After Slow Start, Windows 2000 Takes Off
By Heather Hayes
Microsoft Corp.'s Windows 2000 survived a slow start following its introduction in March, and now is taking hold among federal agencies eager to use the operating system's advanced capabilities, according to industry observers.
Government agencies, flush with new fiscal year funding, are enthusiastically ramping up the planning and pilot phases of an anticipated mass migration to both Windows 2000 desktops and servers. And in August, the possibilities increased with the much-anticipated release of Microsoft's Datacenter Server, an Intel-based, enterprise-level server system.
"The question is not really are federal agencies going to move to the new platform, but when they're going to move," said Susan Turpyn, director of Microsoft business development for Unisys Corp., a systems integrator with federal offices in McLean, Va. "Our expectation is that we're going to see these major deployments occur in a big way, probably within the next 12 months."
Windows 2000 is the follow-on operating system to the robust, but not always stable, Windows NT 4.0. Microsoft's latest product family features four versions:
• A desktop and laptop system known as Windows 2000 Professional;
• Windows 2000 Server, which with four processors and four gigabytes of random access memory, or RAM, is designed for e-commerce and departmental-level application processing;
• Advanced Server, which offers eight processors and eight gigabytes of RAM, is positioned to perform load-balancing and failover;
• The Datacenter Server, which boasts eight times as much processing power as Advanced Server.
The first three versions were released in March.
Surprisingly, government organizations are not being as conservative as everyone initially predicted in early spring.
"Windows 2000 is being adopted ever so slightly faster by government agencies than we had projected," said Dan Kuznetsky, program director for operating environments and serverware at International Data Corp. (IDC), a market research firm in Framingham, Mass.
Indeed, at least 15 federal agencies have undertaken Windows 2000 pilots or test-beds, according to Market Access International Inc., a market research, sales and marketing firm in Chevy Chase, Md., which recently conducted a survey on Windows 2000 migration.
Among those making the move early are the Air Force, Army, Navy, Environmental Protection Agency and departments of Agriculture, Interior, and Health and Human Services. Still others are just getting started on planning for anticipated migrations and development of testing laboratories, including the Internal Revenue Service, Social Security Administration, NASA and the National Credit Union Association.
And the No. 1 reason why agencies like Windows 2000?
"Far beyond anything else, it's stability," said John Linn, Microsoft Tech Team and business development manager for GTSI Corp., an information technology solutions provider in Chantilly, Va., that is helping several military organizations plan their migrations.
The company unveiled its Tech Team in early June to help agencies with Windows 2000 planning and deployment issues.
"A lot of our customers have remarked how astonishingly stable and reliable it is," Linn said. "They just don't have the problems they had previously with Windows NT 4.0 and Windows 98."
Other compelling benefits that the new platform offers to government agencies include its power management for notebooks, robust plug-and-play capability, scalability and security features, which include an authentication protocol called Kerberos and enough encryption to make it compliant with the Federal Information Processing Standard 140-1.
At this point, most agencies are beginning their migration to Windows 2000 at the desktop level, according to Quazi Zaman, technology specialist manager for Microsoft Government. The impending server migration, however, promises to be more difficult and complex, especially for large and highly decentralized agencies.
For this reason, industry observers expect government organizations to lean strongly on systems integrators and consultants for help, especially during the planning, assessment and design of the architecture, as well as planning the actual deployment.
"For most agencies, this is going to be a pretty big effort," said Turpyn. "You have to go out and touch every desktop, and if you're implementing it at the server level, which is where the real management benefits accrue, you've got to go out and work all the servers as well."
The Market Access International survey found that many agencies expect a one-year delay in deployment in order to provide for testing, roll-out planning and training. One reason is the complexity involved with the Active Directory, a highly touted but very centralized enterprisewide directory service that stores information about users, applications and network resources.
"Active Directory is not something that you just load up and go with," said Zaman. "With Windows 2000, we have scaled our directory services to have incredibly large numbers of data sets. We have tested up to 87 million users in Active Directory."
That provides customers the opportunity to centralize their enterprise IT infrastructures in a single domain and streamline their environments.
As a result, "you're providing one central information point for everything," said Joe Vitiello, a systems architect for Unisys. "Moving to that for agencies is especially tough, because they've databases galore, and you've got the same information in multiple places.
"You think about an agency as big as the Army," he said. "Let's say they had 50 different directories before. Now they will have just one. So that means that those 50 groups have to now be in sync. It's a tough task to take on and can be a real mess if you don't do it correctly to begin with."
In fact, the Social Security Administration is so concerned about properly setting up its Active Directory that, like many other agencies, it is developing a Windows 2000 laboratory.
"We want to spend as much time as we believe necessary in developing Active Directory," said Austin Smallwood, director for client-server configuration in the office of telecommunications and systems operations at Social Security. He said his team has recently identified an area within the agency's National Computer Center to house the lab.
At present, Social Security tech employees support in excess of 4,000 servers and 100,000 devices, a fact that will make a mass migration particularly difficult.
"We know that any transition to a new system will not take place overnight, so part of our lab proposes to take into consideration that we may have a mixed environment for a period of time. This may mean having a Windows NT 4.0 backup to the main controller configuration to support both Windows NT and Windows 2000 while we're going through the transition," Smallwood said.
He added that the agency will do a pilot once it's satisfied with the performance of the operating system in the lab.
The IRS, meanwhile, is taking things even slower, despite the fact that the agency had initially planned to be part of Microsoft's Windows 2000 Rapid Deployment program. It eventually pulled out because of uncertainty over the year 2000 crisis.
Tom Hoffman, senior technical manager and adviser and director of the information systems field operations for the IRS, is shooting for a full migration of Windows 2000 across the agency by January 2002. In preparation, however, his office is standardizing all of its servers and workstations on Windows NT 4.0 even while testing and using Windows 2000 in a lab environment and training its technical staff.
At the same time, the agency is working with Computer Sciences Corp., El Segundo, Calif., to develop a potential Windows 2000 architecture and plan the Active Directory.
"It's a fairly extensive design, as you can imagine, and not something that you step into lightly," he said, adding that the agency will benefit especially from the mobility features of the new operating systems and the Active Directory, which will link a lot of its disparate systems together.
Vitiello said that integrators will be called upon to play a key role in helping agencies in their Windows 2000 planning exercises, especially the Active Directory.
"It's not so difficult to do technically as it is politically and culturally," he said. "Everyone will have to work in the same method. But integrators can provide the outside objectivity and lessons learned that will be required. And that means you have to bring all the stakeholders together around one table and really get them talking and working together."
Another cultural problem agencies will face is the especially close tie-in that Windows 2000 has with the network layout. Again, integrators can help bridge the gap between client-server specialists and the networking group.
"Your design people have to be cross-bred," Vitiello says. "It's not just knowing my file servers and workstations anymore, you have to know the name servers and the network topology, how the network is put together. All that comes into play when you're designing the Active Directory. Integrators will have to bring those two worlds together."
On the Cheap
By Heather Hayes
Datacenter Server, the last and biggest member of the Windows 2000 family of products, offers a new choice for agencies in need of hard-line enterprise server software.
With Datacenter Server, Microsoft Corp. is aiming for performance and stability on par with major competitors such as Unix, Solaris and Linux, but at a lower cost.
How can Microsoft build a lower-cost server?
"It's standard Intel chip technology. It's not proprietary," said Susan Turpyn, director of Microsoft Business Development for Unisys Corp., a systems integrator in McLean, Va.
Datacenter boasts 32 processors and 64 gigabytes of RAM. It is intended for agencies looking to perform server consolidations, especially those that handle large amounts of data sets, applications and voluminous databases and need to provide at least 99.9 percent availability, according to Quazi Zaman, technology specialist manager for Microsoft Government.
Unlike other Windows 2000 servers, Datacenter is not available on every corner. Microsoft is selling the product only through a few select original equipment manufacturers, including Compaq Computer Corp., Dell Computer, Hewlett-Packard, IBM Corp. and Unisys.
Turpyn said Microsoft also has developed a joint support program with its certified partners for this product.
"When a problem exists at a customer site, there's one place to call, and Microsoft and the [original equipment manufacturer] will both staff that call center and manage all the problems," she said. "There's no fingerpointing. We're in it together, and we commit together to at least 99.9 percent uptime on the basic platform, depending on what the customer wants. That is totally unique for an Intel platform with a Microsoft operating system."
Plugging the Holes
By Heather Hayes
As operating systems go, Microsoft Corp.'s Windows 2000 boasts some of the best security features around, including application layer authentication. But that doesn't mean users aren't vulnerable to attacks, especially from a network connectivity point of view.
Not to worry: Network-1 Security Solutions recently came to the rescue with CyberWallPlus, the first distributed firewall and intrusion detection product on the market for Windows 2000.
"Unfortunately, operating systems do not have very good network access control," said Avi Fogel, president and chief executive officer of Network-1 Security Solutions Inc., a developer and distributor of distributed network intrusion prevention products based in Waltham, Mass. "That weakness is what was at the heart of all the major attacks that occurred on all those large e-commerce sites last February."
In fact, in late August, Microsoft announced a vulnerability in its new platform that leaves networks with external firewalls susceptible to internal attacks, and those sites with no host-resident embedded firewalls vulnerable to both external and internal attacks.
Microsoft has since released patches to fix the problem, but Fogel said CyberWallPlus takes care of the problem as well, even while providing a kind of hardening layer to the Windows 2000
The product, based on advanced, multilevel packet filtering technology, provides granular network access controls and intrusion detection by recognizing the signatures of known network attacks against both Microsoft NT 4.0 and Windows 2000 systems.
CyberWallPlus can defeat such attacks in real-time, according to Fogel, even before alerting personnel.
Already, CyberWallPlus has been picked up by several military and civilian agencies, all of which Fogel said are looking for a second line of defense against both outside and inside attacks. In fact, the Computer Security Institute and the FBI have both estimated that 75 percent of security breaches come from internal sources, and the cost of such attacks is nearly 50 times higher than that of external strikes.
"Even if you put in multiple layers of perimeter defense, there are still insiders that have access through the local network to resources that they shouldn't have access to," Fogel said. "This is especially so when you start gluing networks together in this age of