Forefront Stirling Policies : Feature of the Week

Even in Beta 1 of Forefront Stirling you can check out the security policy capabilities the product has.  I know what you’re thinking – “whoopee, more policies”, but what you can do with the policies in Stirling is quite impressive.

What can you do with Stirling policies?

For each policy, you can easily specify granular compliance settings for Forefront Client Security (FCS), Forefront Server for Exchange (FSE), and various other security state assessments AND specify granular automated actions to be taken to remediate - all from a single console.  Some ideas for what you might do with Stirling policies:

  • If a client doesn’t have the correct firewall or latest anti-malware updates, remediate this using NAP.
  • Scan email using two engines and, when a virus is found in a message, clean the virus and initiate a full client virus and anti-malware scan using FCS
  • Audit to verify your IIS 6/7 and SQL 2005 servers have appropriate security settings enabled
  • If a client is doing a port scan or quickly sending a large number of emails, quarantine their computer using NAP, block their outbound internet access through TMG, scan their email for viruses with FSE, and do a full virus scan with FCS

In updates past Beta 1, you can eventually expect even more capabilities and integration with other Forefront products.

How does it work?

There are two major components – the policy and the target group.  The policy contains all of the settings you are checking for and/or the remediation steps.  The target group can be a user, group, computer, OU, or domain.  A policy can be bound to one or more target groups and precedence can be set to determine priority if there are conflicts in policy settings.  Under the hood, you have Enterprise Security Assessment Sharing (ESAS) and SCCM doing the majority of the communication work related to the policies – which I’ll cover in more depth in future posts.

What’s the catch?

In order to get this functionality working, you’ll need to have the core Stirling infrastructure in place and then have the vNext versions of FCS and FSE installed (if you create policies related to these settings).  Also, for the NAP functionality to work, you’re going to need to set up a NAP infrastructure separately.

GET STARTED
Download Beta 1 software or VHDs
Working with Stirling Policies

Bob Muglia's server room at home

Ok, when Adam did the Edge interview with Bob Muglia back in January at his office, he talked about having a 9-server infrastructure at home.  Tina Wood actually went to his home and published a video today which shows this.  Bob shows his server room with raised floors and a terminal server console which they have around their home to control various functions of his house.  I guess being the geek I am, I got excited at the idea of having my own server "Rack P_ _ _" at home and thought I'd blog about it.  Also, it is pretty cool to know my boss 5 levels up (Bob is directly under Steve Ballmer) is an IT guy.

The question we still don't have answered though is - does Bob use a Home Server?

Internet Explorer 8 Beta 2 for IT Pros

Today at noon IE8 Beta 2 was released and I did an interview with James Pratt to do a quick run down of what's cool with IE8 for IT Pros.  One item I didn't mention in my post on Edge is a great summary link of IE8 features for IT Pros on the IE blog.


IE8 Beta 2 screencast demo and Interview

We only have the single file format (wmv) to download (instead of psp, ipod, zune also) because you'll notice there is a combination of higher quality resolution screencast combined with the regular video and our automated program to create all these can't handle this format yet.

Mark Russinovich : the future of Windows, security, sysinternals

I had the chance to interview Mark about the future.  One thing he answers is: do you think we should or need to just scrap the Windows code base and start over?  A breakdown of everything which was covered can be found on Edge.


Interview with Mark Russinovich: the future of Sysinternals, Security, Windows
Next operating system after Windows: codename Midori

The Midori I'm talking about is not an alcohol; it's an "incubation software project" at Microsoft research to try and address the upcoming trends with technology and inherent limitations with the current Windows code base.  For instance, making the operating system more easily and automatically take advantage of a "common desktop of the future": 256 cores, 1 TB of solid state memory, and unlimited storage space and computing power in the cloud.  The estimated time frame on when this project will be complete cannot be disclosed, but it certainly will be long after Windows 7 is released.

Of course I can't tell you any more than what was leaked about this project, but read David Worthington's article which is a summary and an interesting read. 

DFSR and Bitlocker work together + performance tests

As far as I can tell, there isn't anywhere on Microsoft's sites or documentation which states DFS + Bitlocker is supported or works in Windows Server 2008.  The DFSR FAQ mentions DFSR does not work with EFS, but does not mention Bitlocker.  This is more than likely because Bitlocker sits so far below any user-mode application that the applications (such as DFSR) simply do not know that it exists.  Consequently, testing is not needed for every single scenario of Bitlocker + <app>.  Microsoft does officially support the DFSR + Bitlocker combination on Server 2008. 

Ned Pyle, a Microsoft enterprise support engineer, volunteered to do some performance testing of Bitlocker + DFSR.  The net result was Bitlocker+DFSR worked great.  However, there was a ~25% degradation in replication time with Bitlocker turned on.  This is to be somewhat expected due to the overhead of encryption; however, having a faster disk subsystem than what was tested with will more than likely significantly improve performance with Bitlocker enabled and reduce this gap.  Again - please keep in mind this is a worst-case scenario considering the given hardware and configuration. 

Here are the detailed results from the testing:

Environment used:

  • Win2008 Enterprise
  • Hardware - 2.4Ghz Quad Core, 4GB RAM, single 250GB non-SATA IDE drive
  • Default DFSR config, no antivirus realtime scanning running
  • Effectively worst case from disk perspective (very slow IDE disks shared with OS (%systemdrive% only))
  • Replication time based on delta between event 4102 and 4104 on downstream.
  • Between each pass the RG's are deleted as is the replicated folder data
  • 1GBit NIC’s (Intel 82566DM-2 WHQL inbox driver 9.12.17.0)
  • Switched 1GB network, probably under fairly high load as it’s the NC test lab and is usually moving a lot of multi-cast imaging data all the time.
  • No hops, same Ipv4 subnet.

Sample data:
5.05 GB (5,432,323,831 bytes)
Data set made up of: 2008 platform sdk, office 2007, visual studio 2008, r2 sdk, vista sdk directories 51,614 files, 5,680 folders

Bitlocker off: 
baseline1 - 0h:50m:29s
baseline2 - 0h:49m:51s
baseline3 - 0h:50m:44s
avg - ~50m

Bitlocker on: 
bitlocker4 - 1h:05m:14s
bitlocker5 - 1h:07m:25s
bitlocker6 - 1h:06m:10s
avg - ~66m (~25% slower)
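The timings above were taken as the gap between DFSR event 4102 and 4104 on the downstream member. The following PowerShell is an added example (not Ned Pyle's test script and not part of the original post) that automates that measurement from the "DFS Replication" event log and averages a set of passes the same way the post does. It assumes PowerShell 2.0 or later (Get-WinEvent), that the log name is 'DFS Replication', and that only one initial-replication pass falls inside the time window you give it.

```powershell
# Added example, not from the original post.
# Replication time for one pass = TimeCreated(4104) - TimeCreated(4102) on the
# downstream member, which is the measurement the post's numbers are based on.
# Assumptions: PowerShell 2.0+, log name 'DFS Replication', one pass per window.
function Get-DfsrInitialReplicationTime {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'DFS Replication'; Id = 4102, 4104; StartTime = $After }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        Sort-Object TimeCreated

    # First 4102 after the window start, then the first 4104 that follows it.
    $start = $events | Where-Object { $_.Id -eq 4102 } | Select-Object -First 1
    if (-not $start) { throw "No event 4102 (replicated folder initialized) found after $After" }
    $end = $events | Where-Object { $_.Id -eq 4104 -and $_.TimeCreated -gt $start.TimeCreated } |
        Select-Object -First 1
    if (-not $end) { throw "No event 4104 (initial replication finished) found after the 4102 at $($start.TimeCreated)" }

    $end.TimeCreated - $start.TimeCreated
}

# Average a set of pass timings, as the post does per configuration.
function Get-AverageReplicationMinutes {
    param([timespan[]]$Runs)
    $avgSeconds = ($Runs | Measure-Object -Property TotalSeconds -Average).Average
    [math]::Round($avgSeconds / 60, 1)
}

# Constructed input: the three passes per configuration quoted in the post.
$baseline  = '0:50:29', '0:49:51', '0:50:44' | ForEach-Object { [timespan]$_ }
$bitlocker = '1:05:14', '1:07:25', '1:06:10' | ForEach-Object { [timespan]$_ }
"Bitlocker off avg: {0} min" -f (Get-AverageReplicationMinutes -Runs $baseline)
"Bitlocker on  avg: {0} min" -f (Get-AverageReplicationMinutes -Runs $bitlocker)

# On a live downstream member, after a pass has completed:
# Get-DfsrInitialReplicationTime -ComputerName 'downstream01' -After (Get-Date).AddHours(-3)
```

Because each pass in the post deleted the replication group and the replicated folder data, every pass produces a fresh 4102/4104 pair; when you measure on a server that keeps older passes in the log, narrow the -After window so the function pairs the right events.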

TechNet Edge and Presentations at TechEd SEA

If you're interested in going to Kuala Lumpur, Malaysia and you're into IT, then you should come check out TechEd South East Asia (SEA) this year from August 11-14th.  Tomorrow is the last day you are able to get a discount of 999 RM (or about 323 USD). 

I'll be presenting two sessions there:

  1. Tuesday, 10-11:15am - SVR322 : Active Directory Domain Services in Windows Server 2008
    In this session, I'll show you the ins and outs of the latest features with Active Directory.
  2. Wednesday, 8:30-9:45am - SEC331 : Microsoft Forefront Messaging Security: The next generation of Virus and Spam protection.
    Here you'll get to see demos of the new forefront client security for Exchange console and learn about the improvements over the current version.

Also, I'll be there doing some interviewing and filming for TechNet Edge.  If you come up and talk to me, I'll hook you up with some Edge swag as long as I still have some left.


Windows Server 2008 - DNS enhancement nuggets

There are a number of enhancements to DNS in Windows Server 2008. There are already some lengthy articles on the features, so in this post I hope to give a quick “why you care” on each of the features and some nuggets of wisdom / insight. Here we go…

DNS on Server Core: I see this as a very useful scenario for most people who use DNS in conjunction with RODC in branch offices using the new primary read-only zone. You get all of the server core benefits such as improvements in performance, less patching, security, etc, and it can have all of the same core functionality as a regular DNS server. The easiest way to manage is remotely using the DNS MMC.

Background Zone Loading: Companies who have a large number of records in AD-integrated zones might have to wait 1+ hours to have DNS respond to queries after restarting. Now, DNS spawns off multiple threads to be able to respond to client queries right away. If the record in the zone hasn’t been loaded into memory yet and it is still in the process of loading the entire zone, it will query the node in AD, cache it in the zone, and return a response to the client.

IPv6 Support: Microsoft supports IPv6 in Server 2003, but it was a bit of a management pain and there were some other limitations. See Joseph Davies' Cable Guy article for the management/integration improvements made in WS08. Also, some other improvements:

· DNS servers can now send recursive queries to IPv6-only servers
· The server forwarder list can contain both IPv4 and IPv6 addresses
· DHCP clients can also register IPv6 addresses in addition to (or instead of) IPv4 addresses.
· DNS servers now support the ip6.arpa domain namespace for reverse mapping.

Make sure your critical apps are cool with receiving a response for an IPv4 address and an IPv6 address. I haven’t personally seen any app problems, but nonetheless, worth mentioning.

Primary read-only zone: This new zone type is also referred to as a “branch office zone” which is available on RODCs running DNS. The zone will make a read-only copy of all of the AD-integrated zones locally from a full DC. The easiest way to think about it is as a read-only secondary zone, but better due to the benefits of AD-integration (i.e. security, management, and you can easily replicate multiple zones).

Global Names Zone: This allows you to resolve single-label names in DNS as an aid to get rid of WINS. If you still need computer browsing, you have apps hard-coded to only use NetBIOS name resolution, or have really old clients & NT4 – sorry, you probably still need WINS. However, if you just need the single-label name support for things like custom-named internal websites or servers throughout your entire environment – this is the solution. There are quite a few things to consider with this, so I recommend reading the whitepaper listed below. A couple quick key limitations are a) this functionality only works with WS08 DNS servers and b) it also doesn’t support dynamic updates.
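As an added example (not from the post or the whitepaper it points to), here are the dnscmd steps that put a GlobalNames zone in place on a WS08 DNS server and publish one single-label name. The server name and the alias/target host names are placeholders; the commands assume you want the zone stored in the forest-wide application directory partition so every DC running DNS gets a copy.

```powershell
# Added example, not from the original post. Placeholder names throughout.
$dnsServer = 'dc01.corp.example.com'   # a WS08 DNS server (placeholder)

# 1. GlobalNames support is off by default and only works on WS08 DNS servers;
#    enable it on every DNS server that should answer single-label queries.
dnscmd $dnsServer /config /enableglobalnamessupport 1

# 2. Create the zone once. The zone name must be exactly "GlobalNames".
#    /dsprimary = AD-integrated, /dp /forest = replicate to all DNS servers in the forest.
dnscmd $dnsServer /zoneadd GlobalNames /dsprimary /dp /forest

# 3. The zone does not accept dynamic updates, so each single-label name is a
#    statically added CNAME pointing at the host's FQDN (trailing dot = absolute).
dnscmd $dnsServer /recordadd GlobalNames intranet CNAME intranet01.corp.example.com.

# 4. Check from any client that the bare name resolves through the zone.
nslookup intranet $dnsServer

# Review what is published; since there are no dynamic updates, this list is the
# full inventory of single-label names you are responsible for keeping current.
dnscmd $dnsServer /enumrecords GlobalNames @
```

Keep the zone small and hand-maintained: it exists for a handful of well-known internal names (the custom-named websites and servers the post mentions), not as a replacement for every WINS record.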

DNS Client changes: For Vista clients or WS08 servers, the DNS client has a few good changes:
· Periodic check to make sure the client is authenticating with a local DC (configurable via group policy). Previously, a client would only fail back to the closer DC when forced.
· Locate the nearest domain controller using the defined Active Directory sitelink costs instead of searching randomly.  This is disabled by default, but good to enable when you have clients across slow site-links.
· Use link-local multicast name resolution (LLMNR), also known as multicast DNS or mDNS, to resolve names on a local network segment when a DNS server is not available.

Get Started
Windows Server 2008 & Domain Name Service: What's New (WS08 Blog by Kurt Roggen)
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 (http) (doc version)
The Cable Guy DNS Enhancements in Windows Server 2008 (by Joseph Davies)
What's New in DNS in Windows Server 2008 (very short blurb on TechNet)
DNS Server GlobalNames Zone Deployment Whitepaper

Note: this can also be found on TechNet Edge here.

Forefront Stirling – Public Beta Overview

With the launch of the 1st public beta for Forefront Stirling on April 8th, I thought it would be relevant to do a post this week on it. This release proves that the Stirling vision scenario in my previous blog article is becoming a reality. “Stirling” seems to be thrown around quite a bit and can be misunderstood, so let me 1st clarify. Codename Stirling refers to the next wave of all Forefront products, scheduled to hit RTM in the 1st half of 2009. This wave includes the “next version” of:

· Forefront Client Security (FCS)
· Forefront Security for Exchange Server (FSES),
· Forefront Security for SharePoint (FSS)
· ISA Server – new name Forefront Threat Management Gateway (TMG).

Additionally, this wave includes a server and single management console to interact with all of the above, commonly referred to as the “Stirling” server and “Stirling” management console. The console and server can be run on the same or separate machines. Down the road, we’ll have an official name to replace “Stirling” and “next version of”.

Ok, so what is some cool stuff to check out with the public beta?

· Dynamic response capabilities – see how the forefront products share information and interact with each other.
· Single management console and reporting for the entire technology suite except FSS - get a security state assessment for all of the connected machines & specify how you want to remediate through forefront policy.
· Integration with NAP – use NAP to remediate your machines
· Integrated malware and anti-virus protection – check out how it downloads & pushes out the updates
· Use powershell to manage it – by default Stirling uses powershell behind the scenes, but you can do it yourself if you feel inclined.

What are some things you can NOT do yet?

· Install a topology which has more than one Stirling server
· Install the Stirling server, console, or next version of FCS on Windows Server 2008
· Install Terminal Services or a DC on the Stirling server
· Install non-English versions

Get started

Download the Stirling beta here.
The most helpful pre-requisite page to install everything here.
Stirling homepage
TechNet technical documentation for deployment, operations, etc.
Stirling blog
Forefront team blog

Note: this post can also be found on TechNet Edge here.

Gadgets for TechNet Edge

Gadgets for TechNet Edge, channel 8, channel 9, channel 10,  and Visitmix are now live (thanks to Donavan West at Livegadgets.net).  Now you can see the posts for any of our channels via the sidebar! 

TechNet Edge Gadget

Download the gadget for TechNet Edge here.

See Duncan Mackenzie's post to download and see screenshots of the other channels' gadgets.

And see Adam Kinney's post for special instructions to get the gadgets running on a 64-bit machine.

Microsoft announces the IT Probot

I interviewed Tandy Trower last year and I asked about how he thinks robots will play a part in daily IT Pro activities.  Well, finally we have a very early temporary solution - the IT Probot (not to be confused with the Microsoft robot "IT 24-7").  I got the chance to meet up and interview the creator of the robot as well as get some demos.  Check out the TechNet Edge interview here.

Windows Server 2008 Launch interview with Iain McDonald

I did an interview with Iain McDonald a couple days ago in light of the launch for Server 2008 in Los Angeles today.  It was a pretty informative and fun interview, so check it out on Edge here.  Also, it'd be cool if you were to comment on this post on Edge and let Iain know why you do or do not think we should do away with the codenames for our server products.

On a side note, I haven't been posting as much to my blog because I have been putting all of the content I create on TechNet Edge.

Below is a list of other content I've created that relates to Server 2008:

Windows 2008 Automation and Alerting Technologies

Windows Server 2008 - Server Core PM Andrew Mason

Server 2008 Active Directory IPD guide

Server 2008 terminal services infrastructure planning & design guides (IPD)

MSCOM OPS with Microsoft.com, WS08, IIS7, and the Lone Server

Solution Accelerators Beta release PM interview - Part 1

Solution Accelerators Beta release PM interview - Part 2

Windows Server 2008 Virtualization PM Bryon Surace in the Fish Bowl

Interview with Windows Server 2008 Virtualization program managers

If you have questions on any of these interviews, please comment on the post - the people who I interviewed do read them.

Also, you can see all of the content we have which relates to Windows Server 2008 on TechNet Edge by going to the TechNet Edge Windows Server 2008 tag.

Windows Server 2008 - Self-healing NTFS

Self-healing NTFS is a feature which is currently present in Vista and is also included with Windows Server 2008. There’s a good chance you haven’t heard of it until now with WS2008, so I’m assuming this is because it isn’t really a “wow” end-user feature. However, it is actually a very useful feature as an IT Pro.

Have you ever had some weird disk or system behavior on your system volume, discovered or believed it was disk corruption, and then ran “chkdsk c: /f” on it only to get that lovely message:
Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts (Y/N)”?
Although you’ll still get this message if you try to run the command in Vista/WS08, you should never or rarely get to the point where you would need to - due to self-healing NTFS.

By default in Server 2008, self-healing NTFS is turned on and automatically detects and recovers/repairs/removes corruptions on the NTFS volume, boot sector, or files. It does this on the When any of these repairs are done, it will log an NTFS source event in the system event log (so far I’ve only seen the # 130 and 55 event IDs).

[Screenshot: NTFS event ID 130 in the System event log]

So the next thing you may be thinking is: It’s going to possibly remove/delete a corrupted file someone is using on the disk? What if I lose data?

The way I like to look at is – if the file is corrupted, it’s gone anyway and you can look at what was removed in the logs. Furthermore, there is a good possibility self-healing NTFS can fix the issue without the user ever even knowing there is a problem and you get all of the overall benefits listed below.

However, just for those who don’t want the automatic repair/deletions, there is a way to turn it on/off. It’s a pretty simple command: “fsutil repair set c: 0” where c: represents the volume you’d like to turn it off on. Replace the 0 with a 1 and it will turn it back on for the drive. When you turn it off, it will notify you a file is corrupt but do nothing to fix it.
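Since repairs happen silently, the practical follow-up is to know which volumes have self-healing on and to review what it has repaired or removed. The PowerShell below is an added example (not from the post) that does both: it queries the state with fsutil for every fixed NTFS volume and pulls the NTFS events 130 and 55 the post mentions from the System log. It assumes PowerShell 2.0 or later, that fsutil's "repair query" output contains the word "enabled" when self-healing is on (an assumption about its English output format), and that the events are written by the 'Ntfs' provider.

```powershell
# Added example, not from the original post.
# Assumptions: PowerShell 2.0+, English fsutil output containing "enabled"/"disabled",
# NTFS self-healing events logged under provider 'Ntfs' in the System log.

function Get-NtfsSelfHealingState {
    # Fixed (DriveType=3) NTFS volumes only; removable media are skipped.
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3 AND FileSystem='NTFS'" | ForEach-Object {
        $out = (& fsutil repair query $_.DeviceID 2>&1) -join ' '
        New-Object PSObject -Property @{
            Volume  = $_.DeviceID
            Enabled = [bool]($out -match 'enabled')   # false for "disabled" or on error
            Raw     = $out.Trim()
        }
    }
}

function Get-NtfsSelfHealingEvents {
    param([int]$Days = 7)
    # 130 = structure repaired, 55 = corruption detected (the IDs seen in the post).
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Ntfs'
        Id           = 130, 55
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-NtfsSelfHealingState | Format-Table Volume, Enabled, Raw -AutoSize
Get-NtfsSelfHealingEvents -Days 30 | Format-List
```

Run it before and after "fsutil repair set <volume> 0" to confirm the change took effect, and keep an eye on a volume that logs repeated 130/55 events: the file system can keep repairing its structures, but a disk that keeps corrupting them is a hardware problem, not a file system one.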

Overall benefits (rephrased from the Changes in functionality from WS2003 SP1 guide below):
· Runs without requiring reboots on all volumes, except in extreme corruption conditions
· Preserves as much data as possible - based on the type of corruption
· Reduces failed file system mounting requests
· Provides better reporting for file system changes
· Recovers volumes when boot sector is readable, but no NTFS volume identified
· Validates and preserves data with critical system files

Get started

Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 (http) (doc version)
Blogger who listed this feature as one of top 10 features of Server 2008 “facts beyond the fluff”
Mark Russinovich’s Kernel Changes in Server 2008 – Self-healing NTFS is mentioned in a single slide at 23:10.

This blog post was originally posted on TechNet Edge - here.

Automatically Embed the latest TechNet Edge videos on your blog

So we just released this cool capability on Edge where you can embed the latest video from the TechNet Edge homepage.  All you need to do is embed the following code on your website or blog:

<iframe src="http://edge.technet.com/latest/player/"
frameborder="0" height="325" scrolling="no" width="320"></iframe>

and it looks like this:

Meet Lone Server's friend and discover the truth

Ok, I had the chance to meet up with the friend, Jeff Toews, who has known Lone Server for about 7-8 years now (yes, he really does exist).  Lone Server does indeed exist, however, it probably won't be much longer before he starts to hit the gym (aka upgraded) so he can get some chicks.

You can check out the video I posted up on TechNet Edge of the interview.
