Author: ken (Posts: 59) | 03/26/2007 8:29 AM

If you don't have a lot of machines, then you could activate over the phone.
Cheers
Ken
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Javier Jarava
Sent: Monday, 26 March 2007 6:55 PM
To: ActiveDir@mail.activedir.org
Subject: What about isolated networks, how will MKS et al work? (was: Re:
[ActiveDir] OT: KMS on Win2k3 sp1)
Just a little question: What about those computers that are *truly*
isolated (ie, they don't have and won't have any kind of connection to
the 'net?) I guess they won't be able to *ever* use Vista, am I
right??
We do quite a bit of work with the military and defense-related
companies. Most, if not all, of the different security guidelines
specify no internet connection at all, ever, for *any* of the
computers on the network.
If the company does defense-related work, the computers that are used
for each project usually are required to be in a different, isolated
network (one for each project). I have a client that has had to build
a tempest-proof secured room (and that's quite impressive to see, I
can tell you: isolated metal double walls, with a sort of "compression
chamber" with double doors that can't be opened at the same time, etc
etc...) for their defense projects.
If my understanding of Vista activation is correct, even IF the work
group involved more than 25 computers (and that's not too common, but
let's leave that problem for later), the KMS server has to connect to
the Internet at least once to start activating... Then the rules would
prevent that server from being part of the secure network, so we're
back at square one...
And then we have the (most common) case when there are maybe 5-10
engineers working on a given project... no KMS for them, but MAK
activation is out of the question too...
I know that this scenario might seem a little far-fetched, but it's
not that uncommon / strange. This is not a problem ATM as most secured
networks I've worked with lag quite a bit in technology; most of them
are on Windows 2000 right now (there are quite a bit on NT, and
supporting them is a pain, but that's for another thread ;), and
they're secured using a modified version of the NATO INFOSEC/NACOSA
guides, and the one for XP was released only a few months ago ;)...
But although right now most defense orgs I know are wondering if this
new XP thing will bring anything interesting to the table, at the
engineering companies that work for them they use XP...
So, has this scenario been considered and rejected? Or is there a
solution on the works? Or maybe it's just a problem of my improper
grasp of how Vista activation works?
And just to give an example of how seriously these people take the
issues raised, I'll give you an example: I know of a network (~30
computers, I believe) that was deployed to support operations of a
NATO-Classified comms system in one military base. When the auditors
came a few weeks later to certify the network, they found that the
file server (W2K Server) had been built from a Ghost image of a server
that had been connected to the Internet (just to download Windows
Update patches). Even though it was "just" a file server and that server
itself hadn't connected to the Internet, they had the entire network
rebuilt from scratch. I won't go into the argument if that behaviour
is sensible or not, I just wanted to point out how these outfits work.
Just my 0,002
Javier J
On 23/03/07, Laura A. Robinson wrote:
> The rationale was to attempt to thwart hackers. It was believed that by
> requiring 25+ machines activate before the KMS would "work", that hackers
> wouldn't be able to set up and use a bogus KMS for activation because they
> wouldn't have enough machines to activate against it (VMs don't count
> towards the n-count, and Microsoft actively scours the 'net to find exposed
> KMSs and shut them down). It had nothing to do with company size. In fact,
> I've spoken with numerous very large customers who have complaints about the
> 25 machine requirement due to various restrictions in their environments
> (isolated test labs, small remote locations, pilot deployments, etc.).
>
> Whether or not it was the wisest design decision, the limitation was
> implemented as an attempt at piracy defense, not as a money-making effort.
> Customers' licensing pricing has nothing to do with whether or not they have
> a KMS. There is also not a one-to-one mapping of license to activation.
> Everything on the KMS side is "honor system"; Microsoft does not track
> KMS-activated machines.
>
> Laura
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx