Month: February 2010

ACT for Configuration Manager

Those Configuration Manager teams in Redmond must be incredibly busy and well managed.  They have two product developments going on (ConfigMgr 2007 R3 and ConfigMgr v.Next) as well as producing add-ons for existing products.

The latest is the Application Compatibility Toolkit for Configuration Manager as blogged about by Jeff Wettlaufer.  The concept is simple enough; using ConfigMgr you can audit your existing desktops to see which applications you have.  You can use this information to assess Windows 7 compatibility.  It will also do the same for device drivers.  This reads like MAP for Windows 7 taking on the power and scalability of ConfigMgr.  MAP would be fine in a single office.  ConfigMgr takes this to the WAN.

That’s another bow to the string for Windows 7 deployment in the Enterprise.

Analyse Memory Of Saved State VM’s – And Host Security

Ben Armstrong (MS virtualisation whiz, The Virtual PC Guy) blogged overnight about a tool that allows administrators or developers to get at and analyse the contents of RAM in a saved state Hyper-V VM.  The tool is called VM2DMP.  It will convert a Hyper-V saved state memory to a DMP file that DMP analysis tools can load up.

This brings up a question: security.  Lets forget about TV shows like 24 and movies like the Net.  That stuff can be fun.  Sit back and think: what is the easiest way to gain access to some piece of data or files?  The answer is simple.  Gain physical access and literally steal the disks.

If I had access to a saved state VM then in theory (if I had the skills) I could use that tool to convert the memory, poke around and gain access to sensitive items that were stored in RAM.

Virtualisation makes this even easier.  You don’t have to remove the disks because they’re files.  Gain access to the host and away you go.  I remember when I started working on server virtualisation and having a chat with my cousin who is a senior security consultant with a major international company.  His previous role had him working in a lab and projects were to think up scenarios and find threats.  So he asked me: “how do you secure VM’s when they are only files?”.

It’s possible.  But you’ve got to do all the right things.

Security starts and ends with physical access.  Control access to the computer room(s) and monitor that access.  Be very strict about it.  The data centre I work in doesn’t care if they see you every day.  If you are not expected or not properly processed then you don’t get past the front door.  It sounds inflexible and it is.  But damn is that place secure!

Hyper-V run on Windows Server 2008 and Windows Server 2008 R2.  You have the option of enabling BitLocker on the host.  That’ll work on standalone hosts but not on a cluster.

Maintain control of who can log into the host.  You’ve got to treat host logon permissions the same way as you would treat computer room access.  That logon prompt and those drive access rights must be at least as important as access through the door.  If you can log into a host or gain access to drives remotely then the door is wide open to play. 

There is no need to give access (administrative or interactive logon) to a host beyond the virtualisation team.  Rights can be delegated.  The ideal solution for that is VMM.  You can allow delegated administrators to do admin work via the VMM console.  Members of self-service roles can use the portal to deploy and manage VM’s.  If you don’t have VMM then you can use the Hyper-V authorisation manager to delegate access.

And yes, you can enable and RDP into a VM.

Most of this stuff goes back to the basics of what you should be doing already.  Membership of domain admins should be very limited.  Nested groups and local group population via Group Policy (restricted groups) allows delegation.  Give only the access that is required.  Treat physical access like getting into somewhere like the NSA.  Use the right tools for the right reasons and don’t be lazy.  And the stuff I’m talking about here is not unique to Hyper-V.  You need to take precautions with all hardware virtualisation solutions.

The tool that Ben blogged about has legitimate uses; just be sure that only the right people get to use it on your Hyper-V hosts.

Technorati Tags: ,,

Got a Vodafone Ireland Home Broadband Router? Make These Changes

If you do and you’ve experienced issues then you should consider doing the following three things:

Confirm It Is A EchoLife HG556a

Browse to this Vodafone Ireland page and get the advanced configuration username and password.  They should be:

User name: admin

Password: VF-IRhg556

Log into the router (probably http://192.168.1.1) using those credentials.  That should open the Device Info page.  If the product name is EchoLife HG556a then you should consider doing the next two steps.

Update The Firmware

You’ll find a link and instructions for this on the Vodafone Ireland page.

I found (it might be a coincidence) that my slow home broadband browsing issue seems to be gone afterwards.  I’m not saying that it’s fixed but it’s not present now.  I am not closing my call – there still might be an issue and only testing over a longer time frame will confirm that. 

Change the QoS Setting

I’ve been having issues with streaming media to my XBox from a media PC for a while now.  I decided to browse through the settings on the router to see what the manufacturers/Vodafone Ireland have done.  There is a setting called QoS (Quality of Service).  QoS allows network administrators to slow down certain types of traffic to allow other types to speed up.  Here’s the rub: there is no one size-fits all that works.  I found this setting (Advanced Setup – Enable QoS) was enabled.  I disabled it, saved the setting and rebooted the router.

Now I tested XBox media streaming from a media PC.  It worked like it should do, no delays, no stutters, and the sound was staying in synch with the video.

Windows 7 Upgrade Laptop Battery Issues

Paul Thurrot reported on an issue with Windows 7 machines draining the laptop battery.  The issue is with machines that were upgraded.

As Microsoft recommends, and as I wrote in Mastering Windows Server 2008 R2, you should avoid upgrades where possible.  You just end up inheriting bad stuff that can make unpredictable things happen.

The tools are there to make it pretty easy to do a clean install.  Do a complete PC backup.  Export the user state using the tools in Accessories.  Do a clean install of Windows 7 (wipe the hard disk).  Install any applications and restore the user state.  If anything is missing, go ahead and access that complete PC backup that you should have done.  XP users can use the tools I recently mentioned to restore to Windows 7.

0x0000007C BUGCODE_NDIS_DRIVER Blue Screen on Windows Server 2008 R2 with NLB

There is a blog post by a Microsoft employee that describes an issue where a virtual machine (Hyper-V or VMware) running Windows Server 2008 R2 will crash.  The VM is configured with Windows Network Load Balancing.  Their research found that the problem occurred with “certain” antivirus packages installed.  They didn’t (and probably won’t) specify which ones.  The two proposed solutions are:

  1. Configure NLB before installing the antivirus package
  2. Uninstall the antivirus package

New Operations Management Management Pack: Power

There’s a glut of Operations Manager 2007 management packs available from Microsoft.  One of them really stood out.  It is the Windows Power Management Pack for System Center Operations Manager 2007 R2.

The short description is:

“The Power Management Pack for Operations Manager 2007 R2 enables you to monitor and manage the power consumption of computers running Windows Server 2008 R2.

This management pack provides:

  • Visibility into power consumption
  • Visibility and control of power policy
  • Ability to lower power consumption during non-business hours to reduce overall power consumption
  • Ability to limit power consumption
  • Ability to detect excessive power consumption”

Microsoft is making a lot of effort in this space.  System Center Configuration Manager 2007 R3 could be considered as “System Center Configuration Manager 2007 Power Management Edition”.  Windows 7 and Windows Server 2008 R2 both include lots of power features.

This new management pack seems to be leveraging some of those features in Windows Server 2008 R2.  The basic concept is that it will retrieve details of power consumption for servers running that operating system.  It allows you to set power plans and use automatic recovery to switch power plans based on server usage.  You can set thresholds and raise alerts when servers consume more than an allocated amount of power.  You can force servers to use no more than a certain amount of power. 

This is a complicated management pack.  There is a Word document with rough instructions.  Please read it thoroughly before importing this management pack.  If you have a physical lab (the management pack won’t do anything with VM’s) then work with it there first.  You should also note that if you use SQL 2008 for your OpsMgr database then you should apply a hotfix first.

Windows User Group Event: Windows 7 Application Compatibility – Prizes For Attendees!

This is quite possibly going to be your sole chance in Ireland to attend an event that will educate you about Windows 7 application compatibility solutions.  Our speaker (a veteran trainer) will be showing you how to get legacy applications working on Windows 7 using the solutions that Microsoft provides.  Some are built into the operating system, some are free downloads and some are in MDOP.

The event is on this Friday, February 5th at 10:00 in Building 1 at Microsoft Ireland EDC in Leopardstown in south Dublin.  It is a completely free event with no strings attached and is being run by the Windows User Group (me) with help from Microsoft Ireland.  Pastries and coffee/juice will be on hand to wake you up and keep you going.

We’ll also have a few prizes to give away including a Microsoft Arc mouse (I use one and it’s fantastic), and a couple of X-Box games to give away: Forza Motorsport 3 and Halo ODST.

Registration is simple and free.

Not everyone can get out of the office or travel to Dublin.  Don’t worry; we will be performing a simultaneous live webcast of the event. Please download and install the LiveMeeting Client in advance. The web client will not support audio so we do recommend the installed version. The event will be available at this link when registration starts.

We look forward to seeing you there or seeing you on the webcast.

Technorati Tags: