Rob’s Ragg…. Tech Talk & Cool Toys for Grown up Boys

Hyper-V certification (70-652) is now available!

I missed the beta exam and I've been waiting for the test to go live.  I checked tonight it I can now register for the exam.  Check it out:

Preparation Guide for Exam 70-652

TS: Windows Server Virtualization, Configuring

http://www.microsoft.com/learning/en/us/exams/70-652.mspx

I'd like to test for the Hyper-V exam and the SBS 08 exam.  The SBS 08 exam isn't available yet, but I'll keep checking for it.

Have questions about Hyper-V or SCVMM?  Send them my way, I'm happy to help with the discussion.

Until next time!

Rob

More (better) Virtualization licensing changes

I heard a rumor that a change was coming, but I didn't know the details until today.  Check out this article:

New Microsoft Licensing and Support Eases Path to Virtualization

http://news.moneycentral.msn.com/ticker/article.aspx?Feed=PR&Date=20080819&ID=9043163&Symbol=MSFT

I'm pleased to see that we're making it easier to support a virtualized environment. 

I like the following statements:

"Microsoft recognizes this and is innovating its licensing policies, product support and a wide range of IT solutions to help customers get virtual now."

To highlight the recent innovations in virtualization, Microsoft also will begin a worldwide series of "Get Virtual Now" events this month that will showcase Microsoft virtualization products and partner solutions, reaching more than 250,000 IT professionals.

And I'll be interested to see how this plays out.  I've seen too many places where virtualization makes too much sense.  The thing I really like about this announcement is that it's not only a licensing / policy change, but we're standing behind it with our support organization as well.

To enable this support policy, Microsoft launched the Server Virtualization Validation Program in June 2008. The program is open to any software vendor to test and validate its virtualization software to run Windows Server 2008 and previous versions of Windows Server. To date, Cisco Systems Inc., Citrix Systems Inc., Novell Inc., Sun Microsystems Inc. and Virtual Iron Software Inc. are participating in the program

This to me means that we're finally serious about stepping into the virtualization arena end to end.  While we've tried to support our virtualization products and solutions in a virtual environment, we've had too many exceptions.  I feel that now we're ready to step up and make virtualization, and its' support, as mainstream as everything else.  To me, this is long overdue.   

If you want to check out some of our upcoming events around virtualization, check out https://www.getvirtualnow.com/main.aspx and it will get you pointed in the right direction.  Right now they don't have any US events listed, but I expect that to change soon.  I've always been passionate about Virtualization, it's made a huge impact on my ability to learn more of our technologies as well as squeeze every bit of processing power out of my few <smirk> physical machines. 

My goal is to talk more about virtualization in the coming months.  If there's anything specific you'd like me to talk about, please let me know.

Until next time!

Rob

What the heck is Dynamics?

I keep seeing our product called Dynamics, but don't know much more than they are our CRM & ERP solutions.  The cool part about these offerings is that they fit our small business model to a "T", and they are a new way to drive additional value to our customers. 

If you want to know more about these offerings and how they can benefit you and your customers, please take a look at our upcoming events. 

Microsoft Dynamics CRM & ERP Events for Partners – Register now!

Partners - Looking for new ways to expand your offerings and grow your business? Be sure to attend the Microsoft Dynamics partner event in your city!

· Microsoft Dynamics CRM Event: We’ll discuss how you can empower your customers with unprecedented choices of how to buy, run, and use Microsoft Dynamics CRM, and also how to increase your reach by addressing opportunities in new geographies, market segments, and industries.

· Microsoft Dynamics ERP Event: Learn how Microsoft Dynamics ERP can adapt to the changing environments of organizations through collaboration and extensive business intelligence, and how it integrates with Microsoft Platform tools. We’ll show you how to position Microsoft’s ERP offerings to better engage with your customers and prospects.

Register NOW for your local event, and even take home some software.

Until next time!

Rob

Apparently they are even going to give away some software. 

Can you believe that Apple has disclosed more security vulnerabilities than anyone else?

Check out this article:

http://www.infoworld.com/article/08/08/06/Apple_gets_bruised_in_vulnerability_report_1.html

Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.

"The company rose from second place in 2007 to take the top spot away from Microsoft, which had fallen into third place behind open source content management system Joomla."

For the most part, I've actually become numb to the number of vulnerabilities / updates released each month.  To me, it comes down to the predictability of patches and the reliability of the patches released.  My hope has been that when we started the monthly patch release cycle that we would actually get to the point where we would not have to release patches every single month.  I agree that as long as we have vulnerabilities we need to be patching them, but why can't we eventually get to the point where we aren't finding vulnerabilities that often?  OK, so I accept that patches are here to stay, and the fact that Apple has topped this vulnerability report is really not a big surprise since their install base is growing, and more people are seeing it as a more viable platform to attack. 

Microsoft still tops the list when it comes to the number of exploits released.  Exploits are the malicious pieces of software that take advantage of the vulnerabilities; but we are dropping on the list of the number new vulnerabilities being identified.  To me, this is encouraging.  I have always felt that security is not only a race of speed, but one of endurance as well.  We must to be quick to respond to vulnerabilities, but we must also make long term commitments to addressing vulnerabilities going forward.  We have focused on both needs.  We have a global 24x7 team that is responsible for tracking and validating any potential vulnerabilities identified.  This is the team that is also responsible for providing guidance to our user community.  I could spend volumes talking about this group, but the Microsoft Security Response Center www.microsoft.com/msrc is the place to go for the low down on what this team does, as well as the latest information on any items we are watching. 

Personally, I had hoped our vulnerability count would have dropped years ago, but we have been consistent in quickly addressing the vulnerabilities as they've been identified.  We have one of the lowest times to resolutions for vulnerabilities.  I believe that the time to resolution is a bigger factor than the number of vulnerabilities.  The "time to resolution" tracks the length of time between a reported vulnerability and the remediation of that vulnerability. 

To me, the IBM report reinforces the fact that vulnerabilities will exist in software for a long time to come; and the leaders in the number of vulnerabilities will shift between various vendors.  Vulnerabilities are not a vendor specific issue, they are an industry issue, so let's keep focus on the bigger issue here.  It's not if there will be vulnerabilities and patches, but how many vulnerabilities, and how long it will take to resolve the vulnerabilities.  Please consider the following as you evaluate new software within your infrastructure:

A) How long does it take for the vendor to provide a remediation to the vulnerability

B) What type of infrastructure is available to assist in the deployment of these patches

C) how long does it take you and your team to test and deploy these patches.

People used to take the approach of using less popular software because there were not as many exploits being coded, but people are coding exploits for all platforms now, so it's not that easy to hide behind that idea anymore. 

I hope this has helped provide a glimpse into how vulnerabilities are being tracked and reported, and how it is changing the behavior of the industry.  Please also consider this information as you evaluate new solutions for your infrastructure.  When you purchase a new solution, usually there is not a track record of how that specific solution has been managed over its lifecycle, but you can look at how the vender has historically managed their update and deployment process.

Until next time!

Rob

War Games is 25 years old...

War Games the movie (http://www.imdb.com/title/tt0086567/), is 25 years old this year!  Remember that movie?  It was released in 1983 but it's lessons are more relevant today then they were then.  If you haven't seen it, I think you will appreciate the lessons it offers.  It stars Matthew Broderick as a high school student, and co-stars Ally Sheedy as his class-mate.  It's interesting to see things that were identified as risks 25 years ago are still significant risks today.  So you're thinking... "War Dialing now a days?  I removed the modems from my machines long ago because of the Internet".  But these days, "modems" have been replaced by cable and DSL modems the network card.  Now our computers are always "online".  Yes there are scanners that scan the Internet for vulnerable machines. If you don't have a firewall on your local machine and you are connected directly to the Internet, your just asking for trouble.  For this discussion, I'm more focused on the social engineering aspect of the movie.  Matthew Broderick was a high school student who didn't have to work hard for his grades because he could break into the school mainframe and change them whenever he wanted.  This is the piece of the movie that is still just as relevant today as it was then. 

Here's my point:  In the movie, Matthew Broderick knew where the secretaries kept their current computer passwords.  With these passwords, he had access to his grades anytime he wanted them.  Twenty-five years ago this movie demonstrated the risks of writing down your passwords.  How many passwords are our people still writing down today?  He was also able to purchase airline tickets without paying for them.  Why?  Because he figured out how the people using these systems could be manipulated into sharing information that they should not be sharing. 

I went to college with a person that scammed the phone company out of hundreds of dollars in overseas long distance charges just by socially engineering the international operators!  No one knew anything about what he was doing until after he was caught by the phone company, and at that time, the phone company was more interested in understanding how he took advantage of their system than they were about punishing him.  The phone company interviewed him to learn how he was exploiting their people so they could educate their people (security awareness?) to prevent that type of deception again.  He told me that he took advantage of the phone company by talking nicely to each operator he spoke to.  Since he was making an international operator assisted call, he had to talk to multiple operators to connect his call.  As each operator would ask for payment, he would tell them that he paid the last operator and they would take his word for it.  They trusted him.  The same principle applies today.  How do we win someone's trust and cause them to share information with us that they shouldn't be sharing?  These days, the malicious users have been able to automate a lot of these social engineering attacks.  Phishing (pronounced "Fishing") is a form of social engineering.  It makes you think that someone you trust is asking you for information that you think they need.  A good example is the emails that tell you your log on information to your bank account has been compromised.  Your account wasn't really compromised, but once you click on the link they provide and change your information, now the bad guys do have your account information. 

Back to the movie; as the movie progresses, Matthew Broderick demonstrates the skills needed to socially engineer any target he desires.  Later in the movie he researched personal information about the developer of a confidential computer system just so he could figure out the back door to that computer.  Twenty-five years ago we were talking about back doors and how we could learn more information about our potential victims in an attempt to steal additional information.  This was Twenty-five years ago and we still have people dumpster diving, researching our personal history, and trying to trick us into disclosing personal information about ourselves.  Of course these tactics are still working!  If they weren't, do you think so many malicious people would still be using them?  This malicious technology has become "smarter", the new attacks are coming in the form of Phishing, Spear Phishing and even E-mail Hoaxes as a way to separate us from our private information.  We, as computer professionals, must continue to educate our users about these risks and how they can reduce their exposure. 

I'm not saying that all of our users have to be security experts, but we MUST ensure that people are educated well enough to fend off these social engineering attacks.  What is Social Engineering?  Here is a link on Microsoft.com that does a pretty good job of describing social engineering:(http://www.microsoft.com/protect/yourself/phishing/engineering.mspx).  This article discusses Phishing, Spear Phishing, and E-mail hoaxes.  This link also includes information about some of our solutions that will help deter these types of attacks, but we can only go so far with technology.  We must continue to educate our user community. 

People, Process, and Technology.  It takes focused effort in all three areas to ensure we protect what needs to be protected.  I'm not advocating a computer certification before a user is allowed to use a computer, but we must find a happy medium.  A computer is a tool; look at how many tools, and other skill sets encourage or even require some level of training or certification.  Back to the movie; I agree this is a bit of a stretch, but in the movie, Matthew Broderick almost starts World War III because of his quest to hack into a computer to learn about a new computer game.  He could have killed more people than any hand gun.  These days you have to have a background check before you can buy a gun, but a computer could be capable of doing more harm than a single gun...  Right?  Like I said, I agree this is an extreme, but something we need to be conscience of.

I believe that there are subtle things we in this industry can do to incrementally educate our users about security awareness.  I've been asked to talk about the new version of SBS at a computer conference later this summer.  As I described my background, I told the organizer that no matter what subjects he wants me to discuss, I'll find a way of weaving some level of security into the content.  I'm not trying to "brain wash" anyone, but I feel that we need to keep security, and especially, social engineering as a part of all discussions. 

Security is a passion for me.  It's not about selling products, it's about ensuring that your private information stays private unless you choose otherwise.  If you have any questions, or need some help raising the security awareness of your user community, please feel free to ping me and we'll see what we can put together.

Until next time!

Rob

How do you do that again? Step-by-Step guides!

How many times have you gone to install some new component or feature to the OS and you just can't it working?  It happens to me all the time.  One of the hidden gems we have on our website is our step-by-step guides.  I use them often, and if you remember when I talked about BitLocker, I pointed to one then.  I want to point out our whole list of step-by-step guides for Server 2008.  Check these out:

http://www.microsoft.com/downloads/details.aspx?familyid=518D870C-FA3E-4F6A-97F5-ACAF31DE6DCE&displaylang=en

Some of the guides for Server 2008 are:

How to setup RMS for for Server 2008.  I've talked about RMS before and its ability to protect the confidentiality of your emails from end to end.  Now you have a step-by-step guide to get it done. 

Server Core.  Server Core is such an awesome option, but how do you get started?  You just can click around like the prior versions to figure things out.  Check out their step-by-step guide.

Me, I'm digging into the Certificate Services step-by-step guide.  I've setup PKIs before, but why not just follow their guide, it will also point out the new stuff in Server 2008 Certificate Services and make sure that I'm configuring my PKI by leveraging some of our best practices. 

I hope this helps, it sure makes life easier when you can at least get pointed in the right direction.  I'm not saying these step-by-step guides will completely meet your needs, there will always be some tweaks for your environment, but it's a good place to start.

Until next time!

Rob

Let's answer a few questions...

I saw this post:

http://ts2blogs.com/forums/p/2624/81847.aspx#81847 

and thought I would take a shot a few of the questions.

Is forefront compatible with vista?

If you are talking about Forefront Client Security, yet is works great with Windows Vista

Where can I get a copy of IIS which is compatible with Virtual Server Enterprise 2005 R2

The copy of IIS that comes with server 2003 is all you need.  You should be able to add the IIS component.  If you install Virtual Server 2005, it will check to ensure IIS is already installed.  Check out the Add / Remove programs option

How does Bitlocker work?

Check out my blog entry http://ts2blogs.com/blogs/rwagg/archive/2008/06/25/setting-up-a-computer-to-use-bitlocker-drive-encryption.aspx

What Microsoft products are not compatible with Windows Vista?

This is an interesting question.  Application compatibility relative to Windows Vista has increased significantly over the past 18 months, but some of the older versions of some of our products may have some compatibility issues.  Can you narrow the focus of this question?  What are you looking for?

Please check out our Windows Vista Compatibility Center:

http://www.microsoft.com/windows/compatibility/

I think it will get you pointed in the right direction.

What is the expected release date for Windows Vista Service Pack 2?

I do not have an ETA.  Is there something special you are looking for?

Where would I find the source or tools needed for integrating .net passport into a website?

I don't know off the top of my head, can someone else answer this one?

Does Microsoft have a product or tool that handles or helps with Search Engine Optimization?

This one is out of my league, anyone else?

What is the difference between Virtual Server and Virtual PC?

From the following URL

http://www.microsoft.com/windowsserversystem/virtualserver/evaluation/virtualizationfaq.mspx

Q.
What are the differences between Virtual PC and Virtual Server?

A.

Microsoft Virtual PC 2004 is a virtual machine solution for desktop operating systems. Microsoft Virtual Server 2005, on the other hand, is a solution for server operating systems. Although Virtual PC and Virtual Server share many features in common, they are designed for different purposes. As a result, some of their features are also quite different. Microsoft has created a white paper that explains the differences between Virtual PC and Virtual Server, and discusses the scenarios in which it is appropriate to use one or the other.

I think the white paper will get you pointed in the right direction.

What is Hyper-V?

Check out

http://ts2blogs.com/blogs/rwagg/archive/2008/06/26/hyper-v-has-rtm-d.aspx

and

http://ts2blogs.com/blogs/rwagg/archive/2008/06/26/virtualization-what-is-it.aspx

I think you will have a better understanding of Hyper-V after these, but the bottom line is that Hyper-V is the successor to Virtual Server 2005 R2.

Has Server 2008 been given a name yet? (for example project long horn became known as or was given the name Vista upon release)

Server 2008 is the name of our latest Server product.  Longhorn was the code name for Windows Vista and Windows Server 2008. 

How would you configure Remote Desktop?

From the Server 2008 perspective?  Right click on "My Computer" and choose properties.  Click on "Advanced System Properties" on the left hand side, and then click on the "Remote" tab.  Here is where you can configure the server to respond to Remote Desktop connection requests.

How would you configure Bitlocker?

http://ts2blogs.com/blogs/rwagg/archive/2008/06/25/setting-up-a-computer-to-use-bitlocker-drive-encryption.aspx

I've already talked about setting up BitLocker :)

When is hardware going to be Vista Logo'd? (Designed for Vista) {So far i've not seen any video cards or soundcards that are Vista Logo'd}

Hardware is already logo'd for Windows Vista.  My Thinkpad X61 tablet has a Windows Vista logo on it.  I've also seen video cards and sound cards labeled as Vista Compatible.  Can you give me more details here?

Is there a GUI side to Server 2008 or is everything going to be command-line with no possibility of GUI? {There are rumors out among IT professionals that there won't be a GUI side}

Server 2008 offers the traditional GUI you are accustomed to seeing on our Server products, but you will also be able to select a "Server Core" installation.  Server Core does not include the GUI, it is command line driven.  You can also use our Remote Server Administration tools to manage a Server Core machine remotely.  This gives you the best of both worlds.  You still get a GUI management framework, but the physical server does not have the traditional GUI / I.E. / Windows Media Player and such that need to be patched.  Windows Server 2008 Core installations drastically reduce the server footprint and attack surface of the OS.

Well I tried to take a shot at them, there are a couple of the questions that are beyond my day to day scope, so let's see if someone else can help us with them.  Please let me know if you have more questions, or if there is anything else I can do.

Until next time!

Rob