Yuri Diogenes's Blog - Site Home - TechNet Blogs

Yuri Diogenes's Blog

Thoughts from a Senior Technical Writer @ Microsoft Server and Cloud Division (Solutions Group) - Information Experience

Posts
  • Yuri Diogenes's Blog

    Windows Server 2012 Security Book is Out!!

    • 0 Comments

    Last week I received my copy of the Windows Server 2012 Security Book from Syngress. I’m very pleased with the final work; it looks great!

    image

    Are you going to TechEd in New Orleans? If you are, we (Tom Shinder and I) will be there to present, and we are also organizing a book signing session; more details coming soon. While we are waiting for TechEd, I’m going to do a raffle, and the rules are pretty simple:

    • Follow me on Twitter @yuridiogenes
    • Tweet: I want the new Windows Server 2012 Security book from @syngress written by @yuridiogenes @tshinder and @debshinder

    On May 28th I will announce the winner of this book here on the blog and I will send a signed copy of the book in the second week of June.

    Good luck!

  • Yuri Diogenes's Blog

    Site to site connectivity with Windows Azure (GA)

    • 4 Comments

    Almost a month ago I wrote this post about an attempt to establish a site to site connection between TMG and Windows Azure, and the conclusion was: you need a valid IP on your edge device in order to do that. Done, got my valid IP and now I’m ready to rock! It should have been straightforward now that I had all the steps in mind and knew how it works, but it was not. Using the same lab environment (but now with TMG having a valid IP address) I faced a different issue. The tunnel between Azure and TMG connected for a couple of seconds (from the Azure Portal perspective) and then dropped. It was a constant pattern, so it was not just a transient situation. Using TMG DataPackager with the VPN template I gathered the data that I needed to understand what was going on. When I started to review the IKE logging this is what I got:

    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
    [0]00FC.0480::00/00/0000-00:00:00.000 [ikeext]                0|NULL|IkeRegConfigChangeNotifyCallback invoked
    [0]00FC.0480::00/00/0000-00:00:00.000 [ikeext]                0|NULL|Stopping IKE tracing

    An invalid header could be something related to IKE itself; unfortunately, researching this error didn’t help me much:

    image

    Next step: understanding what’s going on on the wire! I started reviewing the netmon trace for this traffic and found this:

    image

    Oh well, that explains everything: TMG doesn’t work with IKEv2, hence it fails to negotiate. But wait a minute, how did this use to work in the past? Because prior to GA Windows Azure was using IKEv1. When you are using Windows Azure Gateway you can configure it to use Static Routing or Dynamic Routing (see more info about these definitions here); if you use Dynamic Routing then Azure Gateway for Site to Site will use IKEv2. This document is being updated to reflect this change that was introduced in GA.

    Just to remind you: TMG is not supported for site to site connectivity on Azure, and now that Dynamic Routing requires IKEv2, TMG is not an option even for testing purposes.
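    Two checks I use when an IKE trace looks like the one above, as an added example written for this post (it is my code, not code from the post, from TMG or from Azure). The first is a triage over ikeext log lines that counts IkeVerifyPacketHeader failures per error code; the second decodes the fixed 28-byte IKE header from a packet capture, so the version byte tells you whether the peer is speaking IKEv1 or IKEv2 without waiting for a protocol parser. The log lines and packet bytes are constructed in the formats shown in the post, and the threshold of three repeated failures is an assumption.

```python
import re
import struct
from collections import Counter

# Fixed 28-byte header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296):
# initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length.
IKE_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange type codes per major version (IANA ISAKMP and IKEv2 registries).
EXCHANGE_TYPES = {
    1: {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}


def decode_ike_header(packet: bytes) -> dict:
    """Decode the IKE header of a UDP/500 or UDP/4500 payload.

    On UDP/4500 the datagram starts with a 4-byte zero 'non-ESP marker' (RFC 3948);
    it is skipped here because a real initiator SPI is never all zeros.
    """
    if packet[:4] == b"\x00\x00\x00\x00":
        packet = packet[4:]
    if len(packet) < IKE_HEADER.size:
        raise ValueError("payload shorter than an IKE header")
    ispi, rspi, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(packet)
    major = version >> 4          # high nibble: 1 = IKEv1, 2 = IKEv2
    return {
        "ike_version": f"IKEv{major}",
        "exchange": EXCHANGE_TYPES.get(major, {}).get(exch, f"unknown({exch})"),
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


# Each failed header check is logged twice (Windows error and HRESULT); count the first form only.
HEADER_FAIL = re.compile(r"IkeVerifyPacketHeader failed with Windows error \d+\((\w+)\)")


def triage_ike_log(lines) -> Counter:
    """Count IkeVerifyPacketHeader failures per error code in an ikeext trace."""
    counts = Counter()
    for line in lines:
        m = HEADER_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def likely_version_mismatch(counts: Counter, threshold: int = 3) -> bool:
    """Repeated ERROR_IPSEC_IKE_INVALID_HEADER with no other negotiation error is the
    pattern from the post: the peer sends a header this gateway cannot parse (IKEv2 to an
    IKEv1-only endpoint). Confirm with decode_ike_header() on a capture before concluding."""
    return counts.get("ERROR_IPSEC_IKE_INVALID_HEADER", 0) >= threshold


# Constructed sample data in the formats shown in the post (not captured from a real gateway).
SAMPLE_LOG = """\
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0480::00/00/0000-00:00:00.000 [ikeext]                0|NULL|Stopping IKE tracing
"""

# IKEv2 IKE_SA_INIT request header (version byte 0x20, exchange 34, Initiator flag 0x08, SA payload 33).
SAMPLE_IKEV2 = IKE_HEADER.pack(bytes.fromhex("5f4f98ebb5fc8fb5"), bytes(8), 33, 0x20, 34, 0x08, 0, 320)
# IKEv1 Main Mode request header (version byte 0x10, exchange 2, SA payload 1).
SAMPLE_IKEV1 = IKE_HEADER.pack(bytes.fromhex("5f4f98ebb5fc8fb5"), bytes(8), 1, 0x10, 2, 0x00, 0, 180)

if __name__ == "__main__":
    counts = triage_ike_log(SAMPLE_LOG.splitlines())
    print(dict(counts), "version mismatch likely:", likely_version_mismatch(counts))
    print(decode_ike_header(SAMPLE_IKEV2))
    print(decode_ike_header(b"\x00\x00\x00\x00" + SAMPLE_IKEV1))   # NAT-T framed IKEv1
```

    The decoder only reads the header, so it works on the first UDP payload of a netmon or pcap export without any further parsing; in the scenario above it would report IKEv2/IKE_SA_INIT from the Azure side while TMG only logs the invalid-header errors.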

  • Yuri Diogenes's Blog

    Security Response Readiness Assessment

    • 0 Comments

    Recently MSRC (Microsoft Security Response Center) released a new tool called Security Response Readiness Assessment. This tool will help you identify, monitor, respond to, and resolve security incidents and vulnerabilities in your IT environment. It is based on best practices in software security incident response developed at Microsoft.

    image

    Launch it from here.

    Stay safe!

  • Yuri Diogenes's Blog

    Addressing Security Concerns with Automation for a Private Cloud Infrastructure

    • 0 Comments

    Recently, in a great partnership with Ed Wilson (The Scripting Guy), we (Tom and I) wrote a series of articles about private cloud security and PowerShell automation in order to assist you in addressing some security concerns that I documented in the articles below:

    Have a look on the first two articles of this series here:

    Enjoy!

  • Yuri Diogenes's Blog

    Unable to access resources after enabling site to site connectivity with Windows Azure

    • 0 Comments

    Recently I was working on a document where I had to build a lab in order to validate a series of assumptions. This lab required cross-premises connectivity with Windows Azure, in other words: allowing resources located on-premises to access virtual machines located on Windows Azure and vice versa. For testing purposes (since it is not supported by Windows Azure) I used Forefront TMG as my VPN gateway; this was easily accomplished by following this great article written by my friend Richard Hicks. All good, the site to site VPN was established and my Windows Azure portal was showing this result:

    image

    The gateway connectivity was established as shown above; however, I noticed the weird behavior of some KB of data in and nothing out. At a glance I didn’t realize that this could be a problem, but once I started to test the resources (a simple ping from a VM located on Azure to the ProdDC1 located on-premises) I received a timeout. Odd…..weird…what’s going on? Luckily I was using Windows Server 2008 SP2 on TMG and I was able to enable IKE logging using a procedure that I documented a long time ago in this post. The result is shown below (consider XXX.XXX.XXX.XXX the valid IP of my router, which was doing NAT-T to my TMG):

    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|Received packet
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|Local Address: 192.168.1.160.4500 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|Peer Address: XXX.XXX.XXX.XXX.4500 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|iCookie 5f4f98ebb5fc8fb5 rCookie 4fd35b13948ab70b
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Exchange type: IKE Quick Mode Length 268 NextPayload HASH Flags 1 Messid 0x00000031
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|mmSa: 0x00000000029BB8B0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Create QMSA: qmSA 0000000004050150 messId 31
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Processing QM.  MM 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Process Payload HASH, SA 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Process Payload ID, SA 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Process Payload ID, SA 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Process Payload SA, SA 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|QM propNum 1, transformNum 0, peerSpi 2308443503
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|QM transNum 1
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|PROTO: ESP Algo 12
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_ENCAPSULATION_MODE: 3
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_KEY_LENGTH: 128
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_HMAC_ALG: 2
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_TYPE: 1
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_DUR: 3600
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_TYPE: 2
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_DUR: 102400000
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|QM propNum 2, transformNum 0, peerSpi 2308443503
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|QM transNum 1
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|PROTO: ESP Algo 3
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_ENCAPSULATION_MODE: 3
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_HMAC_ALG: 2
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_TYPE: 1
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_DUR: 3600
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_TYPE: 2
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IPSEC_LIFE_DUR: 102400000
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IsRecvPolicyTunnelPolicy: TRUE
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Looking up QM policy for IKE
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|QM localAddr : 10.0.0.0.0 Mask 255.255.255.0 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|QM peerAddr : 172.16.0.0.0 Mask 255.255.0.0 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Policy
    GUID: {b476013b-cc93-4a45-86de-3649e39c5ec0}
    LUID: 0x8000000000000029
    Name: ISA VPN S2S tunnel to network Fabrikam Cloud
    Description: (null)
    Flags: 0x00000000
    Provider: <unspecified>
    Provider data:
    Type: IKE Quick Mode Tunnel
    Proposals: 1
    -- 0 --
      Lifetime:
        Seconds: 3600
        Kilobytes: 102400000
        Packets: 2147483647
      PFS group: None
      SA transforms: 1
      -- 0 --
        Type: ESP-Auth & Cipher
          Auth transform:
            Type: SHA1
            Config: HMAC-SHA1-96
            Crypto module: <unspecified>
          Cipher transform:
            Type: AES-128
            Config: CBC-AES-128
            Crypto module: <unspecified>
    Flags: 0x00000000
    Local tunnelEndpoint: 192.168.1.160
    Remote tunnelEndpoint: XXX.XXX.XXX.XXX
    Normal idle timeout (seconds): 300
    Idle timeout in case of failover (seconds): 60

    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Accepted proposal.  Prop: 1 trans: 1
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Created new QM SA context              217
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|GetSpi
    SA context              217
    Local address: 192.168.1.160
    Remote address: XXX.XXX.XXX.XXX
    Mode: Tunnel Mode
    Filter ID: 0x8000000000000029
    Remote Port: 0x0000
    UDP Encapsulation:
      Local port: 4500
      Remote port: 4500

    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Got SPI from BFE 1296515672
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Local address : 10.0.0.0.0 Mask 255.255.255.0 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Peer address : 172.16.0.0.0 Mask 255.255.0.0 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Process Payload NONCE, SA 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct IKEHeader
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct HASH
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct SA
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct NONCE
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct ID
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct ID
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Sending Packet
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|iCookie 5f4f98ebb5fc8fb5 rCookie 4fd35b13948ab70b
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Exchange type: IKE Quick Mode Length 220 NextPayload HASH Flags 3 Messid 0x00000031
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Local Address: 192.168.1.160.4500 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Peer Address: XXX.XXX.XXX.XXX.4500 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|IF-Index: 10
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Created new TimerContext 0000000004054840, type 6
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|Received packet
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|Local Address: 192.168.1.160.4500 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                0|XXX.XXX.XXX.XXX|Peer Address: XXX.XXX.XXX.XXX.4500 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|iCookie 5f4f98ebb5fc8fb5 rCookie 4fd35b13948ab70b
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Exchange type: IKE Quick Mode Length 60 NextPayload HASH Flags 3 Messid 0x00000031
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|mmSa: 0x00000000029BB8B0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Processing QM.  MM 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Process Payload HASH, SA 00000000029BB8B0 QM 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct IKEHeader
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct HASH
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct CONNECTED NOTIFY
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Construct NOTIFY
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Adding inbound SA. mmSa 00000000029BB8B0 qmSa 0000000004050150
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Local Address : 10.0.0.0.0 Mask 255.255.255.0 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|Peer Address : 172.16.0.0.0 Mask 255.255.0.0 Protocol 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|AddImpersonateHash 00000000040522F0 entryCount 2 isImpersonate 0
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|SA context              217
    [0]0100.0654::00/00/0000-00:00:00.000 [ikeext]                a|XXX.XXX.XXX.XXX|SA bundle

    As you can see, all required parameters were correct: no error and no problem during the negotiation. After researching the web for a similar problem I found this thread, which lists the following requirements (as per Steve Espinosa from Microsoft Texas) for a network device to work with Windows Azure Virtual Network:

    • VPN device must have a public facing IPv4 address
    • VPN device must support IKEv1
      • Diffie-Hellman in "Group 2" mode
      • Perfect Forward Secrecy = Disabled
    • VPN device must be able to establish IPsec Security Associations in Tunnel mode
    • VPN device must be configurable for an MSS of 1350 for the tunnel
    • VPN device must support NAT-T
    • VPN device must support these encryption protocols:
      • AES 128-bit encryption function
      • SHA-1 hashing function
    • VPN device must fragment packets before encapsulating with the VPN headers
    • VPN device must support a 50 character pre-shared key. While a shorter or longer key can be programmatically created, this functionality is not currently exposed in the Windows Azure Portal.
    • For IKE phase 1 negotiation, set validity to 28800 seconds.
    • For IKE phase 2 negotiation, set SA lifetime to 3600 seconds or 102400000 kb (~100GB), whichever comes first

    The reason I highlighted this item is that it is the one I didn’t have. Everything else was correct. Lesson learned: your VPN device MUST have a public facing IPv4 address, otherwise the site to site VPN connection won’t work (although you might think it is working if you just look at the Azure Portal).
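    As an added example (my code, not code from the post, from TMG or from Azure), here is a small parser for the Quick Mode part of an ikeext trace in the format shown above, followed by a check of what was negotiated against the checklist from the thread. The numeric codes are decoded with the IANA IPsec DOI values from RFC 2407 and the NAT-T encapsulation modes from RFC 3947, and the trace excerpt is constructed after the post’s log. Run on that excerpt, every cryptographic parameter passes and the single finding is the one the post ends with: the local tunnel endpoint 192.168.1.160 is not a public IPv4 address.

```python
import ipaddress
import re

# Numeric codes in the ikeext trace: IANA IPsec DOI values (RFC 2407);
# encapsulation modes 3 and 4 are the NAT-T modes from RFC 3947.
ESP_ALGO = {3: "3DES", 12: "AES-CBC"}
HMAC_ALG = {1: "HMAC-MD5", 2: "HMAC-SHA1"}
ENCAP_MODE = {1: "Tunnel", 2: "Transport", 3: "UDP-Encapsulated-Tunnel", 4: "UDP-Encapsulated-Transport"}
LIFE_KEY = {1: "life_seconds", 2: "life_kb"}

# Phase 2 parameters from the checklist quoted in the post.
AZURE_S2S = {"esp": "AES-CBC", "key_length": 128, "hmac": "HMAC-SHA1",
             "life_seconds": 3600, "life_kb": 102400000}


def message(line: str) -> str:
    """Drop the '[0]0100.0654::... [ikeext] a|peer|' prefix; policy-dump lines have none."""
    line = line.strip()
    if line.startswith("[") and line.count("|") >= 2:
        return line.split("|", 2)[2].strip()
    return line


def parse_ike_trace(text: str) -> dict:
    """Collect Quick Mode proposals, the accepted one, PFS, local endpoint and NAT-T ports."""
    facts = {"proposals": [], "accepted": None, "pfs": None, "local_endpoint": None, "udp_ports": set()}
    life_key = None
    for raw in text.splitlines():
        msg = message(raw)
        key, _, value = msg.partition(":")
        value = value.strip()
        if msg.startswith("QM propNum"):
            facts["proposals"].append({})
        elif msg.startswith("PROTO: ESP Algo"):
            facts["proposals"][-1]["esp"] = ESP_ALGO.get(int(msg.rsplit(None, 1)[1]))
        elif key == "IPSEC_ENCAPSULATION_MODE":
            facts["proposals"][-1]["encap"] = ENCAP_MODE.get(int(value))
        elif key == "IPSEC_KEY_LENGTH":
            facts["proposals"][-1]["key_length"] = int(value)
        elif key == "IPSEC_HMAC_ALG":
            facts["proposals"][-1]["hmac"] = HMAC_ALG.get(int(value))
        elif key == "IPSEC_LIFE_TYPE":
            life_key = LIFE_KEY.get(int(value))      # the next IPSEC_LIFE_DUR belongs to this type
        elif key == "IPSEC_LIFE_DUR" and life_key:
            facts["proposals"][-1][life_key] = int(value)
        elif key == "PFS group":
            facts["pfs"] = value
        elif key == "Local tunnelEndpoint":
            facts["local_endpoint"] = value
        elif key in ("Local port", "Remote port"):   # 'UDP Encapsulation' block of GetSpi
            facts["udp_ports"].add(int(value))
        else:
            m = re.match(r"Accepted proposal\.\s+Prop: (\d+)", msg)
            if m:
                facts["accepted"] = int(m.group(1))
    return facts


def check_azure_requirements(facts: dict) -> list:
    """Return a list of findings; an empty list means the trace does not contradict the checklist."""
    findings = []
    try:
        addr = ipaddress.ip_address(facts["local_endpoint"])
        if addr.version != 4 or not addr.is_global:
            findings.append(f"local tunnel endpoint {addr} is not a public IPv4 address (NAT in front of the gateway?)")
    except ValueError:
        findings.append("no local tunnel endpoint found in the trace")
    if facts["accepted"] is None:
        findings.append("no Quick Mode proposal was accepted")
    else:
        prop = facts["proposals"][facts["accepted"] - 1]   # 'Prop: N' is 1-based
        for name, want in AZURE_S2S.items():
            if prop.get(name) != want:
                findings.append(f"accepted proposal has {name}={prop.get(name)!r}, expected {want!r}")
        if prop.get("encap") not in ("Tunnel", "UDP-Encapsulated-Tunnel"):
            findings.append(f"accepted proposal is not tunnel mode: {prop.get('encap')!r}")
    if facts["pfs"] != "None":
        findings.append(f"PFS group is {facts['pfs']!r}, expected disabled (None)")
    if facts["udp_ports"] != {4500}:
        findings.append("NAT-T (UDP 4500 on both sides) not observed")
    return findings


# Constructed excerpt modelled on the trace in the post (XXX.XXX.XXX.XXX stands for the router).
SAMPLE_TRACE = """\
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|QM propNum 1, transformNum 0, peerSpi 2308443503
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|PROTO: ESP Algo 12
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|IPSEC_ENCAPSULATION_MODE: 3
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|IPSEC_KEY_LENGTH: 128
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|IPSEC_HMAC_ALG: 2
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|IPSEC_LIFE_TYPE: 1
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|IPSEC_LIFE_DUR: 3600
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|IPSEC_LIFE_TYPE: 2
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|IPSEC_LIFE_DUR: 102400000
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|QM propNum 2, transformNum 0, peerSpi 2308443503
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|PROTO: ESP Algo 3
  PFS group: None
Local tunnelEndpoint: 192.168.1.160
Remote tunnelEndpoint: XXX.XXX.XXX.XXX
[0]0100.0654::00/00/0000-00:00:00.000 [ikeext] a|XXX.XXX.XXX.XXX|Accepted proposal.  Prop: 1 trans: 1
UDP Encapsulation:
  Local port: 4500
  Remote port: 4500
"""

if __name__ == "__main__":
    for finding in check_azure_requirements(parse_ike_trace(SAMPLE_TRACE)):
        print("FINDING:", finding)
```

    The point of the endpoint check is exactly the lesson of the post: a trace can show a clean, fully accepted negotiation and the portal can show the tunnel as connected while the gateway itself sits on an RFC 1918 address behind a NAT, so the conformance check has to look at the tunnel endpoint and not only at the crypto parameters.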

  • Yuri Diogenes's Blog

    Cloud Infrastructure Solution for Enterprise IT

    • 0 Comments

    I’m very pleased to announce that our team just updated our main site and now you will be able to easily find the documents that we produce. Please visit http://technet.microsoft.com/en-us/cloud/private-cloud and let us know if you like it. One new document set that my team put together to help customers implement a cloud infrastructure with Windows Server 2012 is composed of the following documents:

    • Scenario definition: Describes an example organization that is implementing a cloud infrastructure. It details the organization’s current environment and why they’ve chosen to implement a cloud infrastructure. Many organizations will likely find that they have similar environments and requirements.
    • Design options guide: Details all of the planning considerations for hardware and software that comprise a cloud infrastructure. This includes the network, storage, and compute components of the infrastructure. Further, it addresses planning considerations for different types of availability, scalability, performance, and security needs.
    • Design decisions guide: Details what design decisions, as defined in the Scenario Definition, were made from the considerations covered in the Design Options Guide, as well as the rationale for why they made the decisions.
    • Implementation guide: Details the implementation steps for the design detailed in the Design Guide. This guide provides a step-by-step approach that can be used to build the cloud infrastructure.


    image

    Go ahead and download all documents from the link below:

    http://www.microsoft.com/en-us/download/details.aspx?id=36795

    I hope you like!

  • Yuri Diogenes's Blog

    Our Agenda for TechEd North America and Europe

    • 0 Comments

    This week my friend Tom Shinder published a post at the Private Cloud Blog talking about our agenda at TechEd North America and Europe. Tom and I are the PMs for the Architecture Track. On the external TechEd North America web site you will see it as Architecture & Trustworthy Computing with the following description:

    image

    We will be doubling as PMs and speakers for both events. I will be co-presenting with Tom and Josh Adams at TechEd North America, and at TechEd Europe I will be presenting with Karin Bazuza (my former coworker from CSS Security; she is now in CSS Networking). The list of sessions for our track is:

    TechEd North America

    image

    TechEd Europe

    image

    Syngress will also be sending some copies of our upcoming book, Windows Server 2012 From End to Edge and Beyond; we will probably be signing books there as well.

    I hope to see you there!

  • Yuri Diogenes's Blog

    Follow up from DFW IT PRO Meeting March 2013

    • 0 Comments

    Yesterday Tom Shinder and I had the opportunity to present at the DFW IT PRO Meeting about Private Cloud Security Infrastructure with Windows Server 2012. The audience was great, very participative, and we had an amazing time interacting with them.

    image

    http://www.dfwitprofessionals.com/index.php/event-calendar/icalrepeat.detail/2013/03/07/382/-/march-7th-ug-meeting-security-enhancements-in-windows-server-2012-a-secure-private-cloud-scenario-approach

    While we can’t share the slide deck for now, here are some of the links that we mentioned during the presentation:

    Thanks for having us and see you next time!

    image

  • Yuri Diogenes's Blog

    Cloud Security Readiness Tool Updated

    • 0 Comments

    Four months ago I wrote a post on this blog talking about the Cloud Security Readiness Tool, and one of the limitations at that time was that only one scenario (SaaS) existed. Today I’m pleased to share with you that the tool was updated and now you have IaaS and PaaS as well:

    image

    Recently the Cloud Security Alliance announced an official endorsement, recommending the use of this tool to help organizations review and understand their IT maturity level and how to better approach cloud security challenges. So, if you are about to implement SaaS, IaaS or PaaS, make sure to use this tool to assist you in planning for cloud security.

  • Yuri Diogenes's Blog

    March DFW IT Pro: Security Enhancements in Server 2012

    • 0 Comments

    Tom Shinder and I will be speaking at the DFW IT PRO Meeting at the Microsoft Las Colinas office next week (March 7th). We will be talking about the security enhancements in Windows Server 2012 from the private cloud perspective. The link to register is available here. You can find more information about DFW IT PRO Meetings at the link below:

    http://www.dfwitprofessionals.com/index.php/event-calendar/icalrepeat.detail/2013/03/07/382/-/march-7th-ug-meeting-security-enhancements-in-windows-server-2012-a-secure-private-cloud-scenario-approach

    See ya there!

  • Yuri Diogenes's Blog

    Security+ Second Edition (PT-BR)

    • 2 Comments

    The book that I co-wrote about Security+ is now available in Portuguese (Brazil), and in the same week that the book was announced, CompTIA also announced that the Security+ certification is now also available in Portuguese. The CompTIA press release from last week has a brief interview where I explain more about the book; more info here: http://www.comptia.org/news/pressreleases/13-02-20/CompTIA_Security_Certification_Exam_Now_Available_in_Portuguese_Language_Version.aspx

    Security+ PT-BR

  • Yuri Diogenes's Blog

    Windows Server 2012 Security from End to Edge and Beyond - TOC Revealed

    • 0 Comments

    Syngress recently published the table of contents of our upcoming book; take a look at what’s coming:

    image

    Source: http://store.elsevier.com/product.jsp?isbn=9781597499804&pagename=search#tabs-3

    Just a reminder that the book is already available for pre-order at Amazon.

  • Yuri Diogenes's Blog

    On the road again….

    • 0 Comments

    Last week I was on the road with Tom Shinder to present at TechReady (an internal Microsoft conference in Seattle) and also to participate in some team meetings in Redmond. We used this opportunity to visit Mark Russinovich at his office and record Episode 25 of From End to Edge and Beyond. We had a great time talking to Mark about his books and also about cybercrime and other security related subjects. Stay tuned at http://aka.ms/FEEAB because you can’t miss this episode, which will be live next week!

    image

    Thanks for your time Mark!

  • Yuri Diogenes's Blog

    Toolkit to Disable Automatic Delivery of Internet Explorer 10

    • 1 Comments

    So you don’t want to deliver Internet Explorer 10 automatically via Windows Update? OK, I understand that there might be many reasons for you to do that, even knowing that IE10 is more secure than its predecessor. Today Microsoft released the Blocker Toolkit for those who would like to block automatic delivery of Internet Explorer 10 to machines in environments where Automatic Updates is enabled. Download it from the link below:

    http://www.microsoft.com/en-us/download/details.aspx?id=36512

    Some FAQs about this Blocker Toolkit can be found here:

    http://technet.microsoft.com/en-US/ie/jj898509

  • Yuri Diogenes's Blog

    Microsoft Private Cloud solutions for IT Managers Series - Episode 5 at TechNet Radio

    • 0 Comments

    Our last episode of this series is now live at TechNet Radio. In this episode we discuss the importance of Identity Management in a private cloud scenario. Check it out:

  • Yuri Diogenes's Blog

    A Safer 2013 for our Kids

    • 1 Comments

    The first post of this year will be about a very sensitive subject, something where, as a parent, doing nothing will be a failure (if something happens), but doing too much might look like you are going beyond the limits of privacy. I’m talking about the challenge of keeping your kid safe while using technology. It is not only about the Internet, it is about any device that provides connectivity with a virtual world. The old saying that only the Internet can be dangerous for kids is just not right anymore; any device that exposes your kid to a broader audience might make them vulnerable to predators. Recently I read an article called “Why I'm Cyberstalking My Son” and although the title might sound “tough”, it is not; the article goes directly to the point and I really enjoyed reading it. This week I also read this post on Facebook about some rules that a mother wrote for her son for using his phone; that was great and worth reading here. It boils down to one thing: parents are becoming conscious about cyber security, which is GREAT!

    There are many resources out there that can help parents to keep their kids safer while using technology and I’m going to list some of those resources here:

    Now that you have all those links, let me give you a brief example of something that I’ve done to better control what my kids are doing on the Internet.

    Surface Rocks Daddy!

    Oh yeah, that’s what I heard from my kids when I got home with my Surface. Although Surface is very personal and ideally you would have one device per person in a house, this might not be the case for a big family. When that’s the case (which is mine), you should create multiple users (to have different profiles) by using the steps below:

    1. From the Start screen, open the Search charm, enter Control Panel and then press Enter.
    2. Tap or click User Accounts and Family Safety.
    3. Tap or click Change account type.
    4. Tap or click Guest and then tap or click Turn On.

    (More info about accounts on Surface here)

    When you use the Family Safety option (watch this video for more details), you have access to the monitoring report that tells you in detail the activity for the account that you created. This report is very useful, and here is an example of some of the info that I can find in this report:

    image

    This first part of the report shows the most popular sites that were visited during the week, which gives you an idea of what your kid is doing online from the browsing perspective. The second part of the report is shown below:

    image

    This second part is even more interesting. It allows you to see the time your kid is spending on the PC every day of the week and which applications are the ones he (or she) is using the most. According to this report I’m positive that my kid is watching way too many movies :)

    Wrapping Up

    As you could see from this brief post, there are many technologies and resources available to assist you (the parent) in protecting your kid online. Make sure to use them, share your experiences with other parents and evangelize the use of technology for safety purposes.

    A safer 2013 for all of us!

  • Yuri Diogenes's Blog

    New books for your library in 2013

    • 1 Comments

    Hello folks, this will be the last post of the year and I just want to make sure I share a couple of books that some friends of mine recently released:

    image
    • Take advantage of numerous Hyper-V best practices for administrators
    • Get to grips with migrating virtual machines between servers and old Hyper-V versions, automating tasks with PowerShell, providing a High Availability and Disaster Recovery environment, and much more
    • A practical Cookbook bursting with essential recipes
    image
    • The essential administrator’s companion for the successor to DirectAccess
    • Get to grips with configuring, enabling and deploying Unified Remote Access
    • A quick start guide to have you up and running with Windows Server 2012 URA in no time

    Great job guys, those are indeed a must read for 2013!

    I also want to take a minute of your attention to let you know that the book that Tom Shinder, Deb Shinder and I were working on throughout this year is also available for pre-order here.

    image

    That’s it folks….I wish you a great 2013.

  • Yuri Diogenes's Blog

    As you know, TMG is over….now what?

    • 0 Comments

    The news about the retirement of Forefront TMG 2010 was announced last September in this blog post. Since then I haven’t had a chance to write about it, as I was engaged on so many other projects; however (and not intentionally), on the same day that this was announced I was with Jim Harrison and Tom Shinder in Redmond for a happy hour (which turned out to be more of a mourning-TMG’s-death kind of moment). Below you can see a little snap of this moment:

    image

    But honestly I don’t have a lot to say other than that it was great working with TMG, it was great to be part of the great Forefront TMG 2010 book that we released via Microsoft Press, and it was great to work with so many amazing minds that were part of this team. Although my relationship with the father of all that (Proxy Server) started in 1997, I only got certified in Proxy 2.0 in 2000 (see my transcript here - transcript ID: 733651 - access code: mytranscript). Since then the relationship just got closer and closer…but we work in the technology field and we need to move on as the market evolves. So, today (the last Friday of 2012) I want to share with you some tips from our MVP Deb Shinder. Take a look at what she wrote about this transition from TMG to another firewall solution:

    As we move forward to a new year I want to wish you all a great 2013, full of accomplishment!

    Stay safe!

  • Yuri Diogenes's Blog

    Microsoft Private Cloud solutions for IT Managers Series - Episode 3 and 4 at TechNet Radio

    • 0 Comments

    Hello folks, just a quick update to announce Episode 3 and 4 of this Cloud Solutions Series:

    Part 3 - Private Cloud Planning


    Part 4 - Private Cloud IaaS

    Stay tuned: next month we will release the last episode, which is about Private Cloud Identity Management.

    Happy Holidays!

  • Yuri Diogenes's Blog

    Microsoft Private Cloud solutions for IT Managers Series - Episode 2 at TechNet Radio

    • 0 Comments

    Today we are releasing part two out of five in this new series called “Microsoft Private Cloud Solutions for IT Managers”. This episode is all about Private Cloud Security. We hope you enjoy!

  • Yuri Diogenes's Blog

    Microsoft Private Cloud solutions for IT Managers Series - Episode 1 at TechNet Radio

    • 0 Comments

    Today we are releasing part one out of five in this new series called “Microsoft Private Cloud Solutions for IT Managers”. I hope you enjoy Tom Shinder, Kevin Remde and me talking about Cloud Computing from all angles.

    image

    http://channel9.msdn.com/Shows/TechNet+Radio/TechNet-Radio-Cloud-Innovators--Part-1-Private-Cloud-Principles

  • Yuri Diogenes's Blog

    From End to Edge and Beyond - Book Update

    • 2 Comments

    Hello folks,

    Today I have two pieces of good news about our upcoming Windows Server 2012 Security Book. Last month Deb Shinder joined us as a co-author of this book; she is already producing some great pieces of content and we are just very happy to have her onboard. The other good news is that we reached 70% of the book, so we are getting very close to the end (we will probably be done writing by December).


  • Yuri Diogenes's Blog

    Where is my SMB3 in Network Monitor?

    • 0 Comments

    If you are playing around with SMB3 and are trying to find more details on network traffic using Microsoft Network Monitor, you may find out that SMB3 is not in the protocol list, as shown below:

    image

    Before moving forward, it is important to emphasize that this behavior is expected. There are a couple of things that you need to understand about this:

    • You need to download the latest protocol parsers (at least version 2890) in order to parse the SMB3 protocol. For that, go to http://connect.microsoft.com , click Message Analyzer, Network Monitor and Protocol Suites and download the latest version from there.
    • Even after installing the latest parser you will NOT see protocol.SMB3 in the list (expected). You should use SMB2 and it will parse the SMB3 protocol using the latest parser.

    For more info about protocol parsers see http://blogs.technet.com/netmon and for more information about the SMB 3 protocol specification see http://msdn.microsoft.com/en-us/library/cc246482%28prot.20%29.aspx
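    The reason the SMB2 parser covers SMB3 is that SMB 3.0 keeps the 64-byte SMB2 packet header and is simply offered as dialect 0x0300 in the same NEGOTIATE exchange (dialect codes and layout from the MS-SMB2 specification linked above). The following is an added example of mine, not code from the post or from Network Monitor: it builds a constructed SMB2 NEGOTIATE request and parses the dialect list back out, the same check a parser keyed on the 0xFE "SMB" header performs.

```python
import struct

# Dialect codes from the MS-SMB2 specification linked in the post.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0"}
SMB2_HEADER_LEN = 64       # fixed SMB2 header size, shared by SMB 2.x and 3.0
SMB2_NEGOTIATE = 0x0000    # command code for NEGOTIATE
NEGOTIATE_FIXED_LEN = 36   # StructureSize of the NEGOTIATE request body


def build_negotiate_request(dialects):
    """Build a sample SMB2 NEGOTIATE request (constructed input, not a capture)."""
    # ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
    # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0,
                         SMB2_NEGOTIATE, 1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize, DialectCount, SecurityMode (signing enabled), Reserved,
    # Capabilities, ClientGuid (zeroed in this sample), ClientStartTime
    body = struct.pack("<HHHHI16sQ", NEGOTIATE_FIXED_LEN, len(dialects),
                       0x0001, 0, 0, b"\x00" * 16, 0)
    return header + body + b"".join(struct.pack("<H", d) for d in dialects)


def parse_negotiate_dialects(packet):
    """Return the dialect names offered in an SMB2 NEGOTIATE request.

    Returns None when the bytes are not SMB2-framed, not a NEGOTIATE, or
    truncated. SMB 3.0 is just another dialect inside this SMB2 framing,
    which is why the SMB2 parser is the one that decodes it.
    """
    if len(packet) < SMB2_HEADER_LEN + NEGOTIATE_FIXED_LEN:
        return None
    if packet[:4] != b"\xfeSMB":           # 0xFF 'SMB' would be SMB1
        return None
    command = struct.unpack_from("<H", packet, 12)[0]
    if command != SMB2_NEGOTIATE:
        return None
    count = struct.unpack_from("<H", packet, SMB2_HEADER_LEN + 2)[0]
    offset = SMB2_HEADER_LEN + NEGOTIATE_FIXED_LEN
    if len(packet) < offset + 2 * count:
        return None                        # dialect array cut short
    codes = struct.unpack_from("<%dH" % count, packet, offset)
    return [DIALECTS.get(c, "unknown 0x%04x" % c) for c in codes]


if __name__ == "__main__":
    pkt = build_negotiate_request([0x0202, 0x0210, 0x0300])
    print(parse_negotiate_dialects(pkt))   # ['SMB 2.0.2', 'SMB 2.1', 'SMB 3.0']
```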

  • Yuri Diogenes's Blog

    Cloud Security Readiness Tool

    • 2 Comments

    Today at RSA Conference in Europe, Microsoft launched the Cloud Security Readiness Tool. Here is how it works:

    image

    Go check it out now at: http://technet.microsoft.com/en-us/security/jj554736

    image

  • Yuri Diogenes's Blog

    Automating your Windows Server 2012 Cloud Infrastructure with PowerShell

    • 0 Comments

    Today Josh Adams published at the TechNet Gallery two great sets of PowerShell scripts that can help you automate your Windows Server 2012 Cloud Infrastructure. Check out what each one does:

    • Windows Server 2012 IaaS Build Tables: Step-by-Step with PowerShell Examples : over 70 different PowerShell cmdlets are employed and described, many leveraging new features only found in Windows Server 2012, covering areas such as: Networking (NIC Teaming, QoS, DCB, etc.), Failover Clustering, Hyper-V , Storage Spaces, Disk Management (including MPIO), Server Management, Active Directory and PowerShell.
    • SMB Share Configuration for Hyper-V Workloads : enables separate scaling of compute and storage resources; specific permissions are added at both the file system and share levels; it enables remote management of the solution along with Kerberos-constrained Live Migration and more.


    We hope you enjoy!

    Note: make sure to rate and leave your comment on each one of those articles.
