Spam has become a bit of a sore subject at work. We've been using what was Sybari Antigen (now a Microsoft product) on our Exchange server for years. However, it's just not managing all our spam issues at an acceptable rate any more. It certainly blocks a lot, but about 15-20 messages are still getting through to my Outlook client every day, where only about 80% of those are being caught with Outlook junk mail filtering.
And since I'm a BlackBerry user, it means that those 15-20 messages are delivered to my mobile device regardless of what my Outlook client does with them at my desktop. So I've started a search for another solution.
Our first decision was "appliance" vs "SaaS". From a network admin perspective, there is a lot to like about moving anti-spam services into the cloud. I liked the idea of offloading spam traffic to an outside network, thus only having my network support legitimate mail delivery. I liked not having yet another box to plug in and wire into my LAN racks. I liked being about pay monthly/annually for exactly the services we were using. And I liked the possibility of being able to add on some email archiving and discovery services at a later time.
So I compared a few services, kicked my results up to management and was ready to sign up. But there was one roadblock - SAS70 II certification. As a company that does fall under HIPAA, SAS70 certification was something I was asking about while I was researching vendors, but now it was time to prove that certification to our auditors.
SAS70 II certification involves a variety of areas: Physical Security, Environmental Protection, Computer Operations, Information Security, Data Communications, Customer Access Controls and DR/Business Continuity Assurances. Many of the vendor we were considering were using data centers of major telecommunications companies/ISPs and while those companies were certified for themselves, that certification doesn't necessary mean that the anti-spam vendor (a client of theirs) was also fully certified - especially in the areas outside of physical security and environmental protection. SAS70 certification is not transitive, so to speak.
Ultimately, our auditor recommended that we NOT use services based in the cloud for our email, because there was a chance (either by later using them for archiving or by them quarantining a legitimate message, etc), that they could be storing our company data. This was a risk my company was not willing to take.
This isn't to say that their aren't SaaS vendors who are SAS70 certified. But my company is a little spooked by the whole "cloud computing" idea right now. So it's back to drawing board for me, this time looking at appliances.
Friday, May 22, 2009
Wednesday, May 20, 2009
The Joys of SPNs
Last week I was at TechEd in LA and spent some of my time listening to Mark Minasi talk about Kerberos in Active Directory. He spent some time talking about SPNs (Service Principal Names). The takeaways were:
a) They needed some love and care when creating them manually.
b) That you really didn't want duplicates of them lying around in AD.
I've dealt with SPNs on occassion when dealing with delegating connections between SQL servers for one of our in-house applications and always remember it being a confusing process that I never spent enough time to seriously understand. So I nodded to myself in agreement with the speaker and moved on.
Then I came back to work. One of our on-going projects required serveral of our company SQL servers to be moved from one domain to another. Our DBA was responsible for planning this work, since he'd ultimately be the one fielding the support calls if things went bad. And he decided to work on this yesterday, tapping me to help out with anything that fell into the realm of Active Directory.
The key troublemaker in all of this? SPNs.
It can be tricky to find old SPNs when you aren't really sure where to look, and since we were never really sure of what we'd done in the past, knowing where to look was a factor. It's also hard to tell if you are doing things correctly using the SetSPN Tool that comes with Server 2003, as it lacks some of the improved features of the Server 2008 version. Also, we had a lot of moving parts involved - changing the domain membership of the servers, changing the service account that runs the SQL Services on each server and the additional issue of forgetting to check that DNS was updated properly.
The big helper in all of this? ADSIEdit.
Once we realized where we were supposed to look (at the service accounts, not the servers themselves), it made adding the new SPNs and remove the duplicates really easy. And now I really think I understand how SPNs work - instead of my previous attempts of just mucking around and getting lucky.
a) They needed some love and care when creating them manually.
b) That you really didn't want duplicates of them lying around in AD.
I've dealt with SPNs on occassion when dealing with delegating connections between SQL servers for one of our in-house applications and always remember it being a confusing process that I never spent enough time to seriously understand. So I nodded to myself in agreement with the speaker and moved on.
Then I came back to work. One of our on-going projects required serveral of our company SQL servers to be moved from one domain to another. Our DBA was responsible for planning this work, since he'd ultimately be the one fielding the support calls if things went bad. And he decided to work on this yesterday, tapping me to help out with anything that fell into the realm of Active Directory.
The key troublemaker in all of this? SPNs.
It can be tricky to find old SPNs when you aren't really sure where to look, and since we were never really sure of what we'd done in the past, knowing where to look was a factor. It's also hard to tell if you are doing things correctly using the SetSPN Tool that comes with Server 2003, as it lacks some of the improved features of the Server 2008 version. Also, we had a lot of moving parts involved - changing the domain membership of the servers, changing the service account that runs the SQL Services on each server and the additional issue of forgetting to check that DNS was updated properly.
The big helper in all of this? ADSIEdit.
Once we realized where we were supposed to look (at the service accounts, not the servers themselves), it made adding the new SPNs and remove the duplicates really easy. And now I really think I understand how SPNs work - instead of my previous attempts of just mucking around and getting lucky.
Customer Focus Design for Window Server with PacITPros
On May 5th, I helped organize a special event for the Pacific IT Pros user group in San Francisco. Customer Focused Design is a process used by Microsoft to collect feedback about features and requirements that need improvement in future product development.
The goal of this event was to provide Microsoft with feedback related to the future of the Windows Server operating system. The Customer Focused Design team was very appreciative of the time PacITPros spent brainstorming together to during the session. They saw a lot of really good ideas and value come out of the session. Overall, the three groups provided over 300 individual requirements and close to 50 high level requirements where improvements could be made.
That information was distilled into the following series of slides:Group 1 (Kevin Lane) - 15 high level requirements, with 97 individual sticky requirements.Group 2 (Robert DeLuca) - 18 high level requirements, with 54 individual sticky requirements.Group 3 (Pat Fetty) - 16 high level requirements, with 174 individual sticky requirements.
The slides highlight the following information:
"Customer Importance" - this provides the prioritization of the requirements that were generated.
"Current Ability" - This is the PacITPros ranking of Microsoft’s ability to deliver this requirement right now based on the technology Microsoft provides in Windows Server 2008 and Windows Server 2008R2. The ranking numbers are:
1 = Microsoft doesn't deliver this at all
2-3 = you can do this with significant workarounds and/or 3rd party solutions
4-7 = Mircosoft delivers this with minimal workarounds or other applications
8-9 = Microsoft delivers this with no workarounds
10 = Microsoft couldn’t do this any better
"Improvement Pareto" - The requirements and the ability rankings are calculated together to determine the improvement areas needed for focus. Areas with high importance but low ability are areas that Microsoft needs to put some work into. Areas that are low mean that Microsoft needs less investment and effort to deliver what is needed.
Kudos to all the PacITPros members who participated. This was a hands-on way to have our voices heard directly by Microsoft.
The goal of this event was to provide Microsoft with feedback related to the future of the Windows Server operating system. The Customer Focused Design team was very appreciative of the time PacITPros spent brainstorming together to during the session. They saw a lot of really good ideas and value come out of the session. Overall, the three groups provided over 300 individual requirements and close to 50 high level requirements where improvements could be made.
That information was distilled into the following series of slides:Group 1 (Kevin Lane) - 15 high level requirements, with 97 individual sticky requirements.Group 2 (Robert DeLuca) - 18 high level requirements, with 54 individual sticky requirements.Group 3 (Pat Fetty) - 16 high level requirements, with 174 individual sticky requirements.
The slides highlight the following information:
"Customer Importance" - this provides the prioritization of the requirements that were generated.
"Current Ability" - This is the PacITPros ranking of Microsoft’s ability to deliver this requirement right now based on the technology Microsoft provides in Windows Server 2008 and Windows Server 2008R2. The ranking numbers are:
1 = Microsoft doesn't deliver this at all
2-3 = you can do this with significant workarounds and/or 3rd party solutions
4-7 = Mircosoft delivers this with minimal workarounds or other applications
8-9 = Microsoft delivers this with no workarounds
10 = Microsoft couldn’t do this any better
"Improvement Pareto" - The requirements and the ability rankings are calculated together to determine the improvement areas needed for focus. Areas with high importance but low ability are areas that Microsoft needs to put some work into. Areas that are low mean that Microsoft needs less investment and effort to deliver what is needed.
Kudos to all the PacITPros members who participated. This was a hands-on way to have our voices heard directly by Microsoft.
Subscribe to:
Posts (Atom)
-small.jpg)
