Wednesday, May 6, 2009

Technical Analysis: Security Considerations for rdesktop and Windows Terminal Services

Microsoft Terminal Services provides an important set of functionality for remote administration and centralized application management.  This service allows administrators to log in remotely and with full access to the system. Similarly, users can log in and run specific applications, which are centrally managed by IT personnel. The standard client for Linux systems is rdesktop. Rdesktop is shipped with many Linux distributions and this paper briefly looks at common security considerations around using this client application in Windows environments.
 

Tuesday, May 5, 2009

Windows Server 2008 R2 RC Evaluation VHD Images (for Hyper-V)

The Microsoft VHD format is the common virtualization file format for Hyper-V that provides a uniform product support system, and provides more seamless manageability, security, reliability and cost-efficiency for customers.

This VHD release is available in English only and is for evaluation and testing purposes. The VHD images are currently set to expire on March 1st 2010 (at which time the OS will become inoperable). As this installation requires Hyper-V, you will need a base install of Windows Server 2008 (64-bit edition) or Windows Server 2008 R2 RC running Hyper-V.

For more information on obtaining and installing the latest version of Hyper-V, please visit the Hyper-V Homepage.

Both virtual machines available here are running Windows Server 2008 R2 Enterprise Edition Evaluation. One is the default full installation, and the other has been configured as a default Core installation. For more information on the difference between full and core installation please see the Windows Server 2008 Editions Overview pages.

For download options please see the IMAGE SELECTION section in the instructions below. Neither virtual machine has anti-virus installed, so do not connect either of them to a network until anti-virus has been installed.
 

Windows Server 2008 Hyper-V - is it any good?

I was presenting SQL Server 2008 at a NextGen community event and there was a Windows Server 2008 session given by Alun Rodgers of Risual (a gold partner specialising in server infrastructure and unified comms). His session was so well received I thought it would be good to get him to share his experiences in a series of short blogcasts.

In the first of these Alun talks about what he has been doing with Hyper-V, both internally and for his clients.


Windows Server 2008 Failover Clustering Lab

If you haven't already tried out the Failover Clustering, there is now a great hands on lab available via TechNet. Enjoy!

TechNet Virtual Lab: Windows Server 2008 Enterprise Failover Clustering Lab

"For the exercises in this lab, you will be responsible for the configuration of Windows Server 2008 Enterprise failover clustering for your organization." 

 Overview:
•    Create failback policies for the cluster
•    Make Windows Internet Naming Service (WINS) highly available on a Windows Server 2008 Enterprise Failover Cluster
•    Make a Dynamic Host Configuration Protocol (DHCP) server highly available with a Windows Server 2008 Enterprise Failover Cluster
•    Add nodes to Windows Server 2008 Enterprise Failover Cluster
•    Create file share cluster
•    Create print share cluster

Windows Server 2008 NPS Technical reference

The Windows Server 2008 Network Policy Server (NPS) Technical Reference provides information describing what NPS is, how NPS works, and NPS tools and settings. NPS is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS), which provides authorization and authentication services for remote access clients. This technical reference also contains information about Network Access Protection (NAP) and its relationship to NPS, as well as some planning and deployment information about NPS.

Get it @ http://www.microsoft.com/downloads/details.aspx?FamilyID=ed6783bc-dd25-4ba9-8cd4-13a2a5cbe5a1&DisplayLang=en

Top Reasons to upgrade to Windows Server 2008

Each reason is followed by the key feature that delivers it:

  1. Protecting your network from viruses and enforcing compliance: Network Access Protection (NAP)
  2. Providing efficient, low-overhead core services with a reduced attack surface: Server Core
  3. Meeting next generation security threats to your network, data and business: Windows Server 2008 security
  4. Consolidation, compatibility and centralisation: Windows Server Virtualization
  5. Providing flexible centralised application access for remote and mobile users: Terminal Services
  6. Enabling more secure collaboration: Federated Rights and Identity Management
  7. Easing administration, management and automation: Server Manager and PowerShell
  8. Delivering rich web content, applications and streaming media: Internet Information Services 7.0

Windows Server 2008 Terminal Server vs Citrix XenApp

Customers regularly ask me when to choose Windows Server 2008 Terminal Services on its own and when to add the additional functionality of Citrix XenApp (formerly Presentation Server).

Citrix and Microsoft have collaborated on a paper that articulates the value XenApp provides over and above Terminal Services, to help you decide which technology is the most suitable for your project.

Citrix Presentation Server on Windows Terminal Services- A Feature Analysis

 

Windows 2008 upgrade paths

With Windows Server 2008 having been released to manufacturing this past month, we are now expecting a whole bunch of questions about the Windows Server 2008 migration process. This part of the newsletter looks at what you need to know to answer them.

 

The following table lists upgrade paths that are supported.

From                                          To
--------------------------------------------  --------------------------------------------
Windows Server 2003 Standard (SP1, SP2, R2)   Windows Server 2008 Standard
Windows Server 2003 Standard (SP1, SP2, R2)   Windows Server 2008 Standard without Hyper-V
Windows Server 2003 Standard (SP1, SP2, R2)   Windows Server 2008 Enterprise
Windows Server 2003 Standard (SP1, SP2, R2)   Windows Server 2008 Enterprise without Hyper-V
Windows Server 2003 Enterprise (SP1, SP2, R2) Windows Server 2008 Enterprise
Windows Server 2003 Enterprise (SP1, SP2, R2) Windows Server 2008 Enterprise without Hyper-V
Windows Server 2003 Enterprise (SP1, SP2, R2) Windows Server 2008 Datacenter
Windows Server 2003 Enterprise (SP1, SP2, R2) Windows Server 2008 Datacenter without Hyper-V
Windows Server 2003 Datacenter (SP1, SP2, R2) Windows Server 2008 Datacenter
Windows Server 2003 Datacenter (SP1, SP2, R2) Windows Server 2008 Datacenter without Hyper-V
Windows Server 2008 Standard                  Windows Server 2008 Enterprise
Windows Server 2008 Enterprise                Windows Server 2008 Datacenter

Upgrades from Windows 2000 Server to Windows Server 2008 are not supported.

 

To assist with planning against currently tested best practices, we have released a tool to take the pain away for our customers: the Microsoft Assessment and Planning (MAP) toolkit beta is available here: http://connect.microsoft.com/site/sitehome.aspx?SiteID=297

Top 10 Overlooked Features of Windows Server 2008

Windows Server 2008 is on its way. With the first release candidate in the pipeline, it shouldn't be long before release to manufacturing and general availability.

With such a long development time (it's the first new Windows Server OS since 2003), the showstopping new features have been well publicized: most IT pros are familiar with at least some of the details of Server Core, PowerShell and Windows Server Virtualization (codenamed Viridian). But Windows Server 2008 includes a lot more than those headliners.

The remaining part is here :

http://redmondmag.com/news/article.asp?editorialsid=9129

10. The Print Management Console (PMC).

9. Auditpol.

8. Windows Remote Shell (WinRS).

7. Event forwarding.

6. Active Directory Rights Management Services (AD RMS).

and here : http://redmondmag.com/news/article.asp?EditorialsID=9130 

5. New password policies.

4. Group Policy (GP) improvements.

3. Ability to attach comments to GP settings.

2. "tools to successfully deploy, update and maintain Windows Server 2008."

1. Potentially huge network speed increases.

Windows 2008 Server Admin Tools for Vista

The long-awaited Remote Server Administration Tools (RSAT) have been released for Windows Vista. These will allow administrators to use their Vista machines to manage their Windows 2000, Windows Server 2003, and Windows Server 2008 infrastructure from the comforts of the cubicle. Come and get 'em.

Microsoft Remote Server Administration Tools for Windows Vista for x86-based Systems
http://www.microsoft.com/downloads/details.aspx?FamilyID=9ff6e897-23ce-4a36-b7fc-d52065de9960&DisplayLang=en

Microsoft Remote Server Administration Tools for Windows Vista for x64-based Systems
http://www.microsoft.com/downloads/details.aspx?FamilyID=d647a60b-63fd-4ac5-9243-bd3c497d2bc5&DisplayLang=en

After you install this, open Control Panel and start Programs and Features. Click Turn Windows Features on or off then scroll down to the Remote Server Administration Tools. From there you can turn on everything, certain things, or... nothing. Your call, unlike the old ADMINPAK.MSI...

Windows Server 2008 Power Management White Paper

In Windows Server 2008, Microsoft introduced new features and technologies, some of which were not available in Windows Server 2003, that help to reduce the power consumption of server and client operating systems, minimise environmental by-products, and increase server efficiency.

The WS08 Power Management White Paper describes the benefits of some of these features and technologies, including:

Out-of-the-Box (OOB) Power Savings: Windows Server 2008 OOB achieved power savings of up to 10 percent over Windows Server 2003.

Picking up on 'Green IT', our group manager has started a second blog focusing on 'Dynamic Work' which has a green theme. It looks at how IT can make a company greener rather than how a company can make IT greener: http://blogs.technet.com/brucelynn/default.aspx.

::Download:: Performance Tuning Guidelines for Windows Server 2008

This guide describes important tuning parameters and settings that can result in improved performance for the Windows Server 2008 operating system. Each setting and its potential effect are described to help you make an informed judgment about its relevance to your system, workload, and performance goals.

This information applies for the Windows Server 2008 operating system.

What's New:

Added "Power Guidelines" under Server Hardware section and added "Performance Tuning for Virtualization Servers" section.

Included in this paper:

Performance Tuning for Server Hardware

Performance Tuning for Networking Subsystem

Performance Tuning for Storage Subsystem

Performance Tuning for Web Servers

Performance Tuning for File Servers

Performance Tuning for Active Directory Servers

Performance Tuning for Terminal Server

Performance Tuning for Terminal Server Gateway

Performance Tuning for Virtualization Servers

Performance Tuning for File Server Workload (NetBench)

Performance Tuning for Network Workload (NTttcp)

Performance Tuning for Terminal Server Knowledge Worker Workload

Performance Tuning for SAP Sales and Distribution Two-Tier Workload

 

Microsoft Mythbusters: Top 10 VMware Myths

Published Friday, April 03, 2009 3:39 PM by aralves

Windows Server 2008 Technical Overviews

These technical overviews provide IT Professionals with information about how a Windows Server 2008 technology works. They may also cover design and planning considerations and basic setup and operating instructions. 

The download contains the following documents:

  • DNS Server Global Query  Block List
  • Installing and Configuring and Troubleshooting the Microsoft Online Responder
  • What's New in Failover Clusters
  • What's New in Terminal Services for Windows Server 2008

Download: WS2008 Technical Overviews

Shrinking a volume in Windows Server 2008

I'm getting ready to work at the Microsoft booth at the Storage Network World next week in Dallas, TX and I learned about this great little feature in Windows Vista and Windows Server 2008 (currently in Release Candidate 0 state): you can now shrink a volume. 

The scenario for this is quite common: you created a few volumes and you tried to estimate what the ideal size of the volume would be. And you guessed it wrong :-(. Windows Server 2003 already allows you to increase the size of a volume to use the entire partition, which covers the scenario where you underestimated your storage needs. Now you can also shrink a volume to free up partition space for other uses, in case you initially allocated too much space to a volume.

The main tool here is the DISKPART command line utility. Below is an example of how you would do this, starting with a 50MB simple volume on a 100MB partition that gets extended and then shrunk by 25MB.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>diskpart

Microsoft DiskPart version 6.0.6001
Copyright (C) 1999-2007 Microsoft Corporation.
On computer: WS2008RC0N1

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C                NTFS   Partition     64 GB  Healthy    System
  Volume 1     G   Extra        NTFS   Partition     50 MB  Healthy
  Volume 2     F   FS1          NTFS   Partition     48 MB  Healthy
  Volume 3     H   FS2          NTFS   Partition     48 MB  Healthy
  Volume 4     E   Witness      NTFS   Partition      8 MB  Healthy
  Volume 5     D                       DVD-ROM         0 B  No Media

DISKPART> select volume 1

Volume 1 is the selected volume.

DISKPART> extend

DiskPart successfully extended the volume.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C                NTFS   Partition     64 GB  Healthy    System
* Volume 1     G   Extra        NTFS   Partition    100 MB  Healthy
  Volume 2     F   FS1          NTFS   Partition     48 MB  Healthy
  Volume 3     H   FS2          NTFS   Partition     48 MB  Healthy
  Volume 4     E   Witness      NTFS   Partition      8 MB  Healthy
  Volume 5     D                       DVD-ROM         0 B  No Media

DISKPART> shrink desired=25 minimum=10

DiskPart successfully shrunk the volume by:   25 MB

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C                NTFS   Partition     64 GB  Healthy    System
* Volume 1     G   Extra        NTFS   Partition     75 MB  Healthy
  Volume 2     F   FS1          NTFS   Partition     48 MB  Healthy
  Volume 3     H   FS2          NTFS   Partition     48 MB  Healthy
  Volume 4     E   Witness      NTFS   Partition      8 MB  Healthy
  Volume 5     D                       DVD-ROM         0 B  No Media

DISKPART> exit

Leaving DiskPart...

C:\Users\Administrator>

You can also use the command "SHRINK QUERYMAX" to find out how much a specific volume can be shrunk.
The "Disk Management" tool under "Storage" in Windows Server 2008's "Server Manager" also lets you do this from a GUI.

If your SAN storage vendor supports it, you might also be able to shrink the underlying LUN after freeing up space with this new Windows Server 2008 feature.

More information about the SHRINK command in DISKPART at:
http://technet2.microsoft.com/windowsserver2008/en/library/ec87cc7c-9846-465e-a10d-4ee10db4f4e61033.mspx

Download a copy of Windows Server 2008 RC0 yourself and start playing with this new feature. The download is available (since September 25th) from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0818D425-CD47-4279-BE8D-24ABA14530A3

Remote Apps in Windows Server 2008

Happy New Year! After a few days break to celebrate the New Year I'm now back in the office with new energy! I'm right now trying to go through emails and catch up on things and one thing I want to tell you about is a new Windows Server 2008 project that has been going on in Singapore.

As you might know, we are running something called the "Windows Server 2008 Insiders" group in some Southeast Asia countries where the members learn about Windows Server 2008 every month and get the chance to try it out within the IT Pro Momentum Program. In Singapore, Dennis recently blogged about one of the members, Bernard, who has piloted RemoteApps in Windows Server 2008.

Read more about the project and his findings here

Read more about Terminal Services in Windows Server 2008 here

Survival Guide of Windows Server 2008 Documentation

If you're in the process of evaluating the upcoming Windows Server 2008 and looking for a one-stop location for information on planning, deploying, maintaining, or supporting the new environment, bookmarking the Documentation Survival Guide is a great place to start. And here's some of that great new content I'm referring to:

The latest Windows Server 2008 Webcasts and Virtual Labs

It's simple: no complex setup or installation is required to try out Windows Server 2008 running in the full-featured TechNet Virtual Lab. You get a downloadable manual and a 90-minute block of time for each module. You can sign up for additional 90-minute blocks any time.

Virtual Labs

On-Demand Webcasts

Prepare yourself for the next release of Microsoft's server operating system—Windows Server 2008. Tune in and learn how you can leverage the new features to improve your organization's networking infrastructure and security, server performance and reliability, remote resource access, and client deployment. Subject matter experts break down what these upgrades mean for your environment and how to take advantage of them.

How Microsoft Does IT - Deploying Virtual Machines using Hyper-V

Again another great set of materials showing how we do Virtualisation and the potential value of this technology. 

Microsoft IT virtually deploys more than 80% of new servers using Windows Server 2008 Hyper-V. To ensure optimal performance, Microsoft IT has developed configuration best practices, based on the application workloads or services being provided by the virtual machines.

IPD Guide Release Announcement: Microsoft Enterprise Desktop Virtualization

The Infrastructure Planning and Design team has released a new guide: Microsoft Enterprise Desktop Virtualization.

This guide outlines the critical infrastructure design elements that are crucial to a successful implementation of Microsoft Enterprise Desktop Virtualization (MED-V). The reader is guided through the four-step process of designing components, layout, and connectivity in a logical, sequential order. Identification of the MED-V server instances required is presented in simple, easy-to-follow steps, helping the reader to deliver managed virtual machines to end users. Following the steps in this guide will result in a design that is sized, configured, and appropriately placed to deliver the stated business benefits, while also considering the performance, capacity, and fault tolerance of the system.

Download the guide by visiting http://www.microsoft.com/ipd and selecting "Microsoft Enterprise Desktop Virtualization" under the IPD One-click Downloads, listed on the bottom right of the page.
Infrastructure Planning and Design streamlines the planning process by:

  • Defining the technical decision flow through the planning process.
  • Listing the decisions to be made and the commonly available options and considerations.
  • Relating the decisions and options to the business in terms of cost, complexity, and other characteristics.
  • Framing decisions in terms of additional questions to the business to ensure a comprehensive alignment with the appropriate business landscape.

Join the Beta
Additional Infrastructure Planning and Design guides are available as beta releases on the Connect Web site. They are open beta downloads. See below for instructions on how to access the beta guides.
To join the Infrastructure Planning and Design Beta, follow these steps:

  1. Visit the Infrastructure Planning and Design Beta at http://connect.microsoft.com.
  2. Sign in using a valid Windows Live ID to continue to the Invitations page.
  3. Scroll down to Infrastructure Planning and Design.

If you have not previously registered with Microsoft Connect, you might be required to register before continuing with the invitation process. If the link in step 1 does not work for you, copy the link and paste it into the Web browser address bar.

Related Resources
Check out all the Infrastructure Planning and Design team has to offer! Visit the IPD page on TechNet, http://www.Microsoft.com/ipd, for additional information, including our most recent guides.

Reinvent your desktop? BumpTop 3D

I came across this UI for Windows desktops, as the video suggests that the UI for the way we work has evolved over the past 20 years. Here is a completely new way for interaction with your desktop space. I am thinking that this will be a must when I get hold of some new Windows 7 tablets, which are touch enabled, later this month to play with.

I have yet to install, however its on my to-do list.  I would be interested in your comments.

Get it here

What Do You Know about IT

Really powerful, key points I picked out : 

  • 35 million people in the world are employed in IT
  • Passion for technology is what drives us
  • Fastest growth area for employment
  • We impact the world we live in
  • Talent: we are all talented
  • Software is key to connectivity
  • Software is everywhere
  • Technology is now an expectation
  • Technology levels the playing field
  • Communities are built
  • For every $1 Microsoft earns, a partner earns $8
  • Microsoft provides a platform for innovation

What's new in Windows Server 2008

So one of the key pillars in Windows Server 2008 is our new virtualisation story.  Want to know more about what's coming?

Register for this Webcast on Thursday 12th July for more information

Microsoft Webcast: Overview of Windows Server 2008 (Level 200)

Windows Server 2008 R2 Beta - download and keys

This software is for evaluation and testing purposes. Evaluating any version of Windows Server 2008 R2 Beta software does not require product activation or entering a product key. Any edition of Windows Server 2008 R2 Beta may be installed without activation and evaluated for an initial 30 days.

If you need more time to evaluate Windows Server 2008 R2 Beta, the initial 30 day evaluation can be extended to August 1st (at which time the OS will become inoperable) by entering the product key below for your selected edition.


Windows Server 2008 R2 Beta Product Keys for Evaluation

  • Windows Server 2008 R2 Beta Enterprise (7000.0.081212-1400_server_en-us-GB1SXFRE_EN_DVD.iso) – Product key = TFGPQ-J9267-T3R9G-99P7B-HXG47
  • Windows Server 2008 R2 Beta Standard (7000.0.081212-1400_server_en-us-GB1SXFRE_EN_DVD.iso) – Product key = 2T88R-MBH2C-M7V97-9HVDW-VXTGF
  • Windows Server 2008 R2 Beta Datacenter (7000.0.081212-1400_server_en-us-GB1SXFRE_EN_DVD.iso) – Product key = GQJJW-4RPC9-VGW22-6VTKV-7MCC6
  • Windows Server 2008 R2 Beta for Itanium Based Systems (7000.0.081212-1400_serverenterprise64_en-us-GB1SIAIFRE_EN_DVD.iso) – Product Key = CQ936-9K2T8-6GPRX-3JR9T-JF4CJ
  • Windows Web Server 2008 R2 Beta (7000.0.081212-1400_serverweb_en-us-GB1WXFRE_EN_DVD.iso) – Product key = GT8BY-FRKHB-7PB8W-GQ7YF-3DXJ6

Download the .ISOs @ http://www.microsoft.com/downloads/details.aspx?FamilyID=85cfe4c9-34de-477c-b5ca-75edae3d57c5&DisplayLang=en

Cool Terminal Services Demo

You have to check out Naren's cool video that is now hosted on TechNet Edge. It's showing the integration between Silverlight, Terminal Services and Robotics...

Green IT Webcasts

Beginning in May there will be a web cast series on Green IT with topics like "Transforming the Data Center with Energy Efficiency" and "Cloud Computing Futures: Creating Greener Clouds with Microsoft Research".

On the Microsoft Environment site you can also read more about how Windows 7 is improving power management and there is also a web cast coming up on that topic on May 8.

Remember that even if the web casts might not be at the best timing for us in Asia you can always watch them on demand afterwards.

24 Hours of Windows Server 2008

On-Demand Webcasts

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 01 of 24): Overview (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 02 of 24): Server Virtualization with Hyper-V Features and Architecture (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 03 of 24): Managing Hyper-V (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 04 of 24): Presentation Virtualization with Terminal Services RemoteApp (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 05 of 24): Terminal Services Gateway and Terminal Services Web Access (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 06 of 24): Deploying and Migrating to Terminal Server (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 07 of 24): IIS 7.0 Overview and Architecture (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 08 of 24): IIS 7.0 Advanced Management (Level 200)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 09 of 24): IIS 7.0 Centralized Configuration (Level 300)

TechNet Webcast: 24 Hours of Windows Server 2008 (Part 10 of 24): IIS 7.0 Diagnostics and Troubleshooting (Level 300)

 

Password policies in Windows Server 2008

In Windows Server 2008 we get something called Password Settings Objects, or PSOs, which make it possible to have different password and account lockout policies within one domain, something you couldn't do in previous versions (one domain meant one policy). So now you can actually give the administrators in your domain stronger password requirements than the standard user. A PSO is linked to users or to global security groups (not to OUs), and when several PSOs apply to the same user the one with the lowest precedence value wins. More information about it here
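As an added example (not from the original post), the following PowerShell script creates a strict PSO for the Domain Admins group using the LDIF import path that Windows Server 2008 supports natively (ldifde), and then checks which PSO is actually in effect for a user via the msDS-ResultantPSO constructed attribute. The domain corp.example, the PSO name, the group and the user alice are assumptions; the script must run on a domain controller (for ldifde) with Domain Admin rights and a Windows Server 2008 domain functional level. The duration conversion is the part worth keeping: AD stores these intervals as negative 64-bit counts of 100-nanosecond ticks, which is easy to get wrong by hand.

```powershell
# Added example, not the original post's code. Creates a Password Settings
# Object (PSO) for a global security group and verifies the resultant PSO
# for one user. Assumed (hypothetical) names: corp.example, PSO-Admins-Strict,
# Domain Admins, alice. Run on a DC as a Domain Admin.

param(
    [string] $DomainDN   = 'DC=corp,DC=example',
    [string] $PsoName    = 'PSO-Admins-Strict',
    [int]    $Precedence = 10,   # lower value wins when several PSOs apply to a user
    [string] $AppliesTo  = 'CN=Domain Admins,CN=Users,DC=corp,DC=example',
    [string] $CheckUser  = 'CN=alice,CN=Users,DC=corp,DC=example'
)

# AD stores password/lockout durations as a negative Int64 count of 100 ns ticks.
# 1 day  -> -864000000000, 30 minutes -> -18000000000.
function ConvertTo-AdDuration {
    param([int] $Days = 0, [int] $Minutes = 0)
    $ticks = ([int64]$Days * 24 * 60 + $Minutes) * 60 * 10000000
    return -$ticks
}

# LDIF for the PSO. Booleans are TRUE/FALSE; PSOAppliesTo takes user or
# global security group DNs (PSOs cannot be linked to OUs).
$ldif = @"
dn: CN=$PsoName,CN=Password Settings Container,CN=System,$DomainDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: $Precedence
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-AdDuration -Days 1)
msDS-MaximumPasswordAge: $(ConvertTo-AdDuration -Days 42)
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-AdDuration -Minutes 30)
msDS-LockoutDuration: $(ConvertTo-AdDuration -Minutes 30)
msDS-PSOAppliesTo: $AppliesTo
"@

$ldf = Join-Path $env:TEMP "$PsoName.ldf"
$ldif | Set-Content -Path $ldf -Encoding ASCII

# -i import, -f file, -k keep going on "object already exists" so re-runs are harmless.
ldifde -i -f $ldf -k

# Verification: msDS-ResultantPSO is computed by the DC per user, so it is
# fetched explicitly rather than read from the normal attribute cache.
$user = [ADSI]"LDAP://$CheckUser"
$user.psbase.RefreshCache(@('msDS-ResultantPSO'))
$resultant = $user.psbase.Properties['msDS-ResultantPSO'].Value
if ($resultant) {
    "Effective PSO for ${CheckUser}: $resultant"
} else {
    "No PSO applies to ${CheckUser}; the Default Domain Policy settings are in effect"
}
```

Because precedence is "lowest number wins", give the admin PSO a small value and reserve larger values for looser policies; an admin who is also a member of a group with a lax PSO of lower precedence would otherwise inherit the weaker policy, which is exactly what the resultant-PSO check above is there to catch.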

Quick and Dirty Large Scale Eventing for Windows

One of the least known yet most powerful management features to ship with Windows Vista and Windows Server 2008 is built-in Event Forwarding which enables large scale health and state monitoring of a Windows environment (assuming health and state can be determined from Windows Events - which they usually can). Not only is this feature built into the latest versions of Windows, but it's also available for down-level OSs like Windows XP SP2+ and Windows Server 2003 SP1+ (here).

Note: True enterprise class Windows eventing is included with enterprise monitoring solutions like System Center Operations Manager.

This new Windows Event Forwarding (also known as Windows Eventing 6.0) is exceptional for the following reasons:

  1. Standards Based: No really! It leverages the DMTF WS-Eventing standard which allows it to interoperate with other WS-Man implementations (see OpenWSMAN at SourceForge).
  2. Agentless: Event Forwarding and Event Collection are included in the OS by default
  3. Down-Level Support: Event Forwarding is available for Windows XP SP2+ and Windows Server 2003 SP1+
  4. Multi-Tier: Forwarding architecture is very scalable where a "Source Computer" may forward to a large number of collectors and collectors may forward to collectors
  5. Scalable: Event Collection is very scalable (available in Windows Vista as well) where the collector can maintain subscriptions with a large number of "Source Computers" as well as process a large number of events per second
  6. Group Policy Aware: The entire model is configurable by Group Policy
  7. Schematized Events: Windows Events are now schematized and rendered in XML which enables many scripting and export scenarios
  8. Pre-Rendering: Forwarded Windows Events can now be pre-rendered on the Source Computer negating the need for local applications to render Windows Events
  9. Resiliency: Designed to enable mobile scenarios where laptops may be disconnected from the collector for extended periods of time without event loss (except when logs wrap); delivery runs over TCP and the subscription tracks where each Source Computer left off, so a reconnecting source resumes rather than restarts
  10. Security: Traffic is authenticated and encrypted end to end, either with Kerberos (the domain default over HTTP) or with certificate-based TLS when the HTTPS transport is used

This implementation will walk through the following example design where, via Group Policy, a domain computer group is configured to forward Windows Events to a single collector:

Implementation steps are as follows:

  • Step 1: Create Event Forwarding Subscription
  • Step 2: Configure WinRM Group Policy
  • Step 3: Configure Event Forward Group Policy
  • Step 4: Test

Step 1: Create the Event Forwarding Subscription on the Event Collector

In the Windows Event Forwarding architecture, the subscription definition is held and maintained on the Collector in order to reduce the number of touch-points in case a subscription needs to be created or modified. Creating the subscription is accomplished through the new Event Viewer user interface by selecting the 'Create Subscription' action when the 'Subscriptions' branch is highlighted. The Subscription may also be created via the "WECUTIL" command-line utility.

Note: Both Windows Vista and Windows Server 2008 can be event collectors (this feature is not supported for down-level). Although there are no built-in limitations when Vista is a collector, Server 2008 will scale much better in high volume scenarios.

Although the above subscription is configured to leverage Group Policy, the subscription can be configured in a stand-alone mode (see the "Collector Initiated" option). In addition, this subscription is designed to gather all events from the "Application" and "System" logs that have a level of "Critical", "Error", or "Warning". This event scope can be expanded to gather all events from these logs or even add additional logs (like the "Security" log).

Lastly, the subscription is configured to forward events as quickly as possible with the advanced settings delivery option of "Minimize Latency". The default setting of "Normal" would only forward events every 15 minutes (which may be more desirable depending on the Collector and Source Computer resources).

If Group Policy is not being used, configure the "Subscription type" to be "Collector Initiated". In this case Source Computers will need to be manually added to the Subscription either through the Subscription configuration or the "WECUTIL" command-line utility (which can also be scripted using PowerShell, but that's another topic). 

Note: In cases where the Source Computer is generating a large volume of forwarded events (e.g. Security events from a Domain Controller), use WECUTIL on the collector to disable event rendering for the subscription. The task of pre-rendering an event on the source computer can be CPU intensive for a large number of events.

Step 2: Configure Group Policy to enable Windows Remote Management on the Source Computers (clients)

Group Policy can be used to enable and configure Windows Remote Management (WinRM or WS-Man) on the Source Computers. WinRM is required by Windows Event Forwarding as WS-Man is the protocol used by WS-Eventing. The following shows the Group Policy branch locations for configuring both WinRM and Event Forwarding:

The following GP setting will enable WinRM on the client as well as configure a Listener that will accept packets from ANY source.

Note: This Listener configuration should only be used in a trusted network environment. If the environment is not trusted (like the Internet), then configure only specific IP Addresses or ranges in the IPv4 and IPv6 filters.

To configure WinRM outside of Group Policy, run the following command on the Source Computer (also see the above Note):

winrm quickconfig

Step 3: Configure Group Policy to enable Windows Event Forwarding on the Source Computers

As with WinRM, Group Policy can be used to configure Source Computers (Clients) to forward events to a collector (or set of collectors). The policy is very simple: the "Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager" setting merely tells the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics (for WinRM 2.0 the value looks like Server=http://collector.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60, where Refresh is the polling interval in seconds). All of the other subscription details are held on the Collector.

If Group Policy is not being used, then there is nothing to do here as the "Collector Initiated" Subscription will proactively reach out to the Source Computer.

Step 4: Test Event Forwarding

If all of the Event Forwarding components are functioning (and there's minimal network latency), a test event created on the Source Computer should arrive in the Collector's "Forwarded Events" log within 60 seconds. Create a test event with the following command:

eventcreate /id 999 /t error /l application /d "Test event."

This event should appear on the Collector as follows:

If the event doesn't appear, perform the following troubleshooting steps:

Troubleshooting Step 1: Has Policy Been Applied to the Source Computer?

This can be forced by running the following command on the Source Computer:

gpupdate /force

Troubleshooting Step 2: Can the Collector Reach The Source Computer via WinRM?

Run the following command on the Collector

winrm id /r:<Source Computer> /a:none

Troubleshooting Step 3: Is the Collector Using the Right Credentials?

Run the following command on the Collector

winrm id /r:<Source Computer> /u:<username> /p:<password>

Note: These are the credentials defined in the Subscription on the Collector. The account doesn't need to be in the local Administrators group on the Source Computer; membership in the "Event Log Readers" group on the Source Computer is sufficient (local Administrators will also work).

Troubleshooting Step 4: Has the Source Computer Registered with the Collector?

Run the following command on the Collector

wecutil gr <subscription name>

This lists all the registered Source Computers (if the Subscription is "Collector Initiated", all configured Source Computers), their state from the Collector's perspective, and the time of their last heartbeat.
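The four steps and the troubleshooting checks above, put together as one script. This is an added example and not part of the original post: Part 1 runs on a Source Computer that Group Policy does not manage and narrows the WinRM Listener and firewall rule; Part 2 runs on the Collector, creates a Collector Initiated subscription from XML with "Minimize Latency" delivery and unrendered events, sets the subscription credentials, and then checks reachability, registration and the arrival of the test event. The computer names, the 10.1.2.0/24 management subnet, the Collector address 10.1.2.10, the CONTOSO\svc-wef account and the firewall rule name are placeholders and assumptions.

```powershell
# Added example (not from the original post). Part 1: Source Computer. Part 2: Collector.
# Names, addresses and the service account below are placeholders.

# ---------- Part 1: run on a Source Computer not managed by Group Policy ----------
# Enable the WinRM service, an HTTP Listener and the firewall exception without prompts.
winrm quickconfig -q

# The IPv4Filter limits which LOCAL addresses WinRM listens on (not remote peers):
# bind only to the address on the assumed management subnet.
winrm set winrm/config/service '@{IPv4Filter="10.1.2.0-10.1.2.255"}'

# Limit who may connect by scoping quickconfig's firewall rule to the Collector's address.
# The rule name is assumed (Windows Server 2008 R2); verify it with
# "netsh advfirewall firewall show rule name=all".
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=10.1.2.10

# The subscription account only needs to read event logs, not local admin rights.
net localgroup "Event Log Readers" "CONTOSO\svc-wef" /add

# ---------- Part 2: run on the Collector (elevated) ----------
$subName = 'AppSysErrors'
$sources = @('ws01.contoso.com', 'ws02.contoso.com')   # placeholder Source Computer FQDNs

# Configure and start the Windows Event Collector service quietly.
wecutil qc /q

$sourceXml = ($sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"

# Collector Initiated; Application + System; Critical/Error/Warning only (Level 1-3);
# MinLatency delivery; ContentFormat "Events" skips rendering on the source
# (same effect as "wecutil ss <name> /cf:Events" on an existing subscription).
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Application/System Critical, Error and Warning events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subName.xml"
Set-Content -Path $xmlPath -Value $xml -Encoding UTF8
wecutil cs $xmlPath

# Shared credential the Collector uses to pull from every source ("Event Log Readers" is enough).
# The password is passed on the command line, so it is visible in process listings while wecutil runs.
$cred = Get-Credential 'CONTOSO\svc-wef'
wecutil ss $subName "/cun:$($cred.UserName)" "/cup:$($cred.GetNetworkCredential().Password)"

# Troubleshooting Step 2: can the Collector reach each source over WinRM at all?
foreach ($s in $sources) {
    $reply = (winrm id /r:$s /a:none 2>&1) -join "`n"
    if ($reply -notmatch 'ProductVersion') {
        Write-Warning "WinRM unreachable on $s (Listener, IP filter or firewall): $reply"
    }
}

# Troubleshooting Step 4: registration state and last heartbeat of each source.
wecutil gr $subName

# Step 4 of the walkthrough: after running
#   eventcreate /id 999 /t error /l application /d "Test event."
# on a source, the event should show up in ForwardedEvents within about a minute.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 999; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue
if ($hits) {
    $hits | Select-Object TimeCreated, MachineName, Id, Message | Format-Table -AutoSize
} else {
    Write-Warning 'No test event yet: run "gpupdate /force" on the source, confirm the source shows as Active in "wecutil gr", and wait 60 seconds.'
}
```

Run Part 2 in an elevated PowerShell on the Collector after Part 1 has been applied to each source. If "wecutil gr" shows a source as Inactive while "winrm id" succeeds, the credential or its "Event Log Readers" membership is the usual cause; if "winrm id" itself fails, the Listener address filter or the scoped firewall rule from Part 1 is the first thing to recheck.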

Deployment Security Designs for Forefront IAG/UAG Virtual Appliances

One of the most compelling capabilities being added in IAG SP2 (which will also be available in UAG) is the 'virtual appliance' installation option. A virtual appliance is a preconfigured, ready to use Virtual Machine that already has Windows Server and IAG / UAG installed. Microsoft will build the VHD and make it available for customers to download. Customers will then take the Virtual Hard Disk (VHD) and drop it into a child partition on a Hyper-V host. At this point, the VM would function like a classic IAG installation, with all the normal features and capabilities customers have come to expect. The reason we've added this capability in IAG is to give customers options for how they want to deploy IAG in their networks. For many customers, the pre-tuned, dedicated hardware appliances available from our partners are a great option that fit in well with their overall management methodology. Other customers prefer a more standardized hardware platform in their datacenters and thus the virtual appliance on Hyper-V is preferred. Note that it's not a question of which is 'better'; the two options allow customers to choose the solution that best fits their environment.

For customers looking at deploying the virtual appliance, a common question is what is the best way to provide a secure virtualization environment for the IAG/UAG VM? There are three primary design options to choose from. Again, it's not a question of what option is best; rather, customers should look at each model and decide which best aligns with their management approach.

Option 1: Classic Physical Appliance

It may seem strange to list a physical appliance as an option here, but arguably the dedicated physical appliance is the most hardened configuration out of the box. The reason for this is that the OEM appliance vendors take Windows Server and IAG and really mold the entire hardware platform around them. In doing so, they reduce the attack surface of the machine by disabling services not critical to IAG, ensure necessary updates are installed, and then put that image on top of a hardware platform designed for them. Because IAG is built on top of Windows Server, it's possible for a customer to take many of the same software steps the OEMs do, but the benefit of the appliance is that it's all been done and tested for you. For customers looking for the most secure out of the box experience with IAG, physical appliances provide some unique benefits.

Pros: minimal configuration; pre-hardened operating system; hardware designed specifically for remote access gateway
Cons: limited hardware choice; potentially non-standard device and software configuration in an otherwise rationalized datacenter

Option 2: VM on Dedicated Hardware

While one of the key benefits of virtualization is the ability to run multiple operating systems simultaneously on the same physical hardware, it's by no means a requirement that a Hyper-V machine have more than 1 child partition. In other words, it's fully supported to run a Hyper-V system with only a single child. Why would you do this? If you want to have the manageability benefits of virtualization, but have workloads that can scale up and maximize an entire physical server, this approach is an effective model for getting the best of both worlds. Particularly when you use the Server Core option of Windows Server 2008 to run the parent partition, you have very minimal overhead incurred by doing so. In fact, key Microsoft web sites like TechNet and MSDN use this exact model in their production environments. When you think about this model for hosting IAG, the benefits are that you don't have concerns about resource contention between VMs (though Hyper-V has resource management controls available) and you don't have to worry about sharing the remote access gateway physical platform with any other workloads. Because Hyper-V supports the same huge catalog of server hardware that Windows Server 2008 does, you have great flexibility in what the physical layer looks like. Whether you prefer 1U, 2U, blades, and regardless of OEM, you'll be able to easily integrate the Hyper-V host and its IAG child partition into your existing datacenter. Finally, because you can use whatever hardware you prefer, it's easy to place the server wherever it needs to go within your network. For example, it is often easier to provision a new blade into the DMZ network to host IAG than it is to securely route traffic from the DMZ to a larger virtualization system in the internal network.

Pros: great choice in hardware; can use existing organization standards for hardware and operating system images; with Server Core, very low overhead for parent partition; great flexibility in network placement
Cons: may require greater setup effort to configure hardware and parent partition operating system

Option 3: VM on Existing Virtualization Environment

For customers that already have a Hyper-V environment, they may wish to simply add the IAG VM to the existing hosts. This is particularly true if a customer has already invested in building a highly reliable, well tuned hosting environment, using tools like Failover Clustering. In these cases, there's no problem with running IAG in a child partition on an existing physical server already running other VMs. So long as the traffic is properly routed to the VM, IAG can function perfectly well in such a configuration. However, when sharing physical resources with other child partitions, it's particularly important to allocate sufficient capacity to the IAG VM. This should be done both by allocating enough memory and CPU capacity to the VM, and by using the Hyper-V resource controls (CPU reserve, limit and relative weight) so that the IAG VM is prioritized appropriately. Additionally, there are significant performance and security benefits to dedicating physical network adapters solely to the IAG VM, rather than sharing them with other VMs. Having dedicated NICs ensures that IAG will not need to compete for network IO, keeps the external-facing virtual network separate from the switches the other VMs use, and simplifies the routing of remote access traffic to and from the VM.

Pros: efficiency of reusing existing investments in Hyper-V physical platform, such as Failover Clustering
Cons: more planning required to ensure sufficient resources for IAG child partition; potentially more complex network routing needs if the existing environment does not already receive traffic from internet hosts

Virtual appliances are all about customer choice; providing you with the right options for security and placement while allowing you to choose your own hardware platform or reuse one you already have. There's no right choice that applies to all situations, so think about your environment and goals, and choose the option that fits your network best.

Network Access Protection Using 802.1x VLAN's or Port ACLs - Which is right for you?

Given that the NAC (Network Access Control) market is one of the hottest segments in the industry (I think virtualization has that distinction at the moment) it is fitting to take a look at the variety of options available from Microsoft's Network Access Protection (NAP). NAP supports a variety of what we call enforcement methods. In the NAP space, an enforcement method is simply a term that defines the way a machine connects to a network. In NAP, these are DHCP, 802.1x (wired or wireless), VPN, IPsec, or via a Terminal Services Gateway.

The most common method of the list is 802.1x for a variety of reasons. First, the industry has been selling 802.1x network authentication for the last 10 years. 1x gained tremendous popularity as wireless networking became prevalent in the late 90's and early 2000's and has been proven to be a viable solution to identifying assets and users on your network. For customers that have invested in 802.1x capable switches and access points, NAP can very easily be implemented to complement what is already in place. The Network Policy Server (NPS) role in Windows Server 2008 has been dramatically improved to make 802.1x policy creation much simpler to do; however, what many people don't realize is that there really are 2 rather distinct ways to deploy 802.1x based NAP, and this is what we will be discussing today. These 2 methods are commonly referred to as the use of VLANs or Port ACLs.

VLAN

Since we are talking about this in the context of NAP, this would be a good time to introduce the fact that taking the VLAN approach essentially requires that you involve the folks that own your switching infrastructure in your NAP plans. Why? Because you will now be asking them to touch all the switches and APs on the network to create the VLAN structure that you will need for your NAP deployment. At a minimum, you would want to create 3 different VLANs. One for 'healthy' or compliant computers, one for 'unhealthy' or non-compliant computers, and a third VLAN for guests, or unknown devices that cannot pass the port's requirement to do 802.1x authentication.

In the VLAN scenario, on your RADIUS server (i.e. our NPS server) you would create a policy that returns a set of attributes whose values match the VLAN you have created on the switch. The standard set (RFC 3580) is Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID, all carrying the same tag, which NPS shows as "Tunnel-Tag". The value of Tunnel-Private-Group-ID usually matches the VLAN name or number you created on the switch. Some switches also accept other attributes for this, such as Filter-ID, but that attribute is more often used for the Port ACL approach described below.

As an example, let's say on your switch VLAN 100 is the compliant VLAN and VLAN 200 is the non-compliant VLAN.

To make this work when you walk through the wizard in NPS to create 802.1x policies you will create a compliant and non-compliant policy. When prompted to insert values for these attributes you will enter "100" for your compliant policy (i.e. Tunnel-Private-Group-ID = 100) and "200" for the non-compliant policy.  Our wizard based configuration makes this very easy.

Once completed, when a machine comes onto your network and meets the criteria of one of the policies you created, the NPS will send back this tunnel information to the switch to instruct the switch to put that machine in the proper VLAN. Pretty simple and straight forward.

Port ACLs

There are 2 approaches here.

  1. You send the switch a 'reference' to an ACL you have already created on the switch
  2. You send the switch vendor specific attributes with values that tell the switch how to ACL the port

In scenario 1, you would do the heavy configuration on the switch by creating the ACLs you would want for compliant and non-compliant machines.  Most likely those ACL's would restrict protocols and ports and access to only certain IP addresses.  For this example let's say you have named your ACL's "compliant" and "non-compliant".

In your RADIUS server you would use something like the Filter-ID attribute (this is the most commonly supported attribute) with a string value of "compliant" or "non-compliant".  When received the switch will then know what ACL to apply to that port.

In scenario 2, instead of configuring and sending the Filter-ID attribute, you would create Vendor Specific Attributes (VSAs) (this is a common concept in the RADIUS protocol) that tell the switch explicitly what ACL's to apply to that port.  For example, the HP ProCurve line of switches will accept the following Vendor Specific Attribute (VSA)

permit in udp from any to 10.10.10.2 53

This says: on this port, permit inbound UDP from any source address to 10.10.10.2 on port 53, i.e. allow DNS queries to that host (and nothing else unless another rule permits it). The assumption is that 10.10.10.2 is your DNS server.

The pros and cons of the 2 port ACL approaches are fairly similar as well.

  1. Pros, simplified RADIUS server configuration, less prone to mistakes in the RADIUS server configuration; Cons, required to touch your entire switching infrastructure, ACL configuration isn't centralized
  2. Pros, doesn't require you to touch your entire switching infrastructure, configuration can be centralized on your RADIUS servers; Cons, more complex RADIUS server configuration, prone to mistakes in ACL configuration on the RADIUS server
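To make the RADIUS side of both designs concrete, here is an added example that is not from the original post and not anything shipped with NPS: it builds, by hand, the attribute-value pairs an NPS Access-Accept would carry for the VLAN policy (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID with a shared tag), for the Filter-ID reference of port-ACL scenario 1, and for the HP VSA of scenario 2, then decodes them again the way a capture decoder would. Attribute numbers come from RFC 2865 and RFC 2868. The HP vendor ID (11) and the HP-Nas-Filter-Rule vendor attribute (61) are assumptions taken from HP's ProCurve RADIUS ACL documentation; confirm them against your firmware's manual before relying on them.

```powershell
# Added illustration: encode the RADIUS attributes NPS returns for the VLAN and
# port-ACL policies above, so the bytes the switch receives can be compared
# with a packet capture. Attribute numbers: Filter-Id 11, Vendor-Specific 26
# (RFC 2865); Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81
# (RFC 2868). HP vendor ID 11 / attribute 61 are assumed; verify against HP docs.

function New-RadiusAvp {
    param([byte]$Type, [byte[]]$Value)
    # Layout: Type (1 byte) | Length (1 byte, counts the 2-byte header) | Value
    if ($Value.Length -gt 253) { throw "attribute value exceeds 253 bytes" }
    $avp = [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
    return ,$avp        # leading comma keeps the byte[] from being unrolled
}

function New-TaggedStringAvp {
    param([byte]$Type, [byte]$Tag, [string]$Text)
    # RFC 2868 tagged string: one tag byte (0x01-0x1F) followed by the text.
    # The tag byte is what the NPS policy editor labels "Tunnel-Tag".
    $bytes = [byte[]](@($Tag) + [System.Text.Encoding]::ASCII.GetBytes($Text))
    return ,(New-RadiusAvp -Type $Type -Value $bytes)
}

function New-TaggedIntAvp {
    param([byte]$Type, [byte]$Tag, [uint32]$Number)
    # RFC 2868 tagged integer: tag byte followed by a 24-bit big-endian value.
    $be = [System.BitConverter]::GetBytes([uint32]$Number)   # little-endian on x86/x64
    [array]::Reverse($be)                                     # now big-endian
    $bytes = [byte[]](@($Tag) + $be[1..3])                    # tag + low 24 bits
    return ,(New-RadiusAvp -Type $Type -Value $bytes)
}

function New-VendorSpecificAvp {
    param([uint32]$VendorId, [byte]$VendorType, [string]$Text)
    # Type 26 value: Vendor-Id (4 bytes, big-endian) | Vendor-Type | Vendor-Length | data
    $vid = [System.BitConverter]::GetBytes([uint32]$VendorId)
    [array]::Reverse($vid)
    $data  = [System.Text.Encoding]::ASCII.GetBytes($Text)
    $inner = [byte[]](@($VendorType, [byte]($data.Length + 2)) + $data)
    return ,(New-RadiusAvp -Type 26 -Value ([byte[]]($vid + $inner)))
}

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function Read-RadiusAvps {
    param([byte[]]$Packet)
    # Walk a sequence of AVPs and report each one, as a capture decoder would.
    $i = 0
    while ($i -lt $Packet.Length) {
        $type = $Packet[$i]; $len = $Packet[$i + 1]
        if ($len -lt 2 -or ($i + $len) -gt $Packet.Length) { throw "malformed AVP at offset $i" }
        $value = if ($len -gt 2) { $Packet[($i + 2)..($i + $len - 1)] } else { @() }
        New-Object PSObject -Property @{ Type = $type; Length = $len; Hex = (ConvertTo-HexString $value) }
        $i += $len
    }
}

# VLAN policy: compliant machines go to VLAN 100. All three tunnel attributes
# carry the same tag so the switch treats them as one tunnel group.
$vlanCompliant = [byte[]](
    (New-TaggedIntAvp    -Type 64 -Tag 1 -Number 13) +
    (New-TaggedIntAvp    -Type 65 -Tag 1 -Number 6) +
    (New-TaggedStringAvp -Type 81 -Tag 1 -Text '100')
)

# Port ACL scenario 1: reference an ACL already defined on the switch by name.
$aclByReference = New-RadiusAvp -Type 11 -Value ([System.Text.Encoding]::ASCII.GetBytes('compliant'))

# Port ACL scenario 2: push the rule itself in an HP ProCurve VSA (vendor/attribute numbers assumed).
$aclInline = New-VendorSpecificAvp -VendorId 11 -VendorType 61 -Text 'permit in udp from any to 10.10.10.2 53'

'VLAN policy : ' + (ConvertTo-HexString $vlanCompliant)
'Filter-Id   : ' + (ConvertTo-HexString $aclByReference)
'HP VSA      : ' + (ConvertTo-HexString $aclInline)
Read-RadiusAvps -Packet ([byte[]]($vlanCompliant + $aclByReference + $aclInline)) |
    Format-Table Type, Length, Hex -AutoSize
```

Each tunnel attribute comes out as a 6-byte AVP whose value begins with the tag byte; if a capture of your Access-Accept shows different tags on the three attributes, or a Tunnel-Private-Group-ID without matching Tunnel-Type and Tunnel-Medium-Type, that is why the switch ignores the VLAN assignment. Wireshark decodes RADIUS natively, so the hex printed here can be compared field by field with what NPS actually sent.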


Comparing the 2 approaches

Now that everyone understands what is required for each approach, let's take a look at some of the pro's and con's of each.

VLAN

+ The concept of VLAN's is one that is easy to explain that even a manager can figure out!

+ Doesn't require extensive knowledge of the RADIUS protocol to set up and anyone who's anyone at a switch CLI could get this set up pretty easily

+ Makes helpdesk troubleshooting a bit simpler by being able to quickly find out why a machine can't connect to (insert your answer here). It would go something like "Oh, you can't get to your mail because you're in VLAN 200!"


- The user experience can be very poor if the machine is dynamically moved from VLAN to VLAN (which is essentially what NAP does here). When a machine changes VLANs its network interface is torn down and reinitialised, effectively an ipconfig /release /renew, so open connections are dropped and the machine has to obtain a new address before it can do anything.

- If not properly designed, this can be a real helpdesk nightmare. A common mistake is to ACL down the non-compliant VLAN so that it has no corporate access at all; the machine must still reach the remediation servers to become healthy, and it must be able to reach the authenticator and NPS again to re-authenticate after NAP has remediated it.

- Requires you to touch all of your switches and AP's to do the VLAN creation and management.

- For NAP, your AP's and switches will need to support the ability to do dynamic VLAN assignment and not all switches and AP's support this concept. In fact, not all firmware versions from the same manufacturer support this, so an upgrade may be required.

Port ACL

+ Can possibly be implemented without having to touch all your switches and AP's since the configuration would reside on the NPS Server. This can also be seen as a political positive as well since infrastructure folks and server folks are commonly separate teams with separate objectives that rarely overlap.

+ The actual enforcement of the ACL is done at the switch or AP and thus offers the user a more pleasant experience since even if the machine is moving from a compliant to a non-compliant state (or vice versa) it is handled at the switch and not on the client machine (no ipconfig /release /renew)

+ The attributes and values required in your NPS policy to make this scenario work are commonly supported and have been for some time, so the chance of having to do a hardware upgrade in this scenario are less likely


- To really make this work effectively in an enterprise you really need to know the ins and outs of your switches and what is and is not supported, not to mention you must be a pretty good RADIUS geek as well to get this working (we are a dying breed these days… :) )

- Troubleshooting and helpdesk support in this scenario is a bit more complicated since your NPS policy could contain multiple ACL lines that look like this (permit in udp from any to 10.10.10.2 53). It would not be uncommon to have 10-12 lines like this in a policy, and working out which of them is the reason a machine can't connect to a resource on the network takes time.

- Finding accurate documentation on exactly what attributes and values are supported for your device(s) can be a challenge

In conclusion

Hopefully now you have a better understanding of what 802.1x authentication support in NAP can offer you. 1x is a very powerful means of maintaining a safe and healthy network, but it's not the ultimate solution by any means. Network security and health is an ongoing exercise that may require multiple solutions to achieve your business goals (like using 1x and IPsec together, for instance).