Microsoft Asks: Who
Are You?
I’ve been in IT since 1993, and that
seems like an eternity some days. I
work for a Microsoft Certified Partner
that develops custom software.
We’re a Microsoft shop. I’ve spent
10 years working for my current
employer, so I would say I’m pretty
familiar with the history of Microsoft
and IT. I find Microsoft wanting
in many ways, mostly because the
company continues to make my job
difficult.
In response to Karen Forster’s editorial, “Microsoft Asks: Who Are You?” (December 2007, InstantDoc ID 97478), I have to say I find no compelling reason to share any of my personal information with Microsoft. Maybe I’m just old and grouchy, but I don’t see how celebrating my ability to play the kazoo translates into helping me do my job. I have a firm grip on who I am and have never confused myself with my profession. Honestly, Microsoft’s initiative seems like a marketing gimmick. If this kind of email message arrived at my company, it would probably get tagged as spam.
—Curt Hayes
Custom Logon-
Tracking Solution
Insecure?
The Custom Logon-Tracking Solution
(“Windows IT Pro Innovators
Share Their Successes,” November
2007, InstantDoc ID 97204) struck
me as rather insecure. Any time
you have a shared Microsoft Access
database that is writeable by large
numbers of individuals, you have a
potential nightmare.
First, the logon script runs under the user’s ID, which means he or she must have write access to the Access database. Nothing prevents the user from deleting, creating, and modifying records. Anyone with access can forge entries, purge entries, and otherwise modify records. Also, depending on how administrators access the account-logging database, an even bigger vulnerability is possible. In Access 2003, when I open .mdb files, the system warns me that if this .mdb file contains code intended to harm me, it can do so! If non-privileged users modify that .mdb file, opening it allows dangerous Visual Basic for Applications (VBA) code to run. If administrators are careful and never open the .mdb file itself—and always interact with it through table links from another .mdb file—they’re probably safe. If not, they’re vulnerable.
I’m no security guru, but I would suggest using a restricted SQL Server database instead of an .mdb file. Then, I’d create SQL Server stored procedures for creating the logon records and updating the logout time. Those stored procedures would use SQL Server functions to enumerate the machine, the username (using integrated security), the logon time, and so on. I wouldn’t be able to prevent people from trying to insert false data, but I’d know what account was used, what IP address they came from, and when it happened (based on the server’s clock). I’d also restrict the database growth size, set up alarm notifications, and so on.
—Anonymous
There are security vulnerabilities that could lead to problems, especially if the solution is used to store mission-critical or highly sensitive data. In our case, the solution was purely a tool for us to learn which computers were being used and to what extent. Even so, our Access database is stored on a separate share that is completely locked down with several layers of security, including firewalls, file permissions, and GPOs. Only administrators have rights to browse to the location, and only authenticated users on our domain have read/write access to the database. An authenticated user would have to know the exact path and filename of the database to even try to tamper with it. That information would be very difficult for our users— none of whom have local administrative rights—to obtain. Migrating the solution to a SQL Server database would certainly increase security, and I would strongly recommend that option if higher security is needed.
—Brandon Jones
IT as a Career
Choice
I read Jeff James’s article, “Windows
IT Pro: A Good Career Choice
for Your Kids?” (December 2007,
InstantDoc ID 97408). Maybe I just
got lucky, but my son has been at
a keyboard since he could sit up
straight on his own. He spent his
whole childhood tinkering with
hardware to software and everything
in between. I don’t see the point of
recommending or not
recommending IT as a
career choice for your
kids. It’s like being an
artist: Either you can
paint or you can’t.
Sure, you can go to
school and learn how
to paint. But that
won’t make you a
great painter.
I never recommended my son get into IT, but IT got into him from an early age. Too often, kids choose IT solely for the money. Bad decision. IT sucks unless you really, really like it. My son likes it. Right out of high school, he got a position with a high-profile social-networking site making the kind of money I started making only a few years ago. Life just isn’t fair.
—Scott Gutauckis