx), Brian Winstead asks, "It also makes me wonder why, if the IT pros are still so set against cloud computing, the industry analysts and tech speculators continue to tout this as the next big thing?" Frankly, I find this to be a common occurrence. Although I want to read about the latest technology and its potential benefits, I'm sometimes annoyed when articles slant toward the mindset of "This is the best thing ever, everybody else is doing it, you should too!" All these new technologies—the cloud, VDI, hosted VoIP—offer exciting new features and might well be the way of the future, but they're new and they still have drawbacks. Sometimes they lack features we take for granted in our legacy systems. So although they might be a fit for some companies, they're not a fit for many—at least not yet. Maybe in 10 years, when it's matured, cloud-based email will be the norm. Until then, journalists and analysts need to remember that most of us have entrenched legacy systems that will be slowly phased out as new technologies mature.

—Richard Van Alstine

Thanks for the response. I’m probably as guilty as anyone of making some of these technologies sound too exciting, but I usually try to look for the loopholes at the same time—which is part of the reason I posted the poll question about hosted Exchange in the first place. I’ve long sensed a disconnect between what Microsoft and other vendors are saying about hosted messaging and what’s really happening in the field. On the other hand, I’m not sure it will take as long as 10 years for the cloud world to mature enough to gain general acceptance; the technologies just improve too quickly these days. That doesn’t necessarily mean that all companies will find it feasible to move all their systems to the cloud, either. As you say, there are many legacy systems in place, and you’re not going to abandon something that’s working.

In my blog, I've recently posted a short piece that's a slight expansion of what I originally wrote. I’d like to encourage you and other readers to post comments there—it’s important to continue this discussion and let the IT pro voice be heard!

—Brian Winstead