In times of shrinking budgets, organizations may have trouble affording an upgrade to the latest version of Microsoft Windows in one fell swoop. Instead, some take a staged approach.
This is especially true with Windows XP, a relatively stable platform, and Windows Vista, a product associated with under-the-hood changes. The problem with phased migrations is that there will be a period of time, often many months, when you may need to work to ensure the two platforms can coexist happily on the same network.
Here are five best practices to help your staged migration from XP to Vista take place with a minimum of problems.
1. Make sure your XP apps will run on Vista.
If you’ve developed custom applications for your agency that run on Windows XP computers, you need to ensure that they will run properly on Vista before you migrate computers to the new platform. There are several architectural changes in Vista that can cause problems for apps coded for earlier versions of Windows. For example, the user profile folder structure has been completely overhauled in Vista. My Documents is now named Documents and is now found under C:\Users instead of C:\Documents and Settings. The same goes for My Pictures, My Music and My Videos.
In addition, these profile folders are now peers of the Documents folder instead of subfolders. So if your apps have hard-coded profile folder paths, you may need to replace these with paths that use environment variables to make sure the custom apps can access profile locations properly. For more info on Vista profiles, see Chapter 14, “Managing Users and User Data,” in the Windows Vista Resource Kit, Second Edition.
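One way to audit a custom app for the hard-coded profile paths described above. This is an added example, not from the original article; the `C:\Apps\CustomApp` root and the file-extension list are assumptions to adjust for your application.

```powershell
# Added example: locate hard-coded XP profile paths in an application's files.
# $AppRoot and $Include are hypothetical defaults, not values from the article.
param(
    [string]$AppRoot = 'C:\Apps\CustomApp',
    [string[]]$Include = @('*.config', '*.ini', '*.xml', '*.bat', '*.cmd', '*.vbs', '*.ps1')
)

# Regex patterns for the two assumptions that break on Vista:
#  1. the profile root is <drive>:\Documents and Settings\
#  2. Pictures/Music/Videos live underneath My Documents
$patterns = @(
    '[A-Za-z]:\\Documents and Settings\\',
    '\\My Documents\\My (Pictures|Music|Videos)'
)

# Report every file and line that contains one of the patterns.
Get-ChildItem -Path $AppRoot -Recurse -Include $Include -ErrorAction SilentlyContinue |
    Select-String -Pattern $patterns |
    Select-Object Path, LineNumber, @{ Name = 'Text'; Expression = { $_.Line.Trim() } }

# What the replacements should resolve to at run time. The same calls return
# the correct location on both XP and Vista, so no path needs to be hard-coded.
'Profile root : ' + $env:USERPROFILE
'App data     : ' + $env:APPDATA
'Documents    : ' + [Environment]::GetFolderPath('MyDocuments')
'Pictures     : ' + [Environment]::GetFolderPath('MyPictures')
'Music        : ' + [Environment]::GetFolderPath('MyMusic')
```

Running the last five lines on one XP machine and one Vista machine shows the two folder layouts side by side.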
Another change that can affect older custom apps is Session 0 Isolation, a new feature of Vista that isolates all services in Session 0 while running apps in other sessions so services can be protected from attacks originating in application code. Gov Maharaj, a software design engineer on the Windows team at Microsoft, says any custom apps that depend on a service on the desktop will likely not work because of Session 0 Isolation.
“That means you need to make sure that any services that your application uses do not prompt any user interface notifications,” Maharaj says. “Also, during early testing, you will want to make sure services work in a real terminal server environment rather than the local console.”
2. Set up users so they can roam the network as needed.
The changed profile folder structure in Vista compared with XP also impacts how Folder Redirection (FR) and Roaming User Profiles (RUP) work on the two platforms. Storing settings and data for users on network file servers helps ensure this information can be backed up easily and lets users roam the network using different computers if needed. But getting FR and RUP to work properly in a mixed Vista-XP environment takes some planning. According to technology author Jerry Honeycutt, “Things can get confusing in a free-seating environment, where users roam from PCs that are running Windows XP to PCs running Windows Vista.”
Chapter 14 of the Windows Vista Resource Kit, Second Edition, is also a good source of information on how to make FR and RUP work together in mixed environments. Another useful guide is the Managing Roaming User Data Deployment Guide.
3. Consider network connectivity and sharing issues.
The implementation of a new least-privileged user account security model in Vista can impact network connectivity and file and print sharing between XP and Vista computers. For example, mapped drives that work under XP may not be accessible from Vista and vice versa. The underlying issue here, according to Maharaj, is that when accessing the share of a remote machine, if you are in a split token account, you will by default use your lower level token to access the share. “That means even if you are part of the Administrators group and you access an admin-only share, you will be denied access unless you are also granted explicit access by name,” he says.
Another networking issue is that Vista’s new Network Map won’t even display your XP computers unless you download and install the Link Layer Topology Discovery Responder on your XP computers.
4. Use WMI filtering.
If possible, you may want to group XP and Vista computers into different organizational units so you can apply separate Group Policy Objects (GPOs) to each platform. But if this arrangement isn’t feasible for your organization, don’t fret — you can use Windows Management Instrumentation (WMI) filtering to control the version of Windows a particular GPO applies to. Honeycutt says that some customers might stumble initially on the differences in Group Policy.
“But there’s really no need for this,” he says. “Filtering policies based on which Windows version is made easy by using WMI filters, so it’s not hard to keep unique settings targeted specifically at PCs running Windows Vista.”
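The WMI filters described above come down to one WQL query per platform. The queries and the local check below are an added example, not from the original article; the filter names are assumptions.

```powershell
# Added example: WQL queries suitable for GPO WMI filters, plus a local check.
# A GPO linked to a WMI filter applies only when the query returns a result.
# ProductType "1" restricts the match to client (workstation) editions, so
# servers that share a kernel version number are excluded.
# Note: Windows XP Professional x64 Edition reports version 5.2, not 5.1.
$filters = @{
    'XP clients'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = "1"'
    'Vista clients' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"'
}

# Evaluate each query on this computer, the same way Group Policy processing
# would, to confirm which filter the machine falls under before linking it.
foreach ($name in $filters.Keys) {
    $match = Get-WmiObject -Namespace 'root\CIMv2' -Query $filters[$name]
    if ($match) {
        "${name}: query matched, GPO would apply"
    }
    else {
        "${name}: no match, GPO would be skipped"
    }
}
```

Paste the query strings into the WMI Filters node of the Group Policy Management Console, using the `root\CIMv2` namespace.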
5. Watch your software agents.
Finally, network backup and antivirus software that work on XP may have difficulty running on Vista. Maharaj says when it comes to backup apps, the agents they use to install on XP may not install at all on Vista and may require a tweak or replacement of your backup solution.
“Remember that NT backup has been completely removed from Vista,” Maharaj says. “Tape backup support has also largely been removed from Vista. Virus-scanning agents have similar issues and may require an update or a complete change.”