I’ve been using Windows as a network administrator for just over 6 years now. I’ve used NT4 servers, 2000 servers, and Windows 2003, and there has been a tremendous improvement with each version. There are still some things that drive me nuts in my job, though, and this is a chronicle of the top five.
First off, let me get this out of the way – none of these are going to be about security. An OS is usually a better reflection of the administrator than of the manufacturer. This recent article at InfoWorld suggests that it’s poor administration that causes many system compromises, and I firmly believe that a good administrator can keep Windows just as secure as Linux or UNIX with the proper skill and care. System patches and updates should be applied, application updates should be diligently monitored, and the proper filtering and gateways should be activated. So, given that security is, at least in this article, more a product of the admin than of the environment, I have not included any reflection of security or the politics of the company.
One: Folder Options
“Folder Options” is the name of the dialog box that controls Explorer options (Explorer is the default file manager for Windows). On a workstation, this is purposely configured to do some simple things like hide file extensions, hidden files, core OS/system files, and configure the behavior of title and address bars. On a server, however, it’s very important for an admin logged in at the console to have as much access as possible. A server is not a desktop system, or rather, should not be, and as a result, the default options should be configured for server use.
Two: Internet Connection Wizard
The concept of the “Wizard,” which walks you through a configuration in simple, easy-to-understand steps, has gone through some revisions. These days, wizards mostly aggravate power users. There was a time not too long ago when wizards were very helpful and many appreciated them. Having built countless Windows workstations, I can tell you that the Internet Connection Wizard (ICW) is by far the most annoying of all wizards. As a network administrator, you should understand the concepts of gateways and proxy servers. These days, a server should expect to connect through a LAN and not need proxy authentication. The few people who need those options should know where to configure them.
As if to add insult to injury, the ICW asks you with EVERY setup, which, incidentally, is once PER PROFILE, per machine, to set up an “internet e-mail account,” which is Hotmail/MSN based, of course. No one using a server and configuring IE for the first time should be thinking, “I wonder how to set up an e-mail account — ooh! Here’s a way!” Again, if they are, then they probably aren’t qualified to configure a server. The fact that Microsoft invites this behavior by making Windows servers accessible to people like this does not bode well for the quality of network admins.
Three: Windows Media Player
I can swallow that IE is tied to the core code of the file manager and thus cannot be stripped out of the OS easily without sacrificing some functionality. I think the desired behavior, which I witness with Konqueror too, is that if I type a URI into my file manager it passes it off to a browser of some kind (it should be noted, though, that Konqueror is not a prerequisite to installing Linux). I’m not thrilled that I HAVE to have a browser on my servers, which shouldn’t be used for internet surfing – even Windows Update should have a stand-alone piece for servers – but that aside, there’s a bigger issue.
Why must I have a media player on my server? And why are the codecs so important? How come just to install this media player, I have to reboot my server? Anyway, who out there is using WMP on their servers? This appears to be a case of using the same code base for their Server line as their workstation line. If I’m wrong, which I could be, as I’ve not audited any of Microsoft’s code nor am I qualified to review it, then I ask, WHY? And if I’m right, then why haven’t they removed the functionality? And if it’s tightly integrated, why haven’t they changed that? I don’t see a reason why multimedia capabilities should be buried and tied so deeply to the core of your operating system. Dump WMP from the server line. One way or another. Period.
Four: Licensing
Hands down, the absolute worst part of using Windows Servers in a domain is the Licensing application. For a company that is so determined to stump the pirates that it makes my life a living hell with endless activations and steep entry fees for corporate licensing, this is the saddest part of their OS. There is a little-known application, simply called “Licensing,” which runs on your designated Licensing server in your domain. This can be totally separate from your Terminal Services Licensing server.
Licensing is completely unintuitive and behaves unlike any other Windows application. Right clicks bring up useless menus. The terms are not well explained, the help files are useless, and here’s the best part: the microsoft.com site is mostly useless. It contains virtually no documentation. So, in an effort to get more information, I called Microsoft, whose support techs told me that if I needed help, I’d have to open an incident (for those not “in the know,” an individual support ticket, or “incident,” with Microsoft costs $245). So I replied, “I need help making sure the software I bought from you, which is properly configured as far as I can tell, is legit, something I know your company takes seriously. Your program is telling me otherwise. You have provided no documentation, and your TechNet site is bare.” Still, no love from Redmond. Later I fixed the problem by revoking every single license that Licensing had doled out. No service was interrupted for any user. What’s the purpose of this thing?
Licensing is important to those of us who run large enterprises. There should be a really high quality, easy-to-use AD (Active Directory) snap-in or stand-alone app to track licensing, report problems, and help the sysadmin rectify legitimate problems. If Microsoft intends to push licensing and activation and combine that with lawsuits for corporations that don’t comply, the least they can do is provide a means for tracking the licenses when the enterprise starts getting too big to do it in Excel.
Five: Updates and Maintenance
While this complaint lies much more in the architecture of the software than in its behavior, it’s the biggest pain. If you’ve ever had to maintain more than about 3 servers at once, you’re familiar with exactly how much work goes into keeping Windows Servers updated. In fact, there’s a running joke with some of my colleagues that running Windows Update is a full-time job. The thing is, Windows Update, even version 5 so far, still requires a reboot the vast majority of the time.
In fact, simply installing Windows Update version 5 took two reboots for me. Then there were two reboots running the updates. Sure, it’s a nice interface, but why can’t Windows shut down just a few services yet? With their new GDI+ Detector, they used Windows Update to install a piece of software that checks if you’re running apps that are vulnerable to the recent JPEG (GDI+) code execution flaw. Can’t Microsoft write something into Windows Update that downloads a piece of software, executes it, shuts down networking, replaces/updates components, restarts the services, and resumes Windows Update? How come a bunch of geeks have pretty much mastered distributed computing with BitTorrent, eDonkey, jigdo, GFS, etc. and online updates via yum, apt-get, Red Hat Network, YaST, etc., but Windows Update still has to do one piece at a time, punctuated by several reboots?
We run terminal services via thin clients (running Windows CE) at my company. At any given time, there might be 150 active profiles on a terminal server, and the registry can bloat up to 300 MB. I’ve even seen it top out around 800 MB, which is pretty crazy when it can sustain itself around 15-35 MB on a server. Terminal servers require a nightly reboot to work well. So important is this, so much does it drain a server to handle this load for multiple days, that we have scripted reboots into the normal routine just to assure that the servers get a “fresh start.” This practice has been validated by the Microsoft people I deal with. (Sidenote: our specific registry bloat was researched exhaustively by very capable higher-level Microsoft techs who man their profile support department. An 800 MB registry is not typical.)
In the end, Windows still has some pretty amazing stuff. The GUI management tools for domains are unmatched by anything in the Linux/Unix world (except perhaps by Novell’s NetWare Admin, which will probably, in some form, be running on Linux for Linux soon enough). There’s no real standard in other realms for joining computers the way that Microsoft domains do. I haven’t seen failed dependencies in years, save one component that required an MDAC update, something you probably wouldn’t need on most computers anyway. Furthermore, Microsoft truly offers, for better or worse, an end-to-end solution that requires very little “futzing” to make work. I could easily name dozens of things that make me crazy: buried admin tools (try to find “Remote Desktop Connection”), the “Show Files” warning in system directories, the presence of Outlook Express on servers, the painstaking effort it takes to set up lockdown policies, the lack of administrability from the command line, the lack of SSH support, and, until WUS is released, the lack of a good update distribution application. Despite some shortcomings and a lengthy wishlist, Windows does make an increasingly capable server product.
>Oh, yeah. Please, no more damn posts about “Linux just being
>a kernel”. No sh*t. Post something constructive.
Mike,
You must understand that Linux is just a kernel, and a distro is a set of programs/utils built around this kernel; by calling everything in a box Linux you are not helping to clear things up. Windows is a complete program like Red Hat Linux is.
Same goes for free and open-source software: they are fundamentally different from each other, yet everybody talks about them as if they are the same...
If a core lib like e.g. glibc is updated, you might as well just reboot.
glibc is an exception, though; most of the time this isn’t true. I’ve even replaced X and had little trouble. To be extra cautious, I restart the service and dependent parts — though updating a service tends to restart that service (say, Samba, sshd, or NFS). In the case of GUI libs (gtk/qt + Gnome/KDE), I often log out of the desktop and press ctrl-alt-backspace to force a restart of X.
Rebooting is rarely needed except for switching to a different kernel — even adding or removing a module to the current kernel does not require a reboot.
doesn’t really require a reboot, either. When it’s updated in cooker I urpmi it from runlevel 1 or runlevel 3; it automatically restarts most of my services, and everything carries on working.
To manage a server — to make it secure, reliable, and controllable — you should know in detail exactly what is on it and how each part works. You should know when it is acting strangely, and be able to track down what the cause of that behavior is.
Every part of the server that does not support the reasons for having the server in the first place uses resources, adds complexity, and adds another vector for attack or hiding active exploits.
Complexity is evil. Simple is good. The admins who know this don’t need to be told it. For the rest of you, don’t expect me to hire you!
With regards to installing WMP, IE, OE, etc. on the server, having these “tester” apps on the server can help diagnose network faults or test config changes.
Last time I checked, regedit, ping, and tracert were installed on Windows Server. If you need to diagnose an external web or file server, you shouldn’t be using another server to do it; use a client from the same subnet that is having difficulties. (If the client’s network is the Internet itself — well, that doesn’t really change anything, does it?)
From the article: I think the desired behavior, which I witness with Konqueror too, is that if I type a URI into my file manager that it passes it off to a browser of some kind (it should be noted though, that Konq is not a prerequisite to installing Linux.)
This in my opinion ignores an important fact everyone should keep in mind: Internet Explorer with all its security issues is practically unremovable simply because there is no (official and/or obvious) separation between the code handling IE’s use area and the rest of the system (aka Windows Explorer). Meanwhile the internet jobs (rendering sites and executing javascript) in Konqueror are done by separate libraries for each (libkhtml.so and libkjs.so respectively, both located at /usr/lib/kde3/lib/ on my machine), which can easily be removed.
(Of course, as with removing IE, removing these libraries may break applications depending on them, but if securing/hardening a computer takes priority over not-yet-patched exploitable critical vulnerabilities the choice should be obvious nevertheless.)
I apologize to those who know this already…
User profiles are useful when you expect a variety of users to login to a system. Servers should only be touched by a small and fairly stable set of users, though.
Remove the software that is not required from any system and you eliminate the possibility that the removed part can cause any problems. Servers have a limited scope and a larger impact on many users if they fail or do not perform properly. Because of that, the list of software required on them is much smaller — and the list of parts that should not be there is much greater.
Less is more.
@AC Internet/Windows Explorer
Was this app installed on every Windows OS and easily removable a few years ago???
Was this very same app installed on NT Alpha boxes?
Was/Is this very same app still installable on Mac boxes….??? I know one of my Macs had it installed.
If IE is so highly integrated into Windows, how come it can be ported outside of a Microsoft OS???
MS wanted to keep IE tied to Windows as it hoped to create market share for IE… a very unusable, poor imitation of a product when MS purchased it… like everything MS does, it improves things slowly and if it’s around long enough the market falls into the MS de facto…
=======
I have always found it funny that people find it reassuring that there are more MS boxes than anything else in the world…
I do believe that MS have had their meat out of the WINDOWS OS WORLD and the code itself is probably in the most unmanageable state known to programming… The fact that most of the bulk of it has been contracted out for many decades…..
It’s the only way I can explain away the billions billions billions billions billions MS tells us it takes to go from
win95 -> win95se -> win98 -> win98se ->winME
NT3.5 -> NT4 -> NT4sp1 -> NT4sp2 -> NT4sp3 -> NT4sp4 -> NT4sp5 -> NT4sp6 NT4sp6a -> NT2000 -> XP -> NT2003
wake me up in 2100 and let me know if anything has changed…. probably will only be up to IE8 by then lol
It seems to me that a lot of these complaints about managing hundreds of Windows servers effectively without a good CLI, licensing system problems and other things are already addressed by Microsoft in its SMS (Systems Management Server) and MOM (Microsoft Operations Manager) products. One of the primary reasons SMS exists at all is to manage enterprise licensing properly – so why are people trying to use Excel spreadsheets and Access databases to do this? Ignorance?
I’ve read through this entire thread and I find it interesting that not one single post here, so far, mentions SMS and MOM, which together probably make most of the gripes here completely moot…
Was/Is this very same app still installable on Mac boxes….??? I know one of my Macs had it installed.
If IE is so highly integrated into Windows, how come it can be ported outside of a Microsoft OS???
IE for Mac is a separate code base.
Even if it wasn’t, being an integrated component of OS A (or, more accurately, the shell of OS A) doesn’t mean that *component* can’t be ported and put inside a wrapper application for OS B. For example, khtml.
“I’ve read through this entire thread and I find it interesting that not one single post here, so far, mentions SMS and MOM, which together probably make most of the gripes here completely moot…”
I completely agree. They can, in the right hands, take away nearly all of the issues covered above. However, most shops don’t have access to these applications due to declining budgets. The budget for many/most IT depts. is about enough to buy two rubber bands and a box of paper clips. My previous position had an IT budget consisting of daily/weekly begging and pleading, occasional tears and lots of whining. That experience is far from uncommon in this field.
I’m now much more fortunate than most and can purchase nearly anything I can justify (cool tools and toys). It’s far from what the average admin has access to.
I have just read through every comment here and the article and I have two things to say.
1. Good job on the article; I think it highlights some of the more annoying things in Windows, and Windows servers in particular, while still remaining reasonably unbiased.
2. All you Windows server fanboys, please actually use Linux before you start crapping on about it needing a GUI or it installing a media player by default also. Any system admin who does not use the custom install to select/deselect packages for install is not someone I would even consider hiring or trusting.
KDE
You are of course absolutely right; I understand that Linux is just the kernel. In the context of the conversation it’s being used to refer to the Linux kernel and the support files — the distro as a whole, or more simply GNU/Linux. What irritates me is when someone pops on only to point that out without contributing to the conversation. Those posts come off sounding like a cry for attention.
Okay, ICW isn’t in Windows 2003 when you attempt to browse the web. And neither is the licensing service configured automatically. And it’s called “Windows Help”, which has been excellent and complete ever since Windows 2000.
>> Was/Is this very same App still installable on MAC boxes….??? I know one of my MACs had it installed
There also used to be HP-UX and Solaris versions of Internet Explorer and Outlook Express (I think 5.0 was the last version, Mac version is still going strong).
WHY, WHY do we have to reboot to get the updates done? AHHH!
All they’d have to do is reload the registry and forget it!!
drsmithy:
On the Overhead of a GUI:
Are you saying that loading a complete graphics subsystem which is always loaded requires no memory, interrupts, semaphores, and CPU? Are you saying that a graphics driver NEVER crashed a Windows Server?
On the Log File stuff:
Ok, let’s see – I want to find all the users who failed authentication between the hours of 2:30 and 4:30 PM on Friday, September 24th, 2004. Then I want to find the IP addresses from which they attempted to logon from and feed that to nmap to see if they are Windows or Unix computers.
Are you saying that loading a complete graphics subsystem which is always loaded requires no memory, interrupts, semaphores, and CPU?
No, I’m saying those requirements are insignificant on any remotely capable hardware.
An idle login screen will be paged out and, as it doesn’t do anything, should consume no processing power.
Are you saying that a graphics driver NEVER crashed a Windows Server?
No.
However, the chances of the bog-standard VGA driver (which *I’ve* never heard of crashing a machine), while doing nothing more than displaying the login screen, crashing the machine are minuscule. About as likely as a serial port driver crashing a Linux box.
Ok, let’s see – I want to find all the users who failed authentication between the hours of 2:30 and 4:30 PM on Friday, September 24th, 2004. Then I want to find the IP addresses from which they attempted to logon from and feed that to nmap to see if they are Windows or Unix computers.
Filter the Security events (use a “New Log View” if you prefer). Export to a list, run a script over that list to look up the machine IPs and feed them into nmap.
At least that’s my response after taking 30 seconds to look at the problem. If it was something I was going to be doing regularly I might try and find something more efficient. The data you want to get at is probably obtainable via WSH, it’s certainly viewable and filterable in event viewer.
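The failed-logon search discussed in the exchange above, written out as an added example that is not part of the original thread: it parses a Security log that was exported from Event Viewer as CSV, keeps only the failure-audit logon events (529 and its siblings on Windows 2003, 4625 on later versions) whose timestamp falls inside the requested window, and lists the distinct source addresses so the result can be handed to whatever follow-up step you use. The export rows are constructed for this example (documentation IP ranges, invented user names), and the layout of the description field, in particular the “Source Network Address:” label, is assumed to match what Windows 2003 writes.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample of a Security log saved from Event Viewer as CSV, columns:
# Type, Date, Time, Source, Category, Event, User, Computer, Description.
# Rows, names and addresses are invented for this example.
SAMPLE_EXPORT = """\
Failure Audit,9/24/2004,2:41:07 PM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,TS01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP Logon Type: 10 Source Network Address: 192.0.2.10 Source Port: 1071"
Success Audit,9/24/2004,2:42:00 PM,Security,Logon/Logoff,528,CORP\\jsmith,TS01,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 10 Source Network Address: 192.0.2.10 Source Port: 1072"
Failure Audit,9/24/2004,3:15:22 PM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,TS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Source Network Address: 198.51.100.7 Source Port: 445"
Failure Audit,9/24/2004,4:29:59 PM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,TS01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Source Network Address: 198.51.100.7 Source Port: 445"
Failure Audit,9/24/2004,4:31:05 PM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,TS01,"Logon Failure: Reason: Unknown user name or bad password User Name: bjones Domain: CORP Logon Type: 10 Source Network Address: 203.0.113.5 Source Port: 1099"
Failure Audit,9/23/2004,3:00:00 PM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,TS01,"Logon Failure: Reason: Unknown user name or bad password User Name: bjones Domain: CORP Logon Type: 10 Source Network Address: 203.0.113.5 Source Port: 1100"
"""

# Logon-failure event IDs: 529-537 and 539 on Windows 2000/2003, 4625 on Vista and later.
FAILED_LOGON_EVENTS = {"529", "530", "531", "532", "533", "534", "535", "536", "537", "539", "4625"}

# The description is free text; these labels are assumed to match the 2003 layout.
USER_RE = re.compile(r"User Name:\s*(\S+)")
ADDRESS_RE = re.compile(r"Source Network Address:\s*(\S+)")


def parse_export(text):
    """Turn the CSV export into dicts with a real datetime per row."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < 9:          # skip blank or truncated lines
            continue
        etype, date, time, _src, _cat, event_id, _user, computer, desc = fields[:9]
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
        rows.append({"type": etype, "when": when, "event_id": event_id,
                     "computer": computer, "description": desc})
    return rows


def failed_logons(text, start, end):
    """(when, user, address) for each failed logon between start and end.

    start/end are inclusive and given as ISO strings, e.g. "2004-09-24 14:30".
    """
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for row in parse_export(text):
        if row["event_id"] not in FAILED_LOGON_EVENTS or not lo <= row["when"] <= hi:
            continue
        user = USER_RE.search(row["description"])
        addr = ADDRESS_RE.search(row["description"])
        hits.append((row["when"],
                     user.group(1) if user else "?",
                     addr.group(1) if addr else "-"))   # "-" when no address logged
    return hits


def source_addresses(hits):
    """Distinct source IPs from the hits, dropping entries with no recorded address."""
    return sorted({addr for _, _, addr in hits if addr not in ("-", "")})


if __name__ == "__main__":
    hits = failed_logons(SAMPLE_EXPORT, "2004-09-24 14:30", "2004-09-24 16:30")
    for when, user, addr in hits:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {user:<16} {addr}")
    print("\n".join(source_addresses(hits)))   # one address per line, ready for a pipeline
```

The time window is applied to the parsed timestamp rather than to the raw text, so the 4:31:05 PM row and the previous day's row fall outside it even though they are otherwise identical failures; a real export will also contain local (“-”) source addresses for console logons, which the address list deliberately drops.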
“Ok,
For those of you that are actually working to solve these issues:…”
So, you’re telling us that we have to go to 3rd party vendors and pay possibly EXTRA licensing fees? For some basic functionality? For a server OS that already costs $3,999 (according to MS website, Windows Server 2003, Enterprise Edition, 32-bit version)??
That’s just outright _insane_.
And yes, I know the tools you mentioned are available freely, but the fact that their functionality isn’t included in a $4000 Enterprise Server OS is just flat out ridiculous.
Apparently not, since soooo many individuals/institutions are buying it.
But yes I do agree. NW 6.5 is $500 + $10 per seat, and a much better product to boot.
Anyways, this is McAmerica, what do you expect?
And yes, I know the tools you mentioned are available freely, but the fact that their functionality isn’t included in a $4000 Enterprise Server OS is just flat out ridiculous.
Most of the things he listed _are_ included. The rest of them really aren’t even necessary.