My Notes to Myself and Others... : Windows 2008

“Introducing Windows Server 2008 R2” eBook Available as Free Download

Erik Rozman — Fri, 30 Oct 2009 21:09:50 GMT

If you have been wondering what’s new in Windows Server 2008 R2, there is a free e-book
out that can help you. The eBook is short and to the point.

Download it here.

Hyper-V security guide

Erik Rozman — Sat, 04 Apr 2009 16:20:31 GMT

This Solution Accelerator provides instructions and recommendations to help strengthen the security of computers running the Hyper-V role on Windows Server® 2008. It covers three core topics: hardening Hyper-V, delegating virtual machine management, and protecting virtual machines.

Download

Windows 7 Remote Server Admin Tools Beta released

Erik Rozman — Sat, 10 Jan 2009 10:07:47 GMT

You really can’t avoid Windows 7. Doesn’t really matter where you look you
simply can’t avoid it. Considering Vista and Windows 7 it looks like that the
hype Windows 7 is creating is very positive.

Since literally “everyone” has installed it, you might be interested in knowing that
a version of Remotes Server Administration Tools (aka RSAT) has been released
for it.

Click Here, for the download page.

Remote Server Administration Tools for Windows 7 enables IT administrators to manage roles and features that are installed on remote computers that are running Windows Server 2008 R2 (and, for some roles and features, Windows Server 2008 or Windows Server 2003) from a remote computer that is running Windows 7. It includes support for remote management of computers that are running either the Server Core or full installation options of Windows Server 2008 R2, and for some roles and features, Windows Server 2008. Some roles and features on Windows Server 2003 can be managed remotely by using Remote Server Administration Tools for Windows 7, although the Server Core installation option is not available with the Windows Server 2003 operating system.
This feature is comparable in functionality to the Windows Server 2003 Administrative Tools Pack and Remote Server Administration Tools for Windows Vista with Service Pack 1 (SP1).

Hyper-V or VHD Backup

Erik Rozman — Sat, 27 Dec 2008 14:36:44 GMT

One of the main advantages in virtualization is having the ability to quickly recover
failed systems. By turning a system into a virtual system you are actually turning
it into a file that can be used on any system that has Hyper-V installed on it thus
enabling quick recovery of a failed system.

The main problem is that to be able to backup a VHD file you need to stop the
virtual machine. Now obviously, on mission critical systems you can’t stop a system
every time you want to back it up. To overcome this issues, you can us the Volume
Shadow Service (VSS) mechanism to take a snapshot of the volume that stores
the VHD files and then copy the relevant files to external storage.

Taking a snapshot of a VHD file is possible since Windows 2008 has a built-in Hyper-V
VSS Writer that brings the virtual machine’s hard drive (the VHD file) to a consistent
state.

Once the snapshot is taken, you can manually mount the snapshot and back it up.

To do this, you should use a tool included with Windows 2008 called ‘diskshadow.exe’.
Diskshadow is an interactive interface to VSS. It has a vast list of commands but if we
concentrate on our specific issue you need to issue the following commands:

set context persistent
[You can set it to volatile if you would like to have the snapshot deleted once you exit
the diskshadow.exe application]

add volume <driveletter> alias <alias_you_choose>
(for example add volume t: alias VHDBackup)

set verbose on

create

Once you complete this set of command you have a snapshot stored.You can view
the stored snapshots by executing the following command:

list shadows all

Once you are ready to back the VHD up, expose the snapshot you would like to use by
using the following command:

expose <ShadowID> <Drive:>

Now you can access the data as you would any drive on your system. To hide the snapshot
execute the following command:

unexpose t:

The major advantage of this feature is that you don’t need to stop a virtual machine
to back it up. From my experience the process of taking a snapshot is relatively quick
and it does not tax a system but I would advise that you do it during afterhours.
One more point to consider is disk space,monitor it closely and delete unused snapshots.

Hyper-V Top Issues

Erik Rozman — Fri, 26 Dec 2008 09:41:52 GMT

Lately, we have been messing around with Hyper-V (by saying we,I actually mean
mean myself and the person that won’t tell me his Kazakh name…).

The technology itself is very cool, but as always it has it’s quirks. Oddly enough,
after we ironed out most of the issues a blog post appeared on the ‘Ask the Core
Team’ blog describing the top issues that they have encountered.

The post is very useful (and would have been really great a couple of month ago… :)).

Click here for the post.

BitLocker and Safe Mode

Erik Rozman — Sat, 15 Nov 2008 11:29:59 GMT

<Rant>

This one is kind of a gotcha that has caught me by surprise. If you use BitLocker with
a TPM that is PIN protected you can’t log into Safe Mode unless you go into recovery mode.

Personally I found this very surprising to say the least. I honestly can’t say that this sounds
logical to me, if you can provide the PIN protecting the TPM I can’t see why you shouldn’t
be able to access Safe Mode. You are not circumventing any of the protection mechanisms
you simply choose an alternate boot method AFTER you have already gained access to the
system legitimately.

…

</Rant>

Service Pack 2 season

Erik Rozman — Sat, 25 Oct 2008 11:28:58 GMT

Service Pack 2 beta(for TAP clients) has been announced for both Windows Vista and
Windows 2008:

http://blogs.technet.com/windowsserver/archive/2008/10/24/windows-server-2008-service-pack-2-beta.aspx

http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/24/windows-vista-service-pack-2-beta.aspx

ARP cache timeout changed in Windows Vista and 2008

Erik Rozman — Sat, 13 Sep 2008 17:22:50 GMT

You might remember that Address Resolution Protocol (ARP) has a local cache that prevents
broadcasting for a system whose MAC address has been resolved. Older versions of
Windows used to have a timeout of 2 minutes for ARP entries (up to 10 minutes), this
has changed. Vista and 2008 has lowered this time to a random value between 15 seconds
and 45 seconds:

http://support.microsoft.com/kb/949589

Access Based Enumeration (ABE)

Erik Rozman — Sat, 28 Jun 2008 11:54:06 GMT

Neither the concept, nor the implementation are new-so why blog about it?
Well,it seems that ABE received a lot less attention then it should have. Most
networked operating systems will allow you to share information, and based
on your permissions you will only be able to “see” the resources that you can
actually access. Microsoft Windows has been (and to some extent still is)
different.

With Windows, you can see all objects inside a specific network share, even if you
have no permissions on the object itself. In other words, if a share exists (say
”Home Folders”) and you access it, you will see all the folders under it (most likely
reflecting the users in your company) even though you will have permissions
to access the information only on your home folder.

ABE changes this. When you have ABE enabled on a shared folder, you will only
see the objects that you actually have permissions to.

There are several advantages to this:

Even if a user can’t access a file, he can still deduct a lot of information
from knowing that a file or directory exist and knowing their name. ABE
prevents this.
Lower the number of security events in the Security Log due to curious
double-clicks…
Facilitate sharing a file (as opposed to a folder),more on this in a future post.

As I mentioned in the opening paragraph,neither the concept nor the implementation
are new. The concept has been here for a long time (I remember it from the time
I used to manage Novell based servers) and the implementation has been around for
quite a while (on Microsoft systems):Windows 2003 SP1.

Make ABE work For You

Lets start with an example. We have share called ‘Files’, our user has permissions on
a folder called “Test” inside that share. When he accesses the share called ‘Files’, he can
actually see all the other folders and files under this share:

Once you have ABE enabled this is what the user will see(the folders and file to which our
user has no permissions are gone):

Enabling ABE on Windows 2008

I am still not used to Windows 2008 so it never ceases to surprise me. Windows 2008 has
four methods (that I found) of sharing a folder (we will discuss sharing files in a later post).

Either method you use will automatically and seamlessly install the ‘File Server’ role on you
server, and the ‘File Services’ node under ‘Roles’ in the Server Manager MMC console (as a matter
of fact the role is seamlessly removed when the last user shared folder is removed):

This tool is very important as it replaces(more or less) the old ‘Shared Folders’ interface found under the ‘Computer
Management’ console, which means that you will be managing and configuring your shares through this
relatively new interface. In my opinion it would have been beneficial to have the old ‘Shared Folders’
available here too (it can be added to a custom MMC).

Ok,now lets go back and analyze the four methods that can be used to share a folder (bear with me here, it
might sound as if there isn’t anything new to learn about folder sharing since it has bee around forever.
But, in my opinion you will be surprised).

The first method for sharing a folder is:

Right click the folder
Choose ‘Share…’
Set the Share Permissions you would like to apply

Note that when using this method-ABE is enabled by default.

The second method:

Right click the folder
Choose ‘Properties’
Select the ‘Sharing’ tab
Press the ‘Advanced Sharing Button’
Enable the share

Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.

The third method is using the command line:

Open a command line
Use the following command: net share sharename=folder path

Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.

The fourth and last method (to the best of my knowledge) is a relatively new method:

Open ‘Server Manager’
Expand ‘Roles’
Expand ‘File Services’ and right click ‘Share and Storage management’ (if no user created shares exist
on the system, you will have to manually add the role or add the snap-in to a custom MMC).
Choose ‘Provision Share’,enter the wizard…

The major advantage of using this wizard is that it will walk you through all the tasks concerned with
provisioning a share, this way you will not forget anything.

The first page of the wizard provides you an overview of the volumes located on the system and requests the
path that leads to the share. If the storage on the system isn’t configured to your liking you can use the
Provision Storage’ at the bottom of the screen:

The second window of the wizard provides you with the opportunity of changing the NTFS permissions on the
chose folder:

On the third window you will be able to choose the share protocols you would like to use (SMB,NFS or
both):

The fourth window is important. Here, you are given the opportunity to change the SMB protocols settings
such as user limit, caching options and finally Access Based Enumeration. This is achieved by pressing
on the advanced button(note that be default ABE is disabled):

In the remaining windows you will be able to configure SMB permissions (share Permissions), DFS configuration
and finally create the share:

Managing ABE on Windows 2008

Managing ABE (which is a nicer way of saying enabling,disabling and checking it’s status) can be done by using
’Share and Storage Management’ snap-in. Once you right click on a share choose Properties and then press on
the Advanced button you will be presented with an all so familiar window that will enable you to manage ABE on
that share.

An additional option for managing ABE is to install the tools provided for Windows 2003 on the Windows 2008
server. You can do so by downloading the management tools form this link. By installing these tools you
will have your standard UI extended with an additional tab that will provide you with opportunity of enabling
and disabling ABE or enabling/disabling ABE on all shares on the system:

An additional tool that is installed is a command line tool that provides more of the same but at the command line:

In Conclusion

Access Based Enumeration is a good feature that provides a streamlined experience for users that
access shares. On the other hand, in my opinion, this feature has received too little attention and it may
cause confusion with IT departments that are not aware of it’s existence due to the radical change it causes
in the way that shares are handled. In addition to that I personally find it somewhat odd that the Windows
2003 tools used to manage ABE are not installed by default with Windows 2008 and that different ways of
sharing folders provide different results in regards to ABE.
All in all, once you get the hang of it , it’s a great feature that can improve usability.

Hyper-V is in the wild

Erik Rozman — Fri, 27 Jun 2008 08:01:47 GMT

Yesterday,and ahead of time, the final version of Hyper-V was released. You
can find product details at the following link. If you would like to download the
update for your Windows 2008 system, click here.

Works with Tool for Windows 2008

Erik Rozman — Sat, 31 May 2008 12:33:32 GMT

The “Works with” tool is a time and cost-saving resource for developers and IT Pros to determine application readiness on Windows Server 2008. Within two to four hours the tool compares an application with Microsoft’s application compatibility criteria and provides a detailed summary. The “Works with” tool can be applied to both commercial and custom in-house developed applications and helps provide IT Professionals increased confidence to deploy applications on Windows Server 2008.

Download

Windows NT Backup - Restore Utility (Vista & Win2k8)

Erik Rozman — Sat, 29 Mar 2008 20:09:32 GMT

The fact that NT Backup is nowhere to be found on Vista and Windows 2008 disappointed me.
Given, NT Backup wasn't the tool of choice for backing up systems but I always had the comfort
of knowing that it's there in the background and that if I needed a quick and dirty solution
it would help me out...

There are several solutions for this problem,one of them is to copy over a few files and have
NT Backup up and running again (not sure if this doesn't violate the EULA though). A nagging
question though is what happens if you ran a backup on Win2k3 or XP and you want to restore
it on Win2K8 or Vista...Well here is the solution, Microsoft released a restore utility that
will work on Win2k8 and Vista:

Windows NT Backup - Restore Utility Download

You can download either the x86 or the 64 bit version. Once downloaded make sure to start the
Removable Storage Management service and then install the file.

Windows 2008 (serverunleashed.com)

Erik Rozman — Fri, 29 Feb 2008 15:45:39 GMT

Ok,so it seems that I am in that mood today...one more marketing website
I found (and liked) is the serverunleashed.com . It showcases Windows 2008
in a very original way...

[once a week it helps out in HR...] good one...

Group Policy Preferences - Client Side Extensions

Erik Rozman — Fri, 29 Feb 2008 14:54:33 GMT

If you want your clients to be able to process GPO Preferences then you will need the
following client side extension:

GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)

For an overview on Group Policy Preferences click here.

Bitlocker - The Theory (Part 1 of 3)

Erik Rozman — Sat, 23 Feb 2008 20:26:05 GMT

I will start with a disclaimer. I know, not a good way to start a post...
I intend to write a series of posts about Bitlocker, starting with the theory and turning
that theory into practical implementation. I am writing these posts based on my own personal
research and knowledge. I have no connection to the people that wrote Bitlocker so I may
make mistakes here...If I do,please send me a message or leave a comment pointing out
the mistakes and I will make sure to fix them.

I decided to write these posts since I couldn't find any documentation about how Bitlocker
is supposed to work, how it's implemented and how it behaves in different scenarios. The
majority of articles I found, provided good background information some usage tips and
that's it... Now it's my turn to give it a shot.

What is Bitlocker

Bitlocker is a technology released with Windows Vista(Enterprise and Ultimate) that enables the
users to encrypt the contents of a volume. Bitlocker's role, in the pre-SP1 era, is to protect the
the system volume of a system by encrypting it. Since the encryption is at the volume level
the information is protected from a parallel installation attack.

The need for an encryption technology that protects a volume grew from the advent of mobile
computing and the threats of data theft (stealing a laptop is easier then stealing a desktop and
threats to a laptop are significantly higher considering that you use it in public places).

Bitlocker provides protection, yet you must remember that all encryption mechanisms can be
decrypted (otherwise we would be in a real bind) thus Bitlocker will slow down a potential data
thief not stop him.

You may be asking yourself at this stage what is the big deal here? Bitlocker is not the first
encryption technology to be released for Windows. Previous encryption mechanisms include the
Encrypting File System(EFS). How is Bitlocker different?

Bitlocker vs EFS

Bitlocker encrypts volumes (as one unit),EFS encrypts files and directories
Bitlocker encrypts system files,EFS can not encrypt system files
Bitlocker uses symmetric encryption while EFS uses asymmetric encryption
Bitlocker does not protect your data while a system is turned on, EFS does

Looking at this comparison, I hope that it is obvious to you that Bitlocker and
EFS are not adversaries or substitutes. Bitlocker and EFS are two technologies that can provide a
layered defense against data theft. That is if they are used correctly and together(hence the layered).

Since this post does not deal with data protection but with a specific part of it,namely
Bitlocker, lets continue by trying to understand what Bitlocker can do for you and what it can't.

What Bitlocker can do

Bitlocker can do the following things:

It makes it relatively very difficult to access data on a stolen disk or computer
It can encrypt the entire contents of a volume, including OS files, paging files, hibernation files
and temporary files
Post SP1 it can also encrypt additional volumes not only the system volume
Allows you to deploy and remove itself without destroying the data on the volume

What Bitlocker can't do

Bitlocker will not do the following things:

It does not protect the system from a network attack
It does not protect the data while a system is on (read-has electricity, including standby)

How does Bitlocker work - Booting an encrypted OS

Ok,now that we have the formalities out of the way, lets try to understand how does Bitlocker achieve
what it does. Once enabled Bitlocker starts an encryption process that obscures the data on the volume
it is applied to. The first volume that must be encrypted is the system volume and thus arises the problem
of the chicken and the egg:
If Bitlocker is a mechanism used by the OS to encrypt data, to be able to decrypt(access) the data
the OS has to be loaded (or at least part of it) but since we encrypt its volume it can not load because
it is encrypted...

To solve this problem, an additional volume has to be created(which should not store user data).This volume will not
be encrypted and will provide enough OS code to decrypt the system volume.Since in this part of the post
we are only discussing theory, take this as a given, an additional volume is created-the system boots from there
decrypts the encrypted volumes and allows the rest of the OS to boot.

How does Bitlocker work - Encrypting a Volume

Bitlocker encrypts a volume using a symmetric algorithm (Advanced Encryption Standard (AES) algorithm with
128-bit keys). The key length is controllable and their size can be increase to 256-bit yet that may cause performance
degradation.

The encryption process begins, and a key is created- this key is called the Full Volume Encryption Key (FVEK). The
FVEK is used to encrypt and decrypt the data. The FVEK is stored on the volume as part of the volumes metadata.
But wait-if the symmetric key that is used to encrypt/decrypt the data is stored on the volume it is meant to
protect what prevents a thief from picking it up and decrypting it...this sounds like locking a door and leaving the key
in the lock,from the outside...

To be honest, the door analogy is quite close to what happens with one small but major difference, instead of leaving
the key in the door, the key is placed inside a locked box that is welded to the door. In other words the FVEK, is
encrypted by an additional key called the Volume Master Key (VMK).

How does Bitlocker work - Decrypting a Volume

To decrypt a volume, you need to take the process used to encrypt it and reverse it (due to the use of symmetric
algorithm used): the OS boots, identifies the usage of Bitlocker, requests the VMK and uses it to access the FVEK
which in turn provides access to the encrypted data.

How does Bitlocker work - protecting the VMK (The Protectors!)

As you can see once you have access to the VMK, the game is over. Due to it's importance the VMK has to be
closely guarded. The measures used to protect the VMK are called 'protectors'. The role of the protectors is to prevent
unauthorized access to the VMK and it is assumed that if you have access to a protector you are authorized to use it
(this is a huge assumption but as the saying goes:"Who will guard the guards?").

There are several protectors that can be used to store the VMK:

Trusted Platform Module - A secure storage built into the system board that will store the VMK and release
it for use only if an additional authenticator(such as a PIN) is provided and no major changes to the system
have been identified.
External media - This may be a disk on key upon which the startup key is stored.
Recovery key - A manual process of entering 48 numbers to release the VMK.

More about the protectors in the second part of the Bitlocker series posts that will deal with implementation.

How does Bitlocker work - Why two keys?

There is one major reason for this-in the case of moving a hard drive to a different system or losing a protector
there is no need to re-encrypt the volume (a lengthy process). It is simply enough to re-key the FVEK by creating
a new VMK. In theory this is true, yet I have not found a way to do this.

Conclusion of part one

Bitlocker is part of a layered strategy to protect data from theft. The aim of this post was to lay down
foundations that will help with the implementation of Bitlocker. You should now be able to understand
the role of Bitlocker and it's abilities and shortcomings.

The second part of the series will describe the methods to implement Bitlocker.

Windows Automated Installation Kit 1.1

Erik Rozman — Fri, 08 Feb 2008 16:38:19 GMT

With support for Vista's SP1 and Windows 2008.

New features in the Windows AIK

Supports Windows Vista Service Pack 1 and Windows Server 2008
Supports for Windows Server 2008 ServerManagerCmd.exe. Documents how to build answer files for the Server Manager CLI used to install and to remove Windows Server 2008 roles, role services, and features.
Support for Windows Server 2008 ICT (Initial Configuration Tasks). Documents schema definitions how to add tasks, links, and branding material to the out-of-box experience.
Supports Windows Setup cross-platform deployment. You can install 64-bit version of Windows from a 32-bit preinstallation environment WinPE.
Contains Windows PE 2.1.
- Boot from Hard Disk. Support for booting directly from the hard disk, not into RAM Disk.
- Oscdimg tool. Updated features including support for larger images.
- Writable RAM drive. When booting from read-only media, Windows PE automatically creates a writable RAM disk (drive X) and allocates 32 megabytes (MB) of the RAM disk for general-purpose storage. You can customize the size up to 512 MB using PEImg /scratchspace.
Contains several new tools (%programFiles%\Windows AIK\Tools\<platform>)
- Driver Package Installer (DPInst). Add non-boot critical drivers during Windows Setup using the Driver Package Installer (DPInst)
- Boot critical driver projection tool (PostReflect.exe).
- Windows Vista SP1 Files Removal Tool (VSP1Cln.exe). Remove archived Vista RTM files and reclaim disk space after Windows Vista SP1 is applied.
- Windows Deployment Services Multicast (WDSmcast.exe). WDSmcast.exe is used by computers to join multicast transmissions offered by a Windows Server 2008 based WDS (Windows Deployment Server). More about this in an upcoming blogpost...
Contains Windows Vista Deployment Error Diagnostic Guide. Describes how to diagnose error logs related to deploying Windows Vista, specifically how to interpret errors related to Windows Setup (Setup.exe) and Package Manager (Pkgmgr.exe).

Download it here.

Group Policy Reference for Windows 2008

Erik Rozman — Fri, 08 Feb 2008 09:58:44 GMT

The definitive list can be found here.

Windows Vista and Windows 2008 TCP/IP values

Erik Rozman — Fri, 25 Jan 2008 13:09:54 GMT

TCP/IP Configuration Settings

Changes to TCP/IP Registry Values

Settings Configurable Using the Registry Editor

Settings Configurable from the User Interface

Download here.

The Compare campaign

Erik Rozman — Sat, 19 Jan 2008 09:19:19 GMT

Microsoft has built an area in it's Windows Server website called Compare. Basically this area
will provide content that compares Windows Server to other environments. There several
interesting screencasts and Webcasts there,take a look:

http://www.microsoft.com/windowsserver/compare/windows-server-comparison-screencasts-and-webcasts.mspx

http://www.microsoft.com/windowsserver/compare/default.mspx

An Interview with Mark Russinovich (Channel 9)

Erik Rozman — Fri, 21 Dec 2007 09:29:07 GMT

I heard Mark Russinovich speak at Tech-Ed Europe in Barcelona (2003) and I found
it to be a great experience, now that he is a part of Microsoft what he has to say
has additional weight since he is a part of the team that works on the Windows kernel
and additional goodies...

I highly recommend taking the 40 minutes and watching the interview with Mark at:

http://channel9.msdn.com/showpost.aspx?postid=365911