Application compatibility final
1. Everything You Want to Know About Application Compatibility But Were Afraid to Ask Harold Wong blogs.technet.com/haroldwong
2. How much is this app compat thing going to cost me? Why did you break half of my software? All I need to do is run ACT long enough, and it’s fixed, right? Can I just stroke a check and have this problem go away? Should I just stay on Windows XP? The Internets said to just turn off UAC. Doesn’t App-V just fix it all for me? The MED-V brochure said just virtualize it all and migrate. The tool brochure said it fixes 90% of the problems. Why can’t my company afford a chair for me? No, seriously, can I have a chair, please? Listen, I’m not talking about App Compat until I get a chair.
3. App-V Beyond Trust ACT 5.5 Win XP Mode ACF Partners MED-V AppDNA ChangeBase Shims Disable UAC There Are No Silver Bullets
4. Session Objectives and Takeaways Session Objectives: Understand that app compat isn’t easy Understand that app compat is not impossible Key Takeaway: Chris’ home number is a 900 number. Check the bathroom wall for details.
5. Things I Heard on the Internets About… We’re going to be speaking mainly the truth today …but we’ll also be confronting some mistruths along the way Mistruths and misconceptions will be identified with the heading “Things I Heard on the Internet About:…” For those who are not familiar with The Internets, it’s a series of tubes
6. Why Is App-Compat Hard? It never used to be this hard! Backward-compatibility used to win Shell Folders p:productsublic CON, PRN, NUL Starting with XP SP2, not anymore Customers demanded better security Vista was the first major desktop OS release after TWC memo Starting with Windows 7, we’re winning again…
7. How Do I Run an App-Compat Project? Planning, Planning, Planning!!!
8. App Compat Project Plan (flowchart, from start to end). Boxes shown: Assessment, ACT Inventory, Rationalize, Initial Budget, Refine Budget, Automated Analysis, “App Install Green?” (Yes/No), Install Manual Test, “App Run Green?” (Yes/No), Detailed Automated Analysis, Runtime Manual Test, User Manual Test, Remediate, Ready to Deploy.
9. Planning an App Compat Project TechNet Magazine June 2009 Articles by: Chris Jackson and Chris Corio http://technet.microsoft.com/en-us/magazine/dd799202.aspx
11. Some things that had to change: Microsoft Agent had to go Productivity killer Users hypnotized by agents’ antics More popular than YouTube Made computers too easy to use Killed market for instructional videos The single biggest app-compat hit, ever
12. Nobody uses the Agent control! Do they? Actual screenshot from a real customer engagement. No consultants were (seriously) harmed in the capture of this screenshot.
13. Some things that had to change: Everyone runs as “standard user” The infamous User Account Control Even admins run as “standard user” The single biggest app-compat hit, ever
14. Things I Heard on the Internet About: User Account Control UAC is… Windows asking me “Are you sure?”… over and over and over again A useless pain in the @$$ Stupid, and smart people disable it Especially smart developers UAC breaks everything It’s OK to say, “We recommend turning off UAC to run this software.” Wrong!
15. The Truth About UAC The first step toward Standard User Required to improve security and TCO Suite of technologies to fix stuff, not break it Running as standard user breaks stuff That’s why no one did it before UAC! Admin-Approval Mode enables legit admins to run as standard user And then perform admin actions using the same account Your end users shouldn’t be admins to begin with And can’t approve elevation prompts Disabling UAC turns off IE Protected Mode
16. We break – we fix: UAC’s file and registry “virtualization” Redirects access attempts from protected areas to non-roaming parts of user profile Not related to App-V’s “bubble” This is per-user, not per-application
17. Virtual memory Virtual address space Virtual communities NT Virtual DOS Machine (NTVDM) Java Virtual Machine (JVM) MS Visual Basic Virtual Machine (MSVBVM) Virtual processors (hyperthreading) Virtual reality Virtual teams Virtual private network (VPN) UAC file and registry virtualization Application virtualization Machine virtualization (Virtual PC, Virtual Server, Hyper-V) Virtual Earth MS Enterprise Desktop Virtualization (MED-V) Virtual pets Virtual Desktop Infrastructure (VDI) virtual keyword (C++, C#) Virtual directory (IIS) Virtual device driver (VxD – obsolete!) Virtual overload: It’s the new “.NET”!
18. We break – we fix: UAC’s file and registry “virtualization” Redirects access attempts from protected areas to non-roaming parts of user profile Transparent to the app Fixes many permissions-related issues Does not apply to all apps or all file types New in Win7: Writing to root of C:\ redirects
19. Things I Heard on the Internet about: Internet Explorer 8 Standards Compliance IE8 breaks the web and makes little girls cry If your site works on IE6, but breaks on IE8, the fix is easy – use Firefox! Wrong!
20. Some things that had to change: Internet Explorer 8 Standards Compliance Meets customer demand, good for the web App compat > 80% Compatibility View is extremely helpful On by default for Intranet Quirks mode also helpful, but no admin UI! Many tools available for troubleshooting Fixes either super easy or require devs Hardest problem: server apps for IE6 only E.g., Oracle, SAP MED-V a great solution
21. Things I Heard on the Internet About: Internet Explorer Protected Mode Almost like running a secure browser! Like Safari! More Microsoft security theater Breaks all my Java Breaks all my ActiveX controls Wrong!
22. Some things that had to change: Internet Explorer Protected Mode IEPM has protected you from exploits …if you left UAC enabled With IE8, off by default for Intranet zone May need to configure to recognize Intranet External sites can be added to Trusted Sites E.g., sites that require Java Other products like the idea! Google Chrome Office 2010
23. Things I Heard on the Internet About: Windows version number changed No earthly reason for doing that! Couldn’t possibly cause any problems! Windows 7 is version 7.0, right? No, Windows 7 is version 6.1 because it’s just a minor upgrade, and therefore probably should be free so go ahead and steal it Wrong!
24. Some things that just changed: Windows version number changed The most common bugs we find Making it 6.1 keeps more apps working! “Version lie” shims are easy to apply And now easier to lie to MSIs Still don’t think it can be that common?
25. Check the Windows version!
// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
If Not (vMajor >= 5 AND vMinor >= 1) Then {
    DisplayMessage("This program requires Windows XP or newer");
    LayDownAndDie;
}
Win7 as Windows 7.0? vMajor: 7 >= 5, vMinor: 0 >= 1? Crap!
Vista is Windows 6.0: vMajor: 6 >= 5, vMinor: 0 >= 1? Oops!
Win7 as Windows 6.1? vMajor: 6 >= 5, vMinor: 1 >= 1! It works!
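The version check from this slide as compilable C, next to a comparison that treats (major, minor) as an ordered pair. This is an added example, not code from the original deck; the function names and the sample table are assumptions made for illustration, and the 7.0 entry is the slide's hypothetical case.

```c
#include <stdio.h>

struct os_version { const char *name; unsigned vMajor, vMinor; };

/* Constructed sample input: real Windows version numbers plus the
   hypothetical "Windows 7 as 7.0" case the slide considers. */
static const struct os_version SAMPLES[] = {
    { "Windows 2000", 5, 0 }, { "Windows XP", 5, 1 },
    { "Windows Server 2003", 5, 2 }, { "Windows Vista", 6, 0 },
    { "Windows 7", 6, 1 }, { "hypothetical 7.0", 7, 0 },
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* The slide's check: each field is tested on its own, so every release
   whose minor number is 0 fails, however new it is. */
static int is_xp_or_newer_buggy(unsigned vMajor, unsigned vMinor)
{
    return vMajor >= 5 && vMinor >= 1;
}

/* Corrected check: compare (major, minor) as an ordered pair; the minor
   number only matters when the major numbers are equal. */
static int version_at_least(unsigned vMajor, unsigned vMinor,
                            unsigned reqMajor, unsigned reqMinor)
{
    return vMajor > reqMajor || (vMajor == reqMajor && vMinor >= reqMinor);
}

/* Count samples that meet the XP (5.1) requirement but that the buggy
   check turns away. */
static int count_false_rejections(void)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (version_at_least(SAMPLES[i].vMajor, SAMPLES[i].vMinor, 5, 1) &&
            !is_xp_or_newer_buggy(SAMPLES[i].vMajor, SAMPLES[i].vMinor))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-20s buggy=%d correct=%d\n", SAMPLES[i].name,
               is_xp_or_newer_buggy(SAMPLES[i].vMajor, SAMPLES[i].vMinor),
               version_at_least(SAMPLES[i].vMajor, SAMPLES[i].vMinor, 5, 1));
    printf("false rejections: %d\n", count_false_rejections());
    return 0;
}
```

Reporting 6.1 keeps the buggy check passing only because the minor number happens to be nonzero; the ordered-pair comparison accepts 6.0 and 7.0 as well.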
26. More things that just changed: Folder locations We moved the profiles – again! Myth: We did this for no good reason Truth: There was probably a good reason And we changed where files need to go! Myth: No guidance about where to put stuff Truth: Well, yeah, but we’re fixing that Myth: Everything breaks, apps actually cry Truth 1: Correctly-written apps still work Truth 2: Junctions fix many bad apps
27. Directory Junctions Some support for old folder names Can traverse, but cannot list Can directly access files through old names Cannot list contents of these junctions
29. More things that just changed: Default color scheme Question: What happens when a VB6 dev “modernizes” the dialog background using the first white color he/she finds (Active Title Bar Text)?
30. More things that just changed: Default color scheme Occasional mistake by VB6 devs Easy to fix (if you have the source) .NET WinForms made themes easy to use Oops: everyone tested only on Luna Fortunately, we have FakeLunaTheme shim Note: apps that work only with one theme probably violate accessibility laws You WILL go to jail! Push back if developer or vendor insists on “Windows Classic” Theme
32. Things I Heard on the Internet About: Application Compatibility Toolkit It’s all you need for app compat! It must be! Look at the name! If ACT hasn’t found all of your issues, you just haven’t run it long enough We compete directly with the static analysis tool vendors, and it’s critical that we WIN! Wrong!
33. Application Compatibility Toolkit Great at inventory Some agent data can be useful …at the right time Standard User Analyzer makes folks happy (LUA Buglight makes engineers happy) IE Compatibility Test Tool makes some AJAX devs happy Setup Analysis Tool makes very few people happy Compatibility Administrator makes people with a lot of free time happy
34. ACT & App Compat Project Plan (flowchart, same boxes as slide 8)
35. Things I Heard on the Internet About: Static Analysis Finds and fixes 95% of all problems with all software ever made by anyone anywhere! Humans are no longer a necessary part of the process Static analysis is expensive and not worth the money – unless it does all of the above Wrong!
36. Static Analysis – Reality These tools average 90 – 95% at telling you if the app as a whole will work False “green” the primary accuracy issue Will not detect every issue More impact on setup, less on runtime Complementary to ACT ACT does inventory ACT does runtime analysis ACT does no better than chance at predicting application breakage for the app as a whole
37. Static Analysis – The Ugly Can be hard to set up and configure Setup has to follow written instructions or it doesn’t work Failure of any other component typically results in the app crashing or just vanishing Never, ever use without experienced services accompanying the tools NOT a substitute for knowledge/training! Ensure you tune so that “Red” actually means “broken” and not “could be better in an ideal world”
38. Static Analysis Value Proposition Can give you the data you need to start a project with a reasonable budget Can save millions of dollars in install testing and a percentage reduction in runtime testing Run the numbers!
39. Static Analysis & App Compat Project Plan (flowchart, same boxes as slide 8)
41. Things I Heard on the Internet About: Shims Shims are scary and unpredictable Shims reduce the security of the system Shims are unsupported Shims fix everything Shims are useful only in the hands of ShimFreaks SHIMS is an acronym for …? Software Happens to Implode – Magically Solve? See How I’ve Misdirected Sneakily? Wrong!
42. What Are Shims? Applied to specific apps Configured with ACT tools Deployable to enterprise Changes what the app thinks it sees Does not change what app is allowed to do
43. What Are Shims Good For? Great for many kinds of bugs: Bad Windows version checks Writing to HKCU at runtime Unnecessary checks for “am I admin?” Writing to WRP-protected keys and files Windows thinks your app is an installer Some file/registry redirections
44. Shims – The Rest of the Story Some considerations… Not all general purpose shims have the same … “customer love” applied in their creation The tools are … “primitive” Shims management not integrated into other management tools (e.g. Group Policy) You can do a lot with just the Top 10 shims But becoming a shim ninja takes time and much practice
46. Things I Heard on the Internet About: Application Virtualization If you can’t fix it with shims, you can just use App-V and sequence it on XP! App-V fixes app-to-OS bugs You can’t shim App-V applications Wrong!
47. Application Virtualization Formerly SoftGrid; now part of MDOP Isolates apps from one another Does not isolate it from the OS Side effects (not really advertised): Apps can write anywhere in “the registry” Apps can be allowed to write to specific files in “protected” locations Apps actually write to private copies NOTE: May not be true in future versions of App-V Yes, you can shim sequenced apps
48. Application Virtualization Lots of goodness beyond app-compat Licensing, deployment Key part of larger virtualization vision
49. Things I Heard on the Internets About: MED-V Migrate to Windows 7 today Put all of your apps in MED-V No need to worry about app compat! Wrong!
50. What is MED-V? Microsoft Enterprise Desktop Virtualization Machine virtualization solution App actually runs on an XP OS User sees only the app window Centrally managed Part of MDOP Compelling IE6 app compat story Seamless redirection of the browser
51. MED-V: Microsoft Enterprise Desktop Virtualization Please, use it as a backstop, not as the plan of record… Requires an exit strategy How and when to lose XP dependency Once a VM is deployed, it needs to be managed like any physical machine Makes a great “if all else fails” strategy v1 SP1 coming soon; v2 dates not set yet Neither v1 nor v2 requires Hardware Assisted Virtualization (HAV) MED-V v2 TAP starting soon! Email medvtap@microsoft.com if you are interested in participating!
52. Things I Heard on the Internet About: XP Mode If the app fails, just run it in XP Mode! XP Mode fixes everything! As long as you maintain your Windows 7 host, XP Mode requires no maintenance or anti-malware. XP Mode will be supported as long as Windows 7. XP Mode is as safe as Windows 7. People don’t notice when their XP Mode My Documents is different than their Windows 7 My Documents! XP Mode is a silver bullet! It’s magic! Wrong!
53. Things I Heard on the Internet About: How To Use XP Mode Wrong!
54. What is Windows XP Mode? Windows XP SP3 virtual machine It is not a “mode” within Windows 7 Similar to MED-V, without manageability License included with certain Windows 7 SKUs Designed only for Small Business market Install apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the host Click on shortcut in host Start menu, app appears in a window …eventually
55. Windows XP Mode – the Good App designed for XP actually runs on XP Windows 7 deployment not held hostage by one app that resists other compat solutions What it’s good for: Web apps that require IE6 Running 16-bit apps on x64 Some types of desktop apps Microsoft Agent
56. Windows XP Mode: The rest of the story You must have an explicit exit strategy XP is out of mainstream support Extended support ends in 2014 Resource requirements Need RAM, CPU to support guest VM Out of the box, requires HAV (hotfix available to support non-HAV) Management requirements It is a separate computer AV, patches, policies, domain not inherited from host VM is hibernated when not running an app
57. Windows XP Mode: More of that story Apps can’t interact with host desktop apps E.g., app wants to send email Does not have MED-V’s IE6 redirection Default XP Mode user is admin Might conflict with enterprise policies
58. Things I Heard on the Internet About: Changing Security Running as standard user on XP? You’re probably modifying ACLs. There’s nothing wrong with doing that forever Security settings that break stuff can’t be turned off If I have given the Users group SeBackup, SeRestore, and SeLoadDriver, oh, and write access to Program Files, it’s OK, because they’re standard users Wrong!
59. Changing Security Only if other options don’t work Loosen file or registry permissions Allow interactive user to start/stop a particular service or driver Disable an IE security feature (e.g. DEP) Must be done surgically Least amount of additional privilege on the smallest number of objects
60. Changing Security Benefits: Results often more predictable than with shims Drawbacks: Risk of elevation of privilege Risk of system instability Requires threat modeling – hard to do right
61. Changing Security: How some did “standard user” on XP… ACL loosening scripts Most “required fixes” are now automatic Installing apps to writable folders Exposes EoP and infection risks Granting admin-equivalent rights (What could possibly go wrong?) We can help
62. App doesn’t work – now what? What are those geeks doing? Make sure they don’t debug what they don’t plan to fix (support required) Layer debugging and remediation Tier 1: get the repro, run scripted tests of common solutions Tier 2: leverage tools, configure basic fixes Tier 3: deep debugging, complex remediation (typically just a few per customer) Important: efficient handoff between IT Pros and Developers
64. What can you do? Turn UAC back on No, really, turn UAC back on STOP building Microsoft Agent applications!!! Come on, you just turned UAC back off – I saw that!
65. What can you do? Don’t seek silver bullets Make sure you’re not writing apps today which will become incompatible Start thinking about the problem today Get your developers running your future platform early