Microsoft’s Passport e-wallet invites pickpockets

A newly discovered flaw in Microsoft’s Passport put another layer of tarnish on the company’s already heavily corroded security image. Microsoft was forced to temporarily shut down its Passport e-wallet service after being warned that hackers could pickpocket individual e-wallets.

Passport and e-wallet
Microsoft’s Passport service provides a centralized database to store and distribute confidential data and a way for users to be identified on the Web. Passport can make Web sites easier to use because you don’t have to keep identifying yourself to gain access to various services.

Of course, this convenience comes at the not-so-minor cost of giving Microsoft control over your personal data, which, because of the company’s spotty security record, is not something I would recommend.

The online shopping feature of Passport, known as e-wallet, is supposed to eliminate all that tedious data input when you place an order online. Microsoft’s promise is essentially this: “Give us your name, address, and credit card number, and we will send that information to merchants on request.” So far, more than 70 online merchants have signed up for Microsoft’s Express Purchase service.

Handing over your virtual wallet
Does it really take a highly paranoid security specialist like me to see that this might be a bad idea? Apparently, several million people out of the much larger Passport community have already signed up for this e-wallet service. According to Microsoft, those subscribers may have placed their personal data at risk due to a flaw that could allow a hacker to obtain the contents of their virtual wallet just by clicking on a link contained in a Hotmail e-mail account message.

Microsoft said that it immediately shut down the e-wallet service after learning of the problem and that Passport security has been enhanced. But that leaves open the question of whether any hacker took advantage of this flaw before a white-hat hacker discovered it and informed Microsoft.

Microsoft was quick to point out that this was an “isolated” problem (almost every individual security problem is) and that it patched the flaw immediately. The company also said that no e-wallet user’s credit card information was actually compromised. That may be true, but the cracker would probably leave no trace using this method, so I’m not certain just how Microsoft can know that no personal data was stolen.

Is even one of you surprised by this latest security breach at Microsoft? Did anyone not see this coming? The answer to both questions is probably a resounding “No.” For some time now, many IT professionals have been very cautious about Passport and downright obstinate about e-wallet.

The bottom line
Convincing people to trust Passport is vital to a number of upcoming Microsoft services in the .NET initiative. So if this recent Passport security flaw becomes widely known, it could be a much bigger PR problem for Microsoft than it appears to be on the surface. Indeed, Passport, which has recently been renamed .NET Passport, may be the crown jewel in the .NET crown.

Unfortunately, most average users will know little about this problem, and even fewer will realize that this is only one in a long string of Microsoft security problems. Anyone with any concerns about personal or business privacy and identity theft must place a great deal of trust in a company’s security policies before they give any confidential information to an online service that offers to serve as a gatekeeper for sensitive personal and financial information.

Microsoft must be hoping that average users won’t notice that there were about 100 Microsoft security bulletins in 2000 and that we are well on track to see another 60 or 70 by the end of this year. In addition to credit card information, Microsoft wants people to eventually store other confidential data, such as medical records, in Passport accounts.

Some people will even be foolish enough to provide debit card numbers, which, unlike credit cards, offer little or no fraud protection. While having your credit card stolen is annoying, it isn’t a big problem because credit card issuers limit the amount you can be forced to pay for fraudulent charges. But since debit cards offer direct access to your bank account, having that number stolen can be just like losing a checkbook full of signed, blank checks.

There is also some question as to whether you can continue to use Microsoft software and still avoid Passport. That’s going to become a major problem in the near future. If you haven’t yet installed a copy of XP, you may not realize that anyone running the new Microsoft operating system will be virtually forced to sign up for Passport.

Microsoft is making a big push to get everyone to use Passport as part of the impending .NET initiative, and in the years ahead, it will probably become increasingly difficult to use Microsoft programs if you don’t provide at least a minimum of information to Passport.

Build Your Skills: E-mail on demand with Microsoft Outlook Web Access

Would you like to provide your users with accessibility to your company’s e-mail system no matter where they are? With Microsoft Outlook Web Access for Exchange Server, they’ll never be more than a browser (with frames support) away from their Inbox. They can have secure access to their Inbox and calendar from any PC with Internet access in the world.

This article appears courtesy of TechRepublic’s TechProGuild, the subscription Web resource for IT administration and support professionals.

Outlook Web Access (OWA) became available with Microsoft Exchange version 5. Basically, OWA is intended to supplement Microsoft Outlook. It gives users remote access to many of the core components and functions of the client that they use in the office. Unfortunately, most administrators don’t know about it, so they don’t use its great features. In this Daily Drill Down, I’ll discuss how you can put these helpful features to work in your organization.

Outlook Web Access requirements
For your server, you’ll need the following components:

* Pentium 6/200 single processor
* 256 MB RAM
* Network connection to Microsoft Exchange Server
* Microsoft Windows NT operating system with Service Pack 4 (SP4) or later
* Microsoft Internet Information Server (IIS); Exchange Server 5.0 supports IIS 3.0 only, but Exchange Server 5.5 supports IIS 3.0 or later
* Active Server Pages (ASP), which are available on Microsoft Windows NT 4.0 Service Pack 3 CD-ROM
* Active Server components (which come with Exchange Server 5.0) or Outlook Web Access components (which come with Microsoft Exchange Server 5.5)
* Exchange Server 5.0 Service Pack 1 (SP1) or Microsoft Exchange Server 5.5 Service Pack 2 (SP2); SP1 and SP2 provide enhanced Outlook Web Access components

For your client, you’ll need an Internet browser that’s capable of displaying Active Server Pages. You’ll also need Internet Explorer 3.02 or later (or any third-party browser that’s capable of supporting frames).

Outlook Web Access recommendations
As with most of Microsoft’s server-based products, you ought to dedicate at least one server to providing the foundation needed by Internet Information Server and the Outlook Web Access Server components. Microsoft recommends that Outlook Web Access and Microsoft Exchange Server not be installed on the same machine. (Please note that Windows NT Challenge/Response (NTLM) authentication isn’t supported when they share a machine.) Microsoft also recommends that you use load balancing hardware or software in order to serve users better and to improve server response and availability.

The Microsoft Outlook Web Access server performs most of the processing for connected clients. The OWA Server also handles the entire load that’s required by active client connections. Supporting one client on the Outlook Web Access Server is similar to running one instance of Microsoft Outlook. Thus, to support the connections and requests, the Outlook Web Access Server must run many active MAPI sessions to the Microsoft Exchange Server. The overhead that’s created by the Internet browser running on the client computer is small, but the session that’s created by the client connection to the Outlook Web Access Server consumes many resources on that server. Keep this information in mind and plan the potential load on the Outlook Web Access Server accordingly.

When you plan any project, you must address scalability. To ensure that OWA maintains a semblance of scalability and to allow for organizational growth and changes, Outlook Web Access and Internet Information Server must reside on a dedicated server that’s separate from other Exchange Servers. As the number of clients increases, the load on the Outlook Web Access Server will increase, and you’ll need to add more servers. You can add more OWA Servers without affecting the existing Microsoft Exchange Server or the mailboxes in your organization.

When you need to add another Microsoft Outlook Web Access Server to your organization, load balancing makes the process much easier. Load balancing, which is available in hardware and software variations, allows multiple servers to process and handle requests that are intended for a single IP address. Load balancing has several benefits. First, users will need only one URL to access their e-mail accounts; the load balancing software or hardware will determine which Outlook Web Access Server handles the request. Another benefit is its continued availability. If a user makes a request and a member of a server load balancing team is down, the request will be directed to another server automatically. In some cases, load balancing software or hardware can distribute the load that’s placed on servers by noting which servers are busiest at the time of the request and then by directing the new request to a less burdened machine.

To satisfy general load-balancing requirements, Microsoft recommends that you use Windows Load Balancing Service (WLBS) as a load balancing software solution and Cisco’s LocalDirector as a load balancing hardware solution. WLBS supports up to 32 servers; LocalDirector supports up to 64,000. However, WLBS won’t work in OWA scenarios because WLBS uses round-robin DNS: When a request is made to a DNS server, the DNS server points the request to the next available member of the WLBS team. It doesn’t consider server load. Round-robin DNS works only with stateless ASP applications. Each user request is sent to the next server that’s a member of the WLBS team, but the new server interrupts the user’s ASP session. That means that users who try to access their e-mail via the OWA Server must log in every time they make another request.
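
The paragraph above argues that a dispatcher which ignores the ASP session cookie forces users through logon on every request. The following simulation, an added example and not code from the article or from Microsoft, models a pool of OWA front ends that keep ASP session state only in local memory, and compares a cookie-blind round-robin dispatcher with one that routes a known session back to the server that issued it. Server names, session id format and the user name are constructed.

```python
"""Why round-robin dispatch breaks stateful ASP sessions on OWA front ends.

Constructed simulation (not Microsoft or TechRepublic code). Each OwaServer
keeps its ASP session table in memory, so a session id issued by one server
means nothing to the others, exactly the failure the article describes.
"""
from itertools import cycle


class OwaServer:
    """One IIS/OWA front end; ASP session state lives only on this host."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}      # session id -> user name
        self._next_id = 0

    def handle(self, user, session_id):
        """Serve one request.

        Returns (server name, session id, logged_on_now). A cookie naming a
        session this server issued is honoured; anything else forces a fresh
        logon and a new session id.
        """
        if self.sessions.get(session_id) == user:
            return self.name, session_id, False
        self._next_id += 1
        new_id = f"{self.name}-{self._next_id}"   # constructed id format
        self.sessions[new_id] = user
        return self.name, new_id, True


def round_robin(servers):
    """Dispatcher that ignores the cookie (the WLBS behaviour the article describes)."""
    order = cycle(servers)

    def pick(session_id):
        return next(order)
    return pick


def sticky(servers):
    """Dispatcher with session affinity: a known session id goes back to its issuer."""
    order = cycle(servers)
    by_name = {s.name: s for s in servers}

    def pick(session_id):
        if session_id is not None:
            owner = by_name.get(session_id.rsplit("-", 1)[0])
            if owner is not None:
                return owner
        return next(order)
    return pick


def run_session(dispatch, user, requests):
    """Replay one user's requests through a dispatcher; count forced logons."""
    session_id = None
    logons = 0
    for _ in range(requests):
        server = dispatch(session_id)
        _, session_id, logged_on = server.handle(user, session_id)
        logons += int(logged_on)
    return logons


def compare(n_servers=3, requests=6):
    """Return (logons under round-robin, logons with session affinity)."""
    pool_rr = [OwaServer(f"owa{i}") for i in range(n_servers)]
    pool_st = [OwaServer(f"owa{i}") for i in range(n_servers)]
    return (run_session(round_robin(pool_rr), "alice", requests),
            run_session(sticky(pool_st), "alice", requests))


if __name__ == "__main__":
    rr, st = compare()
    print(f"round-robin: {rr} logons for 6 requests; affinity: {st} logon")
```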

Functionality
With Microsoft Outlook Web Access for Exchange Server, access to a user’s e-mail account is no longer restricted to a particular operating system. As long as the browser being used supports frames, access to important information is possible. OWA provides a true cross-platform messaging and application collaboration system. OWA is a MAPI application that’s composed of binary, HTML, and ASP script files. The scripts use Collaborative Data Objects (CDO) to access mailbox and public folder information that’s stored on the Microsoft Exchange Server computer. OWA also uses Microsoft Active Server Pages on the Internet Information Server. JavaScript and Java controls, which are downloaded to the user’s Internet browser on demand, generate HTML pages.

Although the browser uses the downloaded JavaScript to perform some of the processing on the client computer, the Microsoft Outlook Web Access Server handles most of the processing that the Outlook Client usually completes. This server processing includes MAPI sessions, client logic, state information, address resolution, rendering, content conversion, and Remote Procedure Calls (RPC) communications with the Microsoft Exchange Server. The Exchange Server receives and completes requests that the Outlook Web Access Server makes. (These requests resemble requests from any MAPI client.)

The process
Here’s what happens when users open messages in their Microsoft Exchange Server Mailboxes using a browser with Outlook Web Access. First, a browser with the Outlook Web Access client sends a request to a Microsoft Internet Information Server and the OWA Server. This request includes a cookie that identifies the browser and the user. IIS accepts the request and hands it to Active Server Pages (ASP) for processing. ASP verifies that the cookie points to a valid ASP session and that the user making the request has logged on properly. Next, the Internet Services API (ISAPI) filter determines which language to use when displaying messages in the browser. Then, ASP opens the script that’s named in the URL and executes any server-side Microsoft Visual Basic script it contains. These scripts use CDO to open the message that’s in the user’s Microsoft Exchange Server Information Store. The message GUID is passed within the query string of the URL. Next, the CDO rendering library (Cdohtml.dll) converts the requested message into HTML format, and IIS sends the HTML to the browser. Finally, the browser renders the HTML, including the embedded JavaScript.

Outlook Web Access security
You can configure Outlook Web Access to support one or more of several different types of authentication. As usual, there are advantages and disadvantages to many of these configuration options. The following configurations will authenticate OWA users:

* Anonymous
* Basic (clear text)
* Basic (clear text) over Secure Sockets Layer (SSL)
* Windows NT Challenge/Response (NTLM)

Anonymous authentication
If Outlook Web Access is set up to accept an anonymous connection, any user with access to the OWA Web page can use Outlook Web Access without specifying a Windows NT account name or password. When a user accesses OWA and makes an anonymous connection, Internet Information Server logs on the user with an anonymous (guest) account, which is a valid Windows NT user account. The default IIS user account is IUSR_computername. Be aware that anonymous authentication grants access only to resources that are anonymously published, such as public folders and directory content. Table A summarizes the advantages and disadvantages of using anonymous authentication.

Table A

Basic (clear text) authentication
When using basic (clear text) authentication, a user who tries to connect to OWA must supply a valid Windows NT account username and password. The user’s account and password are transmitted as clear text over the network to the Internet Information Server/Outlook Web Access Server. Validating users with basic (clear text) authentication gives them the ability to access an unlimited number of resources that are located on machines other than the Outlook Web Access Server. A user can access e-mail on one Microsoft Exchange Server and public folders on another Microsoft Exchange Server.

Since basic authentication transmits clear text passwords across the network, Microsoft recommends that you also use SSL. SSL encrypts all information that passes through IIS. Table B summarizes the advantages and disadvantages of using basic authentication.

Table B

Basic (clear text) over SSL
When using basic authentication over SSL, a user must specify a valid Windows NT user account name and password in order to access OWA. Usernames and passwords are transmitted as encrypted information over the network to the Internet Information Server/Outlook Web Access Server. Basic authentication over SSL allows users to access an unlimited number of resources, which may be located on machines other than the Outlook Web Access Server—just like basic (clear text) authentication does. Table C summarizes the advantages and disadvantages of using basic over SSL authentication.

Table C

Windows NT Challenge and Response (NTLM)
Windows NT Challenge and Response requires a user to specify a valid Windows NT user account name and password in order to access the OWA Server. The username and password are sent from the browser to the IIS as encrypted information. All information that the user wants to access must reside on the same server as IIS and the Outlook Web Access Server. Windows NT Challenge and Response authentication isn’t supported if IIS and the OWA Server are located on the same machine that contains Microsoft Exchange Server. Table D summarizes the advantages and disadvantages of using Windows NT Challenge and Response.

Table D
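
The four options above differ mainly in what a user’s password looks like on the network. The script below, an added example rather than Microsoft or TechRepublic code, classifies constructed requests against an OWA virtual directory using the article’s categories and flags the one case where the password travels in readable form, Basic over plain HTTP; it also shows that Basic is reversible encoding rather than encryption. The account name CORP\alice, the password, the paths and the NTLM blob are all constructed placeholders.

```python
"""Classify the OWA authentication options the article lists and flag the
ones that put a user's password on the wire in readable form.

Added example, not Microsoft or TechRepublic code. The request records in
SAMPLE_REQUESTS are constructed; CORP\\alice, its password and the NTLM
blob are placeholders.
"""
import base64
import binascii

# Ratings follow the article: Basic over plain HTTP sends the account name and
# password as clear text; Basic over SSL and NT Challenge/Response do not;
# Anonymous sends no user credential and maps to the IIS guest account.
EXPOSED = "password readable on the wire"
PROTECTED = "password not readable on the wire"
NO_CREDENTIAL = "no user credential sent (IIS guest account, IUSR_computername)"
UNKNOWN = "unrecognized scheme"


def decode_basic(header_value):
    """Return (user, password) from a 'Basic <base64>' header, else None.

    Basic authentication is reversible encoding, not encryption, which is
    why the article says it must be wrapped in SSL.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def classify(request):
    """Map one request (dict with 'scheme' and optional 'authorization')
    to the article's option name and its exposure rating."""
    auth = request.get("authorization")
    if not auth:
        return "Anonymous", NO_CREDENTIAL
    method = auth.split(None, 1)[0].lower()
    if method == "basic":
        if request.get("scheme") == "https":
            return "Basic (clear text) over SSL", PROTECTED
        return "Basic (clear text)", EXPOSED
    if method == "ntlm":
        return "Windows NT Challenge/Response (NTLM)", PROTECTED
    return "Unknown", UNKNOWN


def audit(requests):
    """Return one finding per request: (option, rating, account name if it
    is readable by anyone watching the network, else None)."""
    findings = []
    for req in requests:
        option, rating = classify(req)
        leaked = None
        if rating == EXPOSED:
            creds = decode_basic(req["authorization"])
            leaked = creds[0] if creds else None
        findings.append((option, rating, leaked))
    return findings


# Constructed sample traffic against an OWA virtual directory.
_BASIC = "Basic " + base64.b64encode(b"CORP\\alice:Winter2001").decode("ascii")
_NTLM_TYPE1 = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode("ascii")  # placeholder blob
SAMPLE_REQUESTS = [
    {"scheme": "http",  "path": "/exchange/", "authorization": _BASIC},
    {"scheme": "https", "path": "/exchange/", "authorization": _BASIC},
    {"scheme": "http",  "path": "/public/"},                 # anonymous, public folders
    {"scheme": "http",  "path": "/exchange/", "authorization": _NTLM_TYPE1},
]

if __name__ == "__main__":
    for option, rating, leaked in audit(SAMPLE_REQUESTS):
        print(f"{option:40} {rating}" + (f" [account: {leaked}]" if leaked else ""))
```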

Multiple users
If multiple users are going to share the same computer and use it to access e-mail via OWA, Microsoft recommends that you disable local caching. Doing so lessens the chances that a message a user accessed via Outlook Web Access still resides on the local disk, where the wrong user could access it. Microsoft also recommends that you disable the Save Password option in Internet Explorer in order to lower the chances that a nosy user will access another person’s e-mail account.

Outlook Web Access installation
Below, I’ve provided a step-by-step guide that will explain how to install Microsoft Outlook Web Access. The test machine is a Windows NT 4.0 Server with Windows NT Service Pack 6a, Internet Information Server 4.0, and Active Server Pages installed.

1. Insert the Microsoft Exchange 5.5 CD-ROM into the machine on which you plan to install Outlook Web Access.
2. In the Setup Selection window, select Set Up Server And Components.
3. In the Choose And Install window, select Microsoft Exchange Server 5.5.
4. Accept the End User License Agreement.
5. In the Exchange Server Setup box, select Complete/Custom.
6. Make sure that the Outlook Web Access option is the only one that’s checked and click Continue. If you haven’t installed IIS 4.0 and/or Active Server Pages yet, you’ll be notified via a pop-up screen. (Setup won’t continue. You’ll have to stop setup and install the missing component(s).) Then, start these steps over. Please note that IIS 4.0, which can be found in the Windows NT 4 Option Pack, requires Internet Explorer 4.01 or later.
7. Exchange Server Setup begins and explains that it will stop the Internet Information Server Service.
8. Microsoft Exchange Server Setup prompts you for the name of the Microsoft Exchange Server to which the Outlook Web Access Server will connect.
9. Files are copied to the local computer. Services that OWA needs are stopped and started, and Outlook Web Access is installed.
10. Upon completion, a pop-up window appears and lets you know if all is well.
11. You’re finished.
12. To test your setup, open your browser, type the name of the computer that’s running Outlook Web Access in the address line, and press [Enter]. (The address probably will be something like https://computername/exchange.)
13. You’ll be prompted for your username and password. You may need to include your domain name, too (such as domainname\username). Don’t check Save This Password, since that would allow anyone to access your mailbox from your computer.
14. You’ll be welcomed to your Inbox.
15. After successfully reading and sending some e-mail messages, remember to log off and close your browser. That way, you can be certain that no unauthorized users will view your mail.

Conclusion
Microsoft’s Outlook Web Access provides a quick and easy method of increasing the accessibility of your company’s e-mail system. Configuring OWA properly gives you a solid and secure method of remotely accessing e-mail. Of course, you must consider the variables when you’re implementing OWA. All Microsoft installations will be unique to your organization, so you should customize OWA accordingly. For more information on tuning and enhancing the performance of IIS and ASP, please point your browser here.

Ten links to help you understand Microsoft’s management shuffle

Microsoft Corp. Chairman Bill Gates has announced he is moving aside to let company president Steve Ballmer take the reins as the company’s chief operating officer. Gates, who will remain chairman, now has the title of chief software architect.

The announcement came amid reports that lawyers prosecuting the government’s case against Microsoft are pushing to split the company into two or three separate companies. However, company officials say yesterday’s change was planned long before Microsoft’s legal troubles.

How is the announcement being interpreted, and what will the change mean for Microsoft? Here are 10 links that explain yesterday’s news.

* The New York Times gives a thorough overview of yesterday’s announcement. Included is an analysis of Microsoft’s struggles with Internet competitors. The Times also has an article that quotes Ballmer as saying that the breakup of Microsoft into smaller companies would be “reckless.”
* The Washington Post ran a profile of Ballmer this morning that quotes one Microsoft official as calling him “Microsoft’s ‘heart and soul.’”
* MSNBC, which is partially owned by Microsoft, has a lengthy story on Ballmer that includes a “Ballmer-Gates Partnership” timeline.
* If you have a multimedia player, you can listen to a report on National Public Radio’s All Things Considered that includes comments by Ballmer on the breakup.
* Some of the most comprehensive coverage of the announcement has come from CNET, which includes an analysis of Gates’ continuing role in Microsoft as well as Microsoft’s move to Internet-based software.
* A story in the Financial Times focuses on the challenges that Gates will face as the company’s “software architect” in a changing software environment.
* You can also check out a press release on the announcement from Microsoft that includes numbers for the media and investor relations.
* And while it’s not a free site, if you subscribe or have a trial subscription to The Wall Street Journal Interactive Edition, you can check out a thorough analysis of yesterday’s announcement.

What do you think about Steve Ballmer taking on the day-to-day working of Microsoft? What changes do you think are in store for Microsoft? How will this affect consumers? Post a comment below.

Microsoft discloses some IE 7 plans

Microsoft on Thursday divulged a few more details about its upcoming Internet Explorer 7, and admitted that its implementation of tabs — one of the most-requested new features — will be just “catch-up” to rivals such as Firefox and Opera.

Tony Schreiner, a Microsoft developer on the IE team, posted the lengthiest description yet of how tabs will be implemented in the upcoming IE 7 to the Redmond, Wash.-based company’s blog.

The browser is expected to roll into beta sometime this summer.

“Our philosophy for tabbed browsing is to keep the user in control of the experience,” claimed Schreiner at the start of the blog. He then went into detail on some of the tab features IE 7 will sport.

Tabs will be turned on by default, Schreiner confirmed. In some situations, windows will continue to open in new, separate frames rather than in a new tab, but ordinary pop-ups will open in a new foreground tab.

“This seems to correlate with scenarios where showing a window on top of the current window is desirable, such as replying to posts on message boards and getting a close-up view of items on shopping sites,” said Schreiner.

Users will be able to open links in a new tab by middle-clicking on a three-button mouse, or Ctrl-clicking links. Keyboard shortcuts will be available for switching between tabs — Firefox, for instance, uses Ctrl-Tab — and users will be allowed to open tabs in the background or foreground, or open them in a new window.

At the moment, the plan is for each tab to operate on its own thread, and for the browser frame to run on its own thread as well. Schreiner admitted that this would boost the memory footprint of IE, but argued that it would allow the browser to “feel faster and provide an overall better user experience.”

One of the more surprising lines in the blog, however, is an admission that IE is behind the times, something many users — and all Firefox proponents — have been saying for months.

“This core functionality is largely catch-up to other browsers which support tabs,” said Schreiner. “[But it’s] a necessary foundation for future work.”

Schreiner wouldn’t spill the beans on every aspect of tabs in IE 7. When blog readers posted queries about such features as moving tabs (to better arrange the tab lineup) and asked how tabs would look, Schreiner deflected the questions. “The UI and configurability are something we can’t really talk about right now,” he said. “[But] there will probably be another blog post about this closer to or shortly after Beta 1 release.”