Fix it — great idea!

fixit.jpg

If you’re hav­ing a prob­lem with a Microsoft prod­uct, then the first stop for find­ing a solu­tion pret­ty much needs to be the MS Knowl­edge­base. It’s solved prob­lems for me and for clients times with­out num­ber. Often how­ev­er this has involved print­ing out the arti­cle in ques­tion in order to fol­low a series of steps on the com­put­er with the prob­lem.

A new, and very wel­come addi­tion to some arti­cles on the Knowl­edge­base removes the need for this — a “Fix it” but­ton, shown above, has been added. When this but­ton is avail­able, it will down­load a small file that con­tains a script or exe­cutable that per­forms all the steps for you. For exam­ple, if Inter­net Explor­er is miss­ing from your desk­top, the “Fix It” but­ton down­loads a small installer file con­tain­ing a script to put it back.

I can see this going far, and hope it’s a major change in fix deliv­ery. Help Desks in par­tic­u­lar should gear up to build local libraries of these script­ed fix­es, in order to push them out where required. And build­ing the serv­er-spe­cif­ic fix­es into Sys­tem Cen­ter Oper­a­tions Man­ag­er for auto­mat­ed behind-the-scenes prob­lem res­o­lu­tion would be a great next step too.

UAC Flaw — MS listens, promises to fix.

Good news on the User Access Con­trol flaw I wrote about a few days ago — the Win­dows 7 engi­neers have promised to fix it in the release can­di­date, and have gone even fur­ther in the fix than was asked.

The addi­tion­al pro­pos­al is to run the User Access Con­trol pan­el in a mode where oth­er pro­grams can­not manip­u­late it with­out first gain­ing ele­vat­ed rights. This should put and end to any poten­tial exploit via this route.

Good to see the engi­neers respond­ing to this. The fact that they had to, how­ev­er, leads me to won­der if they’re not a lit­tle insu­lat­ed – they talked about “Cus­tomer Dri­ven Engi­neer­ing” in their pre­vi­ous post clar­i­fy­ing their views on the flaw (now changed of course) but sure­ly a lit­tle bit of com­mon sense and engi­neer­ing expe­ri­ence should have told them that this was wrong, regard­less of what the behav­iour­al mon­i­tor­ing they per­formed sug­gest­ed?

UAC flaw “by design” says Microsoft

Microsoft dis­miss­es Win­dows 7 UAC secu­ri­ty flaw, con­tin­ues to insist it is “by design”:

Just because it’s by design does­n’t mean to say it’s right. This is exact­ly the blink­ered think­ing that we heard from the peo­ple work­ing on UAC in the Vista time­frame — “This is the way it’s going to be, we know bet­ter than you.”

Since that atti­tude was prov­ably incor­rect last time, what makes it any more right this time?

(Via I Start­ed Some­thing.)

User Access Control security flaw in Windows 7 beta

Sac­ri­fic­ing secu­ri­ty for usabil­i­ty: UAC secu­ri­ty flaw in Win­dows 7 beta:

By default, Win­dows 7’s UAC set­ting is set to “Noti­fy me only when pro­grams try to make changes to my com­put­er” and “Don’t noti­fy me when I make changes to Win­dows set­tings”. How it dis­tin­guish­es between a (third par­ty) pro­gram and Win­dows set­tings is with a secu­ri­ty cer­tifi­cate. The applications/applets which man­age Win­dows set­tings are signed with a spe­cial Microsoft Win­dows 7 cer­tifi­cate. As such, con­trol pan­el items are signed with this cer­tifi­cate so they don’t prompt UAC if you change any sys­tem set­tings.

The Achilles’ heel of this sys­tem is that chang­ing UAC is also con­sid­ered a “change to Win­dows set­tings”, cou­pled with the new default UAC secu­ri­ty lev­el, would not prompt you if changed. Even to dis­able UAC entire­ly.

Whoops. This one is a bit of a show­stop­per. I’m very hap­py with the re-imag­ined User Access Con­trol in Win­dows 7 (I believe it’s pret­ty much what it should have been in Vista) but this def­i­nite­ly needs fixed. I agree com­plete­ly with Long Zheng’s pro­posed solu­tion:

Microsoft can imple­ment with­out sac­ri­fic­ing any of the ben­e­fits the new UAC mod­el pro­vides, and that is to force a UAC prompt in Secure Desk­top mode when­ev­er UAC is changed, regard­less of its cur­rent state. This is not a fool-proof solu­tion (users can still inad­ver­tent­ly click “yes”) but a sim­ple one.

(Via I Start­ed Some­thing.)

Windows 7 can be added to domains offline!

I have been wait­ing for this to hap­pen for twelve years, ever since my first mul­ti­ple-thou­sand-seat Win­dows desk­top roll­out — Win­dows 7 (and Win­dows Serv­er 2008 R2) can be added to domains with­out phys­i­cal­ly being con­nect­ed to that domain over a net­work

This is done with a new com­mand — djoin.exe — added into these prod­ucts. It’s used (on an exist­ing machine in the domain) to gen­er­ate a block of infor­ma­tion in a file, that can be used on anoth­er machine to auto­mat­i­cal­ly join the domain with­out being con­nect­ed at that time.

This is fan­tas­ti­cal­ly use­ful for any­one per­form­ing big cor­po­rate roll­outs – where it’s not always pos­si­ble to build the machines in situ. Any con­sul­tan­cy work­ing on a build-and-cus­tomise desk­top project for a client is going to absolute­ly love this.

Found on bink.nu.

How to install Vista Upgrade editions in Parallels

Installing MS Win­dows Vista into Par­al­lels is a bit of a chore if you’ve only got an upgrade edi­tions of the soft­ware. This how-to tells you the steps in order to make it work.

First­ly, make an image of your Vista DVD. This will make the install run much faster, and you’ll need to be doing two of those. Insert the vista DVD, then in Disk Util­i­ty, select the DVD UDF Vol­ume and press “New Image”. Call it Vista, save it to the desk­top, and change the image type to “DVD/CD Mas­ter”

Once that fin­ish­es, it’s time to pow­er up Par­al­lels. Make sure you’re run­ning at least Release Can­di­date 1 — down­load it from the Par­al­lels web­site if not. Cre­ate a new VM and select “Cus­tom”. On the next page, make sure the OS ver­sion is set to Win­dows Vista. Leave the mem­o­ry, hard disk set­tings and the net­work set­tings alone. Name the Vir­tu­al Machine (or again just accept the default).

On the next page, where you’re asked to insert the instal­la­tion CD, open up “More Options”, select “ISO Image” and press “Choose” to select the image cre­at­ed ear­li­er — saved to your desk­top. Press “Fin­ish” to begin the Vista instal­la­tion.

Well, actu­al­ly, your first Vista instal­la­tion. Because we’ll be doing two here. The trick is that we don’t enter your licence key the first time around, thus fool­ing Vista into installing. Unlike XP upgrades, which just need­ed a look at a CD or a pre­vi­ous instal­la­tion to pro­ceed, licenced Vista won’t install unless it’s being installed over the top of a pre­vi­ous OS. Luck­i­ly, “pre­vi­ous OS” includes unli­censed Vista!

Start the instal­la­tion going. The first thing it will ask you is your inter­na­tion­al set­tings. Set them as appro­pri­ate. Click onto the next page, then click “Install Now”. On the fol­low­ing page, it will ask for your prod­uct key. Do not type in your prod­uct key — instead, press “Next”, say “No” to the fol­low­ing dia­log box, then on the next page choose the ver­sion of Vista you’re installing.

(I have no idea what the dif­fer­ence between, say, Busi­ness and Busi­nessN is — can some­one enlight­en me? I just chose from the non‑N ones.)

Tick the box on that page, press Next, accept the licence terms, press Next. On the fol­low­ing screen the type of instal­la­tion will be set to “Cus­tom”. That’s fine. Press Next to choose where to install it, the default is fine so press Next again.

At this point the instal­la­tion of Vista will start. The VM will reboot sev­er­al times — just let it do so. Instal­la­tion will run to com­ple­tion just fine, go away for 30 min­utes.

(time pass­es)

Choose a user­name and on the next page, a com­put­er name. These aren’t vital but you’ll need to remem­ber the user­name for the next 30 min­utes. Then, on the secu­ri­ty updates page, select “Ask me lat­er” — one of the cur­rent Vista updates breaks Par­al­lels, and we don’t want that to hap­pen. Final­ly, set your time­zone, then press “Start”.

Vista will then check the VM’s per­for­mance, then start up. Con­grat­u­la­tions, it’s installed. Log in, and

Do not install Par­al­lels Tools right now. It will cause you pain lat­er.

Now we’re going to do all of this over again, this time with a licence key.

From the Start Menu, choose Com­put­er, then dou­ble-click on the DVD dri­ve. Dou­ble-click on Set­up. Allow the pro­gram to run. Click on “Install now”.

On the next screen, don’t get the lat­est updates for instal­la­tion at this time, because it might crash Par­al­lels. On the next screen, enter your prod­uct key. Accept the license, as before.

On the fol­low­ing screen, again click on “Cus­tom” for type of instal­la­tion. Accept the default for the instal­la­tion disk, as before, then click “OK” in the dia­log box.

Instal­la­tion will then start. Anoth­er 30 min­utes here.

(time pass­es, again)

This time, when asked for a user­name and com­put­er name, choose ones you wish to stick with as this is final. Choose “Ask me lat­er” for the secu­ri­ty updates, then set the time­zone as before.

Vista will again check per­for­mance, then start.

That’s it. We’re done. Just tidy-up to do now.

First­ly, install Par­al­lel Tools from the Mac “Action” menu. This will give prop­er inte­gra­tion between your Mac and the Vista VM. It’ll need a reboot. After that, nav­i­gate from “Com­put­er” on the Start Menu to your hard disk, then delete the “windows.old” direc­to­ry. That was the ini­tial install.

Now, from the Mac’s “Action” menu, run the Par­al­lels Disk Com­pres­sor, in order to neat­en up the VM’s hard disk. This takes a while. But once it’s done:

Con­grat­u­la­tions. You have a per­fect­ly fresh work­ing installed copy of Vista, from a Vista Upgrade CD, in a Par­al­lels VM.

Now go and enjoy before Par­al­lels bring out a new ver­sion, forc­ing this to become incor­rect and me to write out a cor­rect­ed ver­sion.

Enjoy!