Keith Combs' Blahg

Ramblings from another nerd on the grid

Screencasts

  • Windows Vista Product Guide screencast - Security Center

    Windows Security Center (WSC) helps make your PC more secure by alerting you when your security software is not up-to-date or when your security settings have potential weaknesses that should be corrected. For example, WSC shows you the status of your firewall settings and tells you whether your PC is set up to receive automatic software updates from Microsoft.

    WSC originally debuted in Windows XP SP2. In response to feedback from customers and third-party security companies, Microsoft has made improvements to WSC in Windows Vista, including showing the status of antispyware software, Internet Explorer security settings, and User Account Control. In addition, WSC can monitor multiple vendors’ security solutions running on a computer and indicate which are enabled and up-to-date—a feature that other security center solutions do not have or do not do as well as WSC. Windows Security Center monitors the following security components for Windows Vista.

    Firewall: Windows Security Center monitors the installation of a firewall solution, including the Microsoft Windows Firewall and third-party solutions. WSC monitors the presence of a firewall solution as well as the security state of the firewall. If any issue is detected with the firewall state, the user is alerted and provided with an appropriate guided experience to correct the problem from within Security Center.

    Automatic Updates: Windows Security Center verifies that Automatic Updates is enabled and using Microsoft’s recommended settings. If the Windows Automatic Updates service is not running or if settings differ from the recommended settings, the user receives an alert notification and will be provided with a way to enable Automatic Updates in WSC.

    Antivirus: Windows Security Center verifies the installation of antivirus solutions. When present, WSC reports whether real-time scanning is enabled and if the virus signature files are up-to-date. If any of these conditions are not met, the user receives an alert notification and is prompted with a way to resolve the problem.

    Antispyware and other malware protection: Windows Security Center verifies the installation of third-party antispyware solutions as well as Windows Defender. When a third-party antispyware solution is present, or Windows Defender is on, WSC reports on whether scanning is enabled and if the spyware definition files are up-to-date. If any of these conditions are not met, then the user receives an alert notification and is prompted with a way to resolve the problem.

    Internet security settings: Windows Security Center monitors the security settings that are associated with Internet Explorer and alerts the user whenever those security settings are lower than the recommended levels, which might put the user at risk. WSC provides a restore button: the user can either have WSC fix the settings automatically or be taken to the control panel to fix the settings manually.

    User Account Control: To help ensure a safer computing experience, the User Account Control (UAC) service and policy must not be disabled or degraded. Windows Security Center monitors the status of UAC and notifies the user if UAC has been changed to a setting different from what Microsoft recommends. WSC provides a button to restore UAC to the recommended settings in this case.

    The Screencast

    http://msinetpub.vo.llnwd.net/d1/keithcombs/p79SecurityCenter.wmv

  • Windows Vista Product Guide screencast - Windows Defender

    Windows Defender (formerly known as Microsoft AntiSpyware) is a feature of Windows Vista that helps customers protect their computer against pop-ups, slow performance, and security threats caused by spyware.

    Windows Defender lets you make conscious choices about software installed on your PC by providing always-on protection that monitors key system locations, watching for changes that signal the presence of spyware. Superior scanning and removal technologies use up-to-date spyware definitions created by Microsoft, with help from Windows Defender users who submit reports of potential new spyware.

    From installation to maintenance and updates, Windows Defender is simple to use and comes with preconfigured settings and guidance to help you become more secure. An improved user interface gives you more control over your software. Common tasks such as scanning, blocking, and removing unwanted software are easier than ever, and a Software Explorer helps you understand which software and services are running on your computer and stops or disables “rogue” software. Windows Defender automatically handles many common tasks and interrupts or alerts you only in the case of issues that require immediate action.

    Windows Defender takes advantage of many of the platform enhancements in Windows Vista, including improved caching technology that allows scans to run faster and User Account Control, which enables the software to run without requiring the user to elevate privileges to scan or remove spyware from the system.

    Integration with Microsoft Internet Explorer allows downloaded files to be scanned before they are saved or executed, reducing the chance that spyware might be installed by accident. “Scan on execute” functionality provides an added layer of protection, and integration with Windows Security Center helps you keep track of spyware protection alongside other security and safety features.

    Windows Defender is available for Windows XP Service Pack (SP) 2, Windows Server 2003 SP1, and Windows Vista.

    Only genuine Windows customers can receive product downloads, Windows updates, and special offers. Windows Defender will validate that your copy of Windows is genuine before installation on Windows XP SP2 and Windows Server 2003 SP1. Furthermore, Windows Defender will only remove severe threats for machines that are not genuine. Low, medium, and high threats will be detected, but not removed unless your copy of Windows is genuine.

    The Screencast

    http://msinetpub.vo.llnwd.net/d1/keithcombs/p75WindowsDefender.wmv

  • Windows Vista Product Guide screencast - User Account Control

    Most user activities, such as surfing the Web, sending email, and using productivity applications, do not require administrative privileges. Yet most people log on to their home PC with an account that has full administrator privileges. This puts the PC at greater risk from viruses, spyware, and other threats.

    User Account Control (UAC) in Windows Vista makes it easier to use your PC with standard user privileges. You can create a separate user account for each member of the family and control which websites, programs, and games each person can use and install.

    UAC also helps families with children protect their PCs from malware such as viruses, worms, and spyware that might be hidden in programs that appeal to children. UAC makes it practical to give children their own standard user account, so that if a child tries to install a new piece of software, the system will prompt for an administrator account password to approve the action.

    Even when you use an administrator account, UAC provides additional protection. By default, most programs run with the permissions of a standard user, which limits the potential damage they can do.

    If you need to start a program that requires administrator privileges, the system will prompt you for an administrator password.

    The Screencast

    http://msinetpub.vo.llnwd.net/d1/keithcombs/p74UserAccountControl.wmv

  • Windows Vista Product Guide screencast - Windows Update

    As a licensed user of Windows Vista, you are entitled to software updates to the operating system periodically released by Microsoft. These include upgrades to Windows Vista features, updates that improve reliability and performance, and updates that provide new security protections against malware and other potentially unwanted software. Microsoft might also provide software updates to improve performance or reliability that are supplied by your computer manufacturer for other software and hardware components on your PC.

    Windows Update determines which updates are applicable to your computer and can download and install them automatically if you choose, keeping your computer up-to-date and more secure.

    Advances in Windows Update

    In Windows Vista, the capabilities of Windows Update make updating easier and less disruptive.

    • Easier. In Windows Vista, Windows Update can automatically download and install both High Priority and Recommended updates. Previously, only updates classified as High Priority could be installed automatically, and users had to manually select and download other available updates.
    • Less disruptive. Updating occurs in the background, and flexible options are provided for completing the updating process. If an update requires a restart to complete installation, you can schedule this for a specific time when it won’t disrupt your work. You can also postpone a previously scheduled restart until your current work is complete. And when a software update applies to a file in use, Windows Vista can save the application’s data, close the application, update the file, and then restart the application.

    Using Windows Update

    To make sure your computer stays up-to-date, Microsoft recommends using the Automatic Updates feature of Windows Update. This ensures that both High Priority and Recommended updates are downloaded and installed in Windows Vista. This preference option is provided during the initial setup of Windows Vista, or you can set it at any subsequent time.

    For users interested in taking a more active role in managing the update process, Windows Vista includes a range of preference options. These provide control over how you are notified about the availability of updates, as well as the option to review and approve updates before they are downloaded or installed.

    At any time, you can also proactively check to see if any updates are available for your PC. The Windows Update control panel allows you to scan for updates, review details about each one, access your updating history, and manage your updating preferences.

    The Screencast

    http://msinetpub.vo.llnwd.net/d1/keithcombs/p73WindowsUpdate.wmv

  • Windows Vista Product Guide screencast - Windows Firewall

    A firewall is a critical first line of defense against many types of malware. Properly configured, it can stop many kinds of malware before they can infect your computer or other computers on your network. Windows Firewall, which comes with Windows Vista, is turned on by default and begins protecting your computer as soon as Windows starts. The Windows Firewall Control Panel is designed to be easy to use, with several configuration options and a simple interface.

    More advanced than the Windows Firewall in previous versions of Windows, the firewall in Windows Vista helps protect you by restricting other operating system resources if they behave in unexpected ways—a common indicator of the presence of malware. For example, if a component of Windows that is designed to send network messages over a given port on your PC tries to send messages via a different port due to an attack, Windows Firewall can prevent that message from leaving your computer, thereby preventing the malware from spreading to other users.

    The Screencast

    mms://wm.microsoft.com/ms/inetpub/keithcombs/p73Firewall.wmv

  • Windows Vista Product Guide screencast - Windows Experience Index

    When you do advanced tasks with your PC, the performance capabilities of your PC hardware—the processor, memory, graphics card, and storage—can make a big difference. But understanding these capabilities and how they interact can be challenging.

    Windows Vista introduces Windows Experience Index (WEI) to help you understand your PC’s performance capabilities, and to ease the task of buying new PCs, hardware, and software.

    Windows Experience Index is a simple, numeric system that rates how well your PC can run the performance-oriented features in Windows Vista, such as the new Windows Aero user interface, multiple monitors, high-definition TV, and personal video recording. The numerical rating can also help you match the right software to run on your PC.

    The Windows Experience Index rating is determined during the installation of Windows Vista. The rating is computed by running a set of capability tests on five critical hardware components:

    Each test results in a capability score between 1 and 5.9 for the component. Since a PC’s performance is limited by the lowest performing component, the overall test result, or “base score,” for the PC is determined by the lowest of the five scores.

    The rating system is particularly useful for consumers when:

    • Buying a new PC: The WEI score of a PC can help you determine if it will be able to perform well in its intended use and take advantage of all of the capabilities of Windows Vista.
    • Upgrading a PC: The WEI scores can be used to determine which PC component would be the most beneficial to upgrade and what performance change you might expect.
    • Buying software: Microsoft is working with software developers to include the recommended Windows Experience Index score on software packages. When buying new software, consumers will be able to use this score to determine if their PC would be able to run the software well.

    Retailers and PC, hardware, and software manufacturers can also use the Windows Experience Index to help customers shopping for PC hardware and software by:

    • Displaying the Windows Experience Index of the PCs and components they sell
    • Better informing customers about the recommended system requirements needed to run their software
    • Enabling customers to compare the performance ratings of different products

    The Screencast

    mms://wm.microsoft.com/ms/inetpub/keithcombs/p26WindowsExperienceIndex.wmv

  • Windows Vista Product Guide screencast - Welcome Center

    As people begin using a computer for the first time, they typically complete a set of tasks to optimize the computer for their use. Such tasks include connecting to the Internet, adding user accounts for different people, and transferring files and settings from another computer. Windows Vista includes Welcome Center, a screen that presents all of these tasks in one easy-to-find place so users can easily and quickly set up their computer and do so on their own schedule. Below the tasks for Windows is a pane where the computer manufacturer can list tasks and offers. Welcome Center automatically appears when the computer is used for the first time and can optionally appear on future starts as well.

    The Screencast

    mms://wm.microsoft.com/ms/inetpub/keithcombs/p23WelcomeCenter.wmv

  • Windows Vista Product Guide screencast - Computer Setup

    Windows Vista significantly simplifies the process of setting up a new computer. Users are asked to complete only the most essential tasks so they can get to their desktop as soon as possible and begin enjoying their new computer. Users can quickly review their language and country settings, and review and accept the Microsoft Windows and computer manufacturer license terms. They then create a user account with their username and password, and personalize their computer with a unique computer name and desktop wallpaper. After selecting automatic updates for Windows to help keep their computer up-to-date, and reviewing their date and time settings, users can view optional offers from the computer manufacturer and begin using their computer immediately.

    The Screencast

    mms://wm.microsoft.com/ms/inetpub/keithcombs/p23ComputerSetup.wmv

  • Windows Vista Product Guide - Shadow Copy screencast

    Matt Hester, resident TechNet Search guru has posted another screencast from our Windows Vista Product Guide screencast series.  Head on over to http://blogs.technet.com/matthewms/archive/2007/07/23/windows-vista-product-guide-screencast-shadow-copy.aspx for an excellent article on Shadow Copy complete with an awesome demonstration he captured using Camtasia v4.01.

    Next Monday we'll have another feature blogged and demonstrated by Chris Henley.  When he gets that posted, I'll let you know.

  • Windows Vista Product Guide screencast - Sidebar and Gadgets

    For those of you unfamiliar with Windows Vista, we have a great feature reference called the Windows Vista Product Guide.  My team has recorded over fifty demos of those features and we have every inclination to do the whole guide.  That's about 200+ demos we'll deliver via screencasting.  To kick this off, I thought I'd do something fun and kewl that is immediately noticeable when you install Windows Vista.

    The Windows Sidebar is a pane or dock for applications known as Gadgets.  This surface by default sits on the right hand side of your screen and is a container that developers can use for mini applications.  The Windows Sidebar is a cousin to the Windows SideShow.  For those of you using wide screen monitors, this is a nice location for those applications.  In a multimon configuration, you could also set the location of the Sidebar to be on a particular monitor.

    Gadgets are mini applications with a variety of possible uses. They can connect to web services to deliver business data, weather information, news updates, traffic maps, Internet radio streams, and even slide shows of online photo albums. Gadgets can also integrate with other programs to provide streamlined interaction. For example, a gadget can give you an at-a-glance view of all your online instant messaging contacts, the day view from your calendar, or an easy way to control your media player. Gadgets can also have any number of dedicated purposes. They can be calculators, games, sticky notes, and more.

    Where do I get them?

    Gadgets can be added by right mouse clicking the Sidebar and selecting the "Add Gadget" menu item.  When you do, you'll see the mini gadget gallery depicted in the screenshot on the right.  This is a small subset of the gadgets that have been developed.  In fact, there are over 1100 at the time of this writing.

    If you want to see all of the available gadgets, click the link in the bottom right hand corner of the gadget listings.  This will take you to the online gallery at http://vista.gallery.microsoft.com/vista/SideBar.aspx?mkt=en-us.  Keep in mind I'm in the US so your link will be slightly different depending on your locale.  Once there, you can also click a button to "See all gadgets" which takes you to another gallery at http://gallery.live.com/.

    What about security?

    For those of you wondering about the security of these applications, I invite you to review the documentation at http://msdn2.microsoft.com/en-us/library/aa965881.aspx since it discusses the security context applications execute as, UAC interaction, etc.  For those of you responsible for managing Windows Vista corporate desktops, there are group policies available to control the following:

    • Turn off Windows Sidebar. This policy allows administrators to completely disable the Windows Sidebar. The user cannot start the Windows Sidebar if this policy is enabled.
    • Disable unpacking and installation of gadgets that are not digitally signed. This policy allows an administrator to require that all gadgets installed by a user are digitally signed. This policy only affects gadgets that are downloaded and then run, such as double-clicking on a gadget package. All previously or manually installed gadgets will still function.
    • Turn off user-installed Windows Sidebar gadgets.  This policy provides administrators with the ability to block all gadgets not placed into the Shared Gadgets or Gadgets folders (in the Sidebar Program Files folder), both of which can only be modified by a user in the administrator group. Gadgets in the user's directory will not display in the Gadget Gallery dialog box or be allowed to run.
    • Override the more gadgets link. By default, this link points to an online Microsoft website; however, administrators can specify that this link point to another website. Administrators can then more easily distribute gadgets that are approved for use within their organization.

    While gadgets would appear to be "cute" at first glance, don't underestimate their power.  During my research, I stumbled across a very creative PowerShell gadget from Mindscape developed by Andrew Peters.  This means you don’t have to fire up your command shell all the time.  Instead, just type your command into the sidebar to execute it. If you need data displayed, the fly-out mode displays the output for the command.  Scary huh?

    I also just noticed Michael Murphy has a blog post about a wine gadget.  Michael is the team wine connoisseur so it didn't surprise me to see him locate such a mission critical app.  :)

     

    The Screencast

    mms://wm.microsoft.com/ms/inetpub/keithcombs/p52sidebargadgets.wmv

    Next Up

    Matt Hester will be posting the next screencast on a feature in the Windows Vista Product Guide.  Matt will be writing and demonstrating the Shadow Copy technologies so stay tuned for that.  I'll post a link when he has it online.

    Enjoy!

  • Windows Server 2008 screencast - Core Read Only DC creation

    If you took a look at my previous Windows Server 2008 screencasts, you'll recall we left off with a Core server that had been activated and joined to our test domain.  Sorry for the delay, end-of-year happened.  Now things get interesting.  This time, we're going to take that member server and convert it into a Read Only Domain Controller (RODC).  Now you might be thinking, why on earth is Microsoft creating such a feature set?  Isn't this beast a throwback to the NT read-only BDC days?  Nope. 

    A Read Only Domain Controller (RODC) is an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. An RODC is designed primarily to be deployed in a branch office environment. Branch offices typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and little local IT knowledge.

    RODCs address some of the problems that might be caused by branch office locations that either have no domain controller or that have a writable domain controller but not the physical security, network bandwidth, and local expertise to support it. The following characteristics of RODCs help to solve these problems:

    • Read-Only Active Directory Database
    • Unidirectional Replication
    • RODC Filtered Attribute Set
    • Credential Caching
    • Administrator Role Separation
    • Read-Only Domain Name System

    In this screencast, we are going to convert a Windows Server 2008 Core virtual machine into a read-only domain controller (also a VM).  The VM is currently just a member server in the contoso.com domain.  Conversion is pretty easy using a tool that has been around for years and years called DCPROMO.

    For our screencast, we are going to focus on credential filtering or more accurately password caching depending on your point of view.  We'll get to some of the other features in future screencasts.  By filtering, I mean that we can limit the Kerberos tickets/passwords that are cached on a RODC.  Now why on earth would you want to do that?  Well, think about the thieves of the world.  If someone breaks into your branch location, would you rather that server disappear with all of your ids and passwords, or a much smaller subset of the overall organization?  I think most people would agree a much smaller subset is more prudent.

     

    Running DCPROMO in text mode

    DCPROMO is normally a nice GUI wizard that can be executed unless you are staging servers and running the command line version.  Running the GUI wizard presents a problem when trying to run it on a Windows Server 2008 Core machine because we don't have much of a GUI at all.  To work around this, we can run DCPROMO via the command line using a file with the details of the implementation we want.  You'll notice in the text file we create (indicated below), we want the result of the promotion to be a ReadOnlyReplica.  The text file contents below are an incomplete implementation of the details.  You'll need to modify them in order to meet your local implementation needs.  See the documentation (references at the bottom) for the full details of the parameters in this file.

    [DCInstall]
    InstallDNS=Yes
    ConfirmGc=No
    CriticalReplicationOnly=No
    DisableCancelForDnsInstall=No
    OnDemandAllowed=The name(s) of groups whose members' passwords will be allowed to be cached on the RODC
    OnDemandDenied=The name(s) of groups whose members' passwords will NOT be allowed to be cached on the RODC
    Password=Domain Admin password
    RebootOnCompletion=No
    ReplicaDomainDNSName=Full DNS name of the domain
    ReplicaOrNewDomain=ReadOnlyReplica
    ReplicationSourceDC=Name of a Windows Server 2008 domain controller in the same domain
    SafeModeAdminPassword=Choose an appropriate password to use for Directory Services Restore Mode
    SiteName=RODC Site Name
    UserDomain=DomainName
    UserName=Domain Admin account name

    Now that we know what dcpromo expects, we can simply kick it off on the command line as follows:

    dcpromo /unattend:myfile.txt

    myfile.txt can be any name you choose.  The contents are the important part, not the name.  That's always confusing to me when some programs expect a particular filename.  Silly programmers.  Can't live with em, can't ...

    After dcpromo starts running, you'll know pretty quickly if you have the appropriate permissions and network connectivity.  It installs the binaries it needs and starts communicating with the source DC rather quickly.  After it downloads the schema and objects, you'll be prompted for a reboot.  As indicated in the parm file above, you can reboot automatically at the end of the installation.  After the reboot is complete, you can start filtering the cached credential list. So how do we filter this list?   Easy! 

     

    Creating Password Replication Policies

    After the member server is converted, you'll see the machine account move to the Domain Controllers container in Active Directory.  Using the Users and Computer management console, we can review and modify the properties of our new RODC.  While looking at the properties for the RODC, you'll notice a new Password Replication Policy tab page.  From that page, we can modify the policies by explicitly allowing or denying password caching, checking the status of cached creds on our server, and checking the status of authentication. 

    If you are confused by multiple policies, we have a tool that can be executed from the Resultant Policy tab page and will give us the results of all policies that are applied to a particular principal.  This is a great way to see who was allowed and therefore has cached creds, who was denied implicitly, and who was denied explicitly.

    Now if you are worried about WAN traffic and latency from the branch location to the home office data center, you can always stage and pre-populate the credentials.  See the screencast for how to do that.
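    The answer-file procedure and the Resultant Policy tab described above, as an added example that is not Keith's code or any Microsoft tool: a Python script that checks a [DCInstall] answer file before it is handed to dcpromo (ReplicaOrNewDomain really is ReadOnlyReplica, none of the template's placeholder text survived, no group sits in both caching lists) and then computes the resultant password replication policy for a few constructed accounts the way the Resultant Policy tab would. It relies on the RODC rule that an explicit deny beats an allow and that anyone matching neither list is implicitly denied; the comma-separated group-list syntax, the sample file, the group names and the memberships are all constructed for the example.

```python
"""Pre-flight a dcpromo [DCInstall] answer file for an RODC promotion and
compute the resultant Password Replication Policy (PRP) for some principals."""
import configparser
from typing import Dict, List, Set

# Placeholder descriptions exactly as they appear in the template answer file.
# Any of these surviving in a real file means the field was never filled in.
TEMPLATE_PLACEHOLDERS = {
    "OnDemandAllowed": "The name(s) of groups whose members' passwords will be allowed to be cached on the RODC",
    "OnDemandDenied": "The name(s) of groups whose members' passwords will NOT be allowed to be cached on the RODC",
    "Password": "Domain Admin password",
    "ReplicaDomainDNSName": "Full DNS name of the domain",
    "ReplicationSourceDC": "Name of a Windows Server 2008 domain controller in the same domain",
    "SafeModeAdminPassword": "Choose an appropriate password to use for Directory Services Restore Mode",
    "SiteName": "RODC Site Name",
    "UserDomain": "DomainName",
    "UserName": "Domain Admin account name",
}

# Constructed sample file: two fields were deliberately left at the template
# text and one group appears in both lists, so every check below has something to report.
SAMPLE_ANSWER_FILE = """\
[DCInstall]
InstallDNS=Yes
ConfirmGc=No
CriticalReplicationOnly=No
DisableCancelForDnsInstall=No
OnDemandAllowed="Branch-Users","Branch-Laptops"
OnDemandDenied="Domain Admins","Branch-Contractors","Branch-Laptops"
Password=Domain Admin password
RebootOnCompletion=No
ReplicaDomainDNSName=contoso.com
ReplicaOrNewDomain=ReadOnlyReplica
ReplicationSourceDC=dc1.contoso.com
SafeModeAdminPassword=Choose an appropriate password to use for Directory Services Restore Mode
SiteName=Branch-Dallas
UserDomain=contoso
UserName=administrator
"""

# Constructed group memberships standing in for what AD would report.
SAMPLE_MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"Branch-Users"},
    "bob": {"Branch-Users", "Domain Admins"},
    "carol": {"Branch-Laptops"},
    "dave": {"Finance"},
}


def parse_answer_file(text: str) -> Dict[str, str]:
    """The file is INI-shaped, so configparser is enough; key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    if "DCInstall" not in cp:
        raise ValueError("missing [DCInstall] section")
    return dict(cp["DCInstall"])


def split_group_list(value: str) -> Set[str]:
    """ASSUMPTION: a comma-separated list of optionally quoted group names.
    Check the dcpromo documentation for the exact syntax your build expects."""
    return {g.strip().strip('"') for g in value.split(",") if g.strip().strip('"')}


def validate_answer_file(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is ready for dcpromo.
    Remember the file carries the domain admin and DSRM passwords in clear text,
    so handle it as a secret and remove it from the server once promotion is done."""
    settings = parse_answer_file(text)
    problems: List[str] = []
    if settings.get("ReplicaOrNewDomain") != "ReadOnlyReplica":
        problems.append("ReplicaOrNewDomain must be ReadOnlyReplica for an RODC promotion")
    for key, placeholder in TEMPLATE_PLACEHOLDERS.items():
        value = settings.get(key, "")
        if value == "" or value == placeholder:
            problems.append(f"{key} is empty or still holds the template placeholder")
    allowed = split_group_list(settings.get("OnDemandAllowed", ""))
    denied = split_group_list(settings.get("OnDemandDenied", ""))
    for group in sorted(allowed & denied):
        problems.append(f"{group} is in both OnDemandAllowed and OnDemandDenied; deny wins, so its passwords are never cached")
    return problems


def resultant_policy(principal: str, member_of: Set[str], allowed: Set[str], denied: Set[str]) -> str:
    """Mirror the Resultant Policy tab: an explicit deny beats any allow, and a
    principal matching neither list is implicitly denied (password not cached)."""
    identities = member_of | {principal}   # the account itself may be listed directly
    if identities & denied:
        return "Denied (explicit)"
    if identities & allowed:
        return "Allowed"
    return "Denied (implicit)"


def resultant_for_sample() -> Dict[str, str]:
    settings = parse_answer_file(SAMPLE_ANSWER_FILE)
    allowed = split_group_list(settings["OnDemandAllowed"])
    denied = split_group_list(settings["OnDemandDenied"])
    return {p: resultant_policy(p, groups, allowed, denied) for p, groups in SAMPLE_MEMBERSHIP.items()}


if __name__ == "__main__":
    for problem in validate_answer_file(SAMPLE_ANSWER_FILE):
        print("CHECK:", problem)
    for user, verdict in resultant_for_sample().items():
        print(f"{user:6} {verdict}")
```

    Run it against your own answer file by swapping SAMPLE_ANSWER_FILE for the file contents; with the constructed sample it reports the two unfilled password fields and the Branch-Laptops overlap, and shows that bob is denied through Domain Admins even though he is also in an allowed group, while dave is denied only because nothing matched him.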

     

    The Screencast

    The screencast covers pretty much everything you see written above and then some.  It's just over 11 minutes so it's a concise demo of the concepts and methods.  At the end of the screencast is a brief discussion of staging and pre-populating passwords for branch office server deployment.

    Watch it @ mms://wm.microsoft.com/ms/inetpub/keithcombs/ws2008/CoreRODCCreation.wmv

    If you have a podcatcher that supports Windows Media Video, you'll notice I have a link to the video in the attachment section at the bottom of this post.  This will create an RSS <enclosure> and allow you to pull it off my server.  If you aren't using a podcatcher, then you can right mouse click the link and save it locally for offline viewing and listening.

     

    Additional Resources and References

    TechNet RODC Step-by-Step @ http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true.

    Windows Server 2008 Technical Library @ http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true.

    Michael Murphy's webcast on Windows Server 2008 Active Directory @ http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032343629&CountryCode=US.

    Maria Green's blog post @ http://blogs.technet.com/mariaj/archive/2007/05/28/windows-server-2008-scenarios-part-iii.aspx.

    Arlindo Alves' blog post @ http://blogs.technet.com/aralves/archive/2007/03/22/longhorn-10-reasons-to-look-at-windows-longhorn-part-8-branch-office-deployments.aspx.

  • Before you buy, know your WEI

    Burn that little saying in your brain.  Have you ever purchased something you never were completely satisfied with?  I made my first major mistake on a Chevy truck.  Not because it was a Chevy, but because I cut corners and instead of getting the V8 I wanted, I opted for the V6 to save a few bucks. 

    The problem with that purchase was that it was a direct factory order.  I didn't test drive it because all of the trucks on the dealer lot were V8's.  It was one of those Chevy Silverado Extra cabs.  Loved the truck, but the V6 was just too sluggish on that large a truck.  I sold it and got the Chevy short bed with a V8.  Now that was a fun machine. 

    I bought a Dell Latitude D820 with the NVIDIA Quadro NVS 120M video chipset.  That was another mistake I made.  I need better graphics performance than the D820 delivers.  Of course at the time, I didn't have any way of knowing how the video chipset would perform with Windows Vista Aero Glass.

    The first Vista Ultimate build I installed last year scored a 3.1 Windows Experience Index (WEI).  I figured since we were still three months from shipping Windows Vista, it was a driver issue.  The WEI with the shipping Windows Vista driver was a 3.1.  That driver wasn't very stable and NVIDIA and Dell released another version of the driver a couple of months later that improved the stability but there was no improvement in performance.  Now I was getting worried.  What if it isn't a driver issue?

    Today, Dell and NVIDIA released their latest and presumably final version of the driver for this machine since it is no longer made.  As you can see to the right, there has been no improvement in performance.  In fact, this is the best they expect from this video chipset. 

    So how do you prevent this from happening to you? 

    Do your homework, or better yet, don't buy anything where the maker won't publish the WEI score.  How is this score created?  The WEI score is generated by winsat.exe.  The Windows System Assessment Tool (WSAT) is a tool that is run at Windows Vista initial setup and can be run manually by the user of the system.  Developers can also use it as a means to generate performance data which can be used in a variety of ways.  I would like to see the online buying websites display WSAT WEI score data based on configuration choices.  This would be a pretty simple provisioning addition.  If you want more information on WSAT, see the slides on the subject.  The bottom line, you won't know what your purchase experience will be like unless you have some standard data measurements from which to compare and make an informed choice from.  I didn't last year but I won't do that again.  Neither should you.

    Screencast

    See mms://wm.microsoft.com/ms/inetpub/keithcombs/p26WindowsExperienceIndex.wmv for a screencast on the subject.


    [UPDATE]  A question came my way from another Microsoft employee who I've known for years.  Kevin asked, "For a business machine, why do you need/want > 3.1 for the graphics adaptor?"  Good question. First of all, before you even need to consider the usage by applications you need to consider the overall performance of Windows Vista.  Then on top of that you need to consider what applications you plan to use.  For instance on my Intel T2500 based D820, the Vista inbox driver and the driver released in January were sluggish enough to make scrolling a page vertically in IE7 annoying.  Pile on business graphics from Excel or other resource consumers, and before you know it things are bogging down.

    Now granted I'm not a typical business user, if there is such a thing.  I typically run multiple operating systems via Virtual PC, demo this, demo that, so I'm taxing the hell out of a machine.  Ultimately you are the final judge of what the application mix is, but the reason I am pointing out this index is because over time, you'll learn to judge a potential purchase from these data points.  If your application mix runs fine on Windows Vista with a 3.1 WEI, kewl beans.  If not, you'll start to ascertain your minimum bar.

    The real question is how to force the PC makers to start revealing this data.  Only you can do that.  Make the information a stipulation for purchase.  Dollars talk. 

  • Keith Combs' Blahg

    The cat is out of the bag - Windows Vista Product Guide screencasts

    • 2 Comments

    You'll notice over the next couple of weeks that members of my team are going to be posting Windows Vista screencasts.  Our goal is to produce a screencast demo of every feature listed in the Windows Vista Product Guide.  At a minimum, that would be about 200+ screencasts.  That's a lot of information my friends.

    To create those screencasts, we are using TechSmith's Camtasia Studio v4.01.  We purchased copies of the software for everyone on my team.  I also purchased Plantronics .Audio 350 headsets for everyone.  Of course some of my colleagues needed some assistance so we did a couple of rounds of training.

    This project was my idea but there's no way in hell to pull it off without help.  Matt Hester, Chris Henley, Chris Avis, Kevin Remde, Bryan Von Axleson and Shawn Travers stepped up and produced a bunch of the goodies.  We're nowhere near done, but when we are, we plan to have a hypertext version of the product guide online so you can use the guide as a tour of all of the features in Windows Vista.  Pretty kewl idea, eh?

    If there are any other Microsoft employees that want to participate in this project, please contact me.  You'll need a copy of Camtasia and a good headset as a prerequisite.  Sorry, I don't have the budget to buy any additional software and hardware.

    I'll be posting articles and links to the screencasts I did very soon.  I hope you enjoy them and let me know if there are any recommended changes to the video format and delivery.

  • Keith Combs' Blahg

    Windows Server 2008 screencast - Core installation and initial configuration

    • 2 Comments

    Core to any server is the ability to service network requests.  In some cases, raw I/O is the goal.  In other cases, simultaneous streams might be the goal.  Windows Server 2008 Core is the engine for many of those cases.  Do you need a graphical user interface to run a server?  Not really, so let's see what this new Core implementation is all about.

    Setup

    The installation of Windows Server 2008 Core is nearly identical to a regular server install.  However, the end result is VERY different.  As with the previous screencast and install, we supply the product key, answer a few questions and we're off.  The Core installation is much quicker because there's less "stuff" to install.  This benefits you in a variety of ways.  Core consumes less disk space.  That's really obvious.  Since Core is a much smaller set of applications, processes and services, the potential attack surface or vulnerability landscape is much smaller.

    The Core installation will reboot your machine or VM a couple of times during device detection and installation.  Eventually you'll be presented with the login screen.

    [errata note] I made a mistake at the tail end of the setup portion of this screencast.  I said we were going to promote the Core installation to a DC, then to a RODC.  That is incorrect.  We will convert directly to a Read Only DC (RODC).

    Initial Configuration

    The best place to get information on how to set up and configure Windows Server 2008 Core is of course the Step-by-Step guide.  You'll learn a lot from this guide but of course doing is better than reading.

    As indicated in the screencast below, one of the first things you'll want to do is set the administrator password.  The guide shows the command line method.  Regardless of the method used, do it, do it fast.

    When you install the Core server, a machine name is generated and it isn't pretty like the one suggested by Windows Vista.  It starts with LH- followed by a nice string of characters.  You can of course create the machine name at setup if you are driving the setup process with an unattended installation script.  Unattended installation is pretty easy but for the purposes of this screencast, we'll defer that magic.  Make sure to use the following command to rename your server:

    netdom renamecomputer %computername% /newname:<NewComputerName>

    You can certainly use the command in the guide, but that means you need the generated machine name and I'm lazy.  The command above will grab the machine name from the %computername% variable.  Machine name changes require a reboot so you may want to hold off on that until you configure the network interfaces. 

    Activation

    To activate or not to activate, that is the question.  I would imagine you'll be testing and learning from your installation for longer than 30 days.  If that's the case, you must activate.  Activation is easy enough.  The following command assumes you have network connectivity to the Microsoft activation servers.

    slmgr -ato

    Slmgr is a .vbs script present in Windows Vista and Windows Server 2008.  It has a number of useful command line arguments.  For instance, the -xpr command will tell you if your license period is about to expire.

    Another useful argument is -ipk.  It comes in handy if you burn through all of the activations for a particular key and need to change it.  -rearm extends the grace period, but you can only rearm Windows a finite number of times.

    Installing Roles

    The one role or service installed by setup is the file server service.  You can bring up a computer manager and connect to the Core server and immediately create a share and start using it for file sharing purposes.  Some configuration of the firewall will likely be necessary for some of your designs.

    Installing roles is pretty easy.  Make sure to remember the role names are case sensitive to the installation tools.  I know, that's odd. In the screencast, we install the FRS-Infrastructure role.  There are a number of other possible roles.

    Role installation allows your Core server to potentially specialize.  By specialize, I mean you could strategically position certain Core servers on your network to handle specific types of demand.  This may seem contrary to the consolidation trend over the years, but also keep in mind that a Core server can run multiple roles, too.  The bottom line is that it's flexible.

    Just like its big GUI brother, the Core server can also install a number of features.  Those features include Failover Clustering, Network Load Balancing, Subsystem for UNIX-based applications, Backup and others.  Some of the features are only available in the Enterprise Core option.
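    The initial configuration steps above (password first, network and firewall, activation, role install, and the rename last because it forces a reboot) fit in one first-boot script.  This is an added example, not the screencast's own script or anything from the Step-by-Step guide.  It assumes a fresh Windows Server 2008 Core box where you are logged on as the local Administrator; NEWNAME, the adapter name and the static IP values are placeholders, and the role name is the FRS-Infrastructure one used in the screencast.  The activation check relies on slmgr -dli reporting "License Status: Licensed" once activation succeeds, and 3010 is the standard Windows "success, reboot required" exit code.

```batch
@echo off
rem core-firstboot.cmd: first-boot configuration for a Server Core 2008 box, in the
rem order this post recommends.  Added example, not the screencast's own script.
rem Placeholders: NEWNAME, NIC, STATIC_IP/NETMASK/GATEWAY.  Leave STATIC_IP empty to
rem keep DHCP.  Run as the local Administrator right after first logon.
setlocal EnableDelayedExpansion
set "NEWNAME=CORE01"
set "ROLE=FRS-Infrastructure"
set "NIC=Local Area Connection"
set "STATIC_IP="
set "NETMASK=255.255.255.0"
set "GATEWAY=10.0.0.1"
set "SLMGR=cscript //nologo %windir%\system32\slmgr.vbs"

rem 1. Administrator password.  "net user ... *" prompts twice and never echoes,
rem    so the password does not end up in the command history or this script.
echo [1/5] Set the local Administrator password now:
net user Administrator *
if errorlevel 1 (echo Password change failed & exit /b 1)

rem 2. Network first, since the rename at the end reboots the box.  Core ships with
rem    the firewall on; open only the rule groups that remote MMC management and
rem    the file server role actually need instead of turning the firewall off.
if not "%STATIC_IP%"=="" (
    netsh interface ipv4 set address name="%NIC%" source=static address=%STATIC_IP% mask=%NETMASK% gateway=%GATEWAY%
    if errorlevel 1 (echo Static IP configuration failed & exit /b 1)
)
netsh advfirewall set allprofiles state on
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

rem 3. Activation: skip -ato if the box is already licensed, and confirm the
rem    result by re-reading the license state rather than trusting an exit code.
%SLMGR% -dli | findstr /c:"License Status: Licensed" >nul
if errorlevel 1 (
    echo [3/5] Activating against the Microsoft activation servers ...
    %SLMGR% -ato
    %SLMGR% -dli | findstr /c:"License Status: Licensed" >nul
    if errorlevel 1 (
        echo Activation did not complete; check connectivity and run "slmgr -xpr" to see the grace period.
        exit /b 1
    )
)

rem 4. Role install.  Component names are case sensitive, and findstr is case
rem    sensitive by default, so this check catches a wrong-case name before it is
rem    handed to ocsetup.
oclist | findstr /c:"%ROLE%" >nul
if errorlevel 1 (
    echo "%ROLE%" is not a component name oclist knows ^(check the case^).
    exit /b 1
)
start /w ocsetup %ROLE%
set "RC=!errorlevel!"
if "!RC!"=="3010" (
    echo %ROLE% installed; the rename below will handle the pending reboot.
) else if not "!RC!"=="0" (
    echo ocsetup %ROLE% failed with exit code !RC!
    exit /b 1
)

rem 5. Rename last.  /force skips the confirmation prompt; /reboot:10 restarts
rem    in ten seconds so the new name and the role both take effect on next boot.
echo [5/5] Renaming %computername% to %NEWNAME% and rebooting ...
netdom renamecomputer %computername% /newname:%NEWNAME% /force /reboot:10
```

    If you drive setup with an unattended answer file instead, the password and machine name belong there and steps 1 and 5 drop out; steps 2 through 4 are still worth keeping as a post-setup script so every Core box you stand up gets the same firewall posture before you start sharing anything from it.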

    I'll be posting a screencast soon on how to convert a Windows Server 2008 Enterprise Core into a Read Only Domain Controller (RODC) and filter the authentication password list.  It's a very interesting demo so keep your eyes peeled for it.

    The Screencast

    This screencast is longer than the previous screencasts.  I combined the setup screencast with the configuration details screencast.  It's still pretty short at 18 minutes.  Let me know if you prefer smaller or bigger chunks of demo video.  The more complex the demonstration, the more I'll have to capture so the topics will naturally start to get longer.  Here's the direct link to the Windows Server 2008 Core Setup and Configuration screencast:

    mms://wm.microsoft.com/ms/inetpub/keithcombs/ws2008/CoreSetupAndConfig.wmv

    Additional Resources

    http://blogs.technet.com/server_core/default.aspx

    http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=582&SiteID=17 - Server Core TechNet forum

    http://www.microsoft.com/windowsserver2008/servercore.mspx

    http://www.microsoft.com/windowsserver2008/default.mspx

    http://www.microsoft.com/windowsserver2008/evaluation/overview.mspx

    http://www.microsoft.com/technet/windowsserver/2008/default.mspx

    http://www.microsoft.com/technet/traincert/virtuallab/longhorn.mspx

  • Keith Combs' Blahg

    Windows Server 2008 screencast - Server Manager

    • 3 Comments

    The Windows Server 2008 Server Manager is a portal of sorts to the installation, configuration, management and monitoring of the roles and features.  Your initial view of those roles and features will be rather empty because of course, you need to install the ones that are germane to your particular server.

    Initial Server Manager Stuff

    This screencast starts to get into the meat of WS 2008.  In Beta 3, there are seventeen roles that are available in the GUI version of Windows Server 2008 Enterprise.  The Core implementation of Enterprise has a different set of roles so we'll defer that discussion to some of the Core step-by-step screencasts I recorded. 

    None of the 17 roles are installed by default.  None of the 35 features are installed either.  That is by design.  The firewall is running and blocking traffic on initial setup of WS 2008 but very little else (from an attack surface perspective) is enabled initially in the server.  Role or feature installation is a wizard driven piece of cake.  You can also install roles via the command line if needed. 

    Does Server Manager just install roles and features?

    Nope.  Although you'll spend some time doing that initially, Server Manager is also a great management and monitoring tool.  Think of the WS 2008 Server Man as being a digital dashboard where you can get a quick view of the health and well-being of your server.  You'll see Server Manager provide a summary view of the services that are executing, warnings or other critical errors requiring your attention, and access to the tools to diagnose and fix problems.

    In the Summary view, you'll see computer, security, role and feature summary information.  At a glance you'll see if there is a warning or error.  Services that are having issues will be displayed and hot linked so that you can drill for more information and get to a root cause.  It's simple and fast.  It's task oriented.  I think you'll like it because it combines a good set of the overall Windows Server 2008 toolset into a single location.

    Must I use Server Manager for all of my server changes?

    Nope.  Although Server Manager consolidates many of the tools nicely, you can still use the administrative consoles that are specific to a service.  For instance, if you install the DNS server service, access to the DNS console is available from the administrative tools group.  You'll see that in the screencast demo.

    Does Server Manager run on Windows XP or Windows Vista?

    Nope.  I'm sorry to say that, but that's the current answer.  Now obviously that won't sit well with a lot of you so I'll just say that we're working on the remote administrative models and have some things cooking I can't disclose at this time.  However, you can use the usual tricks from your desktop.  You can always use Terminal Services or RDP for remote management.  In fact, that is one of the demos we're currently doing in our live seminars.  I publish Server Manager as an RDP application and use it from another Windows Vista VM.  I'll show you some of that in later screencasts as I show the tricked out VMs I built for our current content.

    The Screencast

    This screencast is a little longer than the previous two.  It's right at nine minutes but gives you a nice demonstration of the capabilities in Server Manager.  The next screencasts are around the Core Server implementation and we'll see how to install and configure an Enterprise Core server.  For now, check out the following direct link to the Windows Server 2008 Server Manager demonstration:

    mms://wm.microsoft.com/ms/inetpub/keithcombs/ws2008/ServerManager.wmv

    Additional Resources

    http://www.microsoft.com/windowsserver2008/default.mspx

    http://www.microsoft.com/windowsserver2008/evaluation/overview.mspx

    http://www.microsoft.com/technet/windowsserver/2008/default.mspx

    http://www.microsoft.com/technet/traincert/virtuallab/longhorn.mspx

  • Keith Combs' Blahg

    Windows Server 2008 screencast - Initial Configuration Tasks

    • 0 Comments

    Setting up Windows Server 2008 Beta 3 is pretty easy but there are a couple of initial configuration tasks that you should pay attention to.  Fortunately, like most of the recent product developments, we give you a nice checklist on what to do in a step-by-step manner.

    Initial Configuration Task Screen

    After you get through the install and setup of WS 2008, you'll notice that the administrative account is automatically logged into and you are presented with a screen with those steps.  What do you think the first step is?

    You guessed it!  Create a complex password for the admin account.  There are a number of simple steps in the first two sections of the task list.  Most of the real work takes place in section three with the WS 2008 Server Manager which we'll defer to another screencast I'll post shortly.

    The Screencast

    This screencast will take five minutes to view and is very straightforward.  Short is good.  In fact, all of the screencasts I'm doing are intentionally being kept as short as possible.  You'll see some subsequent demos take longer, but that's the nature of the beast as we go deeper and deeper into the topics.  So here's the link to the Initial Configuration Tasks screencast:

    mms://wm.microsoft.com/ms/inetpub/keithcombs/ws2008/InitialConfigurationTaskScreen.wmv


    Additional Resources

    http://www.microsoft.com/windowsserver2008/default.mspx

    http://www.microsoft.com/windowsserver2008/evaluation/overview.mspx

    http://www.microsoft.com/technet/windowsserver/2008/default.mspx

    http://www.microsoft.com/technet/traincert/virtuallab/longhorn.mspx

  • Keith Combs' Blahg

    Windows Server 2008 screencast - Setup

    • 4 Comments

    If you don't have the resources to install and begin using Windows Server 2008 Beta 3, you have other training options.  Over the course of the next few weeks, I'll be rolling out a bunch of screencasts to give you a great Technical Overview of the product.  The number of "casts" in this series will be high because I'm breaking the capturing into smaller chunks.

    For instance, this first screencast is a little over seven minutes in length.  How did I install Windows Server 2008 Enterprise in seven minutes?  Well, first of all I have a smoking fast Lenovo ThinkPad T60p.  That certainly helps but the real magic comes via the capturing tool, Camtasia.  Camtasia lets me pause the recording of the capture so a thirty minute progress bar can essentially be removed from your boredom.  So let's dive into the details of the product and tools.

    Setup

    Setup for Windows Server 2008 (WS 2008) could not be easier.  You won't find a ton of information on setup just yet but it's coming.  Setup isn't nearly as sexy as the services and features in the product.  If you spent some time learning the deployment tools with Windows Vista, that knowledge will come in handy.

    Windows Server 2008 installation is based on some of the same toolset and imaging technologies used by Windows Vista.  When you boot from the WS 2008 DVD, Windows PE executes and loads the installation Windows Imaging (WIM) file.  Within the WIM, you'll find multiple images that are available for customization and unattended installation.  The product key you enter tells Setup which image to load and install.  In the case of Windows Server 2008, you still need to give setup some help because there are two images for each key.  One for the GUI version of the product and another for the Core version.  We'll get to the differences in other screencasts down the road.

    For today's demo, we are going to go through the GUI based install of Windows Server 2008 Enterprise Beta 3.  In another demonstration, we'll go through the process of installing Enterprise Core.

    The Screencast

    The Setup screencast is a little over seven minutes and will stream directly off the microsoft.com cluster.  Although the screencast resolution is set to 1024x768, setup processing flips the resolution a few times so it isn't as perfect as some of the demos you'll see in demos coming over the next couple of weeks.  So here's the Windows Server 2008 Setup Demonstration:

    mms://wm.microsoft.com/ms/inetpub/keithcombs/ws2008/Setup.wmv


    Additional Resources

    http://www.microsoft.com/windowsserver2008/default.mspx

    http://www.microsoft.com/windowsserver2008/evaluation/overview.mspx

    http://www.microsoft.com/technet/windowsserver/2008/default.mspx

    http://www.microsoft.com/technet/traincert/virtuallab/longhorn.mspx

  • Keith Combs' Blahg

    Camtasia v4.01 ships for Windows Vista

    • 1 Comments

    There are a number of tools on the market to capture screen input and produce demonstrations and courseware.  When you start looking at tools, you'll obviously evaluate them against a number of criteria like performance, features you need, and the operating systems supported.

    During my team's testing, we discovered TechSmith's Camtasia v3.x was an excellent product and we have been using it pretty extensively for the past couple of years.  Most of that testing was exploring what types of demos work well from blogs and other publishing media server types.  Camtasia v3.x worked great with Windows XP and our virtual technologies so it became our preferred tool for capturing those demos.

    Well, Windows Vista side tracked our focus a bit and also threw a monkey wrench into our plans.  Camtasia v3.x wasn't compatible with Windows Vista and the version 4 product had some issues as well.  However, I am happy to announce TechSmith has released a Windows Vista compatibility update. 

    You can download the trial from http://www.techsmith.com/download/camtasiatrial.asp.  If you purchased Camtasia v4, you can download the trial and use it to update from v4 to v4.01 and pick up the Windows Vista fixes.

    Several members of my team have tested the v4.01 beta versions.  I just installed the v4.01 RTM product and thankfully I thought ahead and brought my headset to Orlando.  I'll be doing some demo captures over the next couple days so I'll let you know if I hit any snags.

  • Keith Combs' Blahg

    Windows Vista Complete PC Backup and Recovery screencast

    • 7 Comments

    Surely by now you've heard of Windows Vista Complete PC backup and recovery.  No?  Well, if you've ever managed to lose a hard drive, then you know how much fun it is to reinstall operating systems and applications.  Not to mention potentially losing ALL of your pictures, music, documents, and other business and personal data.

    Just yesterday, one of the managers in my group had the hard drive go belly up on her tablet pc.  If she was running Windows Vista, and if she had performed a Complete PC backup, she could have recovered from that catastrophic event in roughly 30-60 minutes (I'm guessing based on the average amount of data most people have).  This is only one isolated instance of bad stuff that can happen.  If you don't think it can happen to you, think again.

    Many of you have likely used some form of backup and recovery.  If not, you are in for a surprise the first time you boot Windows Vista.  We'll politely ask you to create a backup.  I would heed that advice and do it.  Right then.  After you've installed your favorite applications and copied personal data, do another backup.  Right then.  In fact, use Complete PC to do the backup to DVD and you'll now have a personal image of your shiny new Windows Vista installation complete with your personal touch.

    So how does Complete PC work?

    If you look closely, you'll see Complete PC borrows some ideas from the virtual machine world.  We do a physical to virtual state and data capture then write the results to the backup target media or drive in the form of a virtual hard drive.  Huh?  Yes, we write a bunch of information directly into a virtual hard disk file.  It has the .vhd extension and everything. 

    Can I mount the .vhd with Virtual PC or Virtual Server?

    I'm told you can.  I haven't tried it yet but may mess around with it a bit this weekend or next week.  I owe the Complete PC feature team some testing results so I can add this to the stuff I have planned.  Why would we allow this?  The only reason I can think of is to allow access to the data through another tool in case you manage to delete part of the backup set, but don't delete the .vhd file.  For instance, if you look in the directory that is created by the backup, you'll see a number of catalogs and XML files.  What if you manage to screw one of those up so Complete PC can't restore?  Well, as a last measure you could mount the .vhd in a VM and gain access.  You cannot boot the .vhd with our virtual machine products.

    So check out the screencast demo below and see what you think.  If you are used to other imaging products, you'll be very happy with the simplicity of Windows Vista Complete PC.  For more information on this and some of the other backup technologies, see http://www.microsoft.com/windowsvista/features/foreveryone/backup.mspx and http://www.microsoft.com/windowsvista/experiences/backup.mspx.

    Screencast Demo

    You can watch my Windows Vista Complete PC screencast directly from our streaming media server or download and watch the video later on your laptop or podcatcher.  The attachment below is an RSS enclosure for you podsters.  If you want to keep the demos for offline viewing, right mouse click the attachment below and copy it local.  Subscribe to my screencast RSS feed at http://blogs.technet.com/keithcombs/rss.aspx?CategoryID=11416.

    "See you" again soon.

    Errata

    I was just listening to the recorded media file and noticed the following silly things I said, and one thing that was technically not possible:

    1. I said at the end of the backup that it was the end of a webcast.  Silly me.
    2. I said the .vhd file was 5.8 meg instead of 5.8 gig.  Dork.
    3. I said during the beginning of the restore discussion that hopefully you'll have the Windows Vista Recovery Environment (RE) on a partition so that you can run Complete PC.  Uh, hello?  If you lose the drive, you lose the RE partition.  This is where the Windows Vista DVD comes in handy.

  • Keith Combs' Blahg

    Windows Vista Imaging screencast

    • 4 Comments

    Are you up to speed on the new imaging alphabet?  ImageX, BDD, WIM, WSIM, WinPE and various other glorious acronyms are discussed in the screencast below.  In the meantime, let me set the stage for some of the desktop imaging problems today, and the solutions Microsoft is delivering with the next generation operating system, Windows Vista.  Those technologies are being bundled into the Business Desktop Deployment (BDD) 2007 toolset.

    The Problem

    Ok, show of hands for those of you that have created a corporate desktop and rolled it out.  For all of you with your hand in the air, keep it up if it changed almost as soon as you deployed it.  In fact, I'd be willing to bet, the requirements for that desktop changed before you completed the rollout.  You can put your hand down.

    Every time the requirements change, a good desktop developer and integrator probably starts another version from the old desktop, or builds from scratch.  Many of you use the popular imaging tools on the market and they are lifesavers in terms of their ability to take a snapshot and blow those images down to a hard drive or do desktop replacement.  Thank god for multicasting, PXE and Windows Preinstallation Environment (WinPE).

    The problem is, every time you get a new driver, security patch, or requirement, you end up creating another version of that desktop and the number of images you maintain piles up.  Maintenance equals expense and studies have shown that the expense is considerable.  Enter from stage left, WIM.

    Windows Imaging (WIM)

    The Windows Imaging (WIM) format is new for Windows Vista.  It is the basis from which many of the tools are derived and is unique in many respects.  The WIM format is documented and used through the WIMGAPI SDK.  Documentation for the WIMGAPI is included with the Windows Automated Installation Kit (WAIK).  In other words, if you don't like our tools you can certainly make your own, and if history is any indication, there will be a healthy market for those tools when Windows Vista ships. 

    A WIM file is the store for the packages and components that are installed and make up Windows Vista.  The packages and components can also be non-Microsoft products.  This component specification is defined in the Component Platform Interface (CPI) reference.  This reference and guide is also included with BDD 2007 and WAIK.  Look closely at the CPI specifications, research, and test package management.  It's an important new set of services.  I don't demo the package management tools in this screencast, but I plan to cover it at a later date when I cover package creation, security patch updates and driver injection.

    ImageX

    ImageX is one of those tools that uses the API to do a variety of chores with one or more .wim files.  In the screencast, you'll see me use imagex to dump the content of a wim, mount a wim to a directory, export a particular image from a multi image wim into a new wim and other fun stuff.  As with all tools, the best way to learn this stuff is to experiment.  In my screencast, we use the install.wim from build 5520 which contains seven of the Windows Vista product SKUs.

    Imagex is also a core tool used to capture or take a snapshot of a hard drive after customization and sysprep.  A few of the imagex functions can only be used from WinPE and /capture is one of those. 
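    The ImageX chores from the screencast (dump a wim's image table, export one image into a new wim, mount it to a directory) chained into one script, as an added example for this post rather than the screencast's own commands.  It assumes the WAIK's imagex.exe is on the PATH and that you run it from a full Windows install, so /capture is deliberately left out (the post notes it only runs from WinPE).  The paths and the image index are placeholders.  The /check option is the part worth noticing: it writes integrity data into the exported wim, so a corrupted or tampered image file fails a later /info /check instead of being silently applied.

```batch
@echo off
rem wim-inspect.cmd: list a WIM's images, export one into its own WIM with
rem integrity data, verify it, then mount it read-only to browse.
rem Added example, not the screencast's own script.  Assumes imagex.exe (WAIK) on
rem the PATH and a full Windows host.  SRC, DST, MNT and INDEX are placeholders.
rem Usage: wim-inspect.cmd [image index, default 1]
setlocal
set "SRC=D:\sources\install.wim"
set "DST=C:\images\single.wim"
set "MNT=C:\mount"
set "INDEX=1"
if not "%~1"=="" set "INDEX=%~1"

rem 1. Dump the image table.  Pick the index (or name) you want from this output;
rem    a multi-SKU install.wim lists one entry per product edition.
imagex /info "%SRC%"
if errorlevel 1 (echo Cannot read %SRC% & exit /b 1)

rem 2. Export that one image into a standalone WIM.  /check adds integrity data
rem    so a damaged file is detected at apply time rather than after deployment.
for %%F in ("%DST%") do if not exist "%%~dpF" mkdir "%%~dpF"
imagex /export "%SRC%" %INDEX% "%DST%" "Exported image %INDEX%" /check
if errorlevel 1 (echo Export failed & exit /b 1)

rem 3. Verify the exported file before trusting it for anything further.
imagex /info "%DST%" /check
if errorlevel 1 (echo %DST% failed its integrity check & exit /b 1)

rem 4. Mount read-only to browse or script against the image contents.  Use
rem    /mountrw instead when you intend to change files inside it.
if not exist "%MNT%" mkdir "%MNT%"
imagex /mount "%DST%" 1 "%MNT%"
if errorlevel 1 (echo Mount failed & exit /b 1)
echo Mounted %DST% image 1 at %MNT%.  Top-level directories:
dir /ad /b "%MNT%"

rem 5. Always unmount, or the mount point stays locked for the next run.
imagex /unmount "%MNT%"
```

    Keep step 3 in any script that hands an exported wim to another team or a deployment share: the integrity data is only useful if something actually checks it before the image is applied.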

    Windows System Image Manager (WSIM)

    The Windows System Image Manager is the tool of choice for creating custom Windows Vista deployments and having an answer file implement your changes.  In the screencast, you'll see me open a .wim file, in this case the install.wim, create a new catalog of the packages and components, then start customizing those components.  WSIM will also validate those choices to make sure you have the correct expected parms and data for it to work with.  Once again, WSIM is using the underlying package management and storage capabilities in the new image technologies.

    Business Desktop Deployment (BDD) 2007

    The BDD toolset brings all of the technology together into a single integrated environment.  For corporate desktop deployment, it is the supported set of methods and tools.  The emphasis for BDD 2007 is Windows Vista and Office 2007.  Surprise!  Please go sign up for the BDD 2007 download at connect.microsoft.com.  You'll see the tools from June right now but we are getting ready to bring the toolset up-to-date with the RC1 codebase.

    The Solution

    Hopefully after you've read this and watched the screencast, you'll download and explore the BDD 2007 toolset.  You'll see we're serious about improving the underlying technologies and tools needed to create and maintain corporate images.  With the patch management technologies coming with Windows Vista, keeping those images secure and up-to-date will be far easier than in the past.  The end result should be less time and expense associated with creating and maintaining those images.

    Screencast Demo

    You can watch my Windows Vista Imaging screencast directly from our streaming media server or download and watch the video later on your laptop or podcatcher.  The attachment below is an RSS enclosure for you podsters.  If you want to keep the demos for offline viewing, right mouse click the attachment below and copy it local.  Subscribe to my screencast RSS feed at http://blogs.technet.com/keithcombs/rss.aspx?CategoryID=11416.

    Oh, and if you want to go see an expanded version of the demos complete with slides, see the webcast I delivered on this subject a couple of weeks ago.  Go to http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?culture=en-US&EventID=1032301598

    "See you" again soon.

    Additional Deployment References

    http://www.microsoft.com/technet/desktopdeployment/bdd/2007/default.mspx

    http://www.microsoft.com/technet/windowsvista/deploy/default.mspx

    http://www.microsoft.com/technet/windowsvista/deploy/winpe.mspx

  • Keith Combs' Blahg

    Windows Vista Performance and Reliability Tools screencast

    • 0 Comments

    If you haven't had a chance to look at Windows Vista and its instrumentation, eventing and monitoring toolsets, you really should grab a copy when the "release candidate" code becomes available.  You'll be pleased with the improvements we've made to the amount of information that is available, and the tools that let you monitor, analyze, and act on that information.

    In this screencast, we're going to take a brief dive into the tools that are installed locally on a Windows Vista implementation.  Make sure to check out some of our webcasts on Systems Management Server (SMS), Microsoft Operations Manager (MOM) and other enterprise tools to understand how the Windows Vista plumbing can be centrally managed and monitored.

    If you visit http://www.microsoft.com/technet/windowsvista/relperf/default.mspx, you'll see a number of good documents describing the built-in diagnostics for things like resource exhaustion, failing memory or hard drives, and even the failing human.  What?  Yes, you heard me correctly.  We'll tell you when you fail to back up your system.  I really like that feature.  Ninety percent of the people I know never back up their machines.  Hopefully that will begin to change with the new backup nanny.

    So how do you tell what's going on in the machine?

    Easy.  Go look at my screencast and then start checking out your system.  The Reliability Monitor generates its report every day.  When you first install Windows Vista, you aren't going to see anything until the following day (on the reliability report).  And don't worry if you go check the next day and the report still isn't there.  It'll do its thing, so please be patient.  Check your email, pay the bills, buy some stuff, chat with your honey, etc.  Come back in a little while and you'll see the first report.  Maybe if you are lucky, you'll have a perfect 10.

    Where else can I get information on Windows Vista reliability and performance?

    The link above has some good information, but please read http://www.microsoft.com/technet/windowsvista/relperf/suppcost.mspx.  It's really good.  The Performance Tuning Step-by-Step Guide is ok but looks to be in need of an update.  All of the guides and tuning advice are being updated.  In the meantime I think you'll have some fun exploring some of this on your own, especially when you get a chance to see the next public release.

    Screencast Demo

    You can watch my Windows Vista Performance and Reliability screencast directly from our streaming media server or download and watch the video later on your laptop or podcatcher.  The attachment below is an RSS enclosure for you podsters.  Subscribe to my screencast RSS feed at http://blogs.technet.com/keithcombs/rss.aspx?CategoryID=11416.  "See you" again soon.

  • Keith Combs' Blahg

    Windows Vista Aero Glass and Usability screencast

    • 0 Comments

     

    Surely by now you've heard of Windows Vista Aero Glass. It's the sexy new transparency stuff you see in the operating system. It's very noticeable in a variety of the core applications. However, transparency isn't the only user interface improvement you see in Windows Vista.

    Of course the most visible change initially is the icon for the start menu, affectionately called the "Pearl". If someone sees an oyster coughing up Vista Pearls, please call me. The Start menu is now faster, more streamlined, and is more helpful than in previous versions of Windows. The Start menu features integrated desktop search through a new feature called Instant Search which can help you find and launch almost anything on your PC. Eliminating the cascading "All Programs" view, the new start menu can help you get something started more quickly than ever. You'll also notice some glass effects on the Start menu.

    So why does glass matter?

    The windows in your house or building allow you to see what is going on around you. For those of you who get claustrophobia, I'm sure those windows help you get through the day. I am not making fun of that at all, just making a point about the importance they play in giving us another dimension to our world.

    In the case of Windows Vista, it gives us a better view of the activity in our system. Seeing outside the box has a number of benefits. When we demo Aero Glass, it's all too common to see a video or some other animation indicating activity. In my day-to-day activities, glass lets me see progress bars more quickly. Downloads or installation status can be seen at-a-glance through glass transparency or via the Aero thumbnails on the taskbar. If you looked at my Flip3D screencast, you saw a demo of that.

    Sparkle

    Another really subtle usability enhancement is the highlighting that takes place around the minimize, maximize, and exit buttons for all applications. This gives the user a better sense of interactivity with the application and system. I just think it's a kewl feature. I wondered about this feature from an accessibility point of view. Does it help? I don't know.

    Fatter Frames

    What I do know is that there are new fatter frames around the application window. They don't seem that phat because the glass transparency makes them seem lean and mean. I personally like the new thicker frame for re-sizing purposes. Easy to grab!

    Taskimation

    After you get past the sexy stuff, start looking at the context sensitivity of the new Windows Explorer shell. As you move in and out of the different folders for pictures, music, documents and other stuff you'll see different tasks show up on the toolbar just below the address bar. Is that cool or what? I'm sure a few years ago we would have come up with an Intelli name for the feature. Intellitask. Intellidoodad. Glad we seem to have dropped the Intellieverything.

    I would talk about search more, but I'm going to save that information for a post coming up.

    Screencast Demo

    So pretty picture clips are good and all, but how about a nice streaming video on the subject? You got it. You can watch my Windows Vista Usability screencast directly from our streaming media server or download and watch the video later on your laptop or podcatcher.  The attachment below is an RSS enclosure for you podsters.  Subscribe to my screencast RSS feed at http://blogs.technet.com/keithcombs/rss.aspx?CategoryID=11416.  "See you" again soon.

  • Keith Combs' Blahg

    Windows Vista Instant Search screencast

    • 0 Comments

    I'm guessing most of you think finding stuff is pretty important.  The Windows Vista development team also thinks search should be an easy to use core operating system feature.  The search feature set in Windows Vista is really multiple parts.  We like to call this set of features Windows Vista Instant Search.

    The Indexing Service

    As with most search technologies, you have an indexing service that is responsible for indexing the data.  Duh.  You might think it's easy to write such a service.  Think again.  The trick is to write such a service so that it doesn't suck all of the performance out of your machine.  I mean after all, you've got to pay the bills so you'll need some performance to run those mission critical applications like Live Messenger.

    So how do we do it?  Well, take a close look at the process list in Task Manager or the other performance monitors in Windows Vista.  You'll see the search indexer runs as a low-priority background task, meaning it's not supposed to consume so much CPU and I/O that you feel it doing its job. 

    A nice test is to add a .txt document to your desktop and add a unique word to the body.  Save the document and search for the word from the Start | Search area.  You'll see it's already indexed the document.  Pretty cool eh? 

    The Search User Interface

    I never have been a big fan of the term "user interface".  It sounds a lot like "in your face".  That's actually the point.  When building search into the operating system, you don't want it to be intrusive.  You don't want the indexing service dogging the system, and you don't want big ugly in-your-face UI to have to do a search.

    Thankfully, the Windows team did a really nice job of adding searchability to Windows Vista.  The first place you'll notice it is on the Start menu area.  Just click the Windows Vista Start pearl or hit the windows key on most modern keyboards.  Up pops the Start menu area with search at the bottom.

    Or, while you are using the Windows Explorer tool, you'll see the Instant Search input field in the top right-most portion of the Explorer window.

    Search Results and Tagging

    If you've been a good doggie and added properties to your documents as you saved them, you'll find those properties are now really useful.  The search interfaces in Windows Vista allow you to search using advanced criteria and filtering.  Tagging is a kewl way to categorize incoming information for later filtering and searching.

    Think very strategically about the information you are saving NOW.  As you'll see in my demos, adding the extra information to your documents, spreadsheets, slide decks, pictures, music, etc. will be highly leveraged with Windows Vista Instant Search.  The following screencast is a quick look at the integral shell enhancements. 

    If you want the under-the-covers information on desktop search technologies from Microsoft, be sure to add a bookmark for my team's resident subject matter expert, Matt Hester.  You'll find he has a search category on the subject and a recent TechNet Magazine article as well.  He promised to add some more articles on Windows Vista Instant Search soon, along with some other "stuff".

    Screencast Demo

    You can watch my Windows Vista Instant Search screencast directly from our streaming media server or download and watch the video later on your laptop or podcatcher.  The attachment below is an RSS enclosure for you podsters.  Subscribe to my screencast RSS feed at http://blogs.technet.com/keithcombs/rss.aspx?CategoryID=11416.  "See you" again soon.

  • Keith Combs' Blahg

    Windows Vista Flip and Flip3D Screencast

    • 5 Comments

    This month my team kicked off a series of free live seminars.  We are doing a Windows Vista Technical Overview in the first couple of hours, and Exchange Server 2003 and 2007 in the second couple of hours.  So far, the Windows Vista interest has been huge.  In the next few days, I'll be recording all of the Windows Vista demos (as promised).  To kick things off, let's talk about some of the sexy stuff.

    I'm sure by now, you've seen some demo of Windows Vista.  Most of the webcasts we do are using Virtual Machines (VM).  VMs are great for testing and demonstrating software, but they lack the graphics card horsepower needed for Windows Vista and Aero Glass.  No fear, I'm going to show you in the screencast below, exactly what all of the fuss is about.  To do the demonstration, I'll use Camtasia to capture the screen.

    Background Information and References

    Before we get to the Flip3D screencast, let's look at some other information on the subject.  First of all, you should really invest at least 15 minutes watching the video at http://channel9.msdn.com/Showpost.aspx?postid=114694.  It stars Kam Vedbrat being interviewed by Robert Scoble.  Kam does a good job of giving you some of the background and design points about Windows Vista, Aero Glass and the Windows Presentation Foundation (WPF) services.  Don't worry, the video is a high level discussion so I don't think anyone will get lost.  You'll notice this video was shot back in September, long before Beta 2.  My screencast demo below was captured using a build from this week, so you'll see some subtle changes.

    Next, head over to microsoft.com and read up on Aero.  It's a light weight article but useful for reference purposes.  If you want to go slightly deeper, see the Windows Display Driver Model (WDDM) article.  Most of the information in that article is useful for learning a little more about the requirements and mechanics.

    Screencast Demo

    My Windows Vista Flip3D screencast is available for viewing at a couple of locations.  It is of course published here in Windows Media Video (WMV) format and will stream from our server.  I also have a link below that says "attachment".  It's actually an RSS <enclosure> for the WMV file so that if you have a video podcast player with WMV enclosure support, you can download the demo and view it offline.  Maybe Zune will do that.  If you are truly lazy like me, you can just right-click the attachment below and save it locally for later viewing.

    I have also posted this information to the screencast area of channel9.  It is located at http://channel9.msdn.com/Showpost.aspx?postid=226251.

    The capture and conversion process is still imperfect.  When you watch the video, please don't judge Windows Vista performance based on what you see in the screencast.  The conversion drops frames and the full fidelity of the true user experience.  I do think you'll get a pretty good idea of the feature though.

    Summary

    So what do you think about Aero Glass and Flip3D?  Hopefully you found the Windows Vista Flip3D information above useful.  As you can see, finding and "flipping" to an application is now very easy in Windows Vista.

    I plan to record all of the demos we're doing at the live events.  They are hardly a comprehensive look at the OS but hey, it's a Technical Overview so we're just sticking our toe in the water.  All of my screencasts can be seen easily in this blog's screencast category.  Subscribe to my screencast RSS feed at http://blogs.technet.com/keithcombs/rss.aspx?CategoryID=11416.  "See you" again soon.

  • Keith Combs' Blahg

    Storage Management with SMfS, iSCSI Targets, iSCSI Initiators and iSNS Server

    • 6 Comments

    Microsoft has made some recent bets on storage management.  That is good news for me for a variety of reasons.  First, it offers a glimpse of my HDTV future.  What?  Yes, you read that correctly.  I’ll get to the explanation in a little bit.  Second, it means our customers will have a broader range of storage support in Microsoft products. 

    One of the recent acquisitions we made was from String Bean Software.  We acquired their WinTarget iSCSI Target software.  I don’t know all of the details of the contract so I can’t cite the terms.  The acquisition brings some fascinating technology to the Windows Server 2003 platform.  With any luck, we’ll see the iSCSI Target code show up in all of the Microsoft server products.  I have my fingers crossed.

    Introduction and History

    You might be asking yourself what the hell is iSCSI, an Initiator, or a Target?  Well, most of you are probably familiar with SCSI.  It’s been around for over a decade and most likely you’ve used a SCSI CD-ROM.  In the early days, the 5 MB/s speeds of SCSI were perfectly fast enough for the CD-ROMs and hard disk drives of the mid-1980s.  But as hard disk and optical drive technologies got faster, SCSI needed to evolve.

    As disk drives got faster, and as more disk drives could be coupled together to service I/O requests, bigger pipes were needed to transfer the data.  Fibre Channel systems were developed to handle the large I/O bandwidth needs typical of clustered database and messaging systems. Fibre Channel fabrics provide the highly scalable, path-redundant mesh desired in storage network back-ends.  The downside to Fibre Channel based systems is the cost and complexity to implement.  This makes the entry point too expensive for a small or medium business (typically).

    Fortunately, lower cost networking technologies burst on the scene right around the year 2000.  Gigabit Ethernet (also known as 1000Base-T, GbE or GigE) uses standard Category 5 or Category 6 cable.  Today, you can buy GigE switches and network cards at modest prices.  I use multi-port gigabit nics in all of my servers.  I pay a “little” extra to save a PCI slot by doing that, but it comes in handy.

    Internet SCSI

    iSCSI hasn’t been around that long.  The standard was ratified in 2003. iSCSI encapsulates SCSI commands in TCP/IP, so it runs over ordinary Ethernet; in practice iSCSI deployments use Gigabit Ethernet (GigE).  You can build an iSCSI based SAN out of some relatively cheap hardware components.  Keep in mind that iSCSI itself carries the block data in the clear: the standard provides CHAP for authenticating initiators to targets (and, with mutual CHAP, targets to initiators), and an iSCSI SAN belongs on its own isolated network segment rather than the general-purpose LAN.  On the software side, Microsoft is providing some of the components for free.  Let’s take a look at what you can get your hands on right now, so that you can start testing the technology.

    Microsoft Software

    Windows Server 2003 R2 shipped with a new SAN Management console.  If you’ve been to any of the in-person TechNet Seminars here in the USA, you see us demo that console.  How in the world do we demo a SAN inside a virtual machine?  Smoke and mirrors of course!  Actually we are using an internally written service to simulate either a fibre channel attached rack of disks, or an iSCSI connected rack of disks.  I’m told the programs we use are on the MSDN download center, but I don’t have a subscription so I cannot confirm that.  Look for simhwprv.exe and simiscsiprv.exe.  Those programs are mostly just stub programs so they can’t be used for anything real.  But as a training or developer tool, they are rather useful.

    However, there is a ton of stuff that is highly useful.  First, go grab the Microsoft iSCSI Initiator.  You can install this component on our most popular operating systems and use it to consume data from an iSCSI Target computer.  If you are running Windows Vista, you’ll notice the iSCSI Initiator is already built into the product and the UI sits off an applet in Control Panel.  I had planned to capture a demo on that, but Vista doesn’t seem to like Camtasia right now (with the build I’m running).  I’ll get that demo captured eventually and will update the links below.

    Next you are going to want to grab the Microsoft iSNS Server.  Think of the iSNS server like you would a DNS server.  It is used for discovery and management of iSCSI devices on a network.  iSCSI clients query the iSNS discovery domains for storage nodes and portals.

    And lastly, you’ll want an iSCSI Target.  If you are purchasing a SAN solution from a storage vendor, most likely they’ve engineered the iSCSI Target into their solution.  You can see a list of iSCSI Initiators and Targets at http://en.wikipedia.org/wiki/ISCSI.  Unfortunately, you won’t see a bunch of free Windows iSCSI targets listed.

    I’m hopeful we’ll make WinTarget available for download soon.  Soon is of course relative.  The press release on microsoft.com says, “Going forward, Microsoft will not sell WinTarget as a stand-alone solution, but will release the WinTarget technology with Windows Storage Server 2003 R2. Additional details on product availability will be provided in the coming months.”  This of course means Windows Storage Server R2 is a possible candidate for our iSCSI Target implementation.  I would imagine it’s going through a code review as we speak and it will take a few months before that process is complete.  So hang tight. 

    Usage Scenarios

    Think about all of the types of data that are popular and prevalent today.  In cubes of the USA we are all too familiar with spreadsheets, documents, email, databases, etc.  But think about the data types used outside the corporate cube maze. 

    Many of us have digital cameras, iPods, Video cameras, Home Theatre PCs, etc.  Think about how much storage space is consumed by all of those rich data types. How do you manage the storage sprawl today?  How do you plan your growth?  How do you migrate unused data to other slower cheaper storage media types?

    Doesn’t that sound just like a business?  Heck, I was talking about my house!  I have about a terabyte of virtual machine images.  I have close to two terabytes of HDTV recordings.  With HDTV recordings clocking in at about 8–10gig per hour of programming, is there any wonder?

    We have a modest collection of pictures and music, but my ripped DVD collection is growing.  I think it’s hovering around 300gig right now.  All of that data is across multiple internal and external hard drives. I have some friends that have some amazing music collections.  Thousands of albums in ripped form. 

    That is going to change…

    Think about having a home, home office or small business server with all of that digital goo on an array of disks.  That home server could be a multi purpose machine.  It could be a firewall, parental control and desktop policy machine, HDTV CableCard recording monster, file server, game image server or whatever.  We are constantly thinking about the emerging trends.  No promises for a product release, but you would expect us to be testing the waters, right?

    Considering Windows Vista has a built-in iSCSI initiator, the client side plumbing is there.  We just need some server side integration, and we’re good to go.  This is really more than just a storage area network device.

    Demo Time

    I’m going to do several demos.  The first demo is the Storage Management for SANs (SMfS) demo.  This will give you an idea of what is already in Windows Server 2003 R2 in case you want to build your own SAN and use our console.  It’s a quickie (8 minutes).

    See mms://wm.microsoft.com/ms/inetpub/keithcombs/SMfS.wmv for the SMfS demo.

    The next demo will show you how to setup the Microsoft iSNS Server, String Bean WinTarget iSCSI Target and the Microsoft iSCSI Initiator for Windows Server 2003.  Keep in mind the WinTarget product no longer exists and it does not have a SKU.  I am using it for demo purposes only.  As soon as I can get my hands on a non-NDA iSCSI Target implementation of our software, I’ll probably re-record the demos. 

    See mms://wm.microsoft.com/ms/inetpub/keithcombs/iSCSI.wmv for the iSCSI demo.

    NOTE: I am having some issues getting Camtasia Recorder to capture the iSCSI Initiator demo inside Windows Vista with the build of Vista I used to create a VM.  The iSCSI demo works nicely in Vista, I just can’t show you yet so you are just going to have to trust me (grin).  When I get the capture done, I’ll add the link here.

    Summary

    Storage consumption or use is growing at a rapid pace.  Easy access from a wide variety of client operating systems and devices is necessary.  Small and Medium business owners don’t have big bucks to shell out for a fancy fibre channel based Storage Area Network (SAN).  We need to build the plumbing and infrastructure to make “Simple SAN” and iSCSI successful, affordable, easy to use, reliable and pervasive.  Microsoft is making some strategic investments in those areas.

    Start your training and testing now.  Use the virtual machine technologies to test the products and your designs.  As soon as we make an iSCSI target publicly available, I’ll come back and update this post.

    Essential Reading and References

    Windows Storage Server 2003 R2 – http://www.microsoft.com/windowsserversystem/wss2003/default.mspx

    Boot from SAN Whitepaper – http://www.microsoft.com/windowsserversystem/wss2003/techinfo/plandeploy/BootfromSANinWindows.mspx

    Microsoft Storage Technologies – iSCSI http://www.microsoft.com/WindowsServer2003/technologies/storage/iscsi/default.mspx

    iSCSI Cluster Support FAQ – http://www.microsoft.com/windowsserver2003/technologies/storage/iscsi/iscsicluster.mspx

    SAN Integration Technologies – http://www.microsoft.com/windowsserversystem/storage/sansupport.mspx

  • Keith Combs' Blahg

    SQL Server 2005 Data Encryption

    • 8 Comments
    SQL Server 2005 includes new encryption capabilities that all administrators, programmers and database analysts should be aware of.  Key and certificate creation and management functions are now an integral part of SQL Server 2005.  You have the flexibility to create your own X.509 certificates, use Windows Server 2003 CA issued certs, or use other certs purchased from a trusted certificate authority.  

     

    There are a number of levels in the key hierarchy, but you’ll spend most of your time with database level certs and symmetric keys.  See the SQL Server 2005 Encryption Hierarchy article for a detailed description of certificates, asymmetric and symmetric keys.  You’ll also notice at the bottom of that article is a link to the SQL Server 2005 Permissions Hierarchy.  I would recommend reading and digesting both.  It’s a short read and will be a good use of your time as we review the following scripts and demos.

    Watching the Demos

    My team is now disseminating information using a variety of publishing techniques.  See the following scripts demonstrated using Windows Media Video format.  The videos of the demos are now posted at http://channel9.msdn.com/Showpost.aspx?postid=139794 in both Windows Media Video format as well as Macromedia Shockwave Video format.  See the buttons at the bottom of that post for the full screen versions.

    Setting Up To Use Encryption

    In our first script and demo, we are going to create a number of objects.  We’re going to create a login, a database user, a sample database, and a sample table.  Later, we’ll create and use some views into the data along with a helper function that will allow us to control access to the data.  I’m going to cut a lot of the comments from the original script(s).  I will however highlight or link (links are in red) important function calls and features in the scripts.  You’ll notice that this first script is fairly straightforward.  You’ll also notice that the definition for CardNumber doesn’t reveal anything out of the ordinary.  It certainly doesn’t indicate the contents of that column will be encrypted; it is just a varbinary wide enough to hold the ciphertext.  This provides a little bit of stealth but not much.  The real power is in the encryption, which you’ll see soon.

    Setup.sql – its purpose is to create a sample database, login, user and table to use.  Nothing fancy.


    CREATE DATABASE [DataEncryptDemo]
    go

    USE [DataEncryptDemo]
    go

    CREATE LOGIN [login_low_priv] WITH PASSWORD = 'Login1 Password!'
    CREATE USER [user_low_priv] FOR LOGIN [login_low_priv]
    go

    CREATE TABLE [dbo].[CreditCards]( CardId INT PRIMARY KEY ,
                                      CardNumber varbinary(256) )
    go

    Key  and Certificate Creation 

    CreateSecrets.sql – now we are starting to get into the good stuff.  You’ll notice we are going to create the database master key (a symmetric key, protected by a password) to start things off (hyperlinked below).  By default the database master key is also protected by the server’s service master key, which is why the later scripts can open the certificate’s private key without supplying a password.  The next few lines of the script create the certificate and symmetric key we’ll use to encrypt and decrypt data we’ll add to or retrieve from the demo table.

    USE [DataEncryptDemo]
    go

    -- Create the DB master key.
    -- Notice that the password may be subject to password policy verification, depending on your system.
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'DB Master key password!'
    go


    CREATE CERTIFICATE [cert_SecretTable_SecretData_Key]
      WITH SUBJECT = 'SecretTable_SecretData_Key protection'
    go


    -- TRIPLE_DES is what the original demo used; prefer AES_256 (or AES_128/AES_192) where the
    -- host operating system's cryptographic provider supports it, since 3DES is a legacy algorithm.
    CREATE SYMMETRIC KEY [SecretTable_SecretData_Key]
      WITH ALGORITHM = TRIPLE_DES
      ENCRYPTION BY CERTIFICATE [cert_SecretTable_SecretData_Key]
    go
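Two things a practitioner will want that the demo scripts skip: a check that the hierarchy is actually wired the way the article describes, and a backup of every level the encrypted column depends on. If the certificate's private key (or the master key protecting it) is lost, the CardNumber column is unrecoverable. The following is an added example, not part of the original post or its demo scripts; the file paths and backup passwords are placeholders, and the catalog views it reads are the standard ones in SQL Server 2005.

```sql
USE [DataEncryptDemo]
go

-- 1. Confirm the chain: symmetric key -> certificate -> database master key.
--    Expect crypt_type_desc = ENCRYPTION_BY_CERTIFICATE for the symmetric key and
--    ENCRYPTED_BY_MASTER_KEY for the certificate's private key (no password was given).
SELECT sk.name                        AS symmetric_key,
       sk.algorithm_desc,
       ke.crypt_type_desc,
       c.name                         AS protecting_certificate,
       c.pvt_key_encryption_type_desc AS certificate_private_key_protection
FROM   sys.symmetric_keys  sk
JOIN   sys.key_encryptions ke ON ke.key_id = sk.symmetric_key_id
LEFT JOIN sys.certificates c  ON c.thumbprint = ke.thumbprint
WHERE  sk.name = 'SecretTable_SecretData_Key'
go

-- 2. Confirm the database master key is still protected by the service master key.
--    If this is 0, every OPEN SYMMETRIC KEY / DecryptByKeyAutoCert call will need the
--    master key opened by password first.
SELECT name, is_master_key_encrypted_by_server
FROM   sys.databases
WHERE  name = 'DataEncryptDemo'
go

-- 3. Back up each level. Store the files and their passwords off the database server;
--    the paths and passwords below are placeholders for this example.
BACKUP SERVICE MASTER KEY TO FILE = 'C:\keybackup\smk.bak'
    ENCRYPTION BY PASSWORD = 'SMK backup password!'
go

BACKUP MASTER KEY TO FILE = 'C:\keybackup\DataEncryptDemo_dmk.bak'
    ENCRYPTION BY PASSWORD = 'DMK backup password!'
go

BACKUP CERTIFICATE [cert_SecretTable_SecretData_Key]
    TO FILE = 'C:\keybackup\cert_SecretTable_SecretData_Key.cer'
    WITH PRIVATE KEY ( FILE = 'C:\keybackup\cert_SecretTable_SecretData_Key.pvk',
                       ENCRYPTION BY PASSWORD = 'Private key backup password!' )
go

-- 4. After restoring this database on a different server, its master key is no longer
--    protected by that server's service master key, so decryption returns NULL until
--    the master key is re-attached. Run once there, as a sysadmin (left commented here):
-- OPEN MASTER KEY DECRYPTION BY PASSWORD = 'DB Master key password!'
-- ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
-- CLOSE MASTER KEY
```

The symmetric key itself has no BACKUP statement in SQL Server 2005; it lives inside the database, encrypted by the certificate, so a database backup plus the certificate and master key backups above is what makes the data recoverable.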

    Encrypting Data and Testing Encrypted Contents

    EncryptData.sql – in this script we start to do the fun stuff. You’ll notice we first open the key created in the prior script. We are going to call key_guid() to get the symmetric key GUID from the database.  Now that we have it, we’ll call the encryptbykey() function with that GUID and the data to be encrypted on the two inserts into the table.  After that occurs, the credit card values are stored as ciphertext in the table rows.  You can see in the script we try to retrieve those rows using a standard select.  That only returns the raw varbinary ciphertext, because we didn’t call a decryption function.  The next test in the script calls the decryptbykey() function while the key is still open.  This of course works nicely.  Once the key is closed, decryptbykey() returns NULL instead of raising an error, which is worth remembering when a column unexpectedly reads as NULL.

    USE [DataEncryptDemo]
    go

    -- In order to use the symmetric key, you need to open it first
    OPEN SYMMETRIC KEY [SecretTable_SecretData_Key]
        DECRYPTION BY CERTIFICATE [cert_SecretTable_SecretData_Key]
    go

    -- Now insert some secret data into the table
    DECLARE @KeyGuid AS UNIQUEIDENTIFIER
    SET @KeyGuid = key_guid( 'SecretTable_SecretData_Key')
    IF( @KeyGuid is not null )
    BEGIN
     INSERT INTO [dbo].[CreditCards] VALUES ( 1, encryptbykey( @KeyGuid, N'4388-1234-1234-1234'))
     INSERT INTO [dbo].[CreditCards] VALUES ( 2, encryptbykey( @KeyGuid, N'4549-5678-5678-5678'))
    END
    ELSE
    BEGIN
     PRINT 'Failed to obtain the symmetric key GUID'
    END

    SELECT * FROM [dbo].[CreditCards]

    SELECT CardId,
           convert( NVARCHAR(100), decryptbykey( CardNumber )) as 'Card Number'
    FROM   [dbo].[CreditCards]
    go

    -- A good recommendation is to close the key as soon as you have finished encrypting or decrypting data
    CLOSE SYMMETRIC KEY [SecretTable_SecretData_Key]
    go

    -- Without the key open, decryptbykey() returns NULL rather than an error
    SELECT CardId,
           convert( NVARCHAR(100), decryptbykey( CardNumber )) as 'Card Number'
    FROM   [dbo].[CreditCards]
    go
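One thing EncryptData.sql doesn't show: as written, nothing ties a ciphertext to the row it sits in. Anyone with UPDATE on the table (or a copy of a backup) can write card 1's encrypted value over card 2's, and decryption still succeeds because the bytes are valid under the key. EncryptByKey and DecryptByKey take an optional authenticator for exactly this whole-value substitution case. The following is an added example, not part of the original demo; it reuses the demo's key and certificate but a separate table name so the original rows are untouched, and the authenticator is derived from CardId the way SQL Server Books Online illustrates it.

```sql
USE [DataEncryptDemo]
go

-- Added table for this example; same column shape as the demo's CreditCards table.
CREATE TABLE [dbo].[CreditCardsAuth]( CardId INT PRIMARY KEY,
                                      CardNumber varbinary(256) )
go

OPEN SYMMETRIC KEY [SecretTable_SecretData_Key]
    DECRYPTION BY CERTIFICATE [cert_SecretTable_SecretData_Key]
go

DECLARE @KeyGuid AS UNIQUEIDENTIFIER
SET @KeyGuid = key_guid( 'SecretTable_SecretData_Key')

-- add_authenticator = 1 and an authenticator derived from the row key bind each
-- ciphertext to its own CardId.
INSERT INTO [dbo].[CreditCardsAuth]
  VALUES ( 1, encryptbykey( @KeyGuid, N'4388-1234-1234-1234', 1, HashBytes( 'SHA1', CONVERT( varbinary, 1 ))))
INSERT INTO [dbo].[CreditCardsAuth]
  VALUES ( 2, encryptbykey( @KeyGuid, N'4549-5678-5678-5678', 1, HashBytes( 'SHA1', CONVERT( varbinary, 2 ))))

-- Normal read: the same authenticator is supplied, so both rows decrypt.
SELECT CardId,
       convert( NVARCHAR(100), decryptbykey( CardNumber, 1, HashBytes( 'SHA1', CONVERT( varbinary, CardId )))) as 'Card Number'
FROM   [dbo].[CreditCardsAuth]

-- Simulated substitution: copy card 1's ciphertext into card 2's row. Without the
-- authenticator this would quietly decrypt to card 1's number under card 2's id.
UPDATE [dbo].[CreditCardsAuth]
SET    CardNumber = ( SELECT CardNumber FROM [dbo].[CreditCardsAuth] WHERE CardId = 1 )
WHERE  CardId = 2

-- Card 2 now decrypts to NULL because its authenticator no longer matches.
SELECT CardId,
       convert( NVARCHAR(100), decryptbykey( CardNumber, 1, HashBytes( 'SHA1', CONVERT( varbinary, CardId )))) as 'Card Number'
FROM   [dbo].[CreditCardsAuth]
go

CLOSE SYMMETRIC KEY [SecretTable_SecretData_Key]
go
```

The authenticator only defends against moving a valid ciphertext to a different row; it is not a substitute for restricting UPDATE on the table, and an application reading the column should treat a NULL from decryptbykey() on a non-NULL ciphertext as a tamper signal, not as missing data.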

    Using A View to Access Encrypted Data

    CreateView.sql – this script creates a view that allows our low-privilege user access to the encrypted data.  The view calls the Cert_ID() function to retrieve our certificate’s id number.  That id is then passed to DecryptByKeyAutoCert(), which uses the certificate to open the symmetric key and decrypt the credit card number in one call.  The problem with this script is that it grants way too much authority: CONTROL on the certificate lets the user use its private key, and VIEW DEFINITION on the symmetric key lets them open it, so the user can decrypt anything protected by that key from anywhere, not just through this view.  We’re going to change that in a minute when we revoke those permissions and use a helper function to provide access to the data instead.

    USE [DataEncryptDemo]
    go

    CREATE VIEW [dbo].[CreditCardsView]
    AS
     SELECT CardId as CardId,
     convert( nvarchar(50), decryptbykeyautocert( cert_id( 'cert_SecretTable_SecretData_Key' ),
     null, CardNumber )) as CardNumber
    FROM [dbo].[CreditCards]
    go

    GRANT SELECT ON [dbo].[CreditCardsView] TO [user_low_priv]
    go
    GRANT CONTROL on certificate::[cert_SecretTable_SecretData_Key]
     TO [user_low_priv]
    go
    GRANT VIEW DEFINITION on symmetric key::[SecretTable_SecretData_Key]
     TO [user_low_priv]
    go

    Using the View to Access Data

    UseView.sql – this is a simple script that impersonates the user we created.  Keep in mind for the moment, the user has too much authority over the cert and key.  However, you’ll also notice the view is doing all of the work to decrypt the data and present it.  Nothing fancy here.

    USE [DataEncryptDemo]
    go

    EXECUTE AS USER = 'user_low_priv'
    SELECT * FROM [dbo].[CreditCardsView]
    REVERT
    go

    Creating Helper Functions to Access Encrypted Data

    CreateView2.sql – now things are starting to get interesting.  Here we start things off by creating a helper function called Cards_decrypted_Helper.  This function runs under the dbo security context (WITH EXECUTE AS 'DBO') for the duration of the call.  You’ll notice this function takes the data passed to it and decrypts it using the cert and symmetric key.  So how does the helper function get called?  By the new view of course!!!  The new view is called CreditCardsView2.  The view calls the helper once per row in the table, the helper decrypts the value, and the view shows the result.  Our low-privilege user never gets EXECUTE on the helper; the call works because dbo owns both the view and the function, so SQL Server’s ownership chaining skips the permission check on the function when it is reached through the view.

    You’ll also notice we revoke the permissions for user_low_priv to the cert and symmetric key.  After the revocations, we’ll grant access to the view.

    USE [DataEncryptDemo]
    go

    CREATE FUNCTION [dbo].[Cards_decrypted_Helper] ( @SecretData VARBINARY(256))
    RETURNS NVARCHAR(50)
    WITH EXECUTE AS 'DBO'
    AS
    BEGIN
    RETURN convert( NVARCHAR(50), decryptbykeyautocert( cert_id( 'cert_SecretTable_SecretData_Key' ), null, @SecretData ))
    END
    go

    CREATE VIEW [dbo].[CreditCardsView2]
    AS
     SELECT CardID as CardID, [dbo].[Cards_decrypted_Helper](CardNumber) as CardNumber FROM [dbo].[CreditCards]
    go


    REVOKE CONTROL on certificate::[cert_SecretTable_SecretData_Key]
     TO [user_low_priv]
    go
    REVOKE VIEW DEFINITION on symmetric key::[SecretTable_SecretData_Key]
     TO [user_low_priv]
    go

    GRANT SELECT ON [dbo].[CreditCardsView2] TO [user_low_priv]
    go

    Testing the Helper Function

    UseView2.sql – now that we have all of the access controls in place, we can test CreditCardsView2 to see if it really works.  In the first test we are using the new view.  It of course works correctly and displays the data.  Our little helper function did all the work and, more importantly, we reduced the permission footprint for our low-privilege user.  The second test, the one using our first view, fails because the user no longer has access to the certificate and key used to decrypt the data. HA!!!

    USE [DataEncryptDemo]
    go

    -- access through new view works without unneeded permissions
    EXECUTE AS USER = 'user_low_priv'
    SELECT * FROM [dbo].[CreditCardsView2]
    REVERT
    go

    -- no access through the old view
    EXECUTE AS USER = 'user_low_priv'
    SELECT * FROM [dbo].[CreditCardsView]
    REVERT
    go
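Two checks worth running once the REVOKEs are in, plus a narrower shape for the helper. The helper as written decrypts whatever ciphertext it is handed, so EXECUTE on it amounts to "decrypt anything under this key"; it is safe here only because the user reaches it through the view via ownership chaining and was never granted EXECUTE directly. The following is an added example, not part of the original demo: the permission audit query reads the standard SQL Server 2005 catalog views, and Card_by_id is a hypothetical replacement helper that accepts a row key instead of ciphertext.

```sql
USE [DataEncryptDemo]
go

-- 1. Who holds rights on the key material? After the REVOKEs, user_low_priv should not
--    appear. (sysadmin and db_owner members are not listed; they bypass these checks.)
SELECT pr.name AS principal_name,
       pe.class_desc,
       CASE pe.class
            WHEN 25 THEN ( SELECT name FROM sys.certificates   WHERE certificate_id   = pe.major_id )  -- certificate
            WHEN 24 THEN ( SELECT name FROM sys.symmetric_keys WHERE symmetric_key_id = pe.major_id )  -- symmetric key
       END AS securable_name,
       pe.permission_name,
       pe.state_desc
FROM   sys.database_permissions pe
JOIN   sys.database_principals  pr ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class IN ( 24, 25 )
go

-- 2. Direct use of the page's helper is a decryption oracle. user_low_priv has no EXECUTE
--    on it, so this call is denied with a permission error; the view still works because
--    dbo owns both view and function (ownership chaining). Each statement is its own batch
--    so the REVERT runs even though the SELECT fails.
EXECUTE AS USER = 'user_low_priv'
go
SELECT [dbo].[Cards_decrypted_Helper]( 0x00 ) AS ShouldBeDenied
go
REVERT
go

-- 3. A narrower helper: take the row key, not ciphertext. It can only reveal values that
--    are already in CreditCards, never decrypt bytes a caller smuggles in from elsewhere.
CREATE FUNCTION [dbo].[Card_by_id] ( @CardId INT )
RETURNS NVARCHAR(50)
WITH EXECUTE AS 'DBO'
AS
BEGIN
    DECLARE @Plain NVARCHAR(50)
    SELECT @Plain = convert( NVARCHAR(50),
               decryptbykeyautocert( cert_id( 'cert_SecretTable_SecretData_Key' ), null, CardNumber ))
    FROM   [dbo].[CreditCards]
    WHERE  CardId = @CardId
    RETURN @Plain
END
go

-- Granting EXECUTE here exposes one card per call by id, not arbitrary decryption.
GRANT EXECUTE ON [dbo].[Card_by_id] TO [user_low_priv]
go

EXECUTE AS USER = 'user_low_priv'
SELECT [dbo].[Card_by_id]( 1 ) AS CardNumber
REVERT
go
```

Even the id-keyed helper still hands cleartext card numbers to whoever can call it, so the remaining control is the GRANT itself; in a real schema the helper would also be a natural place to write an audit row per decryption.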

    Summary

    As you can see, there are some powerful capabilities in SQL Server 2005.  This was a brief look into the encryption functions, view usage, permission models, and helper functions.  That ought to get your appetite going. 

  • Keith Combs' Blahg

    SQL Server 2005 Trip Wires

    • 4 Comments

    A number of changes and improvements have been made to SQL Server 2005.  Did I really need to state that?  One of the big improvements is in the management and security area.  The SQL Management Objects (SMO) infrastructure replaces much of what used to be accomplished using SQL-DMO, and SQL Server 2005 also ships a WMI Provider for Server Events, so the DDL and trace events the engine raises can be consumed through Windows Management Instrumentation (WMI).  That eventing is what the new capabilities below take advantage of.

    One way to take advantage of this instrumentation is to write Data Definition Language (DDL) triggers and Data Manipulation Language (DML) triggers in T-SQL.  Last week, Kai Axford delivered a webcast on SQL Security as part of the “A More Secure and Well-Managed Infrastructure” series.  In his webcast (Part 11), he did some DDL and DML trigger demos.  A number of people wanted me to post the scripts, so look down at the bottom of this post for those.

    My team is also delivering live seminars as part of the “Best Of SQL Server 2005 Launch.”  One of those demos is DDL triggers.  It’s a pretty simple demo, but to understand the power, you really need to look at the available events and build some automation around them.  SQL Server 2005 Books Online is now published on the web.  If you look at the DDL_EVENTS hierarchy, you’ll notice there are database-level events (DDL_DATABASE_LEVEL_EVENTS) and server-level events (DDL_SERVER_LEVEL_EVENTS) we can trap.  Once we trap an event, we can set up a trip wire to take the appropriate “corrective” action.

    In our demo, we use DDL_DATABASE_LEVEL_EVENTS to see what is occurring in the virtual machine demo environment.  Our script detects unapproved actions and rolls them back while logging the time, date, user ids and so on to an audit table.  The script also posts a nice little message telling the user that the action was prohibited.  In reality, you might hook in other automation: sending a page to a pager/cellphone, sending an email message to the DBAs or security professionals, etc.  The automation is only limited by your imagination and programming skills. 

    See the full Data Definition Language (DDL) demo for a walk-through of how to do this.

    The script we demo is as follows:

    USE AdventureWorks;
    GO

    CREATE TABLE AuditDDLOperations
    (
     OpID  int    NOT NULL identity 
            CONSTRAINT AuditDDLOperationsPK
             PRIMARY KEY CLUSTERED,
     LoginName sysname   NOT NULL,
     UserName sysname   NOT NULL,
     PostTime datetime  NOT NULL,
     EventType nvarchar(100) NOT NULL,
     DDLOp  nvarchar(2000) NOT NULL
    );
    GO

    CREATE TRIGGER PreventAllDDL
    ON DATABASE
    WITH ENCRYPTION   -- hides the trigger text in the catalog; obfuscation only, not a security boundary
    FOR DDL_DATABASE_LEVEL_EVENTS
    AS
    -- Capture EVENTDATA() first; it describes the statement that fired the trigger.
    DECLARE @data XML
    SET @data = EVENTDATA()
    RAISERROR ('DDL Operations are prohibited on this production database. Please contact ITOperations for proper policies and change control procedures.', 16, -1)
    -- Undo the DDL. The batch that issued it is aborted once the trigger finishes.
    ROLLBACK
    -- The audit row is written after the ROLLBACK, so it commits on its own and survives it.
    INSERT AuditDDLOperations
      (LoginName,
       UserName,
       PostTime,
       EventType,
       DDLOp)
    VALUES   (SYSTEM_USER, CURRENT_USER, GETDATE(),
       @data.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)'),
       @data.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'nvarchar(2000)') )
    RETURN;
    GO

    --Test the trigger. Each statement is its own batch because the ROLLBACK
    -- in the trigger aborts the batch that fired it.
    CREATE TABLE TestTable (col1 int);
    GO

    -- Even the audit table is protected: this DROP is rolled back and logged.
    DROP TABLE AuditDDLOperations;
    GO

    -- Both attempts show up here.
    SELECT * FROM AuditDDLOperations;
    GO

    --Drop the trigger. DROP TRIGGER is itself a database-level DDL event,
    -- so the trigger would roll back its own removal; disable it first.
    DISABLE TRIGGER PreventAllDDL ON DATABASE;
    GO

    DROP TRIGGER PreventAllDDL
    ON DATABASE;
    GO

    DROP TABLE AuditDDLOperations;
    GO
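    The demo trigger above blocks every database-level DDL statement for everyone.  In practice a trip wire usually needs an approved path for change control, and it should keep working when the caller is a low-privileged user.  The following script is an added example, not from the post or the launch demo: it logs every database-level DDL event, lets changes by members of a change-control role (or db_owner) through, and rolls back everything else.  The role, user, table and trigger names (ChangeControl, dev_alice, dev_bob, DDL_TripWireAudit, TripWireDDL) are hypothetical, and the script assumes it is run as a sysadmin or dbo in AdventureWorks.

```sql
-- Added example (not the post's own code): a selective DDL trip wire.
-- Hypothetical names: ChangeControl, dev_alice, dev_bob, DDL_TripWireAudit, TripWireDDL.
USE AdventureWorks;
GO

-- Audit table and test principals are created BEFORE the trigger exists, because
-- CREATE USER / CREATE ROLE / sp_addrolemember are database-level DDL events too.
CREATE TABLE dbo.DDL_TripWireAudit
(
    OpID          int IDENTITY  NOT NULL PRIMARY KEY,
    PostTime      datetime      NOT NULL,
    OriginalLogin sysname       NOT NULL,   -- who really connected (survives EXECUTE AS)
    DBUser        sysname       NOT NULL,   -- effective database user from EVENTDATA()
    EventType     nvarchar(100) NOT NULL,
    ObjectName    sysname       NULL,
    Approved      bit           NOT NULL,   -- 1 = allowed through, 0 = rolled back
    DDLOp         nvarchar(max) NOT NULL
);
CREATE ROLE ChangeControl;
CREATE USER dev_alice WITHOUT LOGIN;
CREATE USER dev_bob   WITHOUT LOGIN;
GRANT CREATE TABLE TO dev_alice, dev_bob;
GRANT ALTER ON SCHEMA::dbo TO dev_alice, dev_bob;   -- needed to create tables in dbo
EXEC sp_addrolemember 'ChangeControl', 'dev_alice';  -- alice is approved, bob is not
GO

CREATE TRIGGER TripWireDDL
ON DATABASE
WITH EXECUTE AS 'dbo'        -- the audit INSERT must work even when the caller cannot write the table
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    -- Read EVENTDATA() first; it describes the statement that fired the trigger.
    DECLARE @data XML;
    SET @data = EVENTDATA();
    DECLARE @user sysname, @eventType nvarchar(100), @objectName sysname, @tsql nvarchar(max);
    SELECT @user       = @data.value('(/EVENT_INSTANCE/UserName)[1]',                'sysname'),
           @eventType  = @data.value('(/EVENT_INSTANCE/EventType)[1]',               'nvarchar(100)'),
           @objectName = @data.value('(/EVENT_INSTANCE/ObjectName)[1]',              'sysname'),
           @tsql       = @data.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');

    -- Approval is decided from the catalog rather than IS_MEMBER(): under EXECUTE AS 'dbo'
    -- the built-in functions would describe dbo, not the caller. db_owner members count as
    -- approved because they hold ALTER ANY DATABASE DDL TRIGGER and could just disable this
    -- trigger; blocking them would only hide what they did. Their actions are still logged.
    DECLARE @approved bit;
    SET @approved = 0;
    IF EXISTS (SELECT 1
               FROM sys.database_role_members AS rm
               JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
               WHERE m.name = @user AND r.name IN (N'db_owner', N'ChangeControl'))
        SET @approved = 1;

    IF @approved = 0
    BEGIN
        RAISERROR ('%s on %s by %s is not approved. Submit a change request to ITOperations.',
                   16, 1, @eventType, @objectName, @user);
        ROLLBACK;   -- undo the DDL; the batch that issued it is aborted when the trigger ends
    END

    -- Written after the ROLLBACK so the audit row commits on its own and survives it.
    INSERT dbo.DDL_TripWireAudit
        (PostTime, OriginalLogin, DBUser, EventType, ObjectName, Approved, DDLOp)
    VALUES
        (GETDATE(), ORIGINAL_LOGIN(), @user, @eventType, @objectName, @approved, @tsql);
END
GO

-- Unapproved: bob's CREATE TABLE is rolled back and logged with Approved = 0.
-- REVERT needs its own batch because the rollback aborts the batch that fired the trigger.
EXECUTE AS USER = 'dev_bob';
CREATE TABLE dbo.BobsTable (id int);
GO
REVERT;
GO

-- Approved: alice is in ChangeControl, so her table is created and logged with Approved = 1.
EXECUTE AS USER = 'dev_alice';
CREATE TABLE dbo.AlicesTable (id int);
REVERT;
GO

SELECT OpID, PostTime, OriginalLogin, DBUser, EventType, ObjectName, Approved, DDLOp
FROM dbo.DDL_TripWireAudit ORDER BY OpID;
GO

-- Clean-up. The DROP TRIGGER fires the trigger one last time and is logged as approved for dbo.
DROP TRIGGER TripWireDDL ON DATABASE;
GO
DROP TABLE dbo.AlicesTable; DROP USER dev_alice; DROP USER dev_bob;
DROP ROLE ChangeControl;    DROP TABLE dbo.DDL_TripWireAudit;
GO
```

    Two caveats a practitioner should keep in mind.  A database-scoped trigger never sees server-level events (logins, linked servers, ALTER SERVER ROLE and the like); those need a trigger ON ALL SERVER for DDL_SERVER_LEVEL_EVENTS.  And a trip wire is only as strong as the rights to switch it off: anyone holding ALTER ANY DATABASE DDL TRIGGER can DISABLE TRIGGER it, so the audit table should be writable only through the trigger’s EXECUTE AS context and its rows should be copied somewhere the database owners cannot edit.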

    As you can see from the example and demo above, it’s a simple script but it has a lot of power.  If you are interested in other examples and procedures, see the “Designing DDL Triggers” page in Books Online.  Of course you should also have a local copy of that page, since I know you were a good doggie and installed SQL Server 2005.  If you don’t have a copy, shame on you.  Come to one of the remaining launch events if you can and get one.  If registration is blocked because the event is full, you can still come by.  However, walk-ins aren’t guaranteed to get in, and you’ll only get a free copy of SQL Server 2005 and Visual Studio 2005 if you do get in. 

    Here are the scripts from Kai’s webcast:

    --Step 1: Create a table to log audited events to
    USE LucernePublishing
    GO
    CREATE TABLE DDL_Audit (id INT PRIMARY KEY IDENTITY,
      AuditText VARCHAR(MAX))
    GO

    --Step 2: Create a table for testing the trigger
    CREATE TABLE LPTriggerTest (id INT PRIMARY KEY)
    GO

    --Step 3: Create a trigger to fire when
    -- an ALTER TABLE command is issued
    CREATE TRIGGER LPTableAlter
    ON DATABASE
    AFTER ALTER_TABLE
    AS
    INSERT INTO DDL_Audit VALUES('A database table was altered.')
    GO

    --Step 4:Add a new column to the test table
    ALTER TABLE LPTriggerTest
       ADD TestText VARCHAR(MAX)
    GO

    --Step 5:Verify that the trigger fired
    SELECT * FROM DDL_Audit
    GO

    ============

    --Step 1: Create a trigger to prevent
    -- tables from being dropped.
    USE LucernePublishing
    GO

    CREATE TRIGGER Safety
    ON DATABASE
    FOR DROP_TABLE
    AS
     PRINT 'You must disable the Safety trigger
           before you drop a table.'
     ROLLBACK
    GO

    --Step 2: Test the trigger by trying to drop a
    -- table from the database
    DROP TABLE dbo.LPBuildVersion
    GO

    --Step 3: Disable the trigger to allow database
    -- tables to be dropped again
    DISABLE TRIGGER [Safety] ON DATABASE
    GO

    =============

    --Step 1: Create a new table for auditing
    --with the eventdata() function
    USE LucernePublishing
    GO
    CREATE TABLE DDL_Eventdata (
     PostTime datetime,
     DB_User nvarchar(100),
     Event nvarchar(100),
     TSQL nvarchar(2000)
    )
    GO

    --Step 2: Modify the trigger
    -- to use eventdata() function
    ALTER TRIGGER LPTableAlter
    ON DATABASE
    AFTER ALTER_TABLE
    AS
    DECLARE @data XML
    SET @data = EVENTDATA()
    INSERT INTO DDL_EventData
       (PostTime, DB_User, Event, TSQL)
     VALUES   
     (GETDATE(),   
     CONVERT(nvarchar(100), CURRENT_USER),   
     @data.value('(/EVENT_INSTANCE/EventType)[1]',
      'nvarchar(100)'),   
     @data.value('(/EVENT_INSTANCE/TSQLCommand)[1]',
      'nvarchar(2000)') ) ;
    GO

    --Step 3: Modify the test table again to
    -- cause the trigger to fire
    ALTER TABLE LPTriggerTest
       ADD TestText2 VARCHAR(MAX)
    GO

    --Step 4: Verify that the trigger fired and wrote
    -- eventdata() information to the table.
    SELECT * FROM DDL_EventData
    GO
