WindowsNetworking.com Monthly Newsletter of July 2010 Sponsored by: Softinventive Lab
Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
I just completed an article about the consumerization of IT and its security implications for our sister website, WindowSecurity.com. Look for it to be published soon. But in the meantime, security isnít the only problem that the consumerization trend has created for network administrators. I read recently that during the recent World Cup, the "March Madness" NCAA basketball tournament and other popular sports events, employees watching web video of those games in the workplace brought some networks to their knees.
Workersí expectations that they will be allowed to use company computers - or their own devices, plugged into or wireless connected to the company network - for a certain amount of personal use have gradually crept into the corporate culture. The employee sees it from the perspective of ďIím not behind on my work and Iím on my fifteen minute break or my lunch hour, so whatís the difference between me watching the game (or the YouTube videos of my grandkids) and the employee who spends his/her down time standing around the water cooler, gossiping about the boss, or in the lounge, watching the news on TV"?
In a nutshell, the difference (along with security) is bandwidth. Employees A, B and C might be on break, but if they spend that break streaming high-bandwidth videos, how does that impact employees D, E and F who are trying to get real work done and whose connections are slowed by the congestion? This might not be a problem when weíre talking about three employees, but multiply that by several hundred or several thousand who are taking their lunch breaks at the same time and those who lunch early or late might find themselves sitting and waiting when theyíre trying to get a rush project done.
Many employees who wouldnít use the companyís computers to do their personal business think nothing of using its network. They bring in their smart phones, laptops or iPads and then connect them via wi-fi to the company network. Itís a lot cheaper than buying a high priced data plan from a cellular provider or, if you do have such a plan, using up some of your precious data allocation now that some carriers are eliminating their unlimited plans. Some of them may not have fast Internet connections at home so they bring their laptops to the office to connect and download those big files or watch online video that doesnít work well over their slower connections.They figure theyíre using their own devices and ďonlyĒ using the company network to get to the Internet, so no harm is done.
Streaming media is a bandwidth hog that some companies didnít take into consideration when they formulated their employee-friendly usage policies. After all, it all started with employees wanting to be able to check their personal email when on break, something that (unless large attachments were involved) didnít use much bandwidth. If your corporate network has bandwidth to spare, no problem - but some small and medium size businesses are already straining the limits. If you pay for Internet usage on a metered basis, the bandwidth hogs cost you money.
Other consumer oriented applications, such as peer-to-peer (P2P) file sharing and multi-player online games, are also big bandwidth users. Itís not just consumer apps and devices that consume excessive amounts of bandwidth, though. Some legitimate business applications are being misused or overused, resulting in strains on the company bandwidth. For example, sometimes when a company implements a new technology such as video conferencing, they go overboard with it and start using it when itís not necessary or even desirable, just out of fascination with the ďnew toy.Ē Firing up a video conference for every communication that could be just as efficiently handled by a phone call is a waste of bandwidth.
You can, of course, filter particular web sites or block certain protocols on the corporate network.You can use an edge device, in which case you should have one that can identify and report users for all protocols by requiring authentication at the gateway, such as Microsoft TMG and some (but not all) other edge firewalls. You can also block apps/protocols on each computer. You can either block protocols or applications completely or you can use bandwidth shaping to allocate (a.k.a. traffic shaping or packet shaping) bandwidth by giving priority to protocols that are more mission critical. Windows 7/Vista and Windows Server 2008/R2 include support for bandwidth shaping via policy-based Quality of Service (QoS). There are also numerous third party solutions for traffic management.
Windows QoS is built into Group policy, and with it you can control network usage based on applications, users and computers. You can set policies to prioritize traffic according to values within the Type of Service field in IPv4 packet headers and the Traffic Class field in IPv6. You can configure a user-based policy on the domain controller and propagate it to the userís computer, no matter where or how the user logs onto the network. To find out more about policy based QoS, follow this link.
An edge device is most effective if you want to block everyone on the network from using the specified Internet protocols or applications. In some cases, however, there will be some legitimate business use (even for YouTube). Then youíll need to either block by user or use the traffic shaping method to prioritize bandwidth use.
Of course, the technological solutions are only part of the solution. You need an acceptable use policy that addresses the excessive bandwidth consumption problem, as well. Heavy-handed policies that attempt to completely ban all personal use often backfire; the key is to set reasonable rules and to educate employees as to the rationale behind the restrictions. People are much more willing to accept and support rules that they understand.
By Debra Littlejohn Shinder, MVP
3. WindowsNetworking.com Articles of Interest
How to hide the Public shortcuts on the folder and favorites list
Removing the shortcut from the Favorite Links is easy. Just open your Links folder: C:\Users\username\Links. Then delete the Public.lnk.
Taking the shortcut off of the Folders List, however, requires a registry change. You need to delete the following registry key:
For more administrator tips, go to WindowsNetworking.com/WindowsTips
Something Iíve learned from talking to a number of people who have rolled out DirectAccess in their organizations is that some of the wireless carriers are not allowing IP Protocol 41 over their networks. I have no idea why they arenít allowing this, but itís causing a problem with wireless DirectAccess clients who need to use 6to4 when assigned a public address when connected to the Internet. Whatís the solution? Well the fact is that while 6to4 is the default used when connecting over the Internet, that doesnít mean you have to use 6to4. Instead, you can use Teredo or even IP-HTTPS. This monthís tip is that you disable the 6to4 IPv6 transition technologies throughout your network. You can do this via Group Policy. This also solves the problem with 6to4 when you use public IP addresses on your intranet, something you see sometimes in large corporate networks and in academic networks. Itís safe to disable 6to4 and doing so will save you a ton of trouble.
I know that you get a lot of DirectAccess questions and I will understand if you do not want to answer this one in the newsletter. But I went to TechEd in New Orleans this year and saw a lot of the talks on DirectAccess, including two of them that your husband did. DirectAccess really looks like the answer to a lot of problems we have had in our company regarding VPN and user productivity when theyíre out of the office. My boss thinks itís a great idea and his boss has a friend who is already using it and he thought it was fantastic! So now itís my job to figure out what I need. Right now my network is using Windows Server 2003 domain controllers and we have a mix of Windows 2000, Windows 2003 and Windows Server 2008 servers. We do not have any Windows Server 2008 R2 servers and we do not use IPv6 on our network. Our client machines are mostly Windows XP, but weíre planning on moving to Windows 7 by the end of the year. Do you think that DirectAccess will work for us?
Thanks! - Donny K.
Great question. Any chance you saw me at TechEd? I was at the Remote Desktop Server booth and I got to meet a lot of great people there. If not, I hope to be at TechEd in Atlanta next year so maybe weíll cross paths there.
Overall, I think you're in great shape for providing your users DirectAccess connectivity to your corporate network. Let me know if you have any problems getting things set up and Iíll make sure to connect you to the right resources to make things go as smoothly as possible.