Saturday, July 09, 2005

There's no place like 127.0.0.1

Home at last from an exciting week at TechEd Europe. My feet are aching and I'm tired, but luckily the weather in Denmark is sunny and warm (30.5 degrees Celsius) as opposed to the rainy weather in Amsterdam. I guess my lawnmower needs some exercise (at the very least I won't sit down all weekend after all the "sitting" I've done this week). I have a lot of blogging to catch up on, so expect to see more tidbits from TechEd, but for now I will shut down my notebook and enjoy the weekend.

Thanks to you all for a great week!

Thursday, July 07, 2005

Hardware management in Windows Server 2003 R2 - tidbits from TechEd Europe

A new feature of R2 is the ability to manage hardware through something called WS-Management. WS-Management uses the WS-* Web Service architecture to provide a consistent method for remote management of devices (e.g. servers). It does this by exposing a set of functions for consuming hardware management information on top of the Intelligent Platform Management Interface (IPMI). In addition to hardware it also interfaces with WMI, so you can accomplish management tasks both through IPMI-enabled devices and through WMI. The functions exposed are: read and set information, execute methods, create and delete objects, and retrieve collections of objects. By default it uses certificate-based authentication, but R2 also provides basic authentication (over SSL, of course; basic authentication carries the password essentially in clear text, Base64 only, so it must never be used without it).

An example would be enabling Remote Desktop through wsman, as I've demonstrated earlier through WMI and through the registry:

wsman invoke http://schemas.microsoft.com/wsman/2005/
02/wmi/cimv2/Win32_TerminalServiceSetting?
ServerName=HOSTNAME -machine:FQDN @{AllowTSConnections="1"}

(Wrapped for readability)

The wsman command-line tool is itself a script, so you can use it as a basis for your own scripts. Furthermore, it "only" needs port 443 (HTTPS) open on the target system, which is also the reason the basic authentication option is acceptable at all: the SOAP traffic, credentials included, travels inside SSL.
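For comparison, here is the same Remote Desktop change driven over WS-Management from PowerShell. This is an added example, not code from the post: it targets the later WinRM implementation (the WinRM 2.0 cmdlets, PowerShell 2.0 and up), whose resource URIs use the http://schemas.microsoft.com/wbem/wsman/1/wmi/... prefix rather than the R2-era .../wsman/2005/02/... one shown above. The host name srv01.example.com and the port are placeholders.

```powershell
# Added example, not the post's script. Assumes a WinRM HTTPS listener on
# srv01.example.com; WinRM 2.0 listens on 5986 by default, WinRM 1.x on 443.
$Target = 'srv01.example.com'
$Port   = 5986

# Win32_TerminalServiceSetting lives in root\cimv2\TerminalServices and is
# keyed on ServerName (the NetBIOS name), so that is the selector.
$ResourceUri = 'http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/TerminalServices/Win32_TerminalServiceSetting'
$Selector    = @{ ServerName = $Target.Split('.')[0].ToUpper() }

function Get-TsAllowConnections {
    # WS-Transfer Get: read the instance and return AllowTSConnections (0 or 1).
    $inst = Get-WSManInstance -ComputerName $Target -Port $Port -UseSSL `
        -ResourceURI $ResourceUri -SelectorSet $Selector
    return [int]$inst.AllowTSConnections
}

function Set-TsAllowConnections([int]$Allow) {
    # Invoke the class method rather than writing the property directly; the
    # method is what the WMI provider supports. Returns the method's
    # ReturnValue (0 means success).
    $result = Invoke-WSManAction -ComputerName $Target -Port $Port -UseSSL `
        -ResourceURI $ResourceUri -SelectorSet $Selector `
        -Action SetAllowTSConnections -ValueSet @{ AllowTSConnections = "$Allow" }
    return [int]$result.ReturnValue
}

# Read, change only if needed, then read again: the second Get is the check
# that the invoke actually took effect on the target.
$before = Get-TsAllowConnections
if ($before -ne 1) {
    $rc = Set-TsAllowConnections 1
    if ($rc -ne 0) { throw "SetAllowTSConnections failed with ReturnValue $rc" }
}
$after = Get-TsAllowConnections
Write-Host "AllowTSConnections: $before -> $after"
```

Use -Port 443 against a WinRM 1.x listener. Note that this only flips the Terminal Services setting; a firewall exception for TCP 3389 is a separate step, and on Windows Server 2003 the method does not open it for you.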

For more information check out the TechNet scriptcenter article or this whitepaper.

Wednesday, July 06, 2005

Microsoft's stance on third-party replication technologies in connection with Exchange

Third day at Tech-Ed. Need sleep / time off.

Attended a Chalk&Talk instead on Windows Server x64... Exchange was discussed - maybe a little off subject - but someone mentioned a KB on how Microsoft supports third-party replication/clustering technologies. As that sounded interesting, I set off to find the KB. You can read it here. Required reading, if you have one of those systems, I think.

Tuesday, July 05, 2005

Tidbits on security and Windows 2003 SP1 - TechEd Europe day #1

As I wrote earlier, I attended "Active Directory Internals: the Sequel" for a couple of hours in the late morning, and there were a couple of interesting topics.

As you may know, Windows Server 2003 contains a reanimation (undelete) feature that recovers deleted objects from their tombstones without buying third-party tools. SP1 now also preserves the sIDHistory of a deleted object, so it comes back along with the object. Restoring is quite easy if you know the ldp tool: set the LDAP control in LDP to show deleted objects, find the tombstone under CN=Deleted Objects, and in one modify operation remove the isDeleted attribute (set it to NULL) and replace the distinguishedName with the DN where you want the object to live. Only the attributes kept on the tombstone come back (SID, objectGUID and now sIDHistory among them); group memberships and the password do not, and the account comes back disabled, so expect to reset the password and re-add memberships afterwards. Find more on the subject of reanimation in KB 840001 under the topic "How to manually undelete objects".

SP1 also introduces the notion of confidential attributes, which by default cannot be read by Authenticated Users (as most attributes can). Just set bit 7 (value 128, 0x80) of the attribute's searchFlags in the schema to mark it confidential, or clear it to make it ordinary again. Two caveats: the bit cannot be set on base-schema attributes (those with the category 1 systemFlags bit), and the protection is only enforced by SP1 domain controllers; a pre-SP1 DC ignores the bit and hands the attribute out as before. Accounts granted the CONTROL_ACCESS right on the object (administrators by default) still read it.
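Both of the SP1 items above, reanimating a tombstone and flipping the confidential bit, can be scripted with the same LDAP operations ldp sends. The block below is an added example, not from the post or the KB; it uses System.DirectoryServices.Protocols from PowerShell, and the server dc01.example.com, the domain DC=example,DC=com, the deleted user jdoe and the custom attribute contosoSecret are placeholders for your own environment.

```powershell
# Added example, not the post's own. Placeholders: dc01.example.com,
# DC=example,DC=com, the deleted user jdoe, the custom attribute contosoSecret.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417): without it the DC
# hides tombstones from both searches and modifies.
$ShowDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

function Connect-Dc([string]$Server) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $conn.SessionOptions.Signing = $true   # Kerberos-signed and sealed, never clear text
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                           # current credentials
    return $conn
}

function Find-DeletedObject($Conn, [string]$DomainDn, [string]$Cn) {
    # Tombstones live under CN=Deleted Objects and carry isDeleted=TRUE.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = "CN=Deleted Objects,$DomainDn"
    $req.Filter = "(&(isDeleted=TRUE)(cn=$Cn*))"
    $req.Scope = 'Subtree'
    [void]$req.Attributes.AddRange([string[]]('distinguishedName', 'lastKnownParent', 'sIDHistory'))
    [void]$req.Controls.Add($ShowDeleted)
    return $Conn.SendRequest($req).Entries
}

function Restore-DeletedObject($Conn, [string]$TombstoneDn, [string]$NewDn) {
    # One modify: delete isDeleted and replace distinguishedName. That is what
    # "set isDeleted to NULL and set the DN" in ldp actually sends.
    $clear = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $clear.Name = 'isDeleted'
    $clear.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $move = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $move.Name = 'distinguishedName'
    $move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$move.Add($NewDn)

    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $TombstoneDn
    [void]$mod.Modifications.Add($clear)
    [void]$mod.Modifications.Add($move)
    [void]$mod.Controls.Add($ShowDeleted)   # the modify must see tombstones too
    return $Conn.SendRequest($mod).ResultCode   # Success = 0
}

function Set-ConfidentialAttribute($Conn, [string]$SchemaDn, [string]$LdapDisplayName, [bool]$Confidential) {
    # searchFlags bit 7 (0x80). Schema writes must go to the schema master and
    # need Schema Admins; base-schema (category 1) attributes refuse the bit.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $SchemaDn
    $req.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $req.Scope = 'OneLevel'
    [void]$req.Attributes.Add('searchFlags')
    $entry = $Conn.SendRequest($req).Entries[0]
    $flags = [int]$entry.Attributes['searchFlags'].GetValues([string])[0]
    $new = if ($Confidential) { $flags -bor 0x80 } else { $flags -band (-bnot 0x80) }
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest(
        $entry.DistinguishedName,
        [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace,
        'searchFlags', [string]$new)
    [void]$Conn.SendRequest($mod)
    return $new
}

$conn     = Connect-Dc 'dc01.example.com'
$domainDn = 'DC=example,DC=com'

$tombs = Find-DeletedObject $conn $domainDn 'jdoe'
if ($tombs.Count -ne 1) { throw "expected one tombstone for jdoe, found $($tombs.Count)" }
$rc = Restore-DeletedObject $conn $tombs[0].DistinguishedName 'CN=jdoe,OU=Users,DC=example,DC=com'
Write-Host "reanimate: $rc"   # account returns disabled, without password or group memberships

$flags = Set-ConfidentialAttribute $conn "CN=Schema,CN=Configuration,$domainDn" 'contosoSecret' $true
Write-Host ("searchFlags now 0x{0:X}" -f $flags)
```

The search deliberately matches on a cn prefix and refuses to continue unless exactly one tombstone comes back; a user deleted twice leaves two tombstones with mangled names, and reanimating the wrong one hands its SID to the wrong account.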

Steve Riley and Jesper Johansson on security
The presentation wasn't in any way boring - I kept my eyes open all day (a first ;-) - but I'm sad to say that the overall technical content wasn't satisfactory. Most of the day went with plain vanilla stuff on security based on the Implementing Client/Server Security presentations used earlier, administrative templates and other plain old information. Luckily it was nicely beefed up with good stories, discussions and provocative thoughts by Steve and Jesper.

So what was interesting? Well, "Passwords have passed the end of their useful lifetime." I do agree with that, and it has also been discussed by other security experts than Jesper, and the solution isn't always just to buy a two-factor authentication device, as Schneier discusses in his essay "Too Little, Too Late". But personally I do prefer to use Password Safe instead of jotting down my password ;-)

There was an interesting discussion on security and outsourcing, and they stated that China doesn't even have the concept of Intellectual Property and that outsourcing companies that may have loads of internal information on their customers will probably be the next point of attack.

ISA 2004 was as usual well praised, especially the fact that application proxies are much more usable than standard packet-filtering firewalls. I do agree that ISA 2004 is a great firewall with one exception: the application filters aren't updated on a frequent basis and there are no new ones coming unless there is a product upgrade. As with MOM Management Packs, it should be a requirement that each product group, if applicable, releases a new/updated application filter at the same time as or just after releasing their product (e.g. for Live Communications Server). I discussed this with Steve and he told me that there are no plans for this (and he had already had a discussion with the product group about this, without luck).

On the point of SP1 it was emphasized that in an Exchange scenario SCW is used to secure the OS itself, NOT Exchange, so we should still use the Exchange 2003 Security Hardening Guide to secure Exchange.
I also discussed with Steve when the Firewall actually is disabled; a discussion I've had earlier with Susan Bradley on my article Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy? (check the comments). There's apparently some confusion on this topic; in my experience with the RTM release the Firewall is always disabled after an upgrade, or in the case of a new slipstreamed SP1 installation after you press Finish in the Post Setup Security Updates (PSSU) wizard.

As I mentioned at the start I wasn't bored at any time, but each time a topic looked a bit interesting (like Network Isolation or Wireless Security) the comment was "We have a session during the week on X and X, go listen to that instead; we want to make sure that we have enough attendees at our other sessions". Well, why do you think we paid for a pre-conference day? To listen to security for one day so that we could follow other tracks or the hands-on labs the rest of the week! (In Steve and Jesper's defence, they were provided with a set of standard slideware that they were required to follow.)

Monday, July 04, 2005

The hunt for non-PC SMS programs (SMS 2003 SDK v3)

Late yesterday I created an SMS script that sets the MOM flag on the programs for one of my customers. He came back and told me he had to do an SMS restore, as the script trashed the image packages.
Bad, bad.

OK, I said to myself. I'll just modify the program to skip those image package programs, and exclude any device management programs as well.
But this was easier said than done. First of all, I'm at Tech-Ed in Amsterdam with my fellow blogger Dennis. Secondly, the battery of my Dell is bad and finding power for charging is difficult here at the RAI.

Having come across all those obstacles, I went on...

First I stumbled across v3 of the SMS SDK. It was released June 21st. Get it from MS downloads. This is a must-have for all doing SMS automation. The official voice says: New for the SMS V3 SDK is a .NET server-side library which simplifies access to the SMS WMI site provider, and Device Management inventory extensibility information.

So I looked at the program flags and found that bit 9 indicates a device program. But how do I see that a program is an OS installation?

That is NOT documented.

Found it myself though. The SMS_Package class has an ImageFlags property. For normal packages it seems to be zero; remember this is undocumented and at your own risk.

So I redid my script and can now first filter out the image packages and then the device programs.
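The filtering described above, written out as an added example (this is not the customer script): it walks SMS_Package and SMS_Program through the SMS provider's WMI namespace on the site server, drops image packages and device programs, and only then touches ProgramFlags. The site server smssrv01, the site code ABC and the two bit values are assumptions: 0x100 for the device-program bit (the "bit 9" above, counted from 1) and 0x20 for the MOM flag (disable MOM alerts while the program runs).

```powershell
# Added example, not the post's script. Assumed: site server smssrv01, site
# code ABC, device-program bit 0x100, MOM flag 0x20. ImageFlags is undocumented;
# anything non-zero is treated as an OS image package and left alone.
$SiteServer        = 'smssrv01'
$Namespace         = 'root\sms\site_ABC'
$DeviceProgramFlag = 0x100
$MomFlag           = 0x20

function Get-ImagePackageId {
    # PackageIDs of packages whose ImageFlags is non-zero (OS image packages).
    Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Package |
        Where-Object { $_.ImageFlags -ne 0 } |
        ForEach-Object { $_.PackageID }
}

function Get-EligibleProgram {
    # Programs that belong to neither an image package nor a device.
    $imagePackages = @(Get-ImagePackageId)
    Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Class SMS_Program |
        Where-Object {
            ($imagePackages -notcontains $_.PackageID) -and
            (($_.ProgramFlags -band $DeviceProgramFlag) -eq 0)
        }
}

function Set-MomFlag($Program, [switch]$WhatIf) {
    # Returns $true if the flag needed setting, $false if it was already set.
    # With -WhatIf nothing is written back.
    if (($Program.ProgramFlags -band $MomFlag) -ne 0) { return $false }
    if (-not $WhatIf) {
        $Program.ProgramFlags = [uint32]($Program.ProgramFlags -bor $MomFlag)
        [void]$Program.Put()
    }
    return $true
}

# Dry run first: list what would change without writing anything.
$candidates = @(Get-EligibleProgram)
$changes = @($candidates | Where-Object { Set-MomFlag $_ -WhatIf })
"$($changes.Count) of $($candidates.Count) programs would get the MOM flag:"
$changes | ForEach-Object { "  $($_.PackageID) / $($_.ProgramName)" }

# Apply only after reviewing the list above:
# $changes | ForEach-Object { [void](Set-MomFlag $_) }
```

The dry run is the point: after one restore, the list of programs that would be touched is worth eyeballing against the package list in the SMS console before the Put() runs, and the exclusion check is applied by PackageID rather than by name so a renamed image package is still skipped.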

I hope my customer does not have to do a new restore tomorrow...

Arrived at TechEd Europe and looking forward to an interesting week

I arrived Sunday at the Golden Tulip Inntel, which is nicely situated between Dam Square and the Central Station. Besides being a nice hotel, it has free wireless, with lots of shopping, restaurants and the tram nearby as some of the best features.

I originally meant to follow the pre-conference day on security with Steve Riley and Jesper Johansson, primarily because they both are hilarious speakers and their views on security are interesting. But the first two items on their agenda were Implementing Server/Client Security on Windows, which I delivered as a speaker a year ago on one of the TechNet days in Denmark, so probably nothing new there :-). Instead I joined John Craddock and Sally Storey on "Active Directory Internals: the Sequel" for the morning (ldp tool advanced topics, usually ;-) and then I'll probably switch back to Steve and Jesper for the afternoon sessions.

When I'm at TechEd I usually find some of the subjects that are in the future or that I don't normally specialize in myself, and I also like to spend quite a lot of time in the Hands On Labs. I personally use TechEd as a possibility to delve into technology for a whole week without thinking about colleagues, customers and family, and this year is business as usual.

My agenda for this week contains playing in the Hands On Labs with Windows Server 2003 R2, Enterprise Project Management Solutions (EPM), Microsoft Identity Integration Server (MIIS), NLB/CARP Load Balancing with ISA Server 2004, Indigo and the new Data Protection Manager. Sometimes I follow the lab guidelines (e.g. for Indigo) but most times I don't.

For the Sessions I look forward to hearing about the Network Isolation that Microsoft uses (as a Microsoft vendor I've had all the hassles during their initial roll-out when connecting a non-Microsoft domain-joined computer to their network through RAS). Also I'm attending sessions on Scripting with R2, Longhorn Client Security, Microsoft IT's administration of Windows Mobiles, MIIS, Active Directory Federation Services (including Web SSO), System Center Reporting and not least Running Windows with Least Privilege by Aaron Margosis (I really enjoy reading his blog; it's a 'recommended').

Btw. my postings on TechEd Europe are cross-blogged on the MS Exchange Blog.