Archive for March, 2009

Get on the Bus!

March 26, 2009
(from Ken Rosen)

For those of you in the U.S. (and for your students in the U.S.), here’s a great opportunity to get to TechEd and have a fun, unique experience along the way:

My team is hitting the road, hoping to meet up with those of you along our route!

Are you proud of your MCP/MCT status? Do you want to win a free trip to Tech·Ed 2009?

Enter the Microsoft Learning Get on the Bus contest and you could display your pride and attend Tech·Ed for free!

We are seeking six MCT/MCPs passionate about Microsoft certification to join us on the Career Express bus. MCPs who attend the events in Atlanta, Philadelphia, Kansas City, Denver, Phoenix, and Las Vegas will have the chance to compete to win a seat on the bus and a free trip to Tech·Ed 2009 in Los Angeles with the Microsoft Learning Community team.

Get on the Bus winners join the Career Express in their city and accompany the Microsoft Learning crew as we stop to visit with the Microsoft Learning community along the way. We will blog, Twitter, video blog, and have a great time! If you can’t join the trip, then come out and meet us along the route!

Want to join us? Register here:

More info here:

Hope to see you along the way!


Note from me:

I am an MCT and I would like to say that this is really a great idea, and I could list at least 4 reasons for MCTs to join:
– share their experience about certifications and about teaching Microsoft courses with Microsoft staff, Microsoft CPLS, other MCTs and students;
– learn how to improve their certifications;
– have fun along the trip;
– TechEd.

I expect that this promo could be extended to other countries.

Edvaldo Alessandro Cardoso
MCT | MVP : Virtual Machine
blog pt-BR :
blog en-AU:

Categories: Microsoft

SCVMM R2 : New Features

March 25, 2009

New features in R2 include:

  • Support for Live Migration: With Windows Server 2008 R2 adding support for live migration, it’s now available as a new migration option in VMM R2. Live migration requires the source and destination hosts to be part of a failover cluster and the VM to be on shared storage. Live migration means that there is no user-perceived downtime; since the VM’s memory pages are being transferred, the hosts’ processors need to be the same (manufacturer and processor architecture). Our competition claims that VMotion doesn’t require clustering, but this only works for planned downtime and not for unplanned downtime. By combining live migration and clustering, Hyper-V addresses both planned and unplanned downtime.

  • Multiple VMs per LUN: VMM 2008 didn’t allow placing multiple VMs per LUN even though Hyper-V allowed it; the reason was that LUN ownership was on a per-host basis. This meant that migrating any VM on that shared LUN would result in all other VMs being migrated as well, which can result in a confusing user experience (I’ve blogged about this at length). With CSV (Cluster Shared Volumes) in Windows Server 2008 R2, a single LUN is accessible by all hosts within a cluster. This enables a VM that’s on a shared LUN to be migrated without affecting other VMs on that LUN. As a result, with VMM R2, we’ll allow multiple VMs to be placed on the same LUN if CSV is enabled on the cluster.

  • SAN related enhancements: We’ve done a number of SAN related enhancements in VMM R2.
    • SAN migration in and out of clusters: With VMM R2, you can migrate a VM from one cluster to another, or from a standalone host into a cluster or vice versa. This is especially useful when you are deploying a VM from a test cluster to a production one.
    • Multiple LUNs per single iSCSI target: VMM 2008 supported only initiator-based iSCSI target connection, which allows only one LUN per iSCSI target. VMM 2008 R2 adds support for masking-based target connections, which allows multiple LUNs per iSCSI target and expands VMM support for iSCSI SAN providers. This implies that we have better support for iSCSI products from Network Appliance and EMC, for example.

  • Network related enhancements:
    • Network optimization
      • Windows Server 2008 R2 supports 2 types of network optimization: VMQ and Chimney
      • During VM creation you can enable or disable network optimization
      • If enabled, VMM configures the VM to use VMQ or Chimney, if available on the host
      • During placement, VMM R2 detects and shows the availability of network optimization on the host
    • Some workloads, such as network load balancers, need to be able to spoof MACs: there’s a new setting that allows the admin to enable or disable MAC spoofing on a per-VM basis
    • Ability to reuse port groups defined in VMware VirtualCenter
      • In VMM 2008, port groups were always created even if the admin had already created them on the host.
      • In VMM R2, the admin is allowed to pick an available port group that’s already defined.

  • Maintenance mode
    • For servicing a host, VMM R2 allows the host to be put in maintenance mode: when you do this, all running VMs on that host are live migrated off the host to avoid downtime.
      • The admin can choose to save the state of the VMs instead if the host is not part of a cluster
    • During placement, a host that’s in maintenance mode gets a zero-star rating. This also prevents PRO from picking this host when migrating VMs.
    • Maintenance mode is supported for Hyper-V, VS and VMware ESX hosts

  • Support for disjoint domains: When a host has a different FQDN in AD and in DNS, it’s said to be in a disjoint domain. For example: the server name is foo, the FQDN in AD is and the FQDN in DNS is . For Kerberos authentication to work, an SPN needs to be created for the DNS name.
    • VMM 2008 required the custom SPN to be manually configured in AD
    • VMM 2008 R2 automatically creates the custom SPN for the DNS name (AD needs to be configured to give VMM SPN read/write permissions)
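As an added example (not code from the VMM post), a check for the disjoint-domain case above: it compares the host's AD name with its DNS name and, if they differ, looks for the SPN on the DNS name that VMM 2008 R2 would register. The function name Get-DisjointNamespaceStatus is mine, and the HOST/<dns fqdn> form of the required SPN and the use of setspn.exe (shipped with Windows Server 2008) are assumptions.

```powershell
# Added example, not from the original post: report whether this host is in a disjoint
# namespace and, if so, whether the HOST SPN for its DNS name exists on the computer account.
# Assumes a domain-joined host and setspn.exe on the path (Windows Server 2008 ships it).
function Get-DisjointNamespaceStatus {
    $cs = Get-WmiObject Win32_ComputerSystem
    # FQDN as Active Directory knows it: host name plus the AD domain name
    $adFqdn = "$($cs.Name).$($cs.Domain)".ToLower()
    # FQDN as DNS knows it: host name plus the primary DNS suffix
    $dnsSuffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    $dnsFqdn = "$($cs.Name).$dnsSuffix".ToLower()

    New-Object PSObject -Property @{
        AdFqdn          = $adFqdn
        DnsFqdn         = $dnsFqdn
        Disjoint        = ($adFqdn -ne $dnsFqdn)
        # Assumption: Kerberos clients build the host SPN from the DNS name, so this is the one needed
        RequiredSpn     = "HOST/$dnsFqdn"
        ComputerAccount = "$($cs.Name)$"
    }
}

$s = Get-DisjointNamespaceStatus
if ($s.Disjoint) {
    "Disjoint namespace: AD name $($s.AdFqdn), DNS name $($s.DnsFqdn)"
    # setspn -L lists the SPNs registered on the computer account; look for the DNS-name SPN
    $registered = setspn -L $s.ComputerAccount
    if ($registered -match [regex]::Escape($s.RequiredSpn)) {
        "$($s.RequiredSpn) is already registered"
    } else {
        "$($s.RequiredSpn) is missing. VMM 2008 R2 registers it when it has SPN write permission;"
        "otherwise register it manually with: setspn -S $($s.RequiredSpn) $($s.ComputerAccount)"
    }
} else {
    "Not disjoint: AD and DNS both know this host as $($s.AdFqdn)"
}
```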

As you can see, there are a number of enhancements we’ve introduced in R2, along with fixing some important issues reported by customers and partners. We are not done yet! In addition to responding to more feedback from beta testers, there are a few more features in the pipeline for post-Beta, so stay tuned.

Download the beta here and keep the feedback rolling in!

Categories: Virtualization

Get Internet Explorer 8 NOW

March 20, 2009


Microsoft released Internet Explorer 8. Get it at


Some new features in Internet Explorer 8 include:

  • Accelerators. Accelerators give people easy access to the online services they care about most from any page they visit, and allow users to browse faster by eliminating most of the clicks required to access desired content and services.
  • Web Slices. With Web Slices, people can see the information they want to see most often without going away from the page they are on. Web Slices appear in the Favorites bar; a Web Slice with an update is shown in bold, and users can see a rich visualization of its content with a link back to the source Web page.
  • Instant Search Box. The enhanced Instant Search Box in Internet Explorer 8 is more helpful, making it easier for people to find content of interest and increasing the relevancy of search results. As users type a search term, they can see real-time search suggestions, including images and rich text, from their chosen search provider.
  • Smart Address Bar. Provides matches as the user types, searching History and Favorites against all parts of the URL string (and the page title) instead of just the beginning. Allows mistyped entries to be removed from the Address Bar.
  • Enhanced Tabbed Browsing. Tabs are grouped and color-coded so people can quickly discern which are related. It is easy to group or ungroup tabs or reopen closed tabs.
  • Performance improvements. We’ve reduced the time that people must wait when starting the browser, opening a “new tab” and loading a page.
  • SmartScreen Filter. Built upon the Microsoft Phishing Filter, the SmartScreen Filter helps protect against a broader set of phishing threats and helps protect from sites that attempt to download malicious software. The SmartScreen Filter is now easier to use, with an enhanced user interface and warning messages to reduce users’ click-through to confirmed sites.
  • Domain Highlighting. Internet Explorer 8 highlights the domain name of the URL string in the Address Bar in bold text, making it easier for people to tell which site they are on and helping them identify phishing sites and other deceptive sites. The domain name is in black, standing out from the other characters in the URL, which are gray.
  • Cross-Site Scripting filter. Helps protect users and systems from attacks that can lead to information disclosure, cookie stealing, account/identity theft or otherwise masquerading as the user without permission.
  • InPrivate. InPrivate helps to protect people’s data and privacy from being retained locally on the PC they are using. This protects against third parties who might be in a position to track their online activities. The consumer has the ability to use either of the features (InPrivate Browsing or InPrivate Filtering) independently.
    • InPrivate Browsing. When activated, InPrivate Browsing helps ensure that History, temporary Internet files and cookies are not recorded on a PC after browsing. When in InPrivate Browsing, toolbars and extensions are automatically disabled and browsing History is automatically deleted when the browser is closed.
    • InPrivate Filtering. InPrivate Filtering helps protect privacy by enabling the consumer to block content coming from third parties that are in a position to track and aggregate their online behavior. Users are provided with notice, choice and control of which third parties to allow and which ones to block.

For a comprehensive look at the features in Internet Explorer 8, please see the fact sheet available here:


Windows 7 beta includes a pre-release candidate version of Internet Explorer 8 that is specifically optimized for Windows 7.  Windows 7 enables unique features and functionality in Internet Explorer 8 including Windows Touch and Jump Lists which require additional product tests to ensure we are providing the best Windows experience for our customers. We will continue to update the version of Internet Explorer 8 running on Windows 7 as the development cycles of Windows 7 progress.

Categories: Microsoft

Hyper-V Remote management tools packages

March 20, 2009

The Hyper-V management tools are available separately to allow remote management of a server running Hyper-V. Packages are available to install the tools on Windows Vista with Service Pack 1 (SP1) and on 32-bit editions of Windows Server 2008. The following download packages are available:

  • For 64-bit editions of Windows Vista with SP1, see
  • For 32-bit editions of Windows Vista with SP1, see
  • For 32-bit editions of Windows Server 2008, see


The remote management tools update package for the 32-bit editions of Windows Server 2008 is a permanent package. Once you install the update package, you cannot remove it.

For instructions about installing the tools, see Install and Configure Hyper-V Tools for Remote Administration.

Categories: Uncategorized

Antivirus and Hyper-V : Things you need to do before

March 20, 2009

Antivirus and Hyper-V (or: Why can’t I start my virtual machine?)

A little while ago our support team put together this KB article in response to a problem that a lot of people have been reporting.  Basically, what is happening is that users are having problems starting virtual machines after they install antivirus software in the management operating system.  The root cause of the problem is that a number of these programs monitor file access in a way that interferes with Hyper-V’s attempts to open virtual machine files.  If you see this problem – you have two options:

  1. Don’t install antivirus.  Now – before you choke on your coffee or get your pitch-forks – listen to me for a moment.  If you are running a server core configuration, or a full server configuration, and you have nothing running in the management operating system other than Hyper-V, and you do not have people logging in and browsing the web in the management partition, etc., then you do not really need to have antivirus software installed, as there is limited risk of a virus.
  2. Install antivirus and set up the following exclusions (most antivirus programs allow you to exclude specific directories, files and processes from scanning to help deal with issues such as these):
    • Default virtual machine configuration directory (Normally this is C:\ProgramData\Microsoft\Windows\Hyper-V)
    • Custom virtual machine configuration directories
    • Default virtual hard disk directory (Normally this is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
    • Custom virtual hard disk directories
    • Snapshot directories
    • Vmms.exe
    • Vmwp.exe

Then everything should be just fine.

Published Tuesday, March 17, 2009 3:05 PM by Virtual PC Guy

Categories: Virtualization

Hyper-V Storage considerations for Backup Strategy

March 20, 2009

As you plan your backup strategy, consider the compatibility between the storage and backup solutions:

  • Virtual hard disks. These offer the best compatibility and can be stored on many types of physical media. For more information about the types of storage you can use with Hyper-V, see Hardware Considerations.
  • Physical disks that are directly attached to a virtual machine. These disks cannot be backed up by the Hyper-V VSS writer. As a result, this type of disk will not be included in any backup performed by a backup program that uses the Hyper-V VSS writer. In this situation, you would need to use some other process to back up the physical disk, such as running a backup application within the guest operating system.
  • iSCSI-based storage. This storage is supported for backup by the Hyper-V VSS writer when the storage is connected through the management operating system and the storage is used for virtual hard disks.
  • Storage accessed from a virtual machine by using an Internet SCSI (iSCSI) initiator within the guest operating system. This storage will not be included in a backup of the physical computer. In this scenario, you must use another process to back up the data from the iSCSI-based storage before you perform a full server backup. For example, you could run a backup of the data on the iSCSI storage from a backup application running in the guest operating system.

For more information about deploying storage for Hyper-V, see Implementing Disks and Storage.
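The exclusion list in the antivirus post above and the pass-through disk caveat in this post both depend on the same information, which files and disks each VM actually uses, so here is one added script (not code from either post) that collects both from the Hyper-V WMI provider. It assumes Windows Server 2008 Hyper-V (namespace root\virtualization) and that provider version's class and property names; the function name Get-HyperVStorageInventory is mine.

```powershell
# Added example (not code from either post). Walks the Hyper-V WMI provider once and returns
# (a) the directories and processes to exclude from antivirus scanning and
# (b) the pass-through physical disks that the Hyper-V VSS writer does not back up.
# Assumes Windows Server 2008 Hyper-V, whose provider lives in root\virtualization; Windows
# Server 2012 and later use root\virtualization\v2, where class and property names differ.
$ns = 'root\virtualization'

function Get-HyperVStorageInventory {
    $dirs = @()
    $passThrough = @()

    # Host-wide default locations for VM configuration files and virtual hard disks
    $svc = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementServiceSettingData
    $dirs += $svc.DefaultExternalDataRoot, $svc.DefaultVirtualHardDiskPath

    # Per-VM configuration and snapshot roots (differ from the defaults when a VM uses custom paths)
    foreach ($g in @(Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemGlobalSettingData)) {
        $dirs += $g.ExternalDataRoot, $g.SnapshotDataRoot
    }

    # Storage attached to each VM; the Caption filter skips the host's own Msvm_ComputerSystem entry.
    # GetRelated follows every association, so snapshot settings (and their .avhd files) are included.
    $vms = @(Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "Caption = 'Virtual Machine'")
    foreach ($vm in $vms) {
        foreach ($vssd in $vm.GetRelated('Msvm_VirtualSystemSettingData')) {
            foreach ($rasd in $vssd.GetRelated('Msvm_ResourceAllocationSettingData')) {
                switch ($rasd.ResourceSubType) {
                    # A VHD file: exclude the directory that holds it
                    'Microsoft Virtual Hard Disk' {
                        $dirs += Split-Path -Parent ($rasd.Connection[0])
                    }
                    # A physical disk mapped straight into the VM; HostResource names the host disk
                    'Microsoft Physical Disk Drive' {
                        $passThrough += New-Object PSObject -Property @{
                            VM       = $vm.ElementName
                            HostDisk = $rasd.HostResource[0]
                        }
                    }
                }
            }
        }
    }

    New-Object PSObject -Property @{
        # Unique directories plus the Hyper-V management service and the per-VM worker process
        AvExclusions     = @($dirs | Where-Object { $_ } | Sort-Object -Unique) + @('vmms.exe', 'vmwp.exe')
        PassThroughDisks = $passThrough
    }
}

$inv = Get-HyperVStorageInventory
'Antivirus exclusions for this host:'
$inv.AvExclusions
'Pass-through disks (not in a Hyper-V VSS writer backup; back these up from inside the guest):'
$inv.PassThroughDisks | Format-Table VM, HostDisk -AutoSize
```

The script only reports; feed the exclusion list into whichever antivirus product the host runs, since each product configures exclusions differently.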

Categories: Uncategorized

Hyper-V Planning and Deployment Guide

March 20, 2009

Microsoft updated the Hyper-V Planning and Deployment Guide.

Significant additions for this release include details on planning for:

  • Security
  • Authorization policy
  • Backup / recovery
  • Advanced networking options

Categories: Virtualization

Running Isa Server and ForeFront TMG on Hyper-V : Security Considerations

March 20, 2009

Supported Virtual Environments

Microsoft ISA Server and Forefront TMG are supported on hardware virtualization in accordance with the following programs:

  • Microsoft Support Lifecycle
  • Microsoft ISA Server system requirements
  • Forefront TMG system requirements
  • Microsoft Server Virtualization Validation Program (SVVP)
  • Support Policy for Microsoft software running on non-Microsoft hardware virtualization software


The option shown in the figure offers the highest network security possible without the addition of IPsec or other network-layer security mechanisms, such as 802.1X. The Child partitions are assigned a virtual network which is completely separate from the virtual network assigned to the Parent partition. Overall performance of the virtual deployment is still dependent on the performance offered by the ISA / TMG server itself.

Deployment Planning

The primary deployment criteria for any edge protection deployment must be security, stability and performance. Defining the priority of each of these is a task that has to incorporate deep analysis of the organization’s line-of-business (LOB) application requirements, general and network security needs as well as any regulatory compliance. Although it is not possible to address all possible scenarios, this whitepaper will outline the critical points for the most common deployments.

Best Practices:

1. Where possible, pass traffic through a Child partition running ISA Server or Forefront TMG. This will help you control traffic between networks and detect attacks from local and remote hosts, virtual and physical.

2. Avoid the use of “allow all” rules. If your application vendor cannot clearly define the traffic profile for you, some time spent with your favorite network capture tool can be of use.

3. Restrict RPC and DCOM to specific ports. By default, RPC and DCOM will use whatever ephemeral ports are available when the related server application starts up and requests connections or sockets. By limiting the range of ports available to them, you also limit your acceptable traffic profile.
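An added example for best practice 3 (not code from the whitepaper or this post): it pins the dynamic port range RPC and DCOM servers may use, so the corresponding ISA / TMG rule can be equally narrow. The registry location and value names are the ones Windows documents for RPC port restriction; the 5000-5100 range and the function names are mine.

```powershell
# Added example, not from the original post: restrict RPC/DCOM dynamic endpoints to a fixed
# port range so firewall rules only have to allow that range. The registry values are the
# documented Windows RPC port-restriction settings; 5000-5100 is a constructed example range.
function Set-RpcPortRange {
    param(
        [int]$Start = 5000,
        [int]$End   = 5100
    )
    if ($End -le $Start) { throw "End port must be greater than start port" }
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Ports is REG_MULTI_SZ: one or more "low-high" ranges the RPC runtime may hand out
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    # "Y": the listed ports are the ones allowed (rather than the ones excluded)
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    # "Y": the RPC runtime restricts dynamic endpoints to the listed range
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-RpcPortRange {
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
    } else {
        'No RPC port restriction configured (RPC uses the full dynamic range)'
    }
}

Set-RpcPortRange -Start 5000 -End 5100
Get-RpcPortRange
# The RPC runtime reads these values at start-up, so restart the host for the change to apply.
```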

Application security

You should avoid mixing virtual applications or servers of differing security contexts within a single Parent partition; especially when one or more of them face the network edge. Protecting your Exchange server becomes much more difficult when the adjacent Child partitions or (worse yet) the Parent partition is hosting a game server. This is another place where ISA or TMG can offer protection between hosts. Because Child partitions on separate parents are effectively on separate networks, you can potentially use ISA or TMG to isolate those applications and achieve greater overall security than if they were deployed on dedicated hardware.

Best Practices:

1. Install Windows Server 2008 Core on the parent. This limits the attack surface and patching requirements to the bare minimum. Since Windows 2008 Core does not support applications which rely on Windows UI mechanisms, this will help prevent installation of non-essential applications on the Parent partition.

2. Each Child partition on a specific Parent partition should be of near-identical security. For instance, the Exchange and SharePoint Child partitions that users access from the Internet should meet the same security and access requirements as much as possible. You cannot satisfy this if you deploy your Exchange and SharePoint servers and game servers as Child partitions on the same Parent partition.

3. The Parent partition must be up-to-date on patches. A vulnerability of the parent translates to a potential vulnerability on each and every guest it hosts.

4. Each Child partition must be up to date on patches. While an unpatched Child partition is not generally as threatening as an unpatched Parent partition, if a compromised Child partition has access to the Parent partition, it may be able to mount an attack on the parent and thus poses a potential threat to all guests, regardless of their vulnerability to that particular threat or their network proximity to the compromised Child partition.

5. DO NOT use the Parent partition as a workstation. The fewer applications that are installed and running on the parent, the smaller the attack surface it presents. If you install Windows Server 2008 Core on the parent, this threat is much better mitigated.

6. Restrict access and management of the parent partition. As detailed later, the accounts with management access to the Parent partition effectively have full control over any and all Child partitions.

7. Use a TPM-based parent partition with BitLocker. The deeper you can enforce access controls to the Parent partition, the better protection you afford the Child partitions.

Network security

Of particular interest in the virtual environment is the question of managing traffic flow for the Child partitions, Parent partition and the physical network. If a guest has direct access to any physical network, it potentially presents a greater threat to its sibling Child partitions and Parent partition than if it were forced to pass through a traffic control such as an ISA Server or Forefront TMG. While defining a network which imposes such traffic controls is a critical part of the network design, management control of this network is even more critical.

Routing traffic around an ISA or TMG server presents a state where it is not able to provide any security for the network whatsoever simply by virtue of having been effectively removed from the traffic path. While this case seems to be no different than a mis-patched network cable in the data center, you must consider that there will be no obvious visual indicators for misrouted virtual networking as there might be with a network cable plugged into the wrong port on a physical patch panel or switch. This point will make identifying these problems correspondingly more difficult and time consuming, effectively making problem resolution that much more costly. The best way to prevent such occurrences is to define and enforce very clear data center change control policies and system monitoring / reporting systems.

Best Practices:

1. Avoid connecting the Parent partition to the Internet without additional protection. While the Windows Server 2008 Filtering Platform provides a much stronger host firewall than previous Windows releases, network security best practices dictate that you should layer your network security. You can accomplish this by using an external layer-3 filtering device between the Parent connection and the Internet. ISA Server or Forefront TMG on a separate physical host works well for this purpose.

2. Avoid connecting the Parent partition to any virtual network unless absolutely necessary. Because the Parent partition is the key to keeping the Child partitions alive and well and because the Parent partition is likely to use at least one physical network, the fewer points of entry you provide to the Parent partition from a Child partition, the better. For instance, Hyper-V “Local” virtual networks are invisible to the Parent partition and so are good choices for use as isolated perimeter networks usable only by connected Child partitions.

3. Avoid sharing the same Internet virtual switch connection between multiple guests. You cannot ensure traffic security for your network if your game server Child partition is sharing the Internet connection with the ISA / TMG Child partition. Better that any Child partition which needs Internet access should access it through the ISA / TMG Child partition.

4. Avoid combining your perimeter network segments on a single Parent partition. In any deployment, the use of perimeter networks is intended to create security boundaries between networks of differing trusts. By placing all of these machines and networks on the same Parent partition, you may inadvertently bridge these security boundaries through one or more Parent partition virtual network connections or by mis-assignment of a server to the wrong virtual network.

5. Avoid collapsing your perimeter network design to simplify the virtual network design. Your perimeter network design was created to satisfy the requirements imposed on you by multiple sources. It’s highly unlikely that if the design cannot be collapsed in hardware that it can be collapsed in virtual networks.

The Parent partition

Regardless of whether the VM deployment is edge- or internally-placed, the Parent partition is the most important and therefore the most critical machine among them. If the Parent partition is compromised or fails, all of its Child partitions are threatened.

Best Practices:

1. Use hardware that passes Windows Hardware Quality Labs as “certified for”:

  • Windows Server 2008. If you expect to have server-class functionality and reliability, you cannot hope to achieve that using home-computer class system hardware or drivers. An investment in devices and related drivers that were designed and tested to experience server-class workloads will go a long way toward keeping your virtual deployments on-line under heavy loads. In particular, while it’s generally true that drivers written for Windows Vista will “work” on Windows Server 2008, the odds are that they will not stand up to the heavier workload presented by server applications or virtualization.
  • Hyper-V. By limiting your choices to hardware which satisfies WHQL testing specifically targeted at the Microsoft Hypervisor, you provide a better chance that your virtual deployment will behave properly. Many hardware vendors are working closely with all server virtualization vendors to validate their offerings for one or more server virtualization platforms.

2. Keep the system drivers current. The single most common cause of server network problems is the system drivers themselves; most commonly – the network drivers. When these need to work closely with other high-performing drivers such as those found in today’s virtualization solutions, the performance and stability of the system drivers is even more important. While it may not always be possible especially in test environments, you should consider limiting your production deployments to signed drivers only.

3. Use Windows Server 2008 Core for the Parent partition. This provides the smallest possible attack surface of any Windows Server deployment option, while simultaneously restricting the user’s ability to weaken this security posture.

4. Disable any externally-facing NICs for the Parent partition. After you have created an “external” virtual switch for use by Child partitions, you should disable the related virtual NIC in the parent to prevent access to the Parent from the Internet.

5. If you cannot disable “external” virtual switches for the Parent, unbind all L3+ protocols and enable WFP for those NICs. By unbinding protocols and setting a heavily-restrictive policy in WFP, a host that cannot communicate using a protocol on which an attack depends is not vulnerable to that attack from a network on which the protocol is unbound and filtered. In other words, “if I can’t hear you, you can’t bother me”.

6. If the previous steps cannot be employed to protect the parent, use an external layer-2+ firewall. There should be no reason to make the parent accessible to Internet-based attacks. If you find yourself considering such a deployment, you should re-evaluate your planning.

7. Use a dedicated, out-of-band (OOB) network connection to provide management connectivity to the parent.

  • Dedicated connection: by providing a network connection that is unrelated to any virtual network, the parent will remain available even if the virtual networking mechanisms should fail.
  • OOB connection: by separating the parent management from the guest networking, you can effectively isolate the parent from the network where application-based attacks would be seen.

8. Use TPM-supported hardware and BitLocker on Windows Server 2008 to control access to the Parent partition and protect Child partition disks and definition files from unauthorized access. Server theft is a reality that must be considered in any deployment, and the ability to acquire multiple servers in a single box can only make this even more attractive to would-be thieves. By placing all of your guests on a BitLocker-protected disk, you effectively hide your servers from would-be thieves.

Parent and Guest Connections

You must balance the requirements of your virtual networks with the security needs of the whole environment. For instance, a single virtual network for each partition connection associated with a single NIC offers better off-host network performance than does a physical connection shared by multiple partitions through a single virtual switch. If the Child partition imposes a comparatively light network requirement, then it may be a candidate for sharing a virtual network with other Child partitions.

See: for a detailed discussion.

Categories: Uncategorized

IE8 Release Candidate 1 Available NOW

March 12, 2009

The good news is you can get some now – RC1 is available today on the IE8 site.

To get you started along your way, I thought I’d share the 8 biggies – that’s the 8 biggest things you need to know – about IE8.

1. Compatibility: The clever worker bees over at Microsoft Corp have been working hard to ensure IE8 is the most standards-compliant browser we’ve ever put to market. Check out the Internet Explorer Compatibility Center to make sure your visitors have the best experience when they’re viewing in IE8.

2. Security: IE8 is the most secure browser we’ve built to date. Check out the long list of security features, from the new and improved SmartScreen filter and domain highlighting to the cross-site scripting filter for all you devs.

3. Accelerators: A powerful new way to get stuff done! See them in action here. Check out the MSDN guide on how to build Accelerators.

4. WebSlices: WebSlices allow you to tear off parts of a page and dock them into the toolbar. Very powerful for highly trafficked and subscribe-able content. Check out the MSDN guide on how to build WebSlices.

5. Visual Search: Possibly my favorite of the new batch of features in IE8. Visual search adds steroids to your search box, by allowing you to add suggestions. See them in action here and check out the MSDN guide on how to build VisualSearch.

6. IE Add-ons: is the premium library of the latest Accelerators, WebSlices and VisualSearch. Finally a central home for this sort of stuff. Be sure to get your IE8 Add-ons into the library.

7. InPrivate Browsing: For those who want to go to places online where you don’t want to be spied on, you know places like umm, well, you know where, InPrivate Browsing clears all personal (cookies, history etc) data from the session once you close the browser.

8. MSDN Developer Center for IE8: This is the Mecca of awesome content for anyone who wants to take advantage of any of the developer features of IE8. I highly recommend a quick squiz.

Categories: Microsoft

Windows 7 session coming up on Apr 3rd

March 12, 2009


Language(s): English

Product(s): Other, Security

Audience(s): IT Manager, IT Professional

Duration: 75 minutes

Start Date: Friday, 3 April 2009 11:00 AM Australia (AEST)


Event Overview 

Windows 7 has many features for the consumer, developer and IT Pro. But what about security? In this session we’ll talk about and show some of the important security features that are coming as part of Windows 7. These include AppLocker™, BitLocker™ and BitLocker To Go™, DirectAccess™, User Account Control and the security changes to Internet Explorer 8. There will be demos of all these technologies so you can see firsthand how Windows 7 security has been improved!


Speaker – Jeff Alexander, IT Pro Evangelist, Microsoft

Jeff Alexander is an IT Pro Evangelist for Microsoft and travels across Australia speaking to customers and partners about the latest technologies. Jeff can be seen speaking at security events, TechEd and other recognised industry tech events. Jeff started as employee number 27 at Microsoft Australia and has been with the company for 21 years. Jeff’s blog is

Twitter Hashtag #win7live

Click here to Register for the Live Meeting Event




Categories: Windows 7