jjarava
03/26/2007 4:55 AM
Just a little question: What about those computers that are *truly*
isolated (ie, they don't have and won't have any kind of connection to
the 'net?) I guess they won't be able to *ever* use Vista, am I
right??
We do quite a bit of work with the military and defense-related
companies. Most, if not all, of the different security guidelines
specify no internet connection at all, ever, for *any* of the
computers on the network.
If the company does defense-related work, the computers that are used
for each project usually are required to be in a different, isolated
network (one for each project). I have a client that has had to build
a tempest-proof secured room (and that's quite impressive to see, I
can tell you: isolated metal double walls, with a sort of "compression
chamber" with double doors that can't be opened at the same time, etc
etc...) for their defense projects.
If my understanding of Vista activation is correct, even IF the work
group involved more than 25 computers (and that's not too common, but
let's leave that problem for later), the MKS server has to connect to
the Internet at least once to start activating... Then the rules would
prevent that server from being part of the secure network, so we're
back at square one...
And then we have the (most common) case when there are maybe 5-10
engineers working on a given project... no MKS for them, but MAK
activation is out of the question too...
I know that this scenario might seem a little far-fetched, but it's
not that uncommon / strange. This is not a problem ATM as most secured
networks I've worked with lag quite a bit in technology; most of them
are on Windows 2000 right now (there are quite a bit on NT, and
supporting them is a pain, but that's for another thread ;), and
they're secured using a modified version of the NATO INFOSEC/NACOSA
guides, and the one for XP was released only a few months ago ;)...
But although right now most defense orgs I know are wondering if this
new XP thing will bring anything interesting to the table, at the
engineering companies that work for them they use XP...
So, has this scenario been considered and rejected? Or is there a
solution in the works? Or maybe it's just a problem of my improper
grasp of how Vista activation works?
And just to give an example of how seriously these people take the
issues raised, I'll give you an example: I know of a network (~30
computers, I believe) that was deployed to support operations of a
NATO-Classified comms system in one military base. When the auditors
came a few weeks later to certify the network, they found that the
file server (W2K Server) had been built from a Ghost image of a server
that had been connected to the Internet (just to download Windows
Update patches). Even though it was "just" a file server and that server
itself hadn't connected to the Internet, they had the entire network
rebuilt from scratch. I won't go into the argument of whether that behaviour
is sensible or not; I just wanted to point out how these outfits work.
Just my 0,002
Javier J
On 23/03/07, Laura A. Robinson wrote:
> The rationale was to attempt to thwart hackers. It was believed that by
> requiring 25+ machines activate before the KMS would "work", that hackers
> wouldn't be able to set up and use a bogus KMS for activation because they
> wouldn't have enough machines to activate against it (VMs don't count
> towards the n-count, and Microsoft actively scours the 'net to find exposed
> KMSs and shut them down). It had nothing to do with company size. In fact,
> I've spoken with numerous very large customers who have complaints about the
> 25 machine requirement due to various restrictions in their environments
> (isolated test labs, small remote locations, pilot deployments, etc.).
>
> Whether or not it was the wisest design decision, the limitation was
> implemented as an attempt at piracy defense, not as a money-making effort.
> Customers' licensing pricing has nothing to do with whether or not they have
> a KMS. There is also not a one-to-one mapping of license to activation.
> Everything on the KMS side is "honor system"; Microsoft does not track
> KMS-activated machines.
>
> Laura
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Garrett
> > Sent: Friday, March 23, 2007 4:16 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] OT: KMS on Win2k3 sp1
> >
> > I've read all the documentation....several times....it just
> > doesn't make any sense as to WHY.
> >
> > What is the underlying rationale for this concept? Is it a
> > money thing?
> > A company with less than 25 workstations must pay for a
> > license for each vs a company with more than 25 that can buy
> > a volume license?
> >
> > I'm so confused!!
> >
> > Al
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura A.
> > Robinson
> > Sent: Friday, March 23, 2007 1:04 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] OT: KMS on Win2k3 sp1
> >
> > That is correct. KMS maintains an "n-count", which is a count
> > of the current number of machines either requesting or having
> > already received activation.
> > Once you have 25 machines requesting activation, the KMS will
> > activate them all (technically, they'll all be able to
> > activate because they retrieve the n-count from the KMS
> > before they try to activate, and if it's less than 25, they
> > don't activate until it is 25+). From that point on, as long
> > as there are consistently 25 or more machines activated
> > against the KMS, it will continue to [re]activate. If,
> > however, you drop below 25 machines that have activated
> > against the KMS, the KMS will stop activating until it has an
> > n-count of 25 again.
> >
> > The simple answer is this: you must have 25 or more machines
> > "using" the KMS at all times. If you drop below 25 machines
> > and activations begin to expire, your clients will not be
> > able to renew unless and until there are 25 of them out there
> > requesting activation.
> >
> > This is explained in the Windows Volume Activation Technical
> > Guidance, which can be found here:
> > http://www.microsoft.com/downloads/details.aspx?familyid=9893F83E-C8A5-4475-B025-66C6B38B46E3&displaylang=en
> >
> > Sorry, mobile users, I can't paste an entire page of
> > downloads in here so that you don't have to click the link.
> > :-) However, the short copy and paste is this:
> > http://www.microsoft.com/technet/windowsvista/plan/faq.mspx
> > "Volume License Policies
> > Q. What is n-count?
> > A. N-count is the minimum number of computers that have to
> > connect to a KMS host before any KMS client computers are
> > activated. This value is stored in the license policy of the
> > client computer, and the activation decision is made by the
> > computer based on the count that KMS returns. The n-count for
> > Windows Vista is 25. This value is not configurable. A
> > Windows Vista client computer will activate itself if the KMS
> > returns an n-count equal to or greater than 25."
> >
> > Actually, I think the FAQ answer is better than mine. :-)
> >
> > Laura
> >
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Garrett
> > > Sent: Friday, March 23, 2007 3:42 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] OT: KMS on Win2k3 sp1
> > >
> > > KMS loaded and operating fine, but what does the sentence about "25
> > > workstations" mean? Activation doesn't take effect until I have at
> > > least 25 Vista workstations online?
> > > I can't find an explanation anywhere.
> > >
> > > -----Original Message-----
> > > From: ActiveDir-owner@mail.activedir.org
> > > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan
> > > Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > > Sent: Friday, March 23, 2007 12:06 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] OT: KMS on Win2k3 sp1
> > >
> > > http://www.microsoft.com/downloads/details.aspx?familyid=81d1cb89-13bd-4250-b624-2f8c57a1ae7b&displaylang=en&tm
> > >
> > > Key Management Service for Windows Server 2003 SP1 and later enables
> > > enterprise customers to activate Windows Vista Volume Licensing client
> > > machines. (36)
> > >
> > > http://www.microsoft.com/downloads/details.aspx?familyid=03fe69b2-6244-471c-80d2-b4171fb1d7a5&displaylang=en&tm
> > >
> > > Key Management Service for Windows Server 2003 SP1 and later enables
> > > enterprise customers to activate Windows Vista Volume Licensing client
> > > machines. (64)
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
> > > > > > --
> > > No virus found in this incoming message.
> > > Checked by AVG Free Edition.
> > > Version: 7.5.446 / Virus Database: 268.18.17/730 - Release
> > > Date: 3/22/2007 7:44 AM
> > > > > > > > > > --
> > No virus found in this outgoing message.
> > Checked by AVG Free Edition.
> > Version: 7.5.446 / Virus Database: 268.18.17/730 - Release Date:
> > 3/22/2007
> > 7:44 AM
> > > > > > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
> > > > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.5.446 / Virus Database: 268.18.17/730 - Release
> > Date: 3/22/2007 7:44 AM
> > > > > > --
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.17/730 - Release Date: 3/22/2007
> 7:44 AM
> > > List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
> List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx | | | |
|
|