Password Policy & Password Fatigue
As a consultant I have been dealing with numerous organisations around the UK and Ireland for the last six years. In this time I have dealt with almost as many different password policies as I have clients, and this is before all the web sites I access are taken into account. The 2002 NTA Monitor Password Survey found that intensive computer users had 21 separate accounts requiring a password and, for added security, it is typically recommended that each password is unique to a login and not reused.
This recommendation, which I fully endorse, combined with complex password policies is resulting in growing password fatigue, the main issue of which is that it encourages people to adopt insecure password practices such as using the same password on multiple logins, choosing easy to guess passwords or even writing them down.
A perfect example of this is an organisation I dealt with recently where every user had to have a password with a minimum length of eight characters (mixed case letters and numbers) which needed to be changed every thirty days and could never be reused. Unfortunately, in this instance, password fatigue kicked in both for users and the IT department. Users, after holidays and sometimes even after long weekends, were often unable to remember the strong passwords that they had to change so regularly that they either wrote the password down on a post-it note, stuck to the computer, or they'd forget the password and lock themselves out of the system and then need to ring the IT department to get their password reset. After a fairly short time of dealing with the same repeated call, the IT Helpdesk Manager started to advise users to pick a word followed by a number and just increment the number every thirty days. While technically the password policy in place should have been secure, the reality was very different.
I've spent a lot of time driving round the country to and from client sites and I've ended up thinking a lot about password policies (it's something to do on the long journeys). I've come to the conclusion that forcing complex passwords (mixed case letters with numbers) of a minimum length (as longer passwords are harder to crack than shorter ones) is a good policy, but I can't accept that forcing the password to be changed at specific intervals is good policy.
Typically, the maximum age password policy requires a password to be changed every thirty, sixty or ninety days. If you suspect someone knows your password you should be changing it immediately and not waiting for the maximum age policy to kick in; if no-one knows your password then what is the benefit of changing it? The usual argument people have used is that it makes the use of dictionary or rainbow table attacks harder, but this is only true if the new password is guaranteed to be stronger than the old one, which I'd say is never the case. Certainly my passwords remain of similar strength to the old ones whenever I change one and people I've discussed this with agree the same for their own.
Technically, the "weakest" password I have is my main credit card as I haven't changed the password for twelve years, but both the username and password (mixed case letters with numbers) have never been used elsewhere and are not words found in the dictionary; as such I'd probably regard it as one of the strongest as I was able to pick both a username (instead of being forced to use an email address) and password.
On reflection, if I was to design a password policy that will avoid contributing to password fatigue I'd go with the following:
- Passwords must be eight characters or longer
- Passwords must be complex (mixed case letters plus at least one number and symbol)
- Passwords can't include the username
- Passwords can't include the user's firstname or surname
- Passwords can't be older than 30 days
- Passwords can't be changed within 7 days
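The policy listed above, written out as a checker. This is an added example, not code from the original post; the function names, account details and passwords are constructed. It goes one step beyond the list by also rejecting the "word plus incremented number" habit described earlier in the post, and it assumes "within 7 days" means an age of fewer than 7 days.

```python
import re
from datetime import date

MIN_LENGTH = 8      # "eight characters or longer"
MAX_AGE_DAYS = 30   # "can't be older than 30 days"
MIN_AGE_DAYS = 7    # "can't be changed within 7 days" (assumed: age < 7 is too soon)

# Character classes for the complexity rule. Anything that is not an ASCII
# letter, digit or whitespace counts as a symbol (an assumption of this example).
CLASSES = {
    "lower-case letter": r"[a-z]",
    "upper-case letter": r"[A-Z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9\s]",
}


def _contains(password, token):
    """Case-insensitive substring test; an empty or missing token never matches."""
    return bool(token) and token.casefold() in password.casefold()


def _strip_counter(password):
    """Drop trailing digits so 'Holiday!7' and 'Holiday!8' share one base."""
    return re.sub(r"\d+$", "", password).casefold()


def check_new_password(password, username, first_name, surname, old_password=None):
    """Return the list of rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    for label, token in (("username", username),
                         ("first name", first_name),
                         ("surname", surname)):
        if _contains(password, token):
            problems.append(f"contains {label}")
    # Extra check, not in the list: the old password is available at change
    # time, so a new one that differs only in its trailing number is caught.
    if old_password is not None:
        base = _strip_counter(old_password)
        if base and _strip_counter(password) == base:
            problems.append("same as old password apart from trailing number")
    return problems


def change_status(last_changed, today):
    """Apply the two age rules to the date the password was last set."""
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        return "expired"
    if age < MIN_AGE_DAYS:
        return "too soon"
    return "changeable"


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    user = ("jsmith", "John", "Smith")
    for candidate, old in (("Summer2011", None),
                           ("Tr4vel!Smithy", None),
                           ("Holiday!8", "Holiday!7"),
                           ("Qz7!mLoru", "Holiday!7")):
        print(candidate, "->", check_new_password(candidate, *user, old_password=old) or "ok")
    print(change_status(date(2011, 9, 1), date(2011, 10, 5)))
```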
Hybrid Computing Models
A decade or so ago, the main consideration for buying servers was the operating system you used – there was a wide variety of offerings such as Netware, Unix, Windows, not to mention a range of proprietary mid-range systems and mainframes. Whilst there are still choices around operating systems, the variety has reduced and a few clear winners have emerged.
The big question now is, do you get a server at all or do you consider using a cloud solution? Or are you going to choose an application that’s delivered through SaaS (software as a service) so you don’t need a server at all? Or perhaps you want to buy some servers to create your own private cloud? These are far more fundamental decisions that are primarily driven by commercial rather than technical factors.
A mixed, or hybrid, model of infrastructure to deliver your IT needs is going to become increasingly prevalent, because different systems will require different approaches to your infrastructure. For example:
- Best of breed applications that are the best match for your business needs may only be delivered through a SaaS model;
- Increasing demand for access to applications from anywhere on a variety of devices may make cloud or hosted delivery the most appropriate approach;
- Compliance or technical requirements may make traditional, self-hosted infrastructure the only option for some situations;
- Quick fix, tactical solutions or applications where data or processing needs are unclear may be best delivered through cloud solutions.
In short, every situation is unique and you want to pick the best route for your own circumstances. That’s why at Perfect Image we don’t blindly advocate or promote just one approach; we look to provide the best approach for you. We think that increasingly this is the way IT Managers will think about things and for many larger organisations a mixture of approaches will become inevitable.
Microsoft Dynamics GP Roadmap Through To 2016
One of the advantages of dealing with an enterprise focused software company, like Microsoft, is that they try to be transparent about the direction of future development and regularly produce roadmaps for their products to allow partners and clients to plan ahead.
To this end, at the recent GPUG Summit 2011 in Las Vegas, Nevada, Microsoft announced an updated roadmap for Microsoft Dynamics GP with details of releases through to GP "15" in 2016 (screenshot courtesy of Microsoft Dynamics GP MVP Mariano Gomez, the Dynamics GP Blogster);
Microsoft Dynamics GP "12", due for release in 2012, includes a Silverlight based web client, multi-tenancy architecture, enhanced integration with Office 365, Payables remittance reprint (without reprinting the cheques), SSRS as an alternative to Report Writer and Fixed Assets batches which allow depreciation figures to be reviewed before posting to the GL, amongst other enhancements.
Unlike Dynamics CRM and Nav, Microsoft do not intend to provide a cloud hosted solution for Microsoft Dynamics GP and have instead opted to enable partners to provide a hosted solution to their clients using the multi-tenancy architecture, which allows reduced hosting and SQL licensing costs, and web client which allows any Silverlight enabled web browser to access and run Microsoft Dynamics GP (custom screens will also be available in the web client).
According to the roadmap for Microsoft Dynamics GP "14" and "15", development will continue down the route of enhancing the UI and simplifying the deployment and operational workflow.
6 Reasons Why Using IT Contractors Doesn’t Always Work
I’ve got nothing at all against IT contractors per se, and used in the right way they can be extremely useful parts of a team. However, we’ve seen far too many organisations where they’re a significant contribution to the failure of a project or service provision. The problem isn’t usually the contractors themselves, but the way they’re used. In no particular order, here are some common concerns.
1. Companies often seem to assume that contractors are experienced and can be relied on to manage themselves. This may be true for some but it certainly isn’t for all. After all, it’s not always in a contractor’s own interests to get a job done efficiently.
2. Having more contractors on a job than permanent staff rarely seems to work. Again, collective self-interest often ends up in projects being “gold-plated” or inefficiently delivered, especially if the senior project members are contractors.
3. Some people seem to assume that because you are a contractor you must be good at what you do. This clearly isn’t always the case, so why do so many organisations fail to take as much care in recruiting a contractor as a permanent member of staff?
4. What happens when the project is delivered and the solution goes into maintenance mode? If much of the knowledge disappears when the contractor(s) leave then the lifetime of the solution will usually go down and the TCO (total cost of ownership) will go up.
5. Motivating contractors can be harder than motivating permanent staff; that’s just human nature. Contractors can sometimes also demotivate permanent staff if they perceive that contractors are paid more and are less committed.
6. There is a tendency for some contractors to hold on to their knowledge rather than share it with the others in the team to help protect their position. This can harm both the ongoing project as well as its future support.
I’m not suggesting that the alternatives of using permanent staff or engaging an outside company guarantee successful projects, but heavy or inappropriate use of contractors does seem to bring its own, additional risks. If you manage it right and have the right contractors then all can be fine - it just doesn’t seem to work out that way very often.
What’s Windows 8 going to do for me?
Microsoft has an unenviable balancing act to perform. Technology professionals and enthusiasts need and want to know about what new technology is coming as early as possible so they can plan for it. However, it also means early Microsoft software previews have a tendency to be changed by the time they get released – sometimes as a result of feedback from testers, but sometimes just because Microsoft can’t reliably deliver some of the features in time. The other danger for Microsoft is that everybody sees the new, shiny, future version and decides to wait for that rather than upgrade to today’s version now.
So with that in mind, what should we make of Microsoft’s “developer preview” of Windows 8? There isn’t even a hint as to when it might be released although many suspect late 2012.
The obvious thing that’s been focused on in most reviews is the new “Metro” interface, which is largely derived from Microsoft’s current smartphone OS. It looks nice and, without a doubt, it’s been designed with one eye firmly on the tablet/touch screen market and taking on the iPad. It’s going to be interesting to see how typical users adapt to it on a traditional PC or laptop though. It’ll take a bit of getting used to but many will no doubt see it as an improvement, whilst others will be resistant to the change. For the latter group, Microsoft has provided the option to run a Windows 7 style interface instead.
The key to the new user interface’s success will be whether applications are written to use it; switching between “Metro” and current styles of programs could become confusing or annoying; time will tell.
So what’s going to encourage organisations to move to Windows 8 – is there more to it than the user interface? Fortunately (for Microsoft) the answer is yes, although many of the benefits are of a technical nature (as you would expect with an operating system). In no particular order, some of the things that stand out are:
- System wide searching and spell-checking built in.
- Improved performance over Windows 7 (although this may be marginal and could change by the release date).
- A better Task Manager that provides an easier interface for most users, but more information for power users who want it.
- An improved way to effectively reinstall a clean version of Windows itself, without removing any installed applications, settings or data which should significantly improve system support and reliability.
- An online application store, much like Apple’s.
- Live cloud syncing to keep multiple PCs current with your data, social network settings etc; again this seems to be following Apple’s iCloud lead.
(Note that we’re only talking about the client version of Windows 8 – we’ll look at the Server edition another time, as that has some other, more significant, changes in it.)
So should you delay any upgrades and wait for 8 to be available? Well, it looks good and should be a big step forward for Windows, allowing it to catch up with features that Apple has been providing whilst keeping compatibility with previous versions of Windows. However, it’s a little way off yet (nobody knows how far, of course) so if you’re currently using XP or Vista then for most people we’d strongly recommend that you make the move to Windows 7 rather than wait for 8. As always though, everything depends on your own unique circumstances.
Dynamics GP on Windows 8
Windows 8 Developer Preview was made available for download a short time ago and I've just installed it on an old laptop (an Acer Aspire 9301 WMSi with 4GB RAM). I've not bothered with screenshots of the install as it is very much the same as Windows 7, and was as smooth an install as Windows 7 as well.
Once Windows 8 finished installing it booted into a Metro configuration screen where I filled in the Computer Name, Connected to the wireless network, and had an option for Express or Customized settings; I just wanted to get to the good stuff so went Express. Maybe over the weekend I'll redo this and try the Customized settings (I wish after picking English (United Kingdom) it allowed me to Customise my settings).
The next step, and slightly unusual, is to setup a Log on by entering a password to create a Windows Live account; I already have one but no option was easily apparent to use an existing one. I entered my current Windows Live ID to see what would happen.
Well, it recognised it as an existing Windows Live ID and prompted for the password and moved to 'Finalizing your settings' (couldn't it finalise my settings?). It's definitely logged into Windows Live as it's pulled back my full name. Also just noticed it's all green instead of blue as Microsoft have traditionally done. BSODs are still blue though (I tried installing it into Windows Virtual PC earlier and got one).
Once all preparation is finished it loads up the Metro UI (a brief flicker of Windows 7 style desktop on the way in).
With the first stage, installing Windows 8 Developer's Preview, completed I could then start on the second stage which is to install SQL Server 2008 R2. This installation was slightly easier than normal as I didn't need to install third party virtual drive software, but simply right click on the iso and select Mount.
Once mounted in the built-in virtual drive, the iso becomes available as if it were a standard DVD drive.
Microsoft SQL Server 2008 R2 Setup detected the absence of the required .NET Framework and prompted to install the .NET Framework Core role, I think phrased more like Windows 2008 Server than Windows 7.

The rest of the SQL Server installation went as normal and I then moved onto installing Microsoft Dynamics GP 2010 R2. Once installed GP was easy to find using the Metro Home Screen, which replaces the Windows Start Menu but works exactly the same way. Hit the Start key and start typing the program name.
I encountered no problems whatsoever with either installing or running Microsoft Dynamics GP 2010 R2. My natural cynicism had me thinking that there was going to be some sort of issue, but none.
Windows 8 is quite a while from release but it is nice to see that a release, which I think lies somewhere between Alpha and Beta, functions and in fact works quite well. Windows 8 is snappy and responsive, and the traditional Desktop works as it always did.
I think the Metro applications will take a little getting used to; I'm used to closing programs when I'm done with them rather than just switching out of them (which sends them into a suspended mode).
Ian Grieve
The Hidden Cost of Tablets & Smartphones
Tablets and smartphones aren’t just cool consumer devices; they’re now something we all see people using every day for work. Whether employees have bought them themselves or they’ve been provided by the company, the IT team has been given a new support headache whether they wanted it or not.
Not so long ago an IT department typically had to support Windows based PCs and, perhaps, some Macs. Yes, there are plenty of versions of those operating systems and it’s not an easy job, but at least you knew what technical skills were required and what systems your applications had to be compatible with. Crucially, the rate of change was also controllable and you had established software management tools that helped automate some of the support processes.
So, whilst users are getting great benefits from the new devices that are available, IT teams now have a new set of challenges to solve and these, ultimately, are going to lead to increased support costs. Not only do you need the additional knowledge of how to configure and manage each of these different types of device, you also have to accept that the rate of change and diversity of them is an order of magnitude higher than it is for desktops/laptops.
Of course, it’s not just end-user support that’s affected – all of a sudden you need to try and support your business applications on these new devices. Even applications that are already web-based often need browser compatibility issues resolving and pages often have to be significantly altered to keep them usable on a smaller screen.
The genie’s already out of the bottle and people, rightly, want to use these devices at work. The question is how best to support them and establish clear guidance and expectations for everybody. There’s also a lot of user education needed in this process – you may have plenty of security controls around your core systems, but protecting data on a tablet or phone that’s easily lost or stolen is a whole new problem.
If you haven’t started thinking about these issues yet, then you need to. We’re already providing our clients with practical advice and support services so if you want some help, get in touch!
Integrating MS Project with SharePoint
Any successful project has always involved smooth communication and sharing of information within the team.
Microsoft Project has been a boon to Project Managers to plan out their projects. It may be easy to discuss this plan and track the progress of the project if the entire team is based on the same site. What to do if the project involves a large team of people working from different sites or even different locations?
It has not been possible to distribute the project plan to all the team members without a server version of MS Project or without the client software being installed on each of the machines or without sending out large quantities of e-mails. Project reporting has been even more difficult.
This topic was much debated during the SharePoint 2003/SharePoint 2007 days and with the introduction of MS Project Publisher it became possible to publish .mpp files to SharePoint lists through the Publisher software.
This has now been further simplified! All you need is MS Project Professional 2010 and a SharePoint 2010 site!
MS Project 2010 now fully integrates with SharePoint and the project plan can be shared with an entire team of members anywhere and everywhere using a single click.
SharePoint is one of the best collaboration solutions available and MS Project is the best Project Management system available on the market. The integration between the two – fantastic for all the Project Managers out there!
Similar to the way SharePoint works with the other Microsoft Office Suite products such as Word, Excel, and PowerPoint, SharePoint 2010 now works efficiently with MS Project 2010. Due to this integration, it has now become possible to expose the project plans created using Microsoft Project as SharePoint lists and create views such as Gantt charts to resemble the MS Project software. The Chart web part which is available in the Enterprise version of SharePoint 2010 with the Enterprise Site Collection Feature activated can be used to create charts based on the list items.
The integration works both ways, meaning any changes to the SharePoint list are updated in MS Project and any changes to the MS Project document can be synchronised with SharePoint. The custom fields can be synchronised as well and these can be used to act as information updates from resources/Project Manager or information for reports.
There are third party add-ons available to link the older versions of MS Project, Standard and Professional 2007, to SharePoint lists.
There are also third party web parts to show a dashboardy view of the Project plan and progress using graphs, charts, tables etc. but not all of these are bidirectional in updating content.
See the link http://www.microsoft.com/project/en/us/sync-sharepoint.aspx to find out how the synchronisation works in detail.
My experience of getting trained at Perfect Image
Apart from a short period of experience as a Developer a few years ago, I have not had much exposure to the software industry.
Having entered Perfect Image as a Trainee Consultant, I have worked here for more than 6 months now. I am just looking back and wondering how quickly this time has passed and how much better a professional I am developing into. Every single day, I have picked up something that is new.
Perfect Image has been different from most of the previous places I had worked for. The mantra here has been ‘the better you are trained, the better you deliver’ as opposed to ‘work, work, work, do it all yourself’! There has not been a single day I have felt Oh no! What do I do?
I have been sent on quality classroom based training courses to give me a rich idea of the different products like SharePoint and Qlikview I have been learning. In addition to these, there has also been a lot of scope to get involved in the on-going projects and shadow the more experienced consultants. I have had the chance to accompany them to the client sites for on-site face to face requirements gathering and training sessions which has been a great experience. They have been extremely supportive and have always been ready to answer my queries. These have given me an insight on what to expect and prepare myself for the future client interactions I will be involved in.
I believe all these have lessened my stress levels to a great extent! The more you are prepared to do something, the better you perform.
The consultant team also holds weekly discussions of the upcoming projects and reviews of on-going projects where a project is broken down into components and discussed fully in detail. This is when each individual shares the tips and tricks and lessons learnt from his/her previous projects with the team. These provide valuable ideas and a wholesome understanding not only to the people involved in the project but also to the entire team, especially the new members.
Training and learning and discussing – what next? More training and learning and discussing and more projects and more experience!
After all these, I was given my own project to manage. Butterflies in my stomach, I started working on it. A lot of information came pouring in. Thanks to all the training and discussions, I was fully prepared to take the project head-on. I was comfortable with the technical elements of the project whilst the team gave me all the required support to manage the project effectively.
Now, with several projects under my belt, I approach each of them with complete confidence of my ability to deliver. This is confirmed by the great feedback from clients. I now look forward to larger, more complex and challenging projects to come.
BPOS and Office 365
What is BPOS?
BPOS is “Business Productivity Online Suite”. I hear a chorus of “And what does that mean?” Basically it is a set of useful business tools including the following:
- Exchange for providing email, access to calendar and tasks.
- SharePoint online for collaborating on project and documents, not only internally but with customers and partners as well.
- Microsoft Office Live Meeting for having meetings, hosting training sessions and conferences over the internet.
- Microsoft Office Communications online for instant messaging with work colleagues.
All of this is paid for through a monthly subscription service with no upfront licence costs.
What are the benefits?
- Businesses spend a lot of money on their IT systems. TCO or Total Cost of Ownership includes buying, installing, maintaining systems as well as training staff. It also includes things you may not think of such as the increased power consumption meaning higher electric bills. BPOS saves a company buying large amounts of hardware including new servers. It can easily be installed on your PC or laptop providing it has an internet connection and it is a fairly recent model. Most PCs built in the last three years should have no problem running it.
- Installation is straightforward, once BPOS itself is set up for your organisation. You simply need to download and run two files then sign in. BPOS does the rest of the configuration for you. This simple installation and lack of on-going server support needs means less technical know-how is needed in house, which can be a big cost saving over the long term.
- Another great advantage is that the subscription model means you’re always using an up-to-date version of the software. No more agonising over whether to spend the money to upgrade to the latest and greatest version of Office!
- Backup software and the maintenance of it can be expensive and time consuming but BPOS is automatically backed up and offers redundancy across several datacentres. This saves you administering the backup system or the expense of having a third party do it for you. It also means that as long as you have access to a computer and an internet connection, you can access BPOS.
What is Office 365?
Office 365 is effectively the new version of BPOS. It uses the latest server software including Microsoft Exchange 2010. There are different plan levels on Office 365, allowing you to choose the applications you need so you are not paying for software you do not want.
What advantages does Office 365 have over BPOS?
There are many improvements with the new version as the newer versions of Exchange, SharePoint and the like have all got much improved functionality and ease of use. However, one of the most obvious changes is the provision of online web app versions of familiar applications such as Word and Excel. These are browser based versions of the usual Office applications and whilst they don’t have all the features of the full version they can be accessed from anywhere through a browser. Of course, many users will use the usual versions of Microsoft Office to work with their Office 365 system and you can now ‘rent’ Office as part of your monthly subscription, again helping your cashflow by avoiding the upfront licence payment.
Another advantage is that, unlike BPOS, there are no lower limits on the number of users so even a one person business can benefit from Office 365.
I already have BPOS, how do I make the change to Office 365?
Microsoft is giving BPOS customers one year to make the transition to Office 365. The server side of the transition is handled by Microsoft including the migration of all your data. You would need to download the latest version of the Single Sign On application which is now called Lync client. And you will have to download and install the latest version of the sign on application. This should all be straightforward but we’ll have to wait and see!






