Kevin Remde's IT Pro Weblog
My friend and colleague Chris Henley is leading a 12 week Webcast Series all about strategies and tools for the migration to Active Directory.
Chris is an excellent presenter and quite knowledgeable on the subject, so this is going to be a great series. Sign up for all of them! And if you missed some of them live, you can also view the previous sessions’ recordings on-demand.
(Free training – and a chance to win a Portable Media Center, too!)
Sometimes I see or read about really cool things from Microsoft.. development tools and resources that really make me wish I were still a Software Engineer. I’ve always loved the creativity and problem solving that software development affords. Example: the new tools coming in Visual Studio 2005 still make me salivate, quite frankly.
I remember when I was a developer seeing good documentation coming from Microsoft and others, and getting really excited. I was especially pleased whenever Microsoft would release some white-paper about how THEY were doing development (the way I do now when I look at how Microsoft does IT, too.)
What made me think of that was a letter I found in my inbox this morning. Michael Howard sent a letter to the NTBugtraq e-mail listserver membership which was published earlier today. In it he describes a new Microsoft “Security Development Lifecycle” paper.
“The SDL is the process that Microsoft has implemented for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push". Before software developed under the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software.”
So this is the sort of thing that, as a former developer, gets me excited on behalf of developers everywhere! You can compare your company’s secure development process to the way Microsoft does it, and borrow from our best practices. (Does the phrase, “Don’t reinvent the wheel” mean anything to you?)
And I encourage all of my counterparts on the MSDN team to blog about this paper, too.
Kevin
..and we only have to wait until May 12th!
That’s when, according to gameindustry.biz, the official unveiling will be done. And on MTV, of all places!
Windows Server Administration Webcast Series Homework Assignment #10
1. http://blogs.technet.com/kevinremde
2. Windows Server 2003 Virtual Lab: VPN Scenarios with ISA 2004
http://www.microsoft.com/technet/vlab
This virtual lab allows you to:
On that Virtual Lab homepage, click on the ISA section.
Resource Page for TechNet Webcast: Windows Server 2003 Administration Series (Part 10 of 12): VPN/RAS (Level 200)
Wednesday, April 13, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Here are some resources relating to the webcast topic presented. I hope you find them useful.
—
“What is Dial-up Remote Access?”
“How Dial-up Remote Access Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dura_How.asp
Remote Access Concepts
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_RASS_concepts.asp
Virtual Private Networks for Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
“What is VPN?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_vpn_what.asp
“How VPN Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_vpn_how.asp
Placing Remote Access Servers
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_zsom.asp
Selecting a VPN Protocol
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_riyr.asp
Concepts for IAS
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_tttg.asp
Determine the Role of the IAS Server
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_dprk.asp
Integrate IAS with the Certificate Infrastructure
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_xkyp.asp
Secure the IAS RADIUS Server and RADIUS Proxy
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_qnbl.asp
Microsoft TechNet: http://www.microsoft.com/technet
Official Series Content Resource Page: http://www.microsoft.com/technet/tnt4–04
Free Windows Server 2003 Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/windowsserver2003.mspx
Windows Server 2003 Evaluation kit: http://www.microsoft.com/windowsserver2003/evaluation/trial/evalkit.mspx
Windows Server 2003 Training and Events: http://www.microsoft.com/windowsserver2003/techinfo/training/default.mspx
New and improved Microsoft Events page:
http://www.microsoft.com/events
Wednesday, April 20, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Join this webcast and learn what you need to know about routing, routing protocols and configuring routing on Windows Server 2003.
Yay! No major audio or timing issues this week! It’s so much fun when things go right!
Here is this week’s “best of” Q&A log from the webcast. Sincere thanks again to my teammates for doing such a great job helping to answer questions! I give them the credit for the information in this document. Wonderful!
Also, I want to make sure you also have the link to the Session Resources I posted for Part 9, and the homework assignment.
Part 9 Questions and Answers:
“Thanks for the informative webcast every week. Sometimes it would be nice if the webcast would be earlier in the morning for you, because it is exhausting to see all the good webcasts late in the evening for us in Europe.”
Yeah… that’s a problem I wish I had considered further when originally scheduling these. Much of my job involves travel. I do these webcasts more often-than-not in hotels or other Microsoft Offices. During my normal TechNet Event weeks, Wednesdays are usually travel days between Tuesday and Thursday events, so if I can’t get a flight out or drive to the next location on Tuesday night, I’ll be doing it Wednesday morning… which is why I thought later on Wednesday afternoon would be better.
If I get the opportunity to do another series (and I’d LOVE to!), I’ll see if we can do it Monday morning instead.
“Will the past 2 events be available in live meeting format soon?”
The last one [part 8] should be posted. We've had problems with and are still trying to recover part 7.
Keith Combs: “I love DHCP”
Thanks, Keith.
“Can we download any presentation WMA? not pdf. Thanks.”
The WMV archive will be available 72 hours after the event.
“This is off topic, but our company would like to use this MS Office Live Meeting 7 application format for providing online demos with government Public Health Laboratories. Can you direct me to more information of how to utilize this application for such purposes (purchase, configuration, etc.)? Good class.”
Thanks. Have you looked at http://www.microsoft.com/livemeeting?
“No, that is the kind of thing I was asking about. Thank you. Are there others you know of?”
Yes. You might also check http://www.microsoft.com/office/livecomm/prodinfo/default.mspx
“Would you include addresses that are going to be reserved in an exclusion range?”
Yes, that's another good way to self document those addresses.
“Is it better to use exclusions or a narrow pool range to place static entries for like servers and printers?”
Because of the inflexibility of Pools once you’ve defined them, I would make them large to begin with, and then use exclusions to narrow down what is actually being handed out by individual DHCP servers.
“Followup to the exclusion question - is there any impact to doing it either way?”
Other than the inflexibility of re-configuring pools, no.
“Is there any way to issue out IPv6 IP addresses via DHCP?”
Not aware of any - Great Overview here - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/14_s3ip6.mspx
“If you have an address range for DHCP to give out, but some of those addresses are used in reservations, would DHCP know not to give out those addresses or would it cause conflicts?”
Yes, it will not give that out, but be aware that if it is already in use, it won't force a release on the address.
“We have a number of remote users and I want to assign them an address when they VPN in. Is there a good article describing this when using a domain controller with and a separate RRAS server?”
An address that is the same each time they connect, or just any address from a pool?
“Can be either. Whatever would be the best practice.”
Most people set up a pool for VPN clients. Less maintenance and hassle.
“OK Is there a good KB article for setting up a pool?”
All of the VPN deployment and planning docs will go through this. It is also in the ISA Server 2004 planning documents in case you are using our firewall product.
“Should you confirm that there are no entries in the other tabs in TCP/IP properties before you switch to automatic pickup?”
No need.
“Does the DHCP server have to have a static address or can it obtain a reserved IP address from its own database?”
It should have a static address.
“If you are going from a static IP environment to a DHCP environment, will you have to touch each PC to make that change, or is there another way?”
You could use NETSH - http://support.microsoft.com/default.aspx?scid=kb;en-us;257748
“I have a Linux-based computer set up for DHCP now. Can I configure a W2k server for DHCP while it's running on the Linux box - or do I need to shut down the Linux box first before configuring DHCP on the W2k server?”
It’s just another DHCP server on the line, so there shouldn’t be any issues unless they are both being configured to hand out the same or overlapping address ranges.
“Can you delete the bad scope or just leave it alone?”
You can delete it. I just left it in the demo so I could also show how superscopes were configured.
“When configuring a pool with a router, how will the DHCP know which IP address to give out for each subnet?”
Like most things computer related, it will do only what you tell it to – not what you WANT it to. If you’re using your router as a DHCP server, then you have to be aware what addresses it’s responsible for, just as you would if you were configuring more than one DHCP server within the same physical networked area.
“How can we integrate DHCP with DNS?”
Active Directory Integrated with DDNS - http://support.microsoft.com/default.aspx?scid=kb;en-us;816592
“I would like Kevin to settle a debate. When is DHCP best handled; by a gateway vs. server?”
I wasn’t aware there was a debate. Do you mean, “Should I have my router handle addressing for me or should I have a separate server?” ? If you are happy with how your router is working, and if you don’t mind having that single point of failure, and want to limit how much (if any) logging or auditing you have available.. and don’t want flexible configuration options… then by all means, use your router. <grin>
“One DHCP server with multiple subnets all with different address pools, how can I ensure the right IP address goes to the correct subnet?”
Typically that is the job of the Relay Agent on a particular subnet - http://support.microsoft.com/default.aspx?scid=kb;en-us;120932
“I was trained to use DORK acronym discover offer release acknowledge”
Cool.
“Can the clients still connect to resources on the network if I reboot the DHCP server?”
Yes. A DHCP server will only affect the clients if they go to request an address, and it's down.
“Can Kevin share those funny pictures with us?”
Absolutely!
Cheers!
Just a comment on what a strange day it’s been. I’m currently staying at a Sheraton in Madison, as tomorrow we’re doing live TechNet and other events at the Alliant Energy Center.
Today, however, in less than one hour, I’ll be doing a webcast from the hotel. Now… typically when I book my rooms I call the hotel to see if they have high-speed Internet. I’m a snob that way, I guess. <sigh> But more so if I’m going to do a webcast, I usually want to make sure that the Internet access is WIRED as opposed to WIRELESS.
Well… having not found any WIRED hotel rooms near the Alliant Energy Center, I decided to stay where the rest of my team were staying here at the Sheraton.
Problem: WiFi here has been up and down all day. Not good for webcasting at all.
Solution: The folks here are going to let me reserve the WIRED connection located in their Business Center here. They even provided me a phone for the audio portion of the webcast. (I’m heading down in just a couple minutes to set things up.)
In the meantime, I happened to see that the wireless from the hotel next door is available, so I’m using a low-signal, 1Mbps connection right now. I guess that’s the punch-line to an already interesting day.
Gotta run! Webcast time!
This question was asked during my TechNet Briefing event held yesterday (April 5th) in Appleton, Wisconsin.
The Answer: No, and Yes.
I found the answer in the Security Configuration Wizard Documentation, specifically page 10 of the deployment document which states:
“To configure multiple servers with a policy, you can use scwcmd configure /p:PolicyFile /i:MachineList at the command prompt, rather than this SCW UI procedure. Type scwcmd configure at the command prompt to learn about the parameters.”
Also – a VERY good resource of information is an on-demand webcast by Peter Meister, Lead Product Manager, Windows Server 2003, entitled “Windows Server 2003 Service Pack 1 – Security Configuration and Role-Based Server Deployment”
Enjoy!
Windows Server Administration Webcast Series Homework
DHCP
Homework Assignment #9
2. Review DHCP Online Documentation
Click on and read through at least the first two from my Session Resource Page:
“What is DHCP?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_what.asp
“How DHCP Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_how.asp
Resource Page for
Wednesday, April 6, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
“What is DHCP?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_what.asp
“How DHCP Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_how.asp
“DHCP Terminology”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_DHCP_ovr_Terms.asp
“Configuring Scopes”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_ConfigScopes.asp
“IPv4 Multicasting Technical Reference”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_Mcast_Intro.asp
“Best Practices”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_DHCP_imp_BestPractices.asp
“DHCP Tools”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_ovr_tools.asp
“Security Information for DHCP”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_ovr_Security.asp
Wednesday, April 13, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Join us for this presentation where we will investigate setup and configuration of RAS connections, the authorization of these connections, and finally implementing VPNs and IAS.
Hello all!
I’ve created a document containing useful links to related resources for our live-and-in-person TechNet Briefings this quarter. If you attended my event and want the document containing the LIVE links, or even if you’re just curious about resources relating to Windows Server 2003 Service Pack 1 or Microsoft SQL Server 2005, you’ll find this document useful.
CLICK HERE TO DOWNLOAD
Hope you find this helpful!
Consortium to Invest in Time Travel
I’m so proud that Microsoft is firmly behind this effort.