Aidan Finn, IT Pro

The WSUS team has announced that the release candidate program for WSUS 3.0 is winding down.  This means that the release to manufacturing will be pretty soon.

Check out the guide that I wrote beased on the initial public beta release.

Patch Tuesday has just passed.  The following updates are available from Microsoft Update:

Critical

• MS07-018: Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939) – Content Management Server 2001, Content Management Server 2002
• MS07-019: Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261) – Windows XP Home Edition, Windows XP Professional, Windows XP Professional 64-Bit Edition
• MS07-020: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168) – Windows 2000 Server, Windows 2000 Professional, Windows 2000 Datacenter Server, Windows 2000 Advanced Server, Windows XP Home Edition, Windows XP Professional, Windows XP Professional 64-Bit Edition, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows Server 2003 Datacenter Edition for Itanium-based Systems, Windows Server 2003 Enterprise Edition for Itanium-based Systems, Windows Server 2003 Datacenter x64 Edition, Windows Server 2003 Enterprise x64 Edition, Windows Server 2003 Standard x64 Edition
• MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178) – Windows 2000 Server, Windows 2000 Professional, Windows 2000 Datacenter Server, Windows 2000 Advanced Server, Windows XP Home Edition, Windows XP Professional, Windows XP Professional 64-Bit Edition, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows Server 2003 Datacenter Edition for Itanium-based Systems, Windows Server 2003 Enterprise Edition for Itanium-based Systems, Windows Server 2003 Datacenter x64 Edition, Windows Server 2003 Enterprise x64 Edition, Windows Server 2003 Standard x64 Edition, Windows Vista, Windows Vista x64

Important

• MS07-022: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784) – Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition

You can see virtualistion on Windows Longhorn Server in action in this webcast.

Credit: Microsoft TechNet Ireland.

Bink is reporting that there are two releases for Sofgrid on the way.  SoftGrid 4.1 will be upgraded by Service Pack 1.  This will include Hotfix and critical updates and increase stability and compatibility.  MS will release the Sequencer, Desktop, Client, Terminal Server Client and Server all at the same time in around April or May.

SoftGrid 4.2 will be a desktop only release, i.e. not for Terminal Server.  It will include Vista support for the sequencer and the client.  Expect to see a release around July.

Credit: Bink.

The April edition of this free online magazine is available to read.  The focus is on infrastructure management and administration.

Administration:

• Disaster Recovery: AD users and groups.
• Windows XP Embedded

Management:

• System Center Capacity Planner: Estimate and plan your infrastructure using modeling.
• Advanced client inventories using SMS.
• SMS 2003 R2 Inventory Tool for Custom Updates (also see my whitepaper).

Bink reported that Microsoft is working on a server version of the BDD 2007 toolkit.  It will be available in Q1 2008.  It will support W2003 and Longhorn.  It will also integrate with Configuration Manager 2007 (note that Windows Deployment Services is integrated with CM 2007 Beta 2 for desktop deployment).

There will be a series of beta releases.  We will see an early release this summer for Longhorn Beta 3 and CM 2007 which should also RTM around then.  Beta 2 will be out around Q4.

My gut is telling me that this will be the successor to the little known Automated Deployment Services (ADS).  I’ve used this image based solution before for deploying servers.  It’s complicated but very powerful if you choose to use the full functionality of the product.

Source: Bink

The Irish Independent is reporting (free sign-up required) that a laptop was stolen from the constituency office of the Taoiseach (the prime minister of Ireland).

This story reinforces how important it is to implement roaming device security.  I’ve talked about this sort of thing over and over before but here we go again …

First, let’s get something out of the way.  Security is the opposite of usability.  You must find the right balance between the two.  This is not usually a one-size-fits-all policy.  I’m not saying that you should treat every person/computer differently.  That’s the sort of madness that only over zealous (in)security offices come up with.  Create a set of polices that cover a reasonable number of scenarios and clearly document and communicate them.

Physical security cannot be guaranteed for roaming devices, even in your own office.  I’ve known a finance company in London where burglars dressed as cleaners walked past a dozing security guard and walked away with every laptop they had time to find.  You can try to use security cables but these can be cut by someone who is prepared.  This might not include the casual burglar but anyone targeting your data will be prepared.  Don’t think this is realistic?  Hah!  Aren’t you naive!  If your business data is valuable to you then it’s way more valuable to your competitors.  I’m not saying you need to lock down every roaming device but you might want to consider it for those with critical data.

Any roaming device with sensitive data that cannot be physically secured should be encrypted.  Let’s look at that sentence:

• A roaming device is not just laptops.  There are laptops, tablet PC’s, PDA’s and mobile/cell/handy phones.  Each of these is capable of storing sensitive data.  We often think of securing laptops and tablets but we rarely consider the device that is most likely to be not only used by directors, government ministers, etc (the mobile phone or PDA) and is also most likely to be stolen or lost.
• Sensitive data … ask a user if they have sensitive data on their PDA or laptop and they’ll say "No … I just use it for email".  That there is the most sensitive data.  Look at the major corporate lawsuits or political scandals these days and what documentation is being used?  Email.  What is the only IT business application that senior management use?  Email.  What is used to share most valuable documentation?  Email.  Anyone using a laptop or PDA for email (which is 99% likely these days) will have a local replica of their inbox and will likely have the attachments (at least the most valuable ones) on local storage..  This must be secured.
• Passwords are not a long term security solution against a determined attack.  If you store files on a machine and secure them or the machine with passwords, PIN’s, etc, then you can gain access with a few easy steps.  Some manufacturers include biometrics but that’s just another password.  A TV show even documented how to bypass this security method.  The only solution is to encrypt the data with a strong algorithm to make it unreadable to unauthorised users.

There’s two approaches to encryption:

• Encrypt the files: Using something like EFS in Windows.  This usually requires some effort on the part of users.  It will not secure mail.  I don’t like it because of the reliance of effort on the part of users.  I prefer things to be completely automated.
• Encrypt the hard disk:  This encrypts the entire contents of the mobile device.  This is my favoured approach.  Access to the device is secured by physical token or a passphrase.  There is no bypass like with traditional password protection because the data itself is encrypted.

There’s plenty of encryption solutions available.  Some versions of Windows Vista include BitLocker for complete disk encryption.  It’s OK if you have the right versions and don’t want to implement a management solution, i.e. for ad-hoc device security.  The downsides are lack of centralised policy, management, passphrase recovery and it requires that you know before you build the machine that you want to encrypt the hard disk because it requires a dedicated partition 0.

I prefer a dedicated solution that will offer centralised deployment, policies, passphrase recovery and cross platform security:

• Centralised Deployment: From a console, you can deploy your agent to targeted devices.
• Centralise Policies: You can deploy a preset collection of well defined and managed policies to devices.
• Passphrase Recovery: What do you do when your boss calls at midnight from Tokyo saying that he forget his passphrase and needs access to his laptop for a business deal?  If you can’t reset their passphrase using  across-verification method then you shouldn’t count on being around for much longer.
• Cross platform support: Remember that you need to secure all mobile devices, not just laptops.  Using a single solution will simplify deployment and management while minimising mistakes.

I like Safeboot for this sort of thing.

Don’t forget document security!  We often focus on device security.  Have you heard of a sales person or manager who is leaving who is caught email sensitive documents to their future employer or a personal email account?  I have seen it personally … a few times.  No amount of folder permissions or encryption will stop this because these people need access to these files to do their jobs.  Could you put them on gardening leave when they hand in their notice?  Sure … but if they’re clever they’ll have copied the data before they told their employers about their intentions.  The solution here is to implement file level encryption or authentication using something like Windows 2003 Rights Management Services.  This solution will use a PKI to place encryption on documents or emails so that unauthorised internal or users cannot read or modify (depending on the security put in place) the document or email.  This secures you against employees copying data externally or deliberate/accidental leaks.

Given enough time with mobile devices on your network, some of them are going to be stolen or lost.  You might have a scenario where a sneaky or unhappy employee tries to copy/leak sensitive data.  If you implement the above solutions then you’ll be able to sit back and watch things, knowing that your organisation is safe.

Microsoft has released a whitepaper that describes how to configure QoS on Windows Vista so that you can prioritise certain network protocols.

There is a new whitepaper from Microsoft, Dell and Platespin.  It discusses using virtualisation technology for disaster recovery.

OM 2007, the successor to MOM 2005, has been released.  I’m a huge fan of MOM 2005.  I haven’t had a look at OM 2007 since early betas last Summer but it’s shaped up to be a worthy successor.

The drive towards Microsoft’s Dynamic Systems Initiative continues with OM 2007.  Features from ITIL/MOF are present in the form of service modeling.  Also of interest, Audit Collection Services (ACS) introduces a new function to centrally gather important security event log entries to a central database.

There’s way more than I can cover in a single blog post.  I’ll save the electronic rain forest and just give you a few links:

• Evaluation Edition Download
• Online Demo
• Features overview datasheet
• What’s new and why upgrade?
• Overview whitepaper
• Audit Collection Services
• Client monitoring