IE 9 Beta

Internet Explorer has come a long, long way.  Perhaps that’s because it had a long, long way to come.  IE9 is another step in the journey that started with IE4, the first Microsoft browser with DHTML and any significant JavaScript support (IE3’s abysmal implementation doesn’t count).

At the time, IE4 was actually a leap forward, and easier to work with than the horror that was Netscape.  But Microsoft was surpassed by faster, more secure products in less than 5 years, inexplicably silent during the reign of IE6.

I’ve worked with almost every major browser in the past 10 years.  I’ve also written HTML DOM implementations, web proxies, theme engines, rendering engines, etc. and I can appreciate the effort that goes into a performant, stable web browser that implements every nuance of ever-evolving standards.  IE9 delivers on the most important points, though it falls short in a few areas that will hopefully be resolved prior to release.

PROS

- CSS 3 support; deemphasis on proprietary extensions (though optional OS integration is possible).

- DOM performance is excellent.  So is advanced drawing (http://ie.microsoft.com/testdrive/Performance/FishIE%20tank/Default.html).  2-3x faster than Chrome in my informal tests.

- HTML 5 support.  Right now, HTML 5 is a tantalizing but not always practical option.  Internet Explorer users are notoriously slow to upgrade, which means we can’t assume HTML 5-friendly browsers for months or years to come.  But this is the first step.

- Fewer annoying setup options than IE 8.  Pretty much click and run.

CONS

- Address bar and tab strip on the same line.  Why oh why? This increases mouse travel, hides long URLs, and still consumes as much space as Chrome.

- One of the well-tested jQuery UI components (a slider control) only works in compatibility mode.  Given that this control works flawlessly on every other browser I’ve tried, I have to assume this is a bug.

- Gradient filter doesn’t appear to recognize clipping regions. It is also implemented using proprietary syntax.  It’s been a while since I read the last CSS3 draft; in fairness, I’m not sure there is a standardized equivalent.

Summary

In conclusion, IE9 Beta is stable enough on Windows 7 x64 to at least play with as a casual user, and a “must-see” for any web developer.

Service Accounts and Least Privilege

There are three local Windows service accounts that you will encounter on a very regular basis.  These accounts are intended to provide the appropriate amount of privilege necessary to services or applications running in their context.

They are:

  1. Local Service
  2. Network Service
  3. Local System

Scan through the Service Manager in Windows and you will see these three accounts being used on most or all services.  This is typically the best practice, although there are cases where creating another account with more finely grained permissions may be suitable.

Privileges Granted

  1. Local Service – Provides a low level of privilege on the local machine only, and is treated as an anonymous account on the network.
  2. Network Service – Provides the same low level of privilege on the local machine, but is presented to network resources as the local machine.  This requires that Active Directory be configured to allow this machine account to function on the network.
  3. Local System – Fully privileged local account that has complete control over the operating system and all resources.  It also has the same network rights as Network Service.
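An added example (not from the original post) of the “scan through the Service Manager” review described above: it inventories local services by the account they run under and flags Local System services that start from an unusual path, or services on custom accounts, as the ones to check against least privilege. It assumes PowerShell 3 or later (CIM cmdlets) and the English account names that Win32_Service reports.

```powershell
# Added example, not from the original post: inventory local services by the account
# they run under, so Local System use can be reviewed against least privilege.
# Assumes PowerShell 3+ (CIM cmdlets) and English account names from Win32_Service.

# The three built-in service accounts described above, as Win32_Service reports them.
$builtInAccounts = @{
    'LocalSystem'                 = 'Local System'
    'NT AUTHORITY\LocalService'   = 'Local Service'
    'NT AUTHORITY\NetworkService' = 'Network Service'
}

function Get-ServiceExecutable {
    # Win32_Service.PathName may be quoted and may carry arguments; return only the image path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return '' }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')   # unquoted: cut after the .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Get-ServiceAccountReport {
    param(
        # Assumption: a Local System service whose image sits outside these roots deserves a
        # second look; anything shipped with Windows or installed under Program Files is expected.
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        $account = [string]$svc.StartName
        $kind = if ($builtInAccounts.ContainsKey($account)) { $builtInAccounts[$account] } else { 'Custom account' }
        $exe = Get-ServiceExecutable $svc.PathName
        $trusted = $TrustedRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        $hint = ''
        if ($kind -eq 'Local System' -and $exe -and -not $trusted) {
            $hint = 'Runs as Local System from a non-standard path; confirm it really needs full control'
        } elseif ($kind -eq 'Custom account') {
            $hint = 'Verify this account holds only the rights the service needs'
        }
        [pscustomobject]@{
            Name = $svc.Name; Account = $account; AccountType = $kind
            State = $svc.State; Executable = $exe; ReviewHint = $hint
        }
    }
}

$report = Get-ServiceAccountReport
# How many services run under each of the three accounts (or something else)
$report | Group-Object AccountType | Select-Object Name, Count | Format-Table -AutoSize
# The subset worth a least-privilege review
$report | Where-Object { $_.ReviewHint } | Format-Table Name, Account, Executable, ReviewHint -Wrap
```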

Least Privilege

All engineers must be acquainted with the concept of tuning permissions so that an application or service has only the rights it needs to execute; nothing more and nothing less.  This is a pretty basic concept.  However, we can take it to another level by thinking about a multi-tiered environment, particularly an environment with outward facing web servers.

Consider ASP.Net; it also runs in the context of some account, whether it is the logged in user or a default account (such as IUSR).  A web server (as a logical role, not necessarily a physical machine) should fundamentally be dedicated to interacting with a user.  This means collecting information and presenting information.  As a best practice, the web server’s security context should not allow writing to the file system, launching executables, connecting to sensitive systems, etc.  Connection to a database is often necessary (via a business tier) but this should be done with (once again) a Windows or database account that has the least amount of privilege required to do its job.

So how can we allow our web applications to be fully functional while still executing in the context of weak accounts? Quite simply: use private services to accomplish privileged tasks.

For example, suppose a web site needs to read accounting data from an internal system to present public year-end numbers.  Allowing the web server to communicate directly with the accounting server would be a terrible idea; the web server should be in a DMZ and the local accounts should not even have rights to access network resources.  That way, even if the entire server is compromised, the hacker controls a machine that can’t do anything other than serve web pages and request (but only request) data from inside the network.

In this theoretical scenario, the architecture would look something like this:

  • Web Server – Not a domain member; sits in a DMZ with only a few ports open (minimizing potential attack footprint).
  • Web Server makes a request to a service inside the network: “Can you send me those public year-end numbers?”
  • Proxy Service – has privileges to access whatever it needs in the accounting system, but only responds to requests for data it is allowed to share.  If you compromise the web server, and make a request to the service for anything else, it will simply ignore you.  Better still, it could identify the rogue request and immediately deny all subsequent traffic until reset by an authorized administrator.
  • Accounting System – only accessible to trusted local resources inside the network.

Now let’s add another dimension to the situation, one that is all too common.  The network perimeter may be properly secured, but what about internal access? Data loss often occurs due to malicious or inadvertent actions on the part of employees, not fabled hackers sitting on the other side of the globe.  The administrator that configures our Proxy Service in this example should only give the developers of the service the rights that they need to make the application function correctly.  If they grant too great a degree of access, the problem is manifold.

  1. The developer may write code that doesn’t actually work when permissions are tightened.
  2. Permissions may never be tightened; “Hey, it works, let’s not break anything.”
  3. The developer is now responsible for the access he or she has been granted.  They may inadvertently compromise data, they may steal it, or they may simply be a logical suspect–because they had access.

Conclusion

Ultimately, it all comes down to three major principles:

  1. Grant only the permissions an entity needs to perform its task.
  2. Make sure that tasks are broken out into components that can be placed behind appropriate security boundaries.
  3. Lastly, don’t remove functionality in the name of security.  Find the correct ways to secure rich, interactive, insightful applications.

Temp Table vs. Table Variable Based on Plan Reuse

I came across a white paper a while back that has got to be one of the most descriptive and informational documents I’ve ever read on the plan cache and plan reuse in SQL Server 2000/2005. Here’s the link for it:

http://technet.microsoft.com/en-us/library/cc966425.aspx

One of the most interesting parts of this document has to do with something called “optimality-related recompilations.” This is a category of reasons for which a cached execution plan is recompiled. It’s very technical, and can be a little bit dull, but there’s a lot of great information in it. For example, why using temp tables in stored procedures is not always a good idea.

When the query processor is executing a stored procedure, it evaluates several different statistics to determine if a “recompilation threshold” has been reached. This threshold is partially responsible for determining how frequently queries referencing the table are recompiled. The recompilation threshold depends on two things: the type of table (temporary or permanent) and the cardinality, or number of rows, in the table when the query plan was last compiled.

In a permanent table the following rules apply where n is the table’s cardinality:

If n <= 500 the recompilation threshold is 500
If n > 500 the recompilation threshold is 500 + 0.2 * n

In temporary tables the following rules apply where n is the table’s cardinality:

If n < 6 the recompilation threshold is 6
If 6 <= n <= 500 the recompilation threshold is 500
If n > 500 the recompilation threshold is 500 + 0.2 * n

A threshold crossing test is used by the query processor to compare a value to the recompilation threshold when a query is executed. That value is essentially the number of modifications made to the table since the last time the query was executed (data modifications from INSERT, UPDATE or DELETE statements, not schema changes). So if there are enough data modifications to exceed the recompilation threshold defined by one of the above functions, the execution plan is recompiled.

Now consider how temp tables are commonly used in stored procedures. I’ve seen a ton of code where the temp table is used to avoid a complex SELECT statement with a bunch of joins in it. Instead, one or two temp tables are created and populated. Data might be modified or the tables joined to each other, or to a permanent table.

Each INSERT, UPDATE or DELETE made to those temp tables has an impact on the threshold crossing test. It is not uncommon for the number of rows impacted on a query to query basis to vary significantly, thus exceeding the recompilation threshold and causing a query plan to be recompiled.

Notice that only two types of tables have a recompilation threshold associated with them: permanent and temporary. Table variables do not. This means that changes in the cardinality of a table variable cannot cause the recompilation of a query plan. The trade-off is that statistics are not maintained for table variables, which means non-optimal plans could be generated.
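The threshold rules and the temp-table-versus-table-variable point above, as an added example that is not part of the original post: the thresholds become a function, and a small simulation counts how often a procedure that repopulates a temp table with a varying row count would trip the threshold crossing test. The simulation is a simplified model of the rules as the post states them (modification counter versus threshold, counter reset on recompile), not an instrumented SQL Server, and the row counts are a constructed sample.

```powershell
# Added example, not from the original post: the recompilation threshold rules as a function,
# plus a simplified simulation of the threshold crossing test for a stored procedure that
# rebuilds a temp table with a different row count on every call.

function Get-RecompilationThreshold {
    param([long]$Cardinality, [switch]$Temporary)
    $n = $Cardinality
    if ($Temporary -and $n -lt 6) { return 6 }   # temporary tables only
    if ($n -le 500) { return 500 }               # both table types
    return 500 + 0.2 * $n                        # n > 500, both table types
}

function Measure-Recompiles {
    # $RowsPerExecution: rows inserted into the table by each execution.
    # Each INSERT adds to the modification counter; once the counter exceeds the threshold the
    # plan is recompiled, the counter resets, and a new threshold is derived from the
    # cardinality seen at that compile.
    param([int[]]$RowsPerExecution, [switch]$Temporary)
    $recompiles = 0
    $cardinalityAtCompile = 0      # the table is empty when the plan is first compiled
    $modifications = 0
    foreach ($rows in $RowsPerExecution) {
        $modifications += $rows
        $threshold = Get-RecompilationThreshold -Cardinality $cardinalityAtCompile -Temporary:$Temporary
        if ($modifications -gt $threshold) {
            $recompiles++
            $cardinalityAtCompile = $rows
            $modifications = 0
        }
    }
    return $recompiles
}

# Constructed sample: the same procedure called eight times with wildly varying row counts.
$rowsPerCall = 100, 20, 900, 15, 700, 30, 4000, 10

[pscustomobject]@{
    Executions              = $rowsPerCall.Count
    TempTableRecompiles     = Measure-Recompiles -RowsPerExecution $rowsPerCall -Temporary
    PermanentTableRecompiles = Measure-Recompiles -RowsPerExecution $rowsPerCall
    TableVariableRecompiles = 0   # no recompilation threshold exists for table variables
} | Format-List
```

Changing the spread of row counts in the sample shows the effect directly: runs that swing between a handful of rows and thousands cross the threshold on most calls, while a steady row count settles down once the threshold reflects it.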

At the end of the day, there is no single good rule of thumb when deciding to use table variables or temp tables in a stored procedure. In one case the statements within a procedure may have to be recompiled on a very frequent basis, and in the other slower execution may result from an execution plan that isn’t optimized for the current data. The best way to find out which option gives superior performance is to evaluate both.

There is much more detailed information in the actual white paper. It’s a dry read, but worth the time.

IT Priorities and the Cloud

No infrastructure discussion today is complete without mention of the cloud.  The “cloud” can mean various things:

  • Colocation in a Data Center
  • Hardware as a Service
  • Software as a Service
  • Storage/Backup as a Service
  • “Black Box” Services, e.g. an outsourced help desk

While cloud services may reduce the burden on the IT staff of a company, the need for professional and managed services may be greater than ever.

Information Technology can be a tremendous force within a company.  IT departments experience a unique cross-section of the business and often have the ability to suggest changes that other departments can’t see.  I have worked with CIOs who have an amazing grasp on the purpose of the business, the offering of the business, and the future of the business.  And not just CIOs–I have worked with software engineers, network engineers, and even entry-level technicians who are full of progressive knowledge and ideas.

That potential is wasted if you’re consumed with managing utilitarian functions, in the cloud or not.

Does this mean that members of existing IT departments should sit and wait to be outsourced? I believe the inverse is true; the motivated IT professional who is willing to learn and adapt should expect more responsibility and more opportunity.  The concept of infrastructure optimization is not new; IT should seek to fill a highly strategic role within the business and shed every tactical encumbrance it can.

Cloud computing can provide the infrastructure and the applications.  Managed/professional services can handle the baseline management and the human elements (such as a help desk).  This leaves corporate IT departments–large and small–able to focus on things that will improve the company, not just keep it running at status quo.

So what should IT focus on? The biggest strategic opportunities I see are around automation and repeatability.  Businesses crave the ability for things to just happen, and happen correctly.  This desire permeates every level of an organization; no one likes doing extra work.  Implementing systems that promote business process is a concept dear to almost any manager; again, automation and repeatability.  A shocking amount of inefficiency and inconsistency exists in even the best organization.  IT has the tools and the knowledge to greatly impact these issues.

Cloud computing is only going to grow in significance, and combined with judicious outsourcing, it can give IT departments something they haven’t had in a decade: the chance to take a deep breath and to focus on implementing systems for the long term.

Alienware for IT Professionals?

Alienware computers are well-known to the video game aficionado. Love them or hate them, they are known for their price and cutting edge components. Dell acquired Alienware in 2006, allowing them to keep their messaging and branding while providing access to a wider audience (and my guess is, to better prices on components due to Dell’s purchasing power).

A few months ago, I began looking for a new home machine for running Visual Studio, SQL Server, Photoshop, various diagnostic tools, etc.  I confess I also wanted a killer gaming rig.

I’ve been a Mac Pro user for almost three years now (composing this article on one, in fact). Due to my background in Microsoft technologies, I run Windows using multiple boot partitions. The Mac Pro is a beautifully designed, incredibly reliable product that I highly recommend. However, I had a few reservations about purchasing one for the aforementioned purposes.

  • Price: take a look at the Apple store and start adding options.  It’s not cheap.
  • Limited number of approved video cards available.  I don’t know if other cards might work with some tweaking, but I’m too busy to piece together a solution.
  • Issues with Bootcamp, primarily installing Windows 7 64-bit.  One of our Net Fusion techs solved the problem, but ultimately we had to remove a hard drive to make it work.

I opted for an Alienware Aurora instead.  Dell lists their starting price at $999, but expect to pay at least $500 more than that if you want more than a basic machine.  I added:

  • Intel 3.33 GHz Quad Core processor (overclocked)
  • 1TB RAID 0 array for OS and applications, additional 1TB drive for data storage.  All drives are 7200 RPM SATA.  Unfortunately, a RAID 5 config wasn’t offered, which would be a better use of multiple drives in my opinion.
  • 6GB RAM
  • ATI Radeon HD 5970
  • Sound Blaster X-Fi Titanium
  • Windows 7

This brought the total to about $2200, not including shipping or tax.  The machine arrived about a week earlier than estimated, which was a nice surprise.  I’ve now put the machine through its paces for about 2 weeks.  Here are some notes.

Construction

  • The case is solid and heavy, with only a few cheap plastic parts.  It’s well organized inside, though not as good as a Mac Pro which exposes no internal cables at all.
  • There are ample connectors on the front and back of the case.
  • Fans are incredibly loud by default.  You can configure the system fans quite extensively, but the utility for doing so did not always seem to work correctly.  I now have the fans at about 30%, which is pretty quiet, but I don’t trust the ambient sensors; I’ve seen one report a huge swing in temperature in mere seconds.
  • Despite glitches with the sensors and temperature controls, the cooling systems seem to keep the case around 30° C no matter what.  The CPU is water-cooled, and the case is designed so that the video card sits in a tunnel between a fan and a vent.

All of this equates to a design that should allow those 12-14 hour sessions of work with multiple instances of Visual Studio open and a dozen other applications running.

Performance

  • The processor is hyper-threaded, so it shows 8 cores to the Task Manager.  No matter what I did, I found it hard to push the processor anywhere close to the max.  Photoshop CS5 generates some sharp spikes when a complex transform or filter is calculated.
  • Visual Studio 2010 performed smoothly, with launch times under 5 seconds and crisp responses throughout, even in the WYSIWYG designer which is notoriously slow in some cases.
  • The ATI Radeon HD 5970 claims to be the fastest video card in the world, and I believe it based on Photoshop’s performance and the half-dozen or so games I’ve tried so far.
  • Windows Experience Index: I was disappointed with the performance of the RAID 0 array, which only scored a 5.9.  Everything else was in the high 7s.  I’m guessing the index is designed to accommodate SSDs.

Even if game performance doesn’t factor into your decision making process, video performance should.  More and more content is delivered over the web as video, and high-definition sources put a tremendous demand on both the CPU and video card.

Primary Applications Used

  • Visual Studio 2010
  • Office 2010
  • Photoshop CS5
  • Chrome, IE, Firefox
  • Windows RDP client
  • NCP VPN client
  • Steam w/ assorted games

Reliability

It’s too soon to tell how the Aurora hardware will hold up long-term.  But since I have been testing with the latest version of popular tools like VS 2010, Photoshop CS5, and Office 2010, I suspect that the performance will be acceptable for at least a few years.

Conclusion

Sadly, most engineers don’t get to pick their work PCs and build a cost justification for better hardware.  Regardless, here’s my plug for putting a traditionally media-oriented platform to work for IT professionals.

Visual Studio 2010

I completed my first production Visual Studio 2010 project this weekend, and wanted to share some thoughts on the product.  In brief, it’s a worthy entry in the venerable Visual Studio family, improving upon things such as Intellisense that lead the business (Microsoft or otherwise) and strengthening support for newer technologies such as Silverlight and ASP MVC.  I’m using VS 2010 Premium.

A few caveats come with the endorsement, primarily around performance.  I upgraded my hardware over the course of the project, in part due to the mediocre performance of VS 2010.  With a brand new machine, it works like a champ and never falters.  On an older dual core machine with 2GB of RAM, it stutters badly in places.  For example, clicking on the name of a file or trying to highlight text would result in a significant (2-5 second) pause.  My guess is that this is due to the amount of intelligence that it applies to every file you work with.  I also experienced one or two CTDs, but no data was lost.

Silverlight is deeply integrated with VS 2010, and you can have a Silverlight control up and running with all the trimmings by simply choosing the correct project template.  This is a big improvement.  Project templates in general seem to be more comprehensive; pick a web project and a complete website will automatically be created for you.  I wasn’t terribly excited about this, because I like to lay out my projects in a certain way but I was pleased to find that jQuery libraries were added by default.  Intellisense for Javascript is pretty solid and is helpful in navigating a large function library like jQuery.

VS 2010 is also meant to integrate with Azure, no surprise considering Microsoft’s “we’re all in” cloud strategy.  Team Foundation Server 2008 is fully supported, and I had no problem connecting to my current TFS 2008 project structure.

The user interface has been modified to include better support for multiple monitors.  You can detach a tab and put it wherever you want on the desktop.  Also, each tab now includes an X to close it (rather than the X being on the right side of the whole tab strip).  This is confusing at first, especially switching between 2008 and 2010 on different projects, but ultimately is the more efficient way to manage tabs.  VS has also been given a new color scheme (which works for me as a visual designer) with a new icon that is purple (which confuses me).  Strange as it sounds, I’m so used to seeing the orange VS logo on my taskbar that I’m just not looking for a purple icon.

To me, a product is ready for prime time when you can put it through a production development and release cycle.  VS 2010 has served me well, and I’ve instructed the team to plan on using it whenever they start a new project.

First Thoughts on Adobe Photoshop CS5 Extended

I’ve been a loyal Photoshop user for about 10 years now. Prior to that, I spent time using various 3D tools and Microsoft Image Composer (surprisingly powerful for the time). Photoshop CS2 has been my workhorse for several years, with a fair amount of time spent in Photoshop CS4.

Photoshop CS5 presents a compelling reason to upgrade for serious users. I have logged a substantial number of hours in it to date, mostly creating designs for the web and editing photos.

Adobe has done a good job advertising some of the more appealing new features, like a content aware transform and smarter edge refinement. Reading through their feature list will give you a solid idea of what to expect. Photo repair in general has been enhanced, although it’s not a silver bullet. For example, the content aware transform will allow you to increase an image along one axis by 10-20% without too much distortion to objects or faces, but beyond that it sometimes looks worse than just stretching the whole thing.

Puppet Warp

CS5 also introduces Puppet Warp, a point based warp tool that calculates a mesh for the layer and allows you to define points and subsequently drag those points around. This will take some time to master. I did some minor adjustments to a layer and got great results; I tried making significant changes and ended up with a very unnatural looking result. I expect that there will be more options added to this tool in the future.

CS5 adds two new blending options, Subtract and Divide. Both are a welcome addition if you are constantly experimenting with blended layers like I do. Disappointingly, gradients generated with blending options (and gradients in general) can still experience serious banding in low contrast situations. Conversely, I was extremely pleased with the JPEG compression quality achieved by the “Save for Web” option. “Save for Web” is not a new feature, but the compression algorithms may have been improved.

The product was extremely stable on the 2 machines I have tried it on. As expected, it will consume vast amounts of RAM, though you can set a cap on this using Edit -> Preferences -> Performance. I expect the RAM consumption to be high, but I was surprised to see that closing all open files didn’t decrease the memory footprint. Perhaps this is for faster reloading of those same projects. A powerful CPU is a must for serious work. I’d recommend 4 cores and 4GB of RAM at a minimum, with a good video card (Photoshop can leverage the GPU to speed up certain processing).

The Creative Suite seems to be getting heavier and heavier on 3D support, but none of my recent work has called for any of those capabilities so I can’t comment. If you are new to Photoshop, don’t expect to open it up and start creating Pixar films (or 2D artwork, for that matter). The learning curve is just as steep as always, but that’s the price of a powerful tool.

In summary, go download the completely functional 30 day evaluation, and there’s a good possibility that you’ll find it to be a compelling upgrade.

SQL Server and AWE Allocation

I came across some interesting information that took me a lot of digging to find. I thought I would share in case anyone runs into a similar situation. This applies specifically to SQL Server 2005 Enterprise edition. The results are slightly different in 2008.

In a 64 bit environment, Microsoft’s documentation on SQL Server indicates that enabling the use of AWE memory allocation is not necessary, and will in fact be ignored by SQL Server. When AWE is disabled, if you look at the SQL Server process in task manager, you will see that the working set allocates as much memory as possible, or whatever the configured values are.

While administering a client’s environment the other day, I found that the process was consuming approximately 180 MB of memory. This was on a server that had 6 GB of memory available. When I saw this, the first thing I did was execute the following command:

DBCC MEMORYSTATUS

Here is part of the result set:

Memory Manager                 KB
------------------------------ --------
VM Reserved                    8519776
VM Committed                   114064
AWE Allocated                  6397784
Reserved Memory                1024
Reserved Memory In Use         0

Notice that a great deal of memory is allocated using AWE, something that is contrary to the documentation that Microsoft provides. After some further digging I found out why.

In a 64 bit environment, it is recommended that the Lock Pages in Memory user right is assigned to the SQL Server service account. This user right allows SQL Server to allocate memory and refuse to give it back to the operating system when requested. SQL Server can choose to release the memory, but granting this user right allows SQL Server to control what happens, not the operating system. As a result of this, the operating system cannot page out SQL Server’s buffer pool when it thinks it’s necessary.

What you won’t find easily in any documentation is that this user right actually compels SQL Server to use AWE for memory allocation, which is consistent with the results above. This was apparently confusing to someone because if you execute the same command in a 64 bit environment using SQL Server 2008, you’ll get the following results:

Memory Manager                 KB
------------------------------ --------
VM Reserved                    10583068
VM Committed                   76928
Locked Pages Allocated         65536
Reserved Memory                1024
Reserved Memory In Use         0

The point of all this is that AWE memory allocation in a 64 bit environment is still used by SQL Server. It is not just a setting used in 32 bit environments to allocate more than 2GB of memory to SQL Server. It’s actually how pages are locked in SQL Server after being allocated.
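Since the whole explanation hinges on whether the service account holds Lock Pages in Memory, here is an added check (not from the original post) that reads the local security policy with secedit, resolves the SIDs granted SeLockMemoryPrivilege, and compares them with the account the SQL Server service runs under. It assumes an elevated PowerShell session on the SQL host, a default instance (service name MSSQLSERVER), and an English secedit export.

```powershell
# Added example, not from the original post: confirm whether the SQL Server service account
# holds the "Lock pages in memory" user right (SeLockMemoryPrivilege), the setting the post
# identifies as the reason AWE / Locked Pages allocation shows up in DBCC MEMORYSTATUS.
# Assumes an elevated session on the SQL host and a default instance named MSSQLSERVER.

function Get-LockPagesInMemoryGrantees {
    # secedit exports the local policy to an INI-style file; the [Privilege Rights] section
    # lists each right with a comma-separated set of SIDs (prefixed with *) or account names.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeLockMemoryPrivilege\s*=' } | Select-Object -First 1
        if (-not $line) { return @() }                       # nobody holds the right
        $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            if (-not $entry.StartsWith('*')) { $entry; continue }   # already an account name
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry.Substring(1) }                    # unresolvable SID: report it raw
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-SqlServiceLockPages {
    param([string]$ServiceName = 'MSSQLSERVER')
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    # Win32_Service reports the built-in system account as LocalSystem; policy names it NT AUTHORITY\SYSTEM.
    $account = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
    $grantees = @(Get-LockPagesInMemoryGrantees)
    [pscustomobject]@{
        Service        = $ServiceName
        ServiceAccount = $svc.StartName
        Grantees       = $grantees -join '; '
        HasLockPages   = [bool]($grantees | Where-Object { $_ -eq $account })
    }
}

Test-SqlServiceLockPages | Format-List
```

If HasLockPages comes back True, expect a non-zero AWE Allocated (2005) or Locked Pages Allocated (2008) line from DBCC MEMORYSTATUS, as in the result sets above; if it is False and the working set still looks small, the cause lies elsewhere.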

Creating a Genericized Type with Reflection in C#

Reflection in .Net is fairly commonplace and I’ve written it into dozens of applications.  Tonight I found a new case that I had not yet encountered: Creating a type that has a generic template parameter such as MyType<T>.

Without reflection, you would simply say: MyType<string> instance = new MyType<string>();.  But it is a bit more complicated creating the class dynamically at runtime, albeit very doable.

I found some helpful information online, but I really wish someone had just posted the following:

Activator.CreateInstance(Type.GetType(typeName).MakeGenericType(typeof(string)));

Let’s deconstruct.

- Activator.CreateInstance() creates an object from a type definition.  There are several ways of creating an object on the fly; this is only one of them.  You will need to add a reference to System.Reflection.

- Type.GetType(typeName) creates a Type object from a string definition of a type.  Again, many ways of doing this, but in this example, typeName = “namespace.namespace.className`1, fully-qualified assembly name”, e.g. “NFC.Web.CustomType`1, NFC.Web”.  Of course, your type name will be different; just make sure to use the fully-qualified class name and assembly name, separated by a comma.

Note the `1 suffix in the type name above; a generic class string must contain the `1 to indicate that it is a parameterized class with one type parameter.  If you had three generic parameters, you would mark it as `3 and so on.

- .MakeGenericType(params) – the crux of this solution.  Returns the closed generic type built from the specified list of type arguments.  In this example, we know the template argument and use typeof(x) to return its Type, but you could easily pass any (valid) type to this method.  In addition, as this method takes a params Type[], you can pass as many type arguments as the type declares (one per generic parameter, in declaration order).
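The same Type.GetType, MakeGenericType and Activator.CreateInstance sequence, as an added example (not the post’s code) driven from PowerShell so it can be tried without a project: it validates the name and arity before closing the type, shows the `1 and `2 cases with framework types, and shows what happens when the `1 suffix is left off. The framework type names are stand-ins; substitute your own assembly-qualified name such as the NFC.Web.CustomType`1, NFC.Web form from the post.

```powershell
# Added example, not from the original post: Type.GetType -> MakeGenericType ->
# Activator.CreateInstance from PowerShell, with the checks that turn a null return or
# an arity mismatch into a readable error. Uses framework types as stand-ins.

function New-GenericInstance {
    param(
        [string]$OpenTypeName,      # open generic name, including the `N arity suffix
        [type[]]$TypeArguments      # one System.Type per generic parameter, in order
    )
    $openType = [Type]::GetType($OpenTypeName)
    if (-not $openType) {
        throw ('Type.GetType returned null for {0}: check the namespace, the `N suffix and the assembly qualifier' -f $OpenTypeName)
    }
    if (-not $openType.IsGenericTypeDefinition) {
        throw ('{0} is not an open generic type' -f $OpenTypeName)
    }
    $arity = $openType.GetGenericArguments().Length
    if ($arity -ne $TypeArguments.Length) {
        throw ('{0} expects {1} type argument(s) but {2} were supplied' -f $OpenTypeName, $arity, $TypeArguments.Length)
    }
    $closedType = $openType.MakeGenericType($TypeArguments)   # List`1 + [string] -> List<string>
    return [Activator]::CreateInstance($closedType)            # parameterless constructor, as in the post
}

# `1: one type argument
$list = New-GenericInstance -OpenTypeName 'System.Collections.Generic.List`1' -TypeArguments ([string])
$list.Add('created at runtime')
$list.GetType().FullName

# `2: two type arguments, in declaration order (TKey, TValue)
$dict = New-GenericInstance -OpenTypeName 'System.Collections.Generic.Dictionary`2' -TypeArguments ([string], [int])
$dict['answer'] = 42
$dict.GetType().FullName

# Omitting the `1 suffix is the mistake the post warns about: Type.GetType finds nothing.
try { New-GenericInstance -OpenTypeName 'System.Collections.Generic.List' -TypeArguments ([string]) }
catch { "Expected failure: $($_.Exception.Message)" }
```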

Manage Terminal Services Sessions from a Command Prompt

Here’s a handy way to view and manage sessions from the command prompt.

To List All Sessions

Start->Run->cmd

query session /server:xxx.xxx.xxx.xxx

To End a Session

Start->Run->cmd

reset session 1 /server:xxx.xxx.xxx.xxx

Note that “1” represents a session id. You can see all available sessions from the previous “query” command. Insert the correct number to terminate it.

Once you know these few commands, it’s actually quicker to manage remote sessions from the command prompt than using a GUI.
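An added example (not from the original post) that goes one step beyond the two commands: it parses the fixed-width output of query session into objects and picks out disconnected user sessions, which are the ones you usually want to look at before issuing reset session. It assumes English output from query.exe; the sample text in the block is constructed so the parser can be exercised without a server.

```powershell
# Added example, not from the original post: wrap "query session" so its fixed-width
# output becomes objects, then list disconnected user sessions, the usual candidates
# for "reset session". Assumes English output from query.exe.

function ConvertFrom-QuerySessionOutput {
    param([string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match '^\s*SESSIONNAME\s+USERNAME' } | Select-Object -First 1
    if (-not $header) { throw 'No header line found in query session output' }
    $userCol = $header.IndexOf('USERNAME')     # SESSIONNAME occupies everything before this column
    foreach ($line in $Lines) {
        if ($line -eq $header -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $l = $line.PadRight($userCol)
        # Remainder: USERNAME (left-aligned, blank for listeners and the services session),
        # ID (right-aligned), STATE and an optional TYPE column.
        $rest = $l.Substring($userCol)
        if ($rest -notmatch '^\s*(?<user>\S.*?)?\s+(?<id>\d+)\s+(?<state>\S+)(?:\s+(?<type>\S+))?') { continue }
        [pscustomobject]@{
            Session = $l.Substring(0, $userCol).Trim().TrimStart('>')
            User    = [string]$matches['user']
            Id      = [int]$matches['id']
            State   = $matches['state']
            Type    = [string]$matches['type']
            Current = $line.TrimStart().StartsWith('>')   # ">" marks the session running the query
        }
    }
}

function Get-TsSession {
    # Live version: runs query session against a server (or locally when -Server is omitted).
    param([string]$Server)
    $argList = @('session')
    if ($Server) { $argList += "/server:$Server" }
    ConvertFrom-QuerySessionOutput -Lines (& query.exe @argList)
}

# Constructed sample of query session output (not captured from a real server).
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           administrator             1  Active
 rdp-tcp#3         jsmith                    2  Active  rdpwd
                   asmith                    3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

$sessions = ConvertFrom-QuerySessionOutput -Lines $sample
$sessions | Format-Table Session, User, Id, State, Type, Current -AutoSize

# Disconnected sessions that still belong to a user are the ones to review before a reset;
# listeners and the services session have no user and are skipped.
$sessions | Where-Object { $_.State -eq 'Disc' -and $_.User } |
    ForEach-Object { 'Candidate: reset session {0} /server:<server> (user {1})' -f $_.Id, $_.User }
```

Swap the constructed sample for Get-TsSession -Server <server> to run it against a real host; reset session ends the session outright, so confirm with the user first where unsaved work may be open.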