Wow, that sounds kind of dirty…
I am proud to say that I have managed to make it this far without joining the time sink that is Twitter (although watching CNN, you’d think that it will eventually replace speech as the primary form of human communication).
Anyhoo… Bing just added a pretty cool feature: searches of Twitter tweets. Just search for any given Twitter user name + twitter, and you’ll get their picture and last two tweets.

The Solution Accelerators team is at it again, releasing the IT Infrastructure Threat Modeling Guide, which provides an easy-to-understand method for developing threat models that can help prioritize investments in IT infrastructure security. This guide describes and considers the extensive methodology that exists for Microsoft Security Development Lifecycle (SDL) threat modeling and uses it to establish a threat modeling process for IT infrastructure.
Included in the guide are the following:
Chapter 1: IT Infrastructure Components
This chapter focuses on understanding the details of the components that the IT infrastructure threat modeling process will consider, including diagramming, identifying threats, mitigating threats, and validating all the information that is acquired during the process. The chapter discusses use scenarios, dependencies, implementation assumptions, entry points, and trust levels.
Chapter 2: The IT Infrastructure Threat Model Portfolio
This chapter describes how to populate the IT infrastructure threat model portfolio with relevant data about your components. The chapter includes information about prioritization and is essential for helping you mitigate threats with the greatest potential impact to your organization.
Chapter 3: Applied Example – The Threat Modeling Process
This chapter uses a fictitious organization's communications system as an example for the IT infrastructure threat modeling process. The rapid introduction of mobile devices into IT infrastructure could make such a system an ideal target for an attacker. You can use the SDL Threat Modeling Tool as described in this guide or another of your own choosing.
The threat modeling guide also discusses how you would use the Microsoft SDL Threat Modeling tool, and walks through some applied examples with our good friends at Fabrikam.
To download a copy of the IT Infrastructure Threat Modeling Guide, click here.
Related Resources
The following resources provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide:
Cool Instant Answer on Bing… just visit and search for “<job> salary”

If you are involved in a project to plan or upgrade Active Directory in your branch offices, you may have questions such as: What type of domain controller should I use for a given branch office? Does a given branch office even need a Domain Controller? What topology should I use? How do I monitor AD at the Branch Office location? Can I upgrade an existing 2003 Domain Controller to a Windows Server 2008 RODC? All these questions and more are answered in the new RODC Branch Office Guide, which explains how to plan, deploy, and administer read-only domain controllers (RODCs) in branch office environments.
This guide describes new features in Windows Server 2008 that can provide benefits for Active Directory deployments that include branch offices. It explains how to assess an existing deployment of domain controllers in branch offices to determine whether deploying read-only domain controllers (RODCs) in existing or future branch offices is appropriate for your organization. For more general information about how to install and configure an RODC, see Planning and Deploying Read-Only Domain Controllers. For more information about deploying an RODC in a perimeter network (also known as DMZ), see Active Directory Domain Services in the Perimeter Network (Windows Server 2008).
Get the Read-Only Domain Controller (RODC) Branch Office Guide here:

The Partner Online Technical Communities are one of the best kept secrets at Microsoft. Actually, they are not a secret, but I keep running into Partners that haven’t heard that they have unlimited no-cost break-fix, developer, and presales support incidents for over 50 Microsoft technologies, including:
- Microsoft Dynamics products
- Microsoft Exchange Server
- Microsoft Forefront security
- Microsoft Intelligent Application Gateway
- Microsoft Office products
- Microsoft Office Communications Server
- Microsoft Office SharePoint Server
- Microsoft SQL Server
- Microsoft Silverlight and Expression
- Microsoft System Center products
- Microsoft Virtual PC and Microsoft Virtual Server
- Windows Internet Explorer
- Windows 7 RC
- Windows Mobile
- Windows Server
- Windows Small Business Server (Windows SBS)
As you can see, Windows 7 RC was just added to the list. These are not newsgroups where you hope someone eventually comes along who has seen your problem before. The Partner Online Technical Communities are staffed by Microsoft employees who guarantee a response time according to the following table:
| Partner type | Response Time |
| --- | --- |
| Gold Certified Partners; Certified Partners | 4 business hours for break-fix queries; 8 business hours for presales questions on any Microsoft technologies |
| Small Business Specialist Community | 4 business hours for break-fix queries |
| Microsoft Action Pack Subscription (MAPS) | 8 business hours for break-fix queries |
| Gold Certified and Certified Partners with the ISV/Software Solutions competency; Registered Members in the Empower for ISVs program; Partners with the Custom Development Solutions competency; Web Solution Partners [4] | 8 business hours for developer questions related to Microsoft ASP.NET, Microsoft Silverlight, Microsoft Expression, SQL Server, Windows Presentation Foundation, Microsoft Visual Studio, C++, and C# |
| Registered Members [5] | 1 business day for break-fix queries |
| OEM System Builder Partners | 2 business days for pre-installation queries |

[4] Microsoft Action Pack Special Edition Web Solutions Toolkit holders
[5] Registered Partners who do not meet the preceding criteria will receive a one-business-day response time.
Try out the Partner Online Technical Communities here:
https://partner.microsoft.com/global/40014662
The Service Level Dashboard is an application built on Windows SharePoint Services 3.0. It is designed to work with an existing Operations Manager 2007 R2 infrastructure configured to monitor business-critical applications. The dashboard evaluates an application or group over a time period that the administrator selects during setup, determines whether it met the defined service level commitment, and displays summarized data about the service levels.
The Service Level Dashboard integrates with the Operations Manager Data Warehouse database and displays service level metrics on the Windows SharePoint Services interface. All the customized and personalized data associated with the Web Parts of the Service Level Dashboard is stored in the Windows SharePoint Services Content database.
The dashboard can summarize the current status and health of all defined SLOs against an application or group of objects. Key measures used to evaluate various aspects of the health of defined SLOs include such information as service level metrics, mean time to repair (MTTR), mean time between failures (MTBF), and service level trends.
New features in Version 2.0 of the Service Level Dashboard include:
- Near real-time data latency. The data latency is now near real-time at two to three minutes, giving IT service managers the visibility they need to make decisions faster.
- Dashboard metrics for service level tracking. New metrics facilitate the tracking of mean time to repair (MTTR), mean time between failures (MTBF), and application service level trends.
- New presentation platform. Version 2.0 uses Windows SharePoint Services 3.0 as its presentation platform, eliminating the need for business users to have the Operations Manager console.
- Authentication. The Service Level Dashboard now uses Windows SharePoint Services groups to authenticate users and sites, making it easy to establish access to specific reports by setting permissions based on the user’s role in the organization.
- Service level objectives (SLOs). Administrators can use the new Service Level Tracking feature in Operations Manager to configure service goals for applications and groups.
Get it here: http://technet.microsoft.com/en-us/library/cc540485.aspx
You know… the kind of day where all of the hard drives fail on one of your domain controllers, and then the new sysadmin runs a script on your production AD environment that deletes all user accounts, and then a hurricane hits your backup datacenter and floods your server room, submerging the last few backup servers you had left?
I hate it when that happens…
Fortunately, the Planning for Active Directory Forest Recovery guide has been updated to cover AD environments with Windows Server 2008.
This guide contains best-practice recommendations for recovering an Active Directory forest, if forest-wide failure has rendered all domain controllers in the forest incapable of functioning normally. The procedure steps in this guide, which you must customize for your particular environment, describe how to recover the entire Active Directory forest to a point in time before the critical malfunction. They also ensure that none of the restored domain controllers replicates from a domain controller with potentially dangerous data. The procedures apply to Active Directory Domain Services (AD DS) in Windows Server 2008 and the Active Directory® directory service in Windows Server 2003.
The time to plan for disaster is BEFORE it happens. Read through the guide, build a solid backup plan (including offsite backups), and practice the disaster recovery process often enough that you know what to do when a real disaster strikes.
Download the guide here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=326c8a7a-dcad-4333-9050-a6303ff3155c#tm
If you are performing a greenfield or clean install of SharePoint, it is a good idea to install the latest version (which as of today would be Service Pack 2 with the April Cumulative Update). The latest install media for SharePoint, however, only has SP1 integrated, so today I will show you how to slipstream the latest updates into your install media.
To get started, you will need a copy of the SharePoint 2007 install media, the SP2 installers for both Windows SharePoint Services and Office SharePoint Server, and the latest Cumulative Updates for both WSS and MOSS. You can download them all here:
First, create a folder that will hold the slipstreamed installer. In my case I’ll call it c:\SP2Slipstream.
Next, extract the install media into that folder as follows:
OfficeServer.exe /extract:c:\SP2Slipstream (there are no spaces after the /extract switch). You will end up with the folder structure below.
The Updates folder is where we are going to extract all of the SP2 and Cumulative Update files, and setup.exe will be smart enough to integrate the updates at install time.
Next, extract the four update files as follows:
wssv3sp2-kb953338-x64-fullfile-en-us.exe /extract:c:\sp2slipstream\updates
officeserver2007sp2-kb953334-x64-fullfile-en-us.exe /extract:c:\sp2slipstream\updates
wss-kb968850-fullfile-x64-glb.exe /extract:c:\sp2slipstream\updates
office-kb968851-fullfile-x64-glb.exe /extract:c:\sp2slipstream\updates
When you are done, the Updates folder will be full of msp files.
One last step before you burn the SP2Slipstream folder to a CD… Delete Wsssetup.dll from the updates folder because it conflicts with Svrsetup.dll. Having both Wsssetup.dll and Svrsetup.dll in the updates folder for a slipstreamed installation source is not supported.
Burn your SP2Slipstream folder to a CD and you are all set to go!
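The steps above as a single script to run before burning, with an Authenticode check on each downloaded package before it is extracted. This is an added example, not code from the original post; the C:\Downloads location and the expectation that every package is signed by Microsoft Corporation are assumptions, while the file and folder names are the ones given in the post.

```powershell
# Added example (not from the original post).
$Downloads = 'C:\Downloads'        # assumption: where the downloaded .exe files were saved
$Target    = 'C:\SP2Slipstream'    # folder name used in the post
$Updates   = Join-Path $Target 'Updates'

$Media    = 'OfficeServer.exe'
$Packages = @(
    'wssv3sp2-kb953338-x64-fullfile-en-us.exe',
    'officeserver2007sp2-kb953334-x64-fullfile-en-us.exe',
    'wss-kb968850-fullfile-x64-glb.exe',
    'office-kb968851-fullfile-x64-glb.exe'
)

function Assert-ValidSignature([string]$Path) {
    # Refuse to run a package that is missing, unsigned, tampered with,
    # or signed by someone other than the expected publisher.
    if (-not (Test-Path -LiteralPath $Path)) { throw "Missing file: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $Path (status: $($sig.Status))"
    }
    # Assumption: the packages are signed by Microsoft Corporation.
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer for ${Path}: $($sig.SignerCertificate.Subject)"
    }
    '{0}: signature valid, signer {1}' -f (Split-Path $Path -Leaf), $sig.SignerCertificate.Subject
}

function Expand-Package([string]$Path, [string]$Destination) {
    # No space after /extract:, as the post notes. The extractor may show
    # its own prompts; -Wait blocks until it exits.
    $proc = Start-Process -FilePath $Path -ArgumentList "/extract:$Destination" -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Extraction of $Path failed (exit code $($proc.ExitCode))"
    }
}

# 1. Create the slipstream folder and extract the install media into it.
New-Item -ItemType Directory -Path $Target -Force | Out-Null
$mediaPath = Join-Path $Downloads $Media
Assert-ValidSignature $mediaPath
Expand-Package $mediaPath $Target

if (-not (Test-Path (Join-Path $Target 'setup.exe'))) { throw "setup.exe not found in $Target" }
if (-not (Test-Path $Updates)) { throw "Updates folder not found in $Target" }

# 2. Verify, then extract, each of the four update packages into Updates.
foreach ($pkg in $Packages) {
    $pkgPath = Join-Path $Downloads $pkg
    Assert-ValidSignature $pkgPath
    Expand-Package $pkgPath $Updates
}

# 3. Remove Wsssetup.dll, which conflicts with Svrsetup.dll.
$conflict = Join-Path $Updates 'Wsssetup.dll'
if (Test-Path $conflict) { Remove-Item -LiteralPath $conflict }

# 4. Sanity checks before the folder is burned to disc.
$msp = @(Get-ChildItem -Path $Updates -Filter '*.msp')
if ($msp.Count -eq 0) { throw "No .msp files were extracted into $Updates" }
if (Test-Path $conflict) { throw "Wsssetup.dll is still present in $Updates" }
if (-not (Test-Path (Join-Path $Updates 'Svrsetup.dll'))) {
    Write-Warning "Svrsetup.dll was not found in $Updates; check the extraction output."
}
"Slipstream source ready: $($msp.Count) .msp files in $Updates"
```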
I just finished installing Service Pack 2 on my team’s SharePoint server, and the process went absolutely flawlessly (which is very different from some of my past upgrades). What made the difference? Reading the instructions (something we geeks tend to not do :)
Before we get started, here are the links for the current updates (Service Pack 2 and the April Cumulative Update) in case you want to start downloading in the background.
You will want to install the updates in the sequence above, but feel free to cancel the SharePoint Configuration Wizard that pops up at the end of installing each update. You only need to run it once at the end.
So… before you get ready to update SharePoint, make sure you visit the following:
Updates Resource Center for SharePoint Products and Technologies
This site will always list the latest updates, as well as information on the best practices for installing them.
Next, read the article about deploying software updates for Windows SharePoint Services 3.0 or the article about deploying software updates for SharePoint Server 2007. These articles are money and are what made my install go so well. Some tips that I did not follow on earlier upgrades that may help you out (there are many more tips in the above articles):
- First of all, do the update during a scheduled maintenance window where you do not have users on the server (duh!)
- Remove the Web servers that run Office SharePoint Server 2007 from service for the duration of the software update installation. The reason for doing this is that the software update might make schema changes to the SQL Server database, and user authoring during the upgrade might result in the front-end and back-end servers having different content.
  If you are running InfoPath Forms Services, quiesce the farm to gracefully kick off your users that are doing the long running transactions that Forms Services uses, and then net stop w3svc to kick off everyone else.
- Checkdb and defragment your SharePoint databases before doing the upgrade, following the steps here: How to defragment Windows SharePoint Services 3.0 databases and SharePoint Server 2007 databases.
- Back up the server farm before you start the software update installation. Create a backup of search and all databases. For more information about how to perform backups, see Prepare to back up and restore a farm (Office SharePoint Server 2007).
The article covers other important steps such as the correct order in which you want to install the update in a farm, how to speed up the upgrade in a farm with large content databases, and updating language packs.
Make sure you also visit the Known issues that you may experience when you install the 2007 Microsoft Office suite Service Pack 2 and Windows SharePoint Services 3.0 Service Pack 2 page in case there are any late-breaking issues that CSS becomes aware of from customer calls.
Lesson Learned: Read the instructions (especially on a beastie as complex as SharePoint)
Todd Klindt has already covered the new stsadm commands that were added in Service Pack 2 (SP2) of SharePoint here (Top 6 new STSADM operations in SharePoint 2007 SP2), but it looks like we slipped in a few more in the April Cumulative Update:
Job-gradual-site-deletion
Lets a site collection be marked as deleted, which immediately prevents any further access to its content.
Added in the April Cumulative Update to perform gradual deletion of site collections. When an operation uses gradual deletion, a site collection is immediately marked as deleted, which prevents any further access to its content. The data in the deleted site collection is then deleted gradually over time by this timer job instead of all at once, which reduces its effect on Windows SharePoint Services 3.0 and SQL Server performance. Gradual deletion is available in the Deletesite: Stsadm operation (Office SharePoint Server) and Mergecontentdbs: Stsadm operation (Office SharePoint Server) operations.
Setosearchsetting
Sets the current values of the Enterprise search settings in Microsoft Office SharePoint Server 2007.
For additional information about how to manage settings to improve search results, see Helping users make successful queries (Office SharePoint Server).
Getosearchsetting
Displays the current values of the Enterprise search settings in Microsoft Office SharePoint Server 2007.
The two following articles were updated to include use of the gradualdelete parameter:
Back up and restore site collections by using built-in tools (Office SharePoint Server 2007)
Delete a site collection (Office SharePoint Server)
Today I was getting ready to install the virtual lab for a SQL Server maintenance class I am taking, and since I am on Windows 7 RC, I figured it would be a good chance to try out the new version of Virtual PC and XP Mode.
You can download both from here: http://www.microsoft.com/windows/virtual-pc/download.aspx
Don’t make the same mistake I did… you can’t install XP Mode without first installing Virtual PC. Install both.


Installation is very straightforward, and when it has completed you will have a new icon for Virtual Windows XP in your start menu.
Start up Virtual Windows XP, and you will be prompted to enter a password (you can have it remember the password if you would like).
The next screen prompts you to enable Automatic Updates (why would you do anything else?)
and then Virtual PC proceeds to complete the expansion/setup of Windows XP in the background.
After a bit, VOILA! You have Virtual PC running a fully licensed version of Windows XP SP3.
Programs that you install in the VM show up in the “Virtual Windows XP Applications” folder, and clicking on any of those applications will launch the application itself while hiding the underlying Windows XP that runs it.
It works quite well, although I am so used to the subtle look-and-feel of Windows 7 that the appearance of Windows XP-themed applications hurts my eyes a bit. That’s fine… I won’t be using this on a day-to-day basis. This is really designed as a transitional technology until small businesses can update their applications to versions that run natively in Windows 7.
Where did Virtual PC go?
If you get this far, you are going to run into an interesting issue. Virtual PC (the actual console) doesn’t exist.
According to the Virtual PC page, this is a feature :) I’ll withhold judgment as I was not involved in the design discussions, but it was certainly confusing to me as a long-time VPC user.
http://www.microsoft.com/windows/virtual-pc/features/compare.aspx
So how do you create new VMs or change settings? The answer is a new special folder (technically a Known Folder called “Virtual Machines”).
Once you open this folder (you can also get there by pressing the Windows key, typing vmwindow, and hitting Enter), you can see a list of your machines, their status, allocated memory, hard drive locations, etc. You would create a new machine by clicking the button at the top of the window.
If you have an image selected, two more buttons show up.
The “Open” button will start up the VM, while the Settings button pulls up the familiar UI for changing VM settings.
Other than my difficulty with discovering the new UI, the VPC team has added a ton of oft-requested features such as USB support, Folder integration between host and guest (for My Documents, Pictures, Desktop, Music, and Video), clipboard sharing, and printer redirection.
Download and play with it here: http://www.microsoft.com/windows/virtual-pc/default.aspx
If you have been tasked with securing SharePoint, there are a lot of considerations to take into account. How do users authenticate? Does part of your farm live in an extranet or DMZ? How do you secure user-to-server communications? How do you secure server-to-server communications? How do you scan for viruses? How do you harden the servers in the farm?
While I cannot answer all of those questions in a single post (the Roadmap to security content for Office SharePoint Server 2007 is a great place to start), I can give you a HUGE leg up on the last question. How do you harden servers in a SharePoint farm? There are a ton of dependencies (on IIS, on SQL, on TCP/IP, potentially on IPSEC, etc) and it is very easy to miss a setting or misconfigure something that will break functionality.
Fortunately, there is a feature that was introduced in Windows Server 2003 SP1 that will make your life much easier…. the Security Configuration Wizard (SCW). In short, the SCW automates the process of hardening SharePoint (or any other type of server) by using security templates that will lock down the server as tight as a drum. Even better, if you choose a wrong setting or somehow break something while configuring security, you can simply un-apply the template and you are back where you started. No more wondering which setting you applied that broke functionality.
The SCW wizard will walk you through configuring settings including:
- Server Roles
- Client Features
- Enabled Services
- Open Ports
- Registry Settings
- Audit Policies
- Anonymous Access
Assuming the generated security policy works well for your needs, it is a simple matter to apply that policy to similar servers (such as all Web Front End servers) in your farm.
The templates used to power the wizard (and generate the security policy) are standard XML files that store all the settings specific to a given component. The SharePoint template, for example, specifies what services SharePoint requires, what ports, that it has a dependency on IIS and ASP.NET, etc. To begin, download the Security Configuration Wizard Manifest for Microsoft Windows SharePoint Services 3.0 here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0AB396E0-4333-4621-95FA-313230DCD946&displaylang=en
If you open up the file, you can see everything that will be configured by applying the template.
The Security Configuration Wizard is not enabled by default, so stop by the Add/Remove Programs control panel, click on “Windows Components” and check the appropriate box.
Once installed, SCW will show up under Administrative Tools.
From there on, just follow the steps in the wizard. It will detect the services and roles you have installed, and most of the defaults should work fine. Most of the screen shots are self explanatory, so I’ll let them speak for themselves.
For more information on the Security Configuration Wizard, there is a page up on TechNet with all the information you may need:
http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx


I’ve been waiting for this guide for a while (‘cause that’s how I roll), but if you are interested in guidance on when/how to use Active Directory in your perimeter network, the AD team has released a guide for that:
Active Directory Domain Services in the Perimeter Network (Windows Server 2008)
The guide covers the following AD models for the perimeter network:
- No Active Directory (local accounts)
- Isolated forest model
- Extended corporate forest model
- Forest trust model
Overview
This guide contains direction for determining whether Active Directory Domain Services (AD DS) is appropriate for your perimeter network (also known as the DMZs or extranets), the various models for deploying AD DS in perimeter networks, and planning and deployment information for Read Only Domain Controllers (RODCs) in the perimeter network.
Because RODCs provide new capabilities for perimeter networks, most of the content in this guide describes how to plan for and deploy this new Windows Server 2008 feature. However, the other Active Directory models introduced in this guide are also viable solutions for your perimeter network.

YAASAFTSAT (AKA Yet Another Awesome Solution Accelerator From the Solution Accelerator Team) :)
Check out the new Service Level Dashboard 2.0 Beta for System Center Operations Manager 2007 R2 RC1
This free Solution Accelerator collects and monitors operational measurements for your line of business (LOB) applications. Its graphical dashboard makes it easy to keep tabs on service availability and performance, letting you:
· Spot trends in service availability and performance
· Head off problems before they occur
· Reduce costs by streamlining IT operations
This new version of the Dashboard uses Operations Manager as the engine, and Windows SharePoint Services 3.0 as its presentation platform to track and report service levels on a near real-time basis. The Dashboard now tracks additional metrics for service level compliance, including mean time to repair (MTTR), mean time between failures (MTBF), and application service level trends. The Dashboard’s SharePoint-based authentication lets you create individual Dashboards by department, so you can easily track service levels for different groups in the organization.
Click here to join the Beta on Microsoft Connect (you’ll need your Microsoft Live ID). Already using SCOM 2007 R2 Release Candidate 1? Click here
I just got the following from the Microsoft Operations Framework (MOF) team, and wanted to share:
The MOF team is pleased to present the MOF Quick Start Kits. Complete with ready-to-use graphics and comprehensive presentation decks, the Quick Start Kits allow you to add to any presentation with ease. Topics covered include an overview of MOF 4.0, information on MOF and compliance, training and certification updates, and study guides.
The kits speak to targeted audiences— customers and partners.
· MOF IT Pro Quick Start Kit. Available on the MOF home page, this customer-facing kit includes presentations, data sheets, graphics, mind maps, and links to supporting content. The kit does not include MOF core content—it directs users back to the /MOF page to download the documentation.
· MOF Quick Start Kit for Partners. This kit is available through the Microsoft Partner Program site. In addition to the customer-facing content in the IT Pro Kit, this resource includes exclusive partner materials, such as data sheets, conversation points, and a customer-facing flyer.
There is lots of good stuff in the Quick Start Kits, including the Visio diagrams, diagrams, graphics, presentations, training information, etc. The framework is completely open, and you can incorporate any of the MOF concepts, diagrams, workflows in your day-to-day work.
As always, your definitive source for MOF is http://www.microsoft.com/mof.
