Speaking At European SharePoint, Office 365 & Azure Conference 2017

I will be speaking at this year’s European SharePoint, Office 365, and Azure Conference, which is being held in the National Conference Center in Dublin between 13-16 November. I’ll be talking about Azure Site Recovery (ASR):

image

It’s a huge event with lots of tracks, content and speakers from around the world.

 

For those of you in Ireland, this is a rare opportunity to attend a Microsoft-focused conference of such a scale here in Ireland.

Microsoft News Summary – 20 August 2014

The headline news from yesterday is that Steve Ballmer has resigned his new position from the Microsoft board to focus on “teaching” and his duties as the new owner of the Los Angeles Clippers NBA basketball franchise. He’s still the largest independent owner of MSFT stock.

Microsoft

Virtual Machine Manager

  • VMM 2012 Self-Service users cannot open a console session to a virtual machine: When you try to connect to the console session of a virtual machine (VM) that is running in Windows Server 2012 by using Microsoft System Center 2012 R2 Virtual Machine Manager or Microsoft System Center 2012 Virtual Machine Manager Service Pack 1 (SP1), the connection fails, and you receive the following error message – Virtual Machine Manager lost the connection to the virtual machine for one of the following reasons.

Azure

Office 365

Microsoft News Summary – 1 August 2014

Talk about crappy timing. A federal court in the USA has determined that emails are not actually emails, and therefore Microsoft must turn over emails business records stored on Email servers in the Dublin region to the FBI. One must wonder why the FBI didn’t contact the Irish authorities who would have jumped at once if the case was legitimate and issued an order locally. Maybe the case is not actually legitimate?

On the eve of Azure going big through Open licensing, a federal judge has stuck a stake through the heart of the American IT industry – this is much bigger than Microsoft, affecting Google, Apple, Oracle, IBM, HP, Dell, and more. Microsoft has already lodged an appeal.

Server Posterpedia –Windows Server Poster App

A new app that features the feature poster apps for a number of server products, not just Hyper-V, has been released. You can download this app from the Microsoft Store for Windows 8.

image

Click on a poster, and it’s displayed for you:

image

You can zoom and scroll through the poster. Cleverly, the actions that you can run from the app will link you to additional information on TechNet. And there is even a link to download the original poster.  What a handy way to start learning the features of server products.  This is worth installing Windows 8 for!

Ben Armstrong posted about the app overnight, including a video of the app in action.

image

Early Impressions Of Office 2013 Beta

I installed Office 2013 on my Windows 8 Build slate PC on Monday night.  Here are some early impressions:

  • It’s very different looking.  The layout has been optimized to make it touch friendly, but still appears to be mouse friendly.
  • The new control that everyone is talking about reminds me of something in the Star Trek’s of the last 20 years.
  • I really like where Word has gone.  Becoming a consumer of information is a great idea.  It is now also a reader, can scale the doc to your tastes, and can remember where you left off.  That makes it very Kindle-like.  It can also open and edit PDF.  Bye-bye Adobe Reader; you and your constant patching requirements (that are usually not done) won’t be missed.
  • As a person who writes the occasional white paper, I like how Word now allows flexible placement of images.  Note that we never embed images when writing books; the editors do that in the later PDF stages.
  • I love the new presenter view in PowerPoint.  I’ve been dreaming of presenting from my slate PC in the past.  I hate being tied to behind a podium when presenting and I don’t like looking back to the screen to remind me of what I’m talking about on this slide.  Plus being able to use “ink” to highlight things will be useful.
  • I haven’t looked into Lync or Outlook too much yet.  I have them working with Office365 with no extra work other than signing in (as usual).

Don’t ask me about Lync, SharePoint, and Exchange servers.  I haven’t a clue what’s new yet.  To be honest, they are usually outside of my scope of work.  There is a boat load of new documentation on download.microsoft.com for the “wave 15” betas of Office.

Technorati Tags: ,,,

How HM Treasury Was Allegedly Attacked & How to Defend Against It

I was listening to The Guardian’s Tech Weekly podcast on the way into work this morning and they were discussing some of the recent announcements from the British government about the cyberwar research that the MoD/GCHQ is doing.  In the discussion they mentioned that there was a recent attempted attack on HM Treasury (department of finance), and that the attacks allegedly came in two forms:

  • Drive-by browsing: this is where a user innocently goes onto a legitimate website, but an outsourced advert uses a browser vulnerability to inject some software onto the user’s computer.
  • Malware attachments: Some piece of dodgy software is sent as a normal looking attachment in an email.  This file has some sort of built in attack, like a trojan downloader, and the PC becomes a bot (something the attacker can remotely control by commands that the downloader will pull down from a service or website running on the Internet).

I am not a security expert.  In fact, most of the self-proclaimed security experts that you meet are not security experts.  I have met real security experts.  They speak a whole other language that we IT Pros don’t understand.  I’ve also met “security experts” with their recently downloaded checklists who do more damage than good.  The good news is that there is lots that you can do to protect yourself from attacks such as the above.  The bad news is that there is no 100% perfect defence.  For example, antivirus scanners detect already known threats.  Someone has to get hit somewhere before a threat becomes known.  Let’s stay positive and see what could be done to protect against the above two attacks.

Defending Against Drive-By Browsing

Drive-by browsing has been around for some time.  I’ve attended presentations by Microsoft’s Roger Grimes (serious security dude), where he talked about the website of a certain conservative news broadcaster.  They sold advertising space on their website.  Other than the space, they had no control over content.  That was done by the online advertiser.  And they probably did more outsourcing or bidding.  Allegedly, browsing this website could cause you to become a victim of an attack that was built into one of these outsourced adverts.  You’d just browse the site and *BANG* your PC downloaded a trojan downloader.  In other words, it was 0wned.

The most basic defence against drive-by attacks is to keep your browser up to date with security fixes.  Don’t be a fanboy sheep: all browsers are vulnerable.  I remember listening to another podcast (TWiT Windows Weekly) a few months ago where they discussed how Safari took seconds to smash, and Chrome/IE lasted a bit longer but eventually gave in at some hack-athon.  Google and Microsoft are constantly releasing updates.  Google do it via new versions of Chrome.  Microsoft do it through security hotfixes.

If you run anything but the smallest business then you need to manage these updates.  This is one of IE’s strengths because it can be updated immediately (or after internal testing) via Windows Updates, WSUS, and System Center (Configuration Manager 2007 or System Center Essentials 2010).  There really is no excuse for a business not to be doing this, monitoring patch update levels, and remediating any deployment issues.

This adverts are effectively downloading a trojan installer.  A proxy malware scanner can help defend against this.  Forefront Threat Management Gateway (TMG) includes a Malware Inspection Filter, as do many other firewall and proxy products.  I’ve always like the ISA (now TMG) family because they are AD integrated, and I can reuse security groups and user accounts for rules and exceptions.

Malware Attachment

The problem with email is that is pretty open, and trusting.  If I know the name or IP address of your SMTP gateway then there’s nothing to stop me from creating a malformed email that appears to come from someone you know and trust, and attaching a piece of malware to do bad things to your PC (and then your network).

Last night I read about some executive of a large corporation who sent out a memo to all employees to instruct that they should confirm the source of all emails before opening them. That certainly is one way to prevent the opening of an attachment. I just wonder if this executive answered the 20,000+ phone calls from his employees when they called to confirm that he really sent that email. Let’s get real – people have jobs to do and they cannot spend 3/4 of the day calling people to see if so’n’so really sent an email. Why would we have email at all in that case?

Sure we can do a bit of user education.  I don’t need to open an attachment with a .EXE file extension.  I don’t need to read an email from the wife of some deposed king.  And I really don’t need pills for you-know-what Smile  Common sense education helps.  But as Steve Riley has said in presentations in the past: the vulnerability lies in the meat that sits between the chair and the keyboard.  If we cannot fix that. then maybe we need to wrap our email system in defences to counter those weaknesses.

Lets start with the mail server.  Stick some malware scanning on there, like Forefront for Exchange (or another solution).  That will protect the server against external threats.  I know you’ll interject here with another suggestion (and I’ll get there).  Think about how IT is changing.  Consumerisation of IT has caused users to bring all sorts of devices onto our networks.  Lord knows what they connect to when they are not on our network.  And those same devices will be used to connect to the company’s mail services.  You need to protect the company’s email (and reputation) against those internal threats.

Next up is the online malware scanning service, such as Forefront Online Protection for Exchange (FOPE) or others.  The company’s MX record points to this, all incoming email is scanned for spam and malware, and then sent on to the company’s SMTP gateway.  You’re in complete control – you can even integrate the management of Forefront for Exchange with FOPE via a free (I believe) management console (it also can manage Forefront for SharePoint).  Now you can filter out the incoming rubbish before it gets to the company’s expensive Internet connection, and you have a layered defence.

Third Party Update Catalog

We aren’t finished yet.  Antivirus scanners are not perfect, especially when it comes to custom written or brand new threats.  The more serious attacks out there are not done by script kiddies in a basement; they’re done by organised crime, your competitors, and state agencies.  They have the time and money to create new programs to leverage discovered vulnerabilities.  For example, it’s one thing to scan for Conficker, it’s another thing to fix the vulnerability that it attacks so you can prevent anyone else from attacking it.

So you can use Windows Update, WSUS, ConfigMgr, or SCE to patch Windows.  Great!  The attachment that was used in the allegedly attack on HM Treasury was allegedly based on an Adobe product.  How often do you see Adobe products looking to update themselves to fix some security issue?  It feels to me like it happens a few times a week.  I bet most of you, and your users, disable these annoying updates – and that’s what the attacker is betting on!  They can write a custom attack, build it into a PDF (or whatever), send it to a user in your organisation using a crafted email that appears innocent enough, it’ll sail through the scanners (because it is an unknown attack), the attachment is opened in a vulnerable reader, and *badda bing* the attacker now has control of a PC on your network.

*PANIC* This is where you uninstall Adobe Reader, Flash, etc, and use third party alternatives – not so fast, my friend! (Why do I keep quoting Lee Corso?).  Adobe products, like every other, has vulnerabilities.  If you think those other readers don’t then you’re fooling yourself.  If you’re a big enough target, then an attacker will figure out what third party reader you use via social engineering, and craft an attack for that.  With Adobe, you at least have a way to force updates for your users.

No, we cannot trust users to run Adobe updates by themselves, just like we cannot trust them to run Microsoft updates for themselves.  Adobe has created software update catalogues that we can use in System Center Configuration Manager (MSFT’s main way to adopt/control consumerisation of IT) and System Center Essentials.  This will allow you to centrally download, test, approve, and deploy updates to relevant machines in an automated, and scheduled manner, with deployment deadlines.  Now you can force those vulnerable PCs to update, and secure your network against those vulnerabilities.

Summary

With all this you get layered defences.  Is it 100% secure?  No.  Like I said, I’m honest enough to say that I’m not a security expert but I know that with the above systems, you could protect yourself against the same attack that allegedly targeted HM Treasury (based on the information that I heard this morning).  Combine this with protection for PCs, servers, SharePoint, Lync, and so on, and you’ll have a nice fortress.  You can’t rely on people to protect the castle, and that’s why you need an automated portcullis approach like this.  The responsibility then falls on you as the gatekeeper to ensure that the gate is built correctly.

Note: I don’t know why some people always assume that virtual machines (on any hypervisor) assume that security should be any different for them.  The virtualised workloads still need the same levels of protection that they physical alternative would.

Visio 2010 Add-Ins – Pay Attention System Center People!

You may have wondered how to crate pretty pictures to share on a big screen that depict some health information about stuff that you manage using System Center.  Here’s how …

I was mucking around with the Visio plug-ins for Operations Manager for the first time today, adding monitored objects from SCE 2010 (plus their health status) into Visio.  The cool thing with this is that it refreshes the objects’ health in Visio!  And then you can save your diagram into SharePoint 2010 with live health refreshing.  In other words, you can create nice and friendly views of the services that IT provides and share them with service owners and/or users via diagrams on SharePoint sites.

VisioOpsMgrAddinExample

But it doesn’t stop there.

There are a lot of these plug-ins.  Why I’ve not heard/paid attention to most of these before, I have no idea.  There’s one for Exchange, allowing you a friendly view of your Exchange Server 2007 environment.  There is a cool one that drags in alerts from OpsMgr and update status from ConfigMgr if you are running a dynamic datacenter. 

image

Seriously, take a look at this stuff if you are running System Center, or if you’re a systems integrator looking for cool new upsell services.

Office 2010 Service Pack 1 RTM Date

According to Microsoft, you can expect Service Pack 1 for Office 2010 and SharePoint 2010 to RTM in the end of June.  “Initially, Service Pack 1 will be offered as a manual download from the Download Center and from Microsoft Update, and no sooner than 90 days after release, will be made available as an Automatic Update”.

Changes include:

  • Outlook fixes an issue where “Snooze Time” would not reset between appointments.
  • The default behavior for PowerPoint "Use Presenter View" option changed to display the slide show on the secondary monitor.
  • Integrated community content in the Access Application Part Gallery.
  • Better alignment between Project Server and SharePoint Server browser support.
  • Improved backup / restore functionality for SharePoint Server
  • The Word Web Application extends printing support to “Edit Mode.”
  • Project Professional now synchronizes scheduled tasks with SharePoint task lists.
  • Internet Explorer 9 “Native” support for Office Web Applications and SharePoint
  • Office Web Applications Support for Chrome
  • Inserting Charts into Excel Workbooks using Excel Web Application
  • Support for searching PPSX files in Search Server
  • Visio Fixes scaling issues and arrowhead rendering errors with SVG export
  • Proofing Tools improve spelling suggestions in Canadian English, French, Swedish and European Portuguese.
  • Outlook Web Application Attachment Preview (with Exchange Online only)
  • Office client suites using “Add Remove Programs” Control Panel, building on our work from Office 2007 SP2

SharePoint and Dynamic Memory

So far today, I’ve covered Exchange, SQL, and Lync support statements for Dynamic Memory.  This post is going to focus on SharePoint.  What is the news?

I have searched high and low using Google and Bing.  I have checked the guidance, including designing SharePoint 2010 for virtualisation on TechNet, and I have not found any mention of Dynamic Memory.  Let’s assume that SharePoint does support Dynamic Memory – unless you do have an abundance of support calls with CSS or Premier and can get an answer (please do share!).

Two things stand out:

SQL

The key to performance of SharePoint appears, to me, to be SQL Server.  We already know the story for SQL and Dynamic Memory.

Sizing

The sizing guidance for SP 2010 is quite realistic.  There’s a lot of “it depends” and talk of user acceptance testing.  In Ireland we call it “suck it and see”.  In other words, you won’t know what’s the right sizing for your environment until you try it.  Memory guidance uses the word “estimated” quite a bit.  Based on my previous experience with SharePoint (which is limited, I admit), MS sizing tends to be for huge user bases and not those that most of us deal with.  I remember a “small” SP 2003 farm from an MS Press book being 10,000 users.  I was sizing for 800 at the time, and MS Ireland considered us to be an enterprise customer! 

You will need flexibility.  That leaves me thinking that SharePoint is the perfect candidate for Dynamic Memory.  You will have to estimate that maximum memory, and the hypervisor will take care of assigning only what is required.  Later on (after monitoring) you can decide to reduce or increase the maximum memory setting.

I will update this post if I hear anything definitive.

On-Demand Hyper-V VM Design Webcasts

Do you want to know what the best practices for deploying Exchange, SharePoint and SQL are on Hyper-V (or any virtualization platform)?  Well here you go:

There should be enough in there to keep you hiding from the boss for half a day.