Every day I see critical servers in higher education sitting right out on the internet with public IPs. If you are responsible for maintaining that server and protecting your constituent's data, having it fully exposed to the Internet means you must be more cognoscente of security than if you were behind a corporate perimeter defense regardless of OS. I often recommend IPSEC to control access to the server and provide basic security like IKE signing of traffic where possible.
Remote Desktop Protocol is already encrypted but it is possible to SSL authenticate and encrypt your session with TLS 1.0. This provides an additional layer of security when connecting across the Internet and is simple to setup. Here are the things you will need:
Enrolling a Server Authentication Certificate
The first step is the most complicated. Make sure your server has a server certificate that includes Server Authentication. In my lab I auto-enrolled using group policy and use the DC as an enterprise CA. Just apply a policy to an OU where your test server resides and under Computer Policy – Windows Settings – Public Key Policies – AutoEnrollment Settings, enable autoenrollment. The Computer certificate included in GPO AutoEnrollment by default includes Server Authentication.
You can also enroll the server by connecting to the /CertSrv website and making a request. Use “Advanced Request”, “Administrator”, and check the box to store the certificate in the local computer certificate store. If your test server and/or test clients are not members of the forest, you can install the CA chain from the CertSrv website.
Require SSL and High Encryption (or FIPS Compliant Encryption)
On the server, open Administrative Tools – Terminal Services Configuration. Select Connections and in the right hand pane you should see RDP-Tcp. Open the properties of this connection and on the first page change Authentication to SSL and Encryption to either High or FIPS Compliant. (For more information on these see the following TechNet article: http://technet2.microsoft.com/WindowsServer/en/Library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx)
Install RDP Client version 5.2
A standard 32-bit Windows XP Pro machine does not come with a version of the RDP Client that supports high encryption. You can install the client from your 2003 server using %systemdrive\system32\clients\tsclient\win32\msrdpcli.msi. With the newer version of the client you should see a security tab on the options page. Select “Attempt Authentication”. If you do not have the 5.2 client or do not at least attempt authentication, the connection attempt will time out. Also, make sure you connect to the server using the same name as what’s used in the certificate, in most cases the full DNS name. If not, you will be prompted to approve trusting the cert.
You may decide it is more practical to select “Negotiate” rather than SSL. This will allow down-level clients such as the RDP client on Windows Mobile to connect without using TLS 1.0. If you require SSL, you will not be able to connect unless your client supports it. Negotiate allows the highest level of encryption available on each client.
I just found the OpenXMLDeveloper.org site. Cool! I found the site after searching live.com for more information on open xml formats. There's a great article that provides source code for a simple tool to generate text in XML and store it in .docx (Word 12).
Just yesterday I spoke with a university about the changes in document formats including Office files and XPS. This site provides real evidence of all the work Microsoft is doing with these file types.
From the Windows Live Help file:
Windows Live Academic Search accesses content feeds from several publishers in the Computer Science, Physics, and Electrical Engineering areas. Academic Search works with CrossRef to facilitate cross-publisher searching. Publishers include ACM, American Institute of Physics, American Physical Society, Blackwell Publishing, Elsevier Science, IEEE, Institute of Physics, John Wiley and Sons, Nature, Taylor and Francis, and many others.
To access Windows Live Academic Search - http://academic.live.com/.
You can also open live.com, enter a search term and execute the search, then click "Academic" to try your search across academic sources.
We have the best partners in the world. I got an Email shortly after my last post for another article on the same topic.
Hopefully the trackback is automatically created.
First off, I’m happy to have written this while on a plane. I'm posting now that I'm in the Detroit airport - using my phone as a modem.
One of my peers recently built a PowerPoint deck that focuses on all the solutions we literally give away that are valuable to education. The resulting list is longer than you might expect. In the last year we have made significant investments in education including Microsoft Student (not free, but very cool). The following list comes from the slide deck I mentioned plus I added a few. The sort order starts with things focused directly on education and ends with free tools that benefit customers in education.
Windows Live @ EDU
Education Pack for Tablet PC
Shared Computer Toolkit
Learning Essentials for Office
Sharepoint Web Parts and Site Templates for Teachers/Classrooms
Office Templates for Education
Windows Movie Maker
Windows Live Safety
Virtual Server Enterprise
TechNet Virtual Labs
Visual Studio Express
Office Live Basic
Online training for developers and users
Office Viewers, Office resources such as ClipArt, PowerToys, Windows Mobile Add-Ins, TabletPC Add-Ins, Migration Tools, and on and on.. Feel free to add more through comments!
We just completed our mid-year review process internally, a milestone that focuses more on what you want to accomplish in the future rather than critique of past performance. I set a near-term goal to more clearly communicate our Education vision to technically-minded customers.
I've been brainstorming and have decided to start with the existing 3-pillar foundation. I have a lot of respect for the people that originally founded this concept and I think it provides a solid starting point.
Strategic Pillars for 21st Century Learning
This can be more simply communicated as "Academic, Business, and Lifestyle". Our infrastructure tools and solutions sometimes fit cleanly in to one category but often span two or more. This is a solid foundation to prove the relevancy of our solutions, something I really believe in and would like to share.
Series of online seminars on how to leverage Microsoft technology in the classroom.
I recently had a discussion with Exchange administrators from a couple of major Universities to decide whether it would be possible for someone to use their Exchange mailbox in a "calendar only" capacity. The end user would like to maintain his or her own Email but they would like to still take advantage of group calendaring. The short answer is you cannot disable the other components of a mailbox and there is no "Calendar Only" check box. The process of scheduling and responding to meeting requests is driven by sending and receiving Email messages.
So, here's one approach. Given that calendaring is very reliant on Email and we want to keep our routing as simple as possible, I would start by routing the user's Email through Exchange. Obviously there may be political issues as to why a user might not want to route through someone else's mail system but we will assume this is provided on an "opt-in" basis. In this scenario, routing mail through Exchange prevents a number of complications. Assuming Exchange has a recipient policy for "name.edu" Exchange will attempt to locally deliver any messages sent to an alias within this domain. Therefore if a user taking full advantage of Exchange sends a message to a "calendar-only" user, the message will not leave the server unless a forwarding mechanism is in place.
We need to implement two server-side rules for each mailbox from within Outlook. Unfortunately you must use the full Outlook client since OWA does not offer options to take action based on type. This can be completed by the user or by an admin with temporary access to the user's mailbox.
The first rule redirects any message sent to the user to a mailbox on an outside server. You can eliminate this step by administratively setting the ms-Exch-Deliver-And-Redirect and ms-Exch-Alt-Recipient attributes in Active Directory.
Then enter a second rule:
Make sure the first rule is listed first and the second rule is listed next. The rules are applied in order and you don't want to delete messages before forwarding them! There is potential for the user to misconfigure these rules but proper guidance and web based documentation should help lead to fewer user errors. It is possible to configure these rules centrally for each user, although it is not a simple process and does require developer experience. See support article 251125.
Now you have setup an environment where mail is always forwarded to the desired mailbox on another system but anything calendar related will still be available in Exchange for scheduling. The messages will also be delivered to the user's remote mailbox so he or she will know when a new item needs attention.
One final note. The deleted messages will end up in the Deleted Items folder and will not automatically be emptied. The Exchange Server administrator may choose to setup mailbox maintenance rules to empty the Deleted Items for these users on a regular basis, for example after 7 days.
This is one possible approach. University of Iowa has taken a similar approach documented on their ITS site. If others have come up with methods such as event sinks or customized delivery of messages by type, I would be very interested to learn more and leverage this site to share details.