Microsoft – Windows Server 2012 Hyper-V 3.0 best practices checklist

Roger Osborne has posted a great article with a Windows Server 2012 Hyper-V best practices checklist.

I especially like the fact that it’s not just a checklist, but it also explains what it does and why it is considered a best practice to do it this way (in specific situations).

Additionally you might also want to take a look at “Top 20 Hyper-V Performance Metrics You Should Care About” and System Center Advisor.

 

Microsoft – Resources to get more familiar with Active Directory Federation Services (ADFS)

Nowadays more and more work, communication and collaboration involves multiple external parties. This can involve by example employees, customers, partners, suppliers, cloud providers/platforms/applications.

This means it is becoming increasingly important to have proper authentication and authorization methods in place for single sign on (SSO) so users can be more productive. Besides the ease-of-use It can also lead to better security.

Microsoft’s Active Directory Federation Services (ADFS) will make this possible. For more information on ADFS, here are some resources. Keep in mind though that while some information may be outdated, it will give you a broad idea of the concept and the inner workings. The current version of ADFS in Windows Server 2012 is 2.1 , while Windows Server 2008 uses 2.0

• Active Directory Federation Services (TechNet)
• Active Directory Federation Services,Part 1: How Do They Really Work?
• Active Directory Federation Services,Part 2: Building Federated Identity Solutions
• Active Directory Federation Services 2.0 solution guide (including ForeFront UAG)
• Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure
• AD FS 2.0 Step-by-Step and How To Guides
• AD FS with Office 365 Step by Step Install Guide
• ADFS 2.0 Setup Guide
• A Guide to Claims-Based Identity and Access Control (2nd Edition)
• Choosing Between Forefront TMG or Forefront UAG for Publishing Scenarios
• Cloud Security: The Practical Meaning of Security, Identity and Access Revealed!
• Complete walkthrough: Setting up a ADFS 2.0 Server on Windows Azure IaaS and Configuring it as an Identity Provider in Windows Azure ACS
• Demystified Series: Active Directory Federation Services (AD FS) Part 1
• Demystified Series: Active Directory Federation Services (AD FS) Part 2
• Deploying and Configuring ADFS 2.0
• Federated Identity in the Cloud [NZ 2010: SEC402]
• Federation and Federated Identity: Part 1 Active Directory Federation Services – How Do they Really Work?
• Federation and Federated Identity: Part 2 Building Federated Identity Solutions with Forefront Unified Access Gateway and ADFS v2
• Forefront UAG and ADFS: Better together
• Managing Identity in the Cloud with ADFS and Windows Azure – TechDays 2012
• MS Innovations Blog posts tagged with adfs
• Office 365 ADFS virtual lab
• Office 365 for SMB Jump Start (03) | Office 365 DirSync, Single Sign-On & ADFS
• Office 365 SSO: A Simplified Installation Guide
• Plan for and deploy AD FS for use with single sign-on
• Setting up Single Sign on with Office 365 using ADFS 2.0
• The Access Onion – Peeling away at Access Management, Identity Federation, PKI and SSO issues
• What’s new in Forefront UAG Service Pack 2 (also ADFS 2.0 changes)
• Windows Authentication, ADFS and the Access Control Service 
• Windows Server 2008 (R2) Active Directory Federation Services (TechNet)

PS: Microsoft is moving more and more towards claims based authentication. Examples include Windows Server 2012 Dynamic Access Control and also SharePoint 2013 that has switched to claims based authentication by default now.

If you have some other resources that might be useful, please let me know so I can add them as well.

 

Microsoft – Security Compliance Manager 3.0 (SCM) has been released

Microsoft has released the Security Compliance Manager 3.0 (SCM). This version includes support for Windows Server 2012, Windows 8, and Internet Explorer 10.

SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and Microsoft System Center Configuration Manager. It provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices, allowing you to easily manage configuration drift, and address compliance requirements for Windows operating systems and Microsoft applications.

Basically in SCM 3.0 you can use predefined baselines, customize them or create completely new ones. Then you can export it from SCM 3.0 and apply it using an Active Directory GPO. To do this, create a new GPO in Group Policy Management, right click the GPO, import settings and complete the wizard.

You can also export existing GPO and then import it into SCM 3.0 and compare the differences.

 

Microsoft – Exam preparation resources wiki for Server 2012 and much more

Guido van Brakel (@guidovbrakel) has posted the great “Preparation resources for the exam 70-417: Upgrading Your Skills to MCSA Windows Server 2012″ on his blog http://www.enduria.eu some months ago.

Apparently he has now partnered up with the Microsoft Learning / Born To Learn team and is moderating wiki posts containing preparation resources for all kinds of exams including:

70-410: Installing and Configuring Windows Server 2012
70-411: Administering Windows Server 2012
70-412: Configuring Advanced Windows Server 2012 Services
70-413: Designing and Implementing a Server Infrastructure
70-414: Implementing an Advanced Server Infrastructure

From what I can see in the wiki based on the placeholders, a lot of great content is planned for the future as well.

The Born To Learn blog , Microsoft Virtual Academy (MVA) and Server 2012 Virtual Labs are also great resources you may want to check out.

PS: If you’re Dutch or Belgian, you might also want to take a look at the Tweakers.net forum and especially the “[Microsoft Certified] Ervaringen en discussies – Deel 9″ thread where lots of Microsoft Certification information is shared.

 

Home LAB – How to use Windows 8 Client Hyper-V and VMware Workstation on the same machine

In yesterday’s post I described that for my purposes it was still necessary to run VMware Workstation sometimes despite having Client Hyper-V installed on my Windows 8 machine.

What you have to keep in mind though, is that you’re already running a hypervisor when you have Client Hyper-V installed in Windows 8. Installing and running VMware Workstation might cause problems. So unfortunately you cannot run them at the same time. This is also true for other virtualization products like by example virtualbox.

As a workaround you can either uninstall or (temporarily) disable Hyper-V. When you want to switch between Hyper-V and VMware Workstation it is ofcourse best to just temporarily disable Hyper-V.

In this forum post, a couple of methods are described to (temporarily) disable Hyper-V. It includes creating a seperate boot menu entry to boot with Hyper-V disabled and modifying the setting either through registry or a command. All methods do require a reboot however.

PS:

• This kind of configuration is ofcourse not supported and should only be used for testing purposes in non production environments.
• Depending on both your hardware and what your planning to do, you might also want to consider:
  • Running VMware ESXi from a USB stick
  • Running Windows 8 from a USB stick with Windows To Go (WTG).
• It should also work on Hyper-V in Windows Server 2008 and up, but I haven’t tested it.

 

Security – Java releases update for major Java vulnerability

Last sunday I warned about a major vulnerability in Java.

It wasn’t expected that Java would come have an update available this quickly, but it is good that they did. So be sure to update to Java 7 Update 11 : http://java.com

 

Free training – Microsoft Virtual Academy (MVA) hosting 3 virtualization related Jump Starts

Microsoft Virtual Academy (MVA) is hosting 3 virtualization related Jump Starts in January and February:

1. Introduction to Hyper-V Jump Start (January 24th, 2013)
2. Microsoft Virtualization for VMware Professionals Jump Start (January 30th, 2013)
3. Microsoft Tools for VMware Migration and Integration (Late February)

I’ve attended a couple of Jump Starts including those of Office 365, Windows 8 and Windows Server 2012 already and I think it’s a great way to quickly get up-to-date about a subject. Also there’s a great team of people working behind the scenes to answer questions and provide more detailed resources. Other attendees often also share their experiences and provide valuable insights.

The links above provide include a course outline and a link to register for the Jump Start.

I hope to see you there.

 

 

Security – Major Java vulnerability, don’t become a victim

[EDIT 14-01-2013]

Oracle release Java 7 Update 11 to fix this security issue. Be sure to update: http://java.com/

[EDIT]

Normally when I read about security vulnerabilities, I don’t really get a sense of urgency.

With the current Java vulnerability however, I do feel like people have to act quick because there are so many respected companies and even countries actively taking action:

• Apple has disabled the Java 7 plugin on Macs through its OS X anti-malware system, in order to protect users from a potentially serious security issue
• Cisco: New Java Vulnerability Being Exploited in the Wild
• Mozilla Security Blog: Protecting Users Against Java Vulnerability in FireFox
• United States Computer Emergency Readiness Team (US-CERT) suggests disabling Java

Apparently this vulnerability is actively being exploited already and Oracle hasn’t released a Java fix yet. You might want to consider a combination of the options below:

• Updating Intrusion Prevention System (IPS) signatures (Cisco signature)
• Uninstall Java (Windows | Mac OS X)
• Disabling Java only for web browsers
• Disabling Java in specific web browsers

Personally I like the way FireFox is handling the issue because it blocks by default, but allows users to easily override this behavior for specific sites. Also I’m getting quite fed up with all these Java security vulnerabilities lately

I’d like to know what you’ll be doing. Have you or are you going to disable Java ? Which methods will you use ? Why ?

 

Home LAB – Virtualization and how to enable nested ESXi and other hypervisors in VMware vSphere 5.1

As a passionate ICT person, I work with multiple virtualization products including Microsoft Hyper-V and VMware vSphere.

At home I’m running Server 2012 with Hyper-V in my home lab and even though it works perfectly, I miss the option to be able to run multiple other hypervisors beneath it like by example multiple Hyper-V, VMware ESXi or Citrix XenServer instances.

With VMware products like VMware Fusion, VMware Workstation you can enable this with only a couple of minor adjustments as described in these great articles:

• How to Run Hyper-V in vSphere 5.1
• How to enable nested ESXi and other hypervisors in vSphere 5.1

For me personally, I’ll stay with my Hyper-V based home server and my Windows 8 Client with Client Hyper-V installed. For testing purposes however, I’ll have to use VMware Workstation 9 on my Windows 8 machine.  (even though I have Client Hyper-V installed). This way I can still run other hypervisors when needed.

I still hope though that Microsoft will add a similar feature to Hyper-V in the future.

 

PowerShell – Determine which Active Directory objects are protected from accidental deletion

In yesterday’s post I showed some commands to protect all or specific Active Directory objects from accidental deletion.

In some situations (by example preparing for a change) you might want to know which objects are protected from accidental deletion and which are not. Also when multiple people make changes in an Active Directory it might prove difficult to keep track of the changes.

To determine the protection status of AD objects, I use a script that checks the ACL of the AD Object. When Everyone is explicitly Denied access, it is protected from accidental deletion.