Archive for March, 2009

Running ISA Server and Forefront TMG on Hyper-V: Security Considerations

March 20, 2009

Supported Virtual Environments

Microsoft ISA Server and Forefront TMG are supported on hardware virtualization in accordance with the following programs:

  • Microsoft Support Lifecycle
  • Microsoft ISA Server system requirements
  • Forefront TMG system requirements
  • Microsoft Server Virtualization Validation Program (SVVP)
  • Support Policy for Microsoft software running on non-Microsoft hardware virtualization software

[Figure: isa-tmg-with-hyper-v]

The option shown in the figure offers the highest network security possible without the addition of IPsec or other network-layer security mechanisms, such as 802.1x. The Child partitions are assigned a virtual network which is completely separate from the virtual network assigned to the Parent partition. Overall performance of the virtual deployment is still dependent on the performance offered by the ISA / TMG server itself.

Deployment Planning

The primary deployment criteria for any edge protection deployment must be security, stability and performance. Defining the priority of each of these is a task that has to incorporate deep analysis of the organization’s line-of-business (LOB) application requirements, general and network security needs as well as any regulatory compliance. Although it is not possible to address all possible scenarios, this whitepaper will outline the critical points for the most common deployments.

Best Practices:

1. Where possible, pass traffic through a Child partition running ISA Server or Forefront TMG. This will help you control traffic between networks and detect attacks from local and remote hosts, virtual and physical.

2. Avoid the use of “allow all” rules. If your application vendor cannot clearly define the traffic profile for you, some time spent with your favorite network capture tool can be of use.

3. Restrict RPC and DCOM to specific ports. By default, RPC and DCOM will use whatever ephemeral ports are available when the related server application starts up and requests connections or sockets. By limiting the range of ports available to them, you also limit your acceptable traffic profile.
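Pinning the RPC/DCOM dynamic range, as an added example that is not part of the original post: the script below writes the documented RPC "Internet" registry settings so RPC and DCOM draw their ports from one fixed range, then adds matching host-firewall rules so only the endpoint mapper (TCP 135) and that range are reachable. The range 5000-5100 is a constructed sample; pick one that fits your own traffic profile (at least 100 ports is the usual recommendation). RPC reads these values at boot, so the change takes effect after a reboot.

```batch
@echo off
REM Added example, not from the original post: pin the RPC/DCOM dynamic port
REM range so it can be written into a narrow firewall or ISA/TMG rule.
REM The key and value names are the documented RPC "Internet" settings;
REM the range 5000-5100 is a constructed sample. Port 135 (the endpoint
REM mapper) must stay reachable as well. RPC reads these values at boot.
setlocal
set RPC_KEY=HKLM\SOFTWARE\Microsoft\Rpc\Internet
set RPC_PORTS=5000-5100

REM Create the key (harmless if it exists) and the three values that turn
REM the fixed range on for both RPC and DCOM servers on this host.
reg add "%RPC_KEY%" /f >nul
reg add "%RPC_KEY%" /v Ports /t REG_MULTI_SZ /d "%RPC_PORTS%" /f
reg add "%RPC_KEY%" /v PortsInternetAvailable /t REG_SZ /d Y /f
reg add "%RPC_KEY%" /v UseInternetPorts /t REG_SZ /d Y /f

REM Matching host-firewall rules: allow the endpoint mapper and the pinned
REM range only, so anything outside the range stays blocked by default.
netsh advfirewall firewall add rule name="RPC endpoint mapper" dir=in action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="RPC dynamic range" dir=in action=allow protocol=TCP localport=%RPC_PORTS%

REM Show the stored values so the change can be checked before rebooting.
reg query "%RPC_KEY%"
echo RPC/DCOM dynamic ports limited to %RPC_PORTS%; reboot to apply.
```

Once the range is fixed, the same two port sets (135 plus the pinned range) are what an ISA / TMG access rule between the perimeter and the internal network needs to allow; everything else RPC might have used before can stay denied.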

Application security

You should avoid mixing virtual applications or servers of differing security contexts within a single Parent partition; especially when one or more of them face the network edge. Protecting your Exchange server becomes much more difficult when the adjacent Child partitions or (worse yet) the Parent partition is hosting a game server. This is another place where ISA or TMG can offer protection between hosts. Because Child partitions on separate parents are effectively on separate networks, you can potentially use ISA or TMG to isolate those applications and achieve greater overall security than if they were deployed on dedicated hardware.

Best Practices:

1. Install Windows Server 2008 Core on the parent. This limits the attack surface and patching requirements to the bare minimum. Since Windows Server 2008 Core does not support applications which rely on Windows UI mechanisms, this will help prevent installation of non-essential applications on the Parent partition.

2. Each Child partition on a specific Parent partition should be of near-identical security. For instance, the Exchange and SharePoint Child partitions that user access from the Internet should meet the same security and access requirements as much as possible. You cannot satisfy this if you deploy your Exchange and SharePoint servers and game servers as Child partitions on the same Parent partition.

3. The Parent partition must be up-to-date on patches. A vulnerability of the parent translates to a potential vulnerability on each and every guest it hosts.

4. Each Child partition must be up to date on patches. While an unpatched Child partition is not generally as threatening as an unpatched Parent partition, if a compromised Child partition has access to the Parent partition, it may be able to mount an attack on the parent and thus poses a potential threat to all guests, regardless of their vulnerability to that particular threat or their network proximity to the compromised Child partition.

5. DO NOT use the Parent partition as a workstation. The fewer applications that are installed and running on the parent, the smaller the attack surface it presents. If you install Windows Server 2008 Core on the parent, this threat is much better mitigated.

6. Restrict access and management of the parent partition. As detailed later, the accounts with management access to the Parent partition effectively have full control over any and all Child partitions.

7. Use a TPM-based parent partition with BitLocker. The deeper you can enforce access controls to the Parent partition, the better protection you afford the Child partitions.

Network security

Of particular interest in the virtual environment is the question of managing traffic flow for the Child partitions, Parent partition and the physical network. If a guest has direct access to any physical network, it potentially presents a greater threat to its sibling Child partitions and Parent partition than if it were forced to pass through a traffic control such as an ISA Server or Forefront TMG. While defining a network which imposes such traffic controls is a critical part of the network design, management control of this network is even more critical.

Routing traffic around an ISA or TMG server presents a state where it is not able to provide any security for the network whatsoever simply by virtue of having been effectively removed from the traffic path. While this case seems to be no different than a mis-patched network cable in the data center, you must consider that there will be no obvious visual indicators for misrouted virtual networking as there might be with a network cable plugged into the wrong port on a physical patch panel or switch. This point will make identifying these problems correspondingly more difficult and time consuming, effectively making problem resolution that much more costly. The best way to prevent such occurrences is to define and enforce very clear data center change control policies and system monitoring / reporting systems.

Best Practices:

1. Avoid connecting the Parent partition to the Internet without additional protection. While the Windows Server 2008 Filtering Platform provides a much stronger host firewall than previous Windows releases, network security best practices dictate that you should layer your network security. You can accomplish this by using an external layer-3 filtering device between the Parent connection and the Internet. ISA Server or Forefront TMG on a separate physical host works well for this purpose.

2. Avoid connecting the Parent partition to any virtual network unless absolutely necessary. Because the Parent partition is the key to keeping the Child partitions alive and well and because the Parent partition is likely to use at least one physical network, the fewer points of entry you provide to the Parent partition from a Child partition, the better. For instance, Hyper-V “Local” virtual networks are invisible to the Parent partition and so are good choices for use as isolated perimeter networks usable only by connected Child partitions.

3. Avoid sharing the same Internet virtual switch connection between multiple guests. You cannot ensure traffic security for your network if your game server Child partition is sharing the Internet connection with the ISA / TMG Child partition. Better that any Child partition which needs Internet access should access it through the ISA / TMG Child partition.

4. Avoid combining your perimeter network segments on a single Parent partition. In any deployment, the use of perimeter networks is intended to create security boundaries between networks of differing trusts. By placing all of these machines and networks on the same Parent partition, you may inadvertently bridge these security boundaries through one or more Parent partition virtual network connections or by mis-assignment of a server to the wrong virtual network.

5. Avoid collapsing your perimeter network design to simplify the virtual network design. Your perimeter network design was created to satisfy the requirements imposed on you by multiple sources. It’s highly unlikely that a design which cannot be collapsed in hardware can be collapsed in virtual networks.

The Parent partition

Regardless of whether the VM deployment is edge- or internally-placed, the Parent partition is the most important and therefore the most critical machine among them. If the Parent partition is compromised or fails, all of its Child partitions are threatened.

Best Practices:

1. Use hardware that passes Windows Hardware Quality Labs as “certified for”:

· Windows Server 2008. If you expect to have server-class functionality and reliability, you cannot hope to achieve that using home-computer class system hardware or drivers. An investment in devices and related drivers that were designed and tested to experience server-class workloads will go a long way toward keeping your virtual deployments on-line under heavy loads. In particular, while it’s generally true that drivers written for Windows Vista will “work” on Windows Server 2008, the odds are that they will not stand up to the heavier workload presented by server applications or virtualization.

· Hyper-V. By limiting your choices to hardware which satisfies WHQL testing specifically targeted at Microsoft Hypervisor, you provide a better chance that your virtual deployment will behave properly. Many hardware vendors are working closely with all server virtualization vendors to validate their offerings for one or more server virtualization platforms.

2. Keep the system drivers current. The single most common cause of server network problems is the system drivers themselves; most commonly – the network drivers. When these need to work closely with other high-performing drivers such as those found in today’s virtualization solutions, the performance and stability of the system drivers is even more important. While it may not always be possible especially in test environments, you should consider limiting your production deployments to signed drivers only.

3. Use Windows Server 2008 Core for the Parent partition. This provides the smallest possible attack surface of any Windows Server deployment option, while simultaneously restricting the user’s ability to weaken this security posture.

4. Disable any Externally-facing NICs for the Parent partition. After you have created an “external” virtual switch for use by Child partitions, you should disable the related virtual NIC in the parent to prevent access to the Parent from the Internet.

5. If you cannot disable “external” virtual switches for the Parent, unbind all L3+ protocols and enable WFP for those NICs. By unbinding protocols and setting a heavily restrictive policy in WFP, a host that cannot communicate using a protocol on which an attack depends is not vulnerable to that attack from a network on which the protocol is unbound and filtered. In other words, “if I can’t hear you, you can’t bother me”.

6. If the previous steps cannot be employed to protect the parent, use an external layer-2+ firewall. There should be no reason to make the parent accessible to Internet-based attacks. If you find yourself considering such a deployment, you should re-evaluate your planning.

7. Use a dedicated, Out-Of-Band (OOB) network connection to provide management connectivity to the parent.

· Dedicated connection: by providing a network connection that is unrelated to any virtual network, the parent will remain available even if the virtual networking mechanisms should fail.

· OOB connection: by separating the parent management from the guest networking, you can effectively isolate the parent from the network where application-based attacks would be seen.

8. Use TPM-supported hardware and Bitlocker on Windows Server 2008 to control access to the Parent partition and protect Child partition disks and definition files from unauthorized access. Server theft is a reality that must be considered in any deployment and the ability to acquire multiple servers in a single box can only make this even more attractive to would-be thieves. By placing all of your guests on a Bitlocker-protected disk, you effectively hide your servers from would-be thieves.

Parent and Guest Connections

You must balance the requirements of your virtual networks with the security needs of the whole environment. For instance, a single virtual network for each partition connection associated with a single NIC offers better off-host network performance than does a physical connection shared by multiple partitions through a single virtual switch. If the Child partition imposes a comparatively light network requirement, then it may be a candidate for sharing a virtual network with other Child partitions.

See http://technet.microsoft.com/en-au/library/cc891502.aspx for a detailed discussion.

Categories: Uncategorized

IE8 Release Candidate 1 Available NOW

March 12, 2009

The good news is you can get some now – RC1 is available today on the IE8 site.

To get you started along your way, I thought I’d share the 8 biggies – that’s the 8 biggest things you need to know – about IE8.

1. Compatibility: The clever worker bees over at Microsoft Corp have been working hard to ensure IE8 is the most standards-compliant browser we’ve ever put to market. Check out the Internet Explorer Compatibility Center to make sure your visitors have the best experience when they’re viewing in IE8.

2. Security: IE8 is the most secure browser we’ve built to date. Check out the long list of security features, from the new and improved SmartScreen filter and domain highlighting to the cross-site scripting (XSS) filter for all you devs.

3. Accelerators: A powerful new way to get stuff done! See them in action here. Check out the MSDN guide on how to build Accelerators.

4. WebSlices: WebSlices allow you to tear off parts of a page and dock them into the toolbar. Very powerful for highly trafficked and subscribe-able content. Check out the MSDN guide on how to build WebSlices.

5. Visual Search: Possibly my favorite of the new batch of features in IE8. Visual search adds steroids to your search box, by allowing you to add suggestions. See them in action here and check out the MSDN guide on how to build VisualSearch.

6. IE Add-ons: IEAddons.com is the premium library of the latest Accelerators, WebSlices and VisualSearch. Finally a central home for this sort of stuff. Be sure to get your IE8 Add-ons into the library.

7. InPrivate Browsing: For those who want to go to places online where you don’t want to be spied on, you know places like umm, well, you know where, InPrivate Browsing clears all personal (cookies, history etc) data from the session once you close the browser.

8. MSDN Developer Center for IE8: This is the Mecca of awesome content for anyone who wants to take advantage of any of the developer features of IE8. I highly recommend a quick squiz.

Categories: Microsoft

Windows 7 session coming up on Apr 3rd

March 12, 2009

Language(s):  English. 

Product(s):  Other,Security. 

Audience(s):  IT Manager,IT Professional.    

Duration:  75 Minutes 

Start Date:  Friday, 3 April 2009 11:00 AM Australia (AEST)

Event Overview 

Windows 7 has many features for the consumer, developer and IT Pro.  But what about security?  In this session we’ll talk about and show some of the important security features that are coming as part of Windows 7.  These include AppLocker™, BitLocker™ and BitLocker To Go™, DirectAccess™, User Account Control and the security changes to Internet Explorer 8.  There will be demos of all these technologies so you can see firsthand how Windows 7 security has been improved!


Speaker – Jeff Alexander, IT Pro Evangelist, Microsoft

Jeff Alexander is an IT Pro Evangelist for Microsoft and travels across Australia speaking to customers and partners about the latest technologies.  Jeff can be seen speaking at security events, TechEd and other recognised industry tech events.  Jeff started as employee number 27 at Microsoft Australia and has been with the company for 21 years.  Jeff’s blog is http://blogs.technet.com/jeffa36

Twitter Hashtag #win7live

Click here to Register for the Live Meeting Event

Categories: Windows 7

Installing Windows 2008 R2 with Hyper-v in Core version

March 10, 2009

Steps to install and configure Hyper-V on a Windows Server 2008 Core installation.

Note the following:

  • There is no way to upgrade from a previous version of the Windows Server operating system to a Server Core installation. Only a clean installation is supported.
  • There is no way to upgrade from a full installation of Windows Server 2008 to a Server Core installation. Only a clean installation is supported.
  • There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows® user interface or a server role that is not supported in a Server Core installation, you will need to install a full installation of Windows Server 2008.

Compare Server Core Installation Options

Server Role                                      Enterprise       Datacenter       Standard         Web              Itanium
Active Directory Domain Services                 Available        Available        Available        Not Available    Not Available
Active Directory Lightweight Directory Services  Available        Available        Available        Not Available    Not Available
DHCP Server                                      Available        Available        Available        Not Available    Not Available
DNS Server                                       Available        Available        Available        Not Available    Not Available
File Services                                    Available        Available        Limited          Not Available    *Not Available
Hyper-V                                          Available        Available        Available        Not Available    Not Available
Print Services                                   Available        Available        Available        Not Available    Not Available
Web Services (IIS)*                              Partial/Limited  Partial/Limited  Partial/Limited  Partial/Limited  Not Available


· Enable CPU virtualisation assistance and DEP in the BIOS.

· Install Windows Server 2008 Enterprise x64 (Core Installation).

· Determine the NIC ID: netsh interface ipv4 show interfaces.

· Set the IP address for the NIC, say for NIC #2:
netsh interface ipv4 set address name="2" source=static address=192.168.1.20 mask=255.255.255.0 gateway=192.168.1.1

· Set the DNS server: netsh interface ipv4 add dnsserver name="2" address=192.168.1.2 index=1.

· Rename the server: netdom renamecomputer %computername% /NewName:HyperSvr1.

· Reboot for that to take effect: shutdown /r /t 0.

· Join it to the domain: netdom join %computername% /domain:CONTOSO /userd:administrator /passwordd:*.

· Reboot for that to take effect: shutdown /r /t 0.

· Install the Hyper-V update: wusa.exe Windows6.0-KB950050-x64.msu.

· Reboot.

· Install the Hyper-V role: start /w ocsetup.exe Microsoft-Hyper-V.

· Reboot.

· Disable the firewall: netsh firewall set opmode mode=disable.

To manage a server running a Server Core installation by using a terminal server client:

1. On the server running a Server Core installation, type the following command at a command prompt:

      cscript C:\Windows\System32\Scregedit.wsf /ar 0

This enables the Remote Desktop for Administration mode to accept connections.

BTW, in order to view your current settings you can type:

      cscript C:\Windows\System32\Scregedit.wsf /ar /v

If you see "1" in the script output, that means that RDP connections are denied. If you see a "0", they will be allowed.

Note: If you are running the Terminal Services client on a previous version of Windows, you must turn off the higher security level that is set by default in Windows Server 2008. To do this, type the following command at the command prompt:

      cscript C:\Windows\System32\Scregedit.wsf /cs 0

To enable remote management from an RDP connection through the firewall

1. To enable remote management from any MMC snap-in, type the following:

      netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes (you may have already done this step)

To open an RDP session with the Server Core machine

1. On the remote management computer, click Start > Run, type mstsc, and then click OK.
      
2. In Computer, enter the name of the server running a Server Core installation, and click Connect.
      
3. Log on using an administrator account.

4. When the command prompt appears, you can manage the computer using the Windows command-line tools.

      Note that while you’re logged on to the server, the original server console session is locked out.

5. When you have finished remotely managing the computer, type logoff in the command prompt to end your Terminal Server session.

Also, from the command line of the Server Core box, type cscript c:\windows\system32\scregedit.wsf /cli for a listing of all the command-line references.
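The installation steps and the remote-management steps above, collected into one phase-driven batch file as an added example (this is not the post's own script; the file name corehv.cmd is assumed, and the interface index, addresses, host name and domain are the post's sample values). Each phase is run from the Server Core console between the reboots the procedure needs. Two things differ from the bullet list on purpose: the network phase refuses to apply an address to an interface index that does not exist, and the final phase leaves the Windows firewall on and enables only the "Remote Desktop" rule group used above plus the built-in "Remote Administration" group for MMC, rather than disabling the firewall.

```batch
@echo off
REM Added example, not the post's own script: the Server Core + Hyper-V
REM installation steps and the remote-management steps from this post,
REM collected into one phase-driven batch file. Run one phase per boot:
REM   corehv.cmd network   static IP and DNS on the chosen interface
REM   corehv.cmd rename    rename the host, then reboot
REM   corehv.cmd join      join the domain (password prompted), then reboot
REM   corehv.cmd hvupdate  install the Hyper-V update KB950050, then reboot
REM   corehv.cmd hvrole    install the Hyper-V role, then reboot
REM   corehv.cmd manage    allow Remote Desktop for Administration and open
REM                        only the management firewall rule groups
REM Interface index, addresses, host name and domain are the post's samples.
setlocal
set IF_IDX=2
set IP_ADDR=192.168.1.20
set IP_MASK=255.255.255.0
set IP_GW=192.168.1.1
set DNS_SRV=192.168.1.2
set NEW_NAME=HyperSvr1
set DOMAIN=CONTOSO
set HV_UPDATE=Windows6.0-KB950050-x64.msu
set SCREGEDIT=%SystemRoot%\System32\scregedit.wsf

if /i "%~1"=="network"  goto network
if /i "%~1"=="rename"   goto rename
if /i "%~1"=="join"     goto join
if /i "%~1"=="hvupdate" goto hvupdate
if /i "%~1"=="hvrole"   goto hvrole
if /i "%~1"=="manage"   goto manage
echo Usage: %~nx0 network ^| rename ^| join ^| hvupdate ^| hvrole ^| manage
exit /b 1

:network
REM Refuse to apply the address unless the interface index really exists,
REM so a typo does not silently leave the box on DHCP.
netsh interface ipv4 show interfaces | findstr /r /c:"^ *%IF_IDX% " >nul
if errorlevel 1 (
    echo Interface index %IF_IDX% not found; pick one from the list below.
    netsh interface ipv4 show interfaces
    exit /b 1
)
netsh interface ipv4 set address name="%IF_IDX%" source=static address=%IP_ADDR% mask=%IP_MASK% gateway=%IP_GW%
if errorlevel 1 exit /b 1
netsh interface ipv4 add dnsserver name="%IF_IDX%" address=%DNS_SRV% index=1
netsh interface ipv4 show addresses
exit /b 0

:rename
REM /Force suppresses the confirmation prompt so the phase can be scripted.
netdom renamecomputer %COMPUTERNAME% /NewName:%NEW_NAME% /Force
if errorlevel 1 exit /b 1
shutdown /r /t 0
exit /b 0

:join
REM The "*" makes netdom prompt for the password instead of taking it on
REM the command line, where it would end up in the command history.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:administrator /passwordd:*
if errorlevel 1 exit /b 1
shutdown /r /t 0
exit /b 0

:hvupdate
if not exist "%HV_UPDATE%" (
    echo %HV_UPDATE% not found in %CD%
    exit /b 1
)
REM /norestart so the reboot happens on our terms right after the install.
wusa.exe "%HV_UPDATE%" /quiet /norestart
shutdown /r /t 0
exit /b 0

:hvrole
REM ocsetup component names are case-sensitive; start /w waits for it.
start /w ocsetup.exe Microsoft-Hyper-V
shutdown /r /t 0
exit /b 0

:manage
REM Keep the firewall on; enable only the two management rule groups.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
REM /ar 0 accepts Remote Desktop for Administration connections; /ar /v
REM shows the current value afterwards (0 = allowed, 1 = denied).
cscript "%SCREGEDIT%" /ar 0
cscript "%SCREGEDIT%" /ar /v
exit /b 0
```

The phases are deliberately separate because netdom and the Hyper-V update each require a reboot before the next step can succeed; running the manage phase last means the box is only reachable over RDP and MMC once it is domain-joined and patched, and the scregedit /ar /v call at the end prints the value to confirm the RDP setting actually changed.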

Categories: Virtualization

Determining if your machine is ready for Windows 2008 R2 and/or Hyper-V

March 10, 2009
Windows Server 2008 R2 will be released only for 64-bit systems. How can you determine whether your machine is ready to install Hyper-V?
There is a tool that checks whether the processor is 64-bit and whether it supports virtualization.
SecurAble probes the system’s processor to determine the presence, absence and operational status of three modern processor features:

  • 64-bit instruction extensions,
  • Hardware support for detecting and preventing the execution of code in program data areas, … and
  • Hardware support for system resource “virtualization.”

Download

Categories: Virtualization

Windows 7 Virtual Roundtable Q&A: Part One

March 10, 2009

Here is the first set of questions and answers that address Windows 7, along with the destinations to find more detail:

Q:  When will the Automated Installation Kit (AIK) fully support Windows 7?

Q:  Will any other version of Windows be able to read BitLocker To Go "with an add-on or additional software"?
  • A:  Yes, you will be able to unlock and read from BitLocker files on Windows XP and Windows Vista.
Q:  When can we expect Microsoft Deployment Toolkit (MDT) 2010 to be released, or release candidate 1 (RC1) for deploying Windows 7?
Q:  Is the kernel the same for Windows Vista Service Pack 1 (SP1) and Windows 7?
  • A:  The kernel consists of many different files; it is updated with Windows 7, but is based on the same underlying architecture.
Q:  Has ReadyBoost changed from Windows Vista?
  • A:  ReadyBoost in Windows 7 adds support for concurrently using multiple flash devices (such as USB keys, Secure Digital cards, and internal flash devices) and for caches larger than 4 GB. ReadyBoost supports exFAT, FAT32, and NTFS file systems.
Q:  In Windows 7 can you toggle or set all local policy settings individually as a preference instead of having to enforce for flexibility/versatility?
  • A:  No. Group Policy settings are independent of Group Policy Preferences. There is no 1:1 relationship between them in Windows 7.
Q:  Will the AppLocker Group Policy Object (GPO) be available on Windows Server 2008, or is it just on Windows Server 2008 R2?
  • A:  AppLocker is not dependent on a specific version of Windows Server. You can manage AppLocker from a Windows 7 client using the Group Policy Management Console (GPMC) that ships in the Remote Server Administration Tools (RSAT) for Windows 7, which is currently in beta. You can download the beta here.
Q:  You say any app that runs on Windows Vista should run on Windows 7, does that hold true for any app that runs on Windows XP? Should it run on Windows 7 as well?
  • A:  Since Windows Vista and Windows 7 share similar design frameworks, there is a foundation for application compatibility. Since Windows XP has a different framework, the levels of application compatibility are not the same.
Q:  Will there now be a possibility to burn an .iso image file without burning software?
  • A:  Yes. Double-click an ISO, and Windows 7 opens a minimalistic dialog. Choose a burner, select whether or not to verify your burn, and burn/cancel.
Q:  Will Microsoft support the RC [of Windows 7]?
Q:  Will there be an Application Compatibility Toolkit available for Windows 7 like there was for Windows Vista? When might that be available?
  • A:  Yes. We plan on releasing an update to the Application Compatibility Toolkit (ACT) in April to support Windows 7 pre-releases. There will also be a version corresponding with Windows 7 release to manufacturing (RTM).
Q:  What kinds of improvements are being made in the area of application compatibility testing and migration?
  • A:  There will be a version of the Application Compatibility Toolkit to support Windows 7 available in the April 2009 timeframe. Additionally, the Windows system application compatibility fix (shim) database is constantly extended with each Windows release milestone.
Q:  What is the migration process to get my stuff off of a Windows 7 box before I have to flatten it to install the final version?
  • A:  For individual use, Windows Easy Transfer can be used to gather files and settings from your computer and save to an external location. For organizational use, the User State Migration Tool (part of the Windows Automated Installation Kit) can also perform in-place user profile migration using Hard-link Migration along with a clean operating system install.
Q:  Will Deployment Image and Servicing Management be supported for existing Windows Server 2008?
  • A:  Deployment Image Servicing and Management (DISM) supports Windows 7 client and Windows Server 2008 R2. DISM also leverages an included shim for Package Manager (pkgmgr.exe) to enable DISM to perform Package Manager commands against Windows Vista or Windows Server 2008 images.
Q:  Why is Windows 7 quicker to start up compared to Windows Vista?
  • A:  In working to improve performance for startup we have focused on making improvements in the following areas:
    • The efficiency of core Windows code
    • Only starting certain services when they are needed (demand-start services)
    • The way device drivers are initialized
    • Allowing multiple device drivers to start at the same time (parallelization)
    • An overall reduction in the memory and CPU required to start and run the graphics system
Q:  Windows 7 performance out of the box experience does seem much better than Windows Vista, but is there anything that addresses the overall issue of performance degradation over time that plagues devices over time without having to configure or buy and configure additional third party software?
  • A:  Microsoft has invested in PerfTrack, an automated reporting feature in Windows that tracks the performance of over 400 experiences on the PC. Windows 7 also includes troubleshooters such as IE Performance as well as a Check for Performance Issues to help users check for performance issues over time.
Q:  Where can I find detailed step-by-step process for building a Virtual Hard Disk (VHD) that can be selected as the boot disk on a Windows 7 system?
  • A:  Detailed guidance for creating Boot from VHD files is currently being created. The basic process is to create a virtual disk using diskpart.exe, attach the virtual disk using diskpart.exe, use ImageX to apply a System-Prepared Generalized Windows Imaging (WIM) file to the attached virtual disk, then detach the virtual disk using diskpart.exe. After the VHD file is created, add an entry into the boot loader using bcdedit.exe to point to the file location of the VHD file. This only works with Windows 7 Enterprise and Ultimate editions and Windows Server 2008 R2 VHD files.
Q:  Will deployment of Windows 7 use the same tools as Windows Vista (WIM files, ImageX, etc…)?
  • A:  Most tools are retained from Windows Vista. Deployment Image Servicing and Management consolidates functions of IntlConfig, PEImg and PkgMgr in the Windows AIK for Windows 7. DISM supports PkgMgr functions against Windows Vista and Windows Server 2008 images. Integrated tools like the Microsoft Deployment Toolkit and System Center Configuration Manager 2007 will also support Windows 7 and Windows Server 2008 R2 deployment.
Q:  Are there any improvements in the Windows 7 imaging technology such as WAIK, SIM, MDT, ImageX compared with Windows Vista?
Q:  How can you deploy BitLocker with a custom image?
  • A:  There are two common approaches. You can pre-partition the drive for BitLocker, install the operating system, and enable BitLocker via deployment task sequence. Or, you can run the BitLocker Drive Preparation tool post-install and enable BitLocker via deployment task sequence. The default installation of Windows 7 will automatically create the BitLocker partition at install time.

Published 09 March 09 08:49 AM | Celine Allee
http://blogs.technet.com/springboard/archive/2009/03/09/windows-7-virtual-roundtable-q-a-part-one.aspx

Categories: Windows 7