Recently in Session Category

Mark’s last session and almost the last session of the show, that seems to usually be the case.  They keep Mark’s sessions until the end, I guess as a way to get people to hang around.

Process Monitor – File Activity does automatic grouping of reads and writes.

This session used to be done by Mark Russinovich in partnership with the current presenters.  I guess he has other sessions to concentrate on.  However he is apparently going to be in the audience.

First and only time in Theater Room 411, great room and it is too bad the other rooms aren’t this nice.  Only downside is no wi-fi in the room.

Really crowded room, almost full at this point.

70% of crashes due to 3rd party drivers
13% is Microsoft code
11% Unknown
6% Hardware Error

I am not sure what exactly this session is going to be about, but I am hoping it will help me understand the possibilities of RDS more.

Have to get this presenter’s other slide deck, more info on RDS in general.

10 Gb/s x .1% = 10 Mb/s

Lots of Q&A time (30 mins almost), may have been a bit too much but still good.

You know a session is good when one of your other favorite presenters is in the audience.  Also odd note that 4 people in the front row are using a MacBook (Pro). 

MinWin is built, huge shift in stripping out lots of old stuff and dependencies.  MinWin is bootable today by itself, ASCII art Windows logo on boot.

Managed Service Account is like a System account for services with managed password but has separate security context.

This session will mostly be a live demo of the concepts I have seen in several other sessions I think.  The agenda confirms my theory on this session.

Great demo on the entire process for setting up live migration.

First thing I did in this session was turn off my Wi-Fi since Laura will be monitoring and demoing with live traffic.

World’s greatest make-up case full of hardware key loggers and sniffers

Nmap / Zenmap
(Net Witness) Investigator
iPerf
Cain and Abel
inSSIDer
Snort

You can use VLC to play captured and re-assembled video streams from Wireshark.

Laura’s Lab Kit v10

Cace (Pilot, AirPcap)

www.netscantools.com/teched2009/ 40% off.

www.domaintools.com

Windows Scaling XP

TCP1323Opts

TCPWindowSize

Crowd not too thrilled about this year’s TechEd in general.  Big crowd in the room.

Some stuff from other sections, but condensed into core goodness.

Dell did 1000 VM in 16-node cluster on one 16.5 TB CSV, wow.

Coalescing of timers allows for longer sleep states of CPUs.  Cool feature.

SLAT (MS) = EPT (Intel) = NPT (AMD) = RVI (AMD)

So much good info, now to attempt to retain it.

A little bit too much Powerpoint and not enough demos.  Seemed to be mostly overview and intro and not product in action.

Operations Manager can make VMM do lots via management packs for keeping your VMs and hosts working as best as possible.

Lots of PowerShell scripting possibilities via VMM and Hyper-V in general.  Lots of cmdlets for VM management.

The session was a little dry but had some good pointers on what can be done.

Global SACL in Win7 / 2K8R2, allows for broad auditing much more easily.

sc qprivs servicename
sc qsidtype servicename
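The two sc queries above are the raw way to look at service hardening; as an added example (not from the session, and not a Microsoft tool), the following PowerShell wraps them into one report so you can sort every installed service by how many privileges it has been granted and spot the ones running with an unrestricted service SID. It assumes Windows Vista / Server 2008 or later (where sc qprivs and sc qsidtype exist) and PowerShell 2.0 or later; the list of "dangerous" privileges is my own choice.

```powershell
# Added example, not from the session notes: audit which privileges each service
# has been granted and whether it runs with a restricted service SID, using the
# same sc.exe queries shown above. Assumes Windows Vista / Server 2008 or later
# and PowerShell 2.0 or later.

function Get-ServicePrivilegeReport {
    param(
        # Assumed input: defaults to every installed service.
        [string[]]$ServiceNames = (Get-Service | ForEach-Object { $_.Name })
    )
    foreach ($name in $ServiceNames) {
        # sc qprivs output looks like:
        #   PRIVILEGES       : SeAuditPrivilege
        #                    : SeCreateGlobalPrivilege
        $privs = @()
        foreach ($line in (& sc.exe qprivs $name 2>&1)) {
            if ($line -match ':\s*(Se\w+Privilege)\s*$') { $privs += $Matches[1] }
        }
        # sc qsidtype output contains: SERVICE_SID_TYPE:  UNRESTRICTED (or NONE / RESTRICTED)
        $sidType = 'n/a'
        foreach ($line in (& sc.exe qsidtype $name 2>&1)) {
            if ($line -match 'SERVICE_SID_TYPE:\s*(\w+)') { $sidType = $Matches[1] }
        }
        # Privileges that are effectively full control of the box (my own list);
        # worth a second look on any service that is not a core Windows component.
        $dangerous = @($privs | Where-Object {
            $_ -match '^Se(Debug|Tcb|LoadDriver|TakeOwnership|Restore|Backup)Privilege$' })
        New-Object PSObject -Property @{
            Service        = $name
            SidType        = $sidType
            PrivilegeCount = $privs.Count
            Dangerous      = ($dangerous -join ',')
            Privileges     = ($privs -join ',')
        } | Select-Object Service, SidType, PrivilegeCount, Dangerous, Privileges
    }
}

# Usage: services carrying the most privileges first
Get-ServicePrivilegeReport | Sort-Object PrivilegeCount -Descending | Format-Table -AutoSize
```

One caveat when reading the report: sc qprivs only lists privileges a service has explicitly declared as required. A service that declares none is not privilege-less; it gets the full default privilege set of the account it runs under, so an empty Privileges column on a LocalSystem service is the case to look at, not the safe one.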

Jeff Woolsey is doing this presentation and that is the primary reason I am here.  I saw him co-present an earlier one and he really knows his stuff and presents it well.

Hyper-V has had zero security patches since release.  Total isolation of VM and parent partition, as well as between VMs.  Some choices made for security are annoying in little ways, like no copy and paste via shared memory, but done for VERY good reasons.  Avoids some of the security flaws that VMWare has allowed.

If you are using W2K8R2 Server Core check out sconfig, allows for much easier initial management and setup of server core.

I was debating between this session and VIR312, it seemed this had more of what I wanted and less of what I didn’t (VMWare).

Don’t put anything other than Hyper-V VHD files on CSV, it is not a tested or supported scenario.  CSV will most likely be expanded to support other things like SQL / Exchange / File services in future.

In a cluster one node can send IO to another node if storage connection is lost.

Refresh Failover Cluster Manager if changes are made in Hyper-V manager, or just make the change in FCM.

Current backup solutions such as DPM do not support CSV.  They need to be made CSV aware using new APIs.

You can rename the folder portion of VolumeX to something more useful.

Really looking forward to this since the previous versions of the tool have saved our school lots of money and me lots of time.  I haven’t tried the 2010 version yet but probably will this summer.

WAIK 2.0
WinPE 3.0
DISM

Under Task Sequence –> Install –> Install Operating System to change image without recreating the whole task sequence

Change which drivers MDT attempts to inject via selection profiles.

Great session and insight into MDT 2010.  Can’t wait to get Beta 2 and start trying it out.

This session is mostly to help get me up to speed on SCVMM.  I have the luxury of starting with R2 so I get the benefits of the new stuff.  I like what I have seen so far.  VMM R2 RC is out now on connect apparently.  Must go get it.

VMM PRO requires Operations Manager.  Have to investigate if we need it and it is worth it.

Networking diagram is awesome.

This session was so jam packed with info I didn’t stop to take notes.  If you weren’t there grab at least the slide deck if not the audio replay.

I have been running the planning tool already, so this session for me is mostly to make sure I didn’t miss anything and to make sure I am using the tool correctly.

Whole new MAP toolkit coming in July.  Totally changed interface from the one I just downloaded and tried.

MAP can do lots of things, some as simple as just inventorying your network.

This session had lots of notes on new security features of IE8.  I didn’t take many notes since no feature really “jumped” out at me.  It appears the protected mode problem we have currently still won’t be fixed.

This session will hopefully highlight all the goodies coming “soon” to W2K8R2.  It really is a shame I can’t roll with it during summer upgrades.  Now I will have to wait until Christmas vacation most likely.  Room 153 has same orientation as 150, odd that is.

Really crowded session, quite popular it seems.

WSMan does lots of stuff, I don’t understand most of it and will probably never use it

RSAT tools can remotely utilize Server Manager

The demos in first part of this session were a bit overkill in speed.  I think this session should have been split into two rather than squished together.

ADAC is promising but not REALLY cool yet, hopefully it will be expanded.

Honestly I am attending this session because I couldn’t find another one I liked better.  I am interested to see what IE8 has to help in managing it.  The layout of room 150 leaves something to be desired.  It is very shallow and very wide, basically meaning you can either see a screen or the presenter well but not both.

IE8 supports slipstreaming now to offline OS image and bootable ISO
oscdimg to create new ISO
phishing filter is much more forceful in blocking
Use GP to disable click through to dangerous sites

UI cannot be locked by single process via GDI for something like pagefault, major change that dates back to Windows 3.0
SuperFetch and Search get out of the way REALLY in Win7 unlike Vista where they would hang around and make the disk churn when machine wasn’t really idle
Don’t turn off SuperFetch let it manage itself
A “good” SSD really helps Win7, question is what is “good”
IE8 requests network link before it even loads so that when it loads the network request has already happened
Concurrent single server connections raised from 2 to 6
Wide variation of Disk I/O based on drive model, can make a huge difference in UI responsiveness
Get WDDM 1.1 Video drivers if at all possible, huge memory savings
Trigger start services, somewhere in between automatic delay and manual.
38 Core OS services trigger start to save boot time
powercfg -energy again, have to try this

Can’t wait to deploy Win 7 wide and reap these performance rewards.

Corey Hynes – Jeff Woolsey

I am hoping to get a lot out of this session since I am just starting with Hyper-V and I want to start with R2 if possible.

It is obvious they are selling Hyper-V against VMWare products.  Talking about costs and such.  That is more of a marketing message I think than a technical message, hopefully they don’t talk on those points too much.

Live Migration
Cluster Shared Volumes
Processor Compatibility Mode
Hot-Add disks either VHD or pass-through
TCP/IP offload to hardware NIC via direct

Have to look at Application Publishing via TS (or RD) for remote access to applications.

Maintenance Mode to allow shutting down of Physical Host for maintenance

Since this is a 200 session it probably won’t be too deep but that is fine, I just want to know what is new and I think this session will do that.  We only have a handful of 2008 servers now so I need to get up to speed.

Joey Snow – Technical Evangelist

Short gap in time between 2008 and 2008 R2
TCP Offload support to better utilize dedicated network cards
Live migrate between processor generations, expose newer CPU capabilities via VM reboot
Expanding PowerShell usage scenarios
Server Manager UI can work on remote servers just like the Computer Manager could finally
BPA built in by default not standalone add-in
PowerShell remote, what-if testing
AD Undelete
Managed service accounts that automatically reset password
Active Directory Administration Center – bringing a nicer face to AD
IIS 7.5
IIS totally powershell
powercfg -energy

Great overview session

Keynote


This year there is only one keynote and thankfully they made it good.  There was no silly fluff like Doc Brown and a time machine or a character from 24.  Just real info and good demos.  They only had a total of three people talk or do demos.  Bill was the main presenter and did the first 45 minutes or so.  Then Mark came out and did a bunch of demos and was good as usual, even handling a bit of live demo failure.  He showed off some new things in Windows 7.  After Mark left Bill came back on for a few minutes and introduced Iain to talk about Windows Server 2008 R2.  By the time Iain got started the time for the keynote was already over, but he forged ahead with his material.  He also was a very good presenter and poked fun at the usual server demo thing of having a rack of blinking lights.  He showed off a bit of virtualization and talked about the plans for R2.  A really good Keynote overall, exactly what it needed to be.

This is the last session time of TechEd, the only people here are the people who really want to hear this session.  There are quite a few people here even taking that into account.

Polling is bad, NotifyChange good.  I need to check out Process Tree, very powerful.

I am going to distill the presentation down to use Process Monitor, it is very powerful.  If you can get the deck or even better a recording it is well worth it for troubleshooting guidance.

Steve was also chatting with the crowd before he started.  I asked him about speaking in foreign countries and he said he mostly speaks in English world wide.  In Vietnam he said he had translator, which makes his presentation take a bit longer.  The jokes are especially interesting with delayed laughter.

Hackers are no longer just script kiddies and hobbyists, it has moved to professionals for financial gain and even national security.

Phishing is not about stealing identities (except maybe MySpace), it is about stealing money.  Two-factor authentication won't stop phishing, it will only change the attacks.  Asian banks send an SMS challenge to the cell phone for a one-time key; it actually works to prevent phishing.

Three dimensions of data:
Confidentiality - Public, Internal, Confidential, Private
Retention - Regulated, Contracts, Temporary
Recovery - Mission-Critical, Urgent, Non-Urgent

Encryption turns data into goo, unless you have the secret.

S/MIME for E-Mail
EFS and BitLocker for files / hard drive
RMS for controlling data flow

Steve went about 15 minutes long, but another good session.

I got the chance to talk with Mark before the session, really good guy.  Just amazing his knowledge.  Before the official talk began Mark took some questions and talked about his new role at Microsoft and how it affects his tools.

Everyone is standard user, even admin.  The UAC prompt simply doesn't ask for username and password if you are already running as admin.  However everything else runs as normal user.

In Vista many things that needed admin rights are now changed to standard user to lower the need for admin rights.  A lot of applications force themselves into places like HKLM\Software and Program Files needlessly.

I am still concerned about gotchas with virtualization and app changes or now multiple users.  There are so many kernel mode storage level drivers I would love to see a hierarchy of them.  Only HKLM\Software is virtualized, except Microsoft\Windows and Windows NT.

Standard User Analyzer could help me get BlackBaud apps working.

Elevation prompts are color coded: Blue - core Windows; Grey - digitally signed code; Orange - unsigned code.  Elevated processes are isolated from other applications.

Integrity != Permission.  A lower integrity process cannot write to a higher level process or its data, but it can read the data if it has permission to it.  What this means is malware might not be able to write itself to disk for persistence, but it can read everything it has access to via permissions while it is running.  By default you are a standard user so the malware should be restricted.
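To see the integrity rule above on a real machine, here is an added PowerShell example (mine, not from the session): it reads the mandatory label of the current process token from whoami, and the explicit mandatory label on a folder from icacls, so you can compare a Medium process against the Low-labelled LocalLow folder that protected mode IE is confined to. It assumes Vista / Windows 7 with PowerShell 2.0 or later and that the LocalLow folder exists in the profile.

```powershell
# Added example, not from the session notes: show the integrity level of the current
# process and the mandatory label on a folder, to see the "read allowed, write blocked"
# rule in practice. Assumes Vista / Windows 7 with PowerShell 2.0 or later; LocalLow
# is the standard low-integrity folder in the user profile.

function Get-CurrentIntegrityLevel {
    # whoami /groups includes the token's mandatory label with Type "Label" and SID S-1-16-<level>
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $label = $rows | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $level = [int](($label.SID -split '-')[-1])   # 4096 Low, 8192 Medium, 12288 High, 16384 System
    New-Object PSObject -Property @{
        Name  = $label.'Group Name'
        SID   = $label.SID
        Level = $level
    } | Select-Object Name, SID, Level
}

function Get-MandatoryLabel {
    param([string]$Path)
    # icacls prints an explicit label such as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
    # (NW) = No Write Up: lower-integrity callers cannot write, but may still read if the DACL allows.
    # No label line at all means the object carries the default Medium label.
    $match = icacls $Path | Select-String 'Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))+)'
    if ($match) {
        $label  = $match.Matches[0].Groups[1].Value
        $policy = $match.Matches[0].Groups[2].Value
    } else {
        $label  = 'Medium (implicit)'
        $policy = '(NW) default'
    }
    New-Object PSObject -Property @{ Path = $Path; Label = $label; Policy = $policy } |
        Select-Object Path, Label, Policy
}

# Usage: a Medium process can read LocalLow, a Low process cannot write to the profile root
Get-CurrentIntegrityLevel | Format-List
Get-MandatoryLabel "$env:USERPROFILE\AppData\LocalLow" | Format-List
Get-MandatoryLabel "$env:USERPROFILE" | Format-List
```

Note that most files and folders show no label line at all; Windows only stamps an explicit label where something lower than Medium (like LocalLow) or higher (some system objects) was intended, so "no label" is the normal Medium case, not a misconfiguration.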

This session I will admit is just for me.  I am interested in this technology and want to see what they have to say about it.

By default Home Server backs up everything except page file and temp internet files.  Open restores as mounted drive for easy access through explorer.  Crashed HD recovery is done via boot cd and pulling back most recent full backup.

The way to think of Home Server is a further refined and wizard based version of Small Business Server, which is a version of Windows Server.  Each one has fewer features than the one before it, but also far less complexity to go along with it.  Home Server is like a domain for your home when you don't have the understanding of or need for a domain.

Full system backups via VSS.  The backups are incremental block based backups.  The backups are duplicate aware.

Home server will auto-configure a UPnP router.  There will also be a name.homeserver.com domain name created with dynamic DNS if you want to access the server remotely.  From the web site you can have access to all the shared folders, either personal or public.  When you want to grab files it automatically zips the files and sends you the zip.  You can connect to RDP of clients via Remote Server.

Under the covers this machine is a Windows 2003 Server machine.  Anything that a 2003 server can do, this server can do in theory.  However most (the majority) of features are not exposed in the UI, only those that the product is targeted toward.  There is a limit of 10 clients and 10 users on the server.

The audience for this session wants to push this product way beyond its defined market.  Lots of questions around features it isn't intended for.

This is the sister session to the CLI426 session I went to earlier this afternoon.  They are very similar topics and just cover different areas more applicable to either the client or server.  It is in an even bigger room than his last session but it seems to be just as full.

Server 2008 is last 32-bit version of server.  No more uni-processor kernel, no need.  Hot add PCI-Express, Memory and even CPU.  Crazy.  New hardware reporting architecture.

Self-Healing NTFS now in Server 2008.  Background process runs to monitor for corruption.

SMB2

There are much deeper differences between AMD Opterons and Intel's Core Architecture based Xeons than I ever realized.  Opterons are NUMA based (like the Xbox 360) and the Xeons are not.  Some of the details may make performance differences in quad core CPUs, especially in 2008.  It will be interesting to see specific workload benchmarks between the two architectures.

Clean shutdown has been enhanced in Server 2008.  Services can ask for a delay.  Services can take as long as they want as long as they respond.  If a service doesn't respond for 3 minutes, the system gives up on it.

Address Space Layout Randomization (ASLR) allows services, kernel, user space and programs to be in a different place every boot.  This will prevent direct code injection based on memory location.  Some viruses and other attacks used that as a vector.

Even really smart people like Mark have glitches, and Dave Solomon stopped in virtually to say hi.

I think the fact that this session is a repeat and was a late add really hurt its attendance.  Also as soon as the session was announced about 1/3 - 1/2 of the already small crowd left.  The crowd that is in here could easily fit in a smaller space.  Luckily it is in the same place as my next session which is going to be much more full.

IIS7 is now option for server core.  Redesigned Server 2008 for Web, much improved hardware allowances.  Code has actually been removed from the base install for things not needed (or allowed) on Server 2008 for Web.

Running on IIS6 today - MySpace - 23 Billion pages/month; Microsoft.com - 10K/sec; Match - 30 Million pages/day.

No IIS6 critical patches since RTM, not a one.

IIS7 is broken into 40 modules that can be installed by choice.  Greatly reduces potential attack surface area and footprint.

The metabase is dead, the world rejoices.  Moving settings from one box to another is simply copy.  The new IIS7 manager looks much more user friendly.

Demo virtual machine hiccups are painful sometimes.

IIS7 has hooks in PowerShell as well, definitely a good sign.  IUSR no longer named with machine name, about time.  IUSR now built into IIS, no password to worry about.  URLAuth native in IIS7.  IIS7 integrates URLScan style rules.

Mark's sessions are one of the major reasons I come to TechEd.  I always look forward to his sessions.

The time slice scheduler has been re-written to work better and properly report using features in newer processors.  Vista can give multimedia applications higher priority than other applications to make sure the sound and video are glitch free.  I think I have seen this myself while playing podcasts through iTunes while playing highly demanding games.  Protected processes were put in to allow for secure memory for DRM or encrypted media content.

Symbolic links are now in Vista, use mklink.  You can cancel I/O such as net use to non-existent server.  I/O prioritization allows for background applications such as virus scanning, without changing CPU priority.  Bandwidth reservation for streaming I/O to ensure media plays properly, also optimizes size of I/O.

Superfetch uses all available memory in attempt to predict what you will want to do and speed it up.  It even watches what you do at certain times of day to try and prepare the machine for next action.  ReadyBoost, ReadyBoot, ReadyDrive are all ready to help you.

Delayed auto start upon boot for services so that the logon process is more friendly for users.  Things like Windows Update can do this, hopefully anti-virus will do it as well.  More reliable sleep transitions.  Vista doesn't ask to sleep, it tells the apps and drivers to sleep.

Volume Shadow Copy in Vista.  Enables rollback on the client just like Windows 2003 server did for server drives.

UAC in 10 minutes in this session, 75 minutes in the session I am going to tomorrow.
4 integrity levels
Low - Protected IE
Normal - LUA User
High - Elevated user
System - System process

Virtualized files might have a hidden (to me at least) gotcha.  If you have an application that has virtualized files and then is upgraded to have a Vista capable manifest it won't have access to those previously virtualized files.  This could catch a bunch of people off guard I think with application upgrades.

Since I will be buying a new Exchange server in the next month I am curious to see what info this session has.  Sizing knowledge from 2003 and before not very useful in regards to 2007.

Due to the expanded memory footprint IOPs have been greatly reduced.  Much larger cache allows for much less disk access.  The more memory you have the fewer IOPs you need.

It sounds like with 2007 I might be able to get my boss's multi-GB mailbox to open quickly, thus making her happy.

Luckily with my puny 1000 users at about 40% concurrency I don't have to worry about the really high end issues.  The biggest problem I have is huge mailboxes and providing speed for those users.

High FSB more important than GHz.  Watch for memory speed as number of DIMMs increase.  SAS is faster by about 10-15% than U320 SCSI. 

The session could be Windows / Linux / Unix Network, centered on Windows due to audience.  The whole session is LIVE, only 3 slides.  Very popular session, even at 8 AM S330 is pretty much full.

Homemade trojan using Beast 2.07, inject into allowed programs, terminate anti-virus.  Kind of scary to see how easily a trojan that he made in minutes was able to compromise a machine.

The security guard and red shirts walking around forcing people to move isn't TOO distracting.

Second demo is using Core Impact, has an amazing list of known vulnerabilities.  Hack the banner sites to quickly hit lots of (semi) trusted sites.

Third demo was code injection into SQL, almost too easy and powerful.

Fourth demo is wireless.  WEP is a waste, don't do it.  AirCrack.  % minutes of traffic cracks 128 bit WEP.  WPA problem is easy to guess keys.  WPA key is stored on client.

Fifth demo is physical attack.  Trick security is easiest access method.  Foreign USB keys can be a huge risk.

Internal attacks are next.  Grab the hash from one workstation.  If as normal all local admin passwords are the same you can access any workstation.  Find the workstation used by the Domain Admin.  Dump the hashes on that one.  Use hash injection tool to then access the domain controller.  Scary stuff.

Great Session, it will be repeated tomorrow if you missed it.

Lots of cmdlets already built and lots more coming (soon hopefully).  The only downside to PowerShell so far is that the Server 2008 management is NOT built on it.  Why?  I am guessing PowerShell wasn't ready in time to be a basis for 2008, coming in NT7 (Vista and 2008 are NT6 in case you are wondering).

PowerShell looks like it is working on text lists, but it is actually working on objects that have properties and possibly actions.  The ability to open files and parse with a simple command is awesome, no more creating objects in VBScript.

The registry can be navigated from PowerShell just as a disk can be.  Extensions have been created to add Active Directory as drive as well.
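The two points above, objects instead of text and the registry as a drive, come together nicely in an autostart audit. The following is an added example of my own (not from the session or from Microsoft): it walks the standard Run keys through the HKLM: and HKCU: providers, turns each value into an object with properties, and pipes those objects into Get-AuthenticodeSignature to flag anything that is not validly signed. It assumes PowerShell 2.0 or later; the key list is the usual set and the way it pulls the executable path out of the command line is a simple heuristic of mine.

```powershell
# Added example, not from the session notes: walk the autostart Run keys through the
# registry provider, turn each value into an object, and check the Authenticode
# signature of the executable it launches. Assumes PowerShell 2.0 or later; the
# executable extraction is a simple heuristic (quoted path, else first token).

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }              # a registry key is just a path here
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSChildName, ...)
            $cmd = [string]$prop.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else {
                'FileNotFound'                                # bare names like rundll32.exe land here too
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Command = $cmd; Executable = $exe; Signature = $status
            } | Select-Object Key, Name, Executable, Signature, Command
        }
    }
}

# Usage: anything that is not signed with a valid certificate deserves a look
Get-RunKeyEntries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize -Wrap
```

Because the output is objects, the Where-Object filter at the end is just one choice; the same pipeline can be sorted, exported with Export-Csv, or compared against a saved baseline from another machine without any text parsing.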

Quest has cmdlet plug-ins to add in AD (ADSI) access to PowerShell. 

This is another session I am looking forward to after seeing Johan's first one.  He is a really good presenter and knows his stuff.

It seems like I will have a little easier time since I don't have to worry about anything prior to WinPE 2.0.  It sounds like there are a lot of fixes and new features are in the newer WinPE.

BCDEdit TFTP Block Size - Anticipating Windows Size of 8K

Default Domain Policy / Ris Settings / Enable Tools and Disable all others.

Hopefully I won't have to use most of the deep tricks that were shown, but it is good to know about them.

Public folder management through GUI is coming back in SP1, not in RTM.  Quick find is also only in SP1.  It looks like Exchange 2007 management is returning to Exchange 5.5 days of being able to do it all itself as opposed to Exchange 2000-3 where it handed everything over to Active Directory Users and Computers.  One really cool feature is the one liner screen that shows the powershell command that was used to complete the command.  This will allow people to create scripts much easier simply by watching what the GUI does.  I will definitely be re-writing scripts this summer it seems.

At first I was worried about the slowness / dryness of session but now I am even more excited to start using Exchange 2007 and powershell.  It looks like it will make my life that much easier.  You can save the customized filters for easy access later too.

Need to look up slide deck for UNC309.

Lots of work has gone into Vista to extend and harden GPO.

Sound problems in S330 again, grr.

A lot of the info so far has been repeat of what I have heard in other sessions.

PolicyMaker has been acquired by Microsoft.  It allows setting of far more settings it seems.  GPOVault is also now included in Desktop Optimization Pack.

A lot of the stuff in session I had already heard in other sessions.

Server 2003 initial setup was very fragmented and overlapping with its tools.  Server 2008 goal is to streamline the setup of roles in unified tools.

Events specific to a role can be shown easily.  Also the services relating to that role are listed in the view.  Overall view shows the roles status.

servermanagercmd -install ?? -whatif tells you what would need to be installed to enable a role.

Check out SVR312 session or deck.

Event forwarding should really help monitor tablets, especially errors.  Event viewer custom views will be really useful, it is the same idea as filtering today but you can save the filter set for easy recall later.

Task scheduler is amazingly more robust.  You can have a task fire on a trigger.  Also the task can be controlled with much greater granularity.

You can search for GPO settings now and also add your own notes to add knowledge as to why the setting was used.  New All Settings view, has literally thousands of settings.  It can be searched and filtered however.  Makes it easier to find settings.

WSUS 3.0 is MMC based not web based, woo-hoo.  Built in cleanup wizards, about time.

This session is being given by one of the people Johan mentioned in his talk, which gives me hope it is a good session.  This session seems to be more of an introduction to BDD2007, hopefully they will go more into how-to.

Refresh as a re-imaging option seems to have promise, I will have to test it for next summer.  Need to research Windows Deployment Services for further automating the image deployment process.

Good intro to actual usage methodology.  Richard walked through the entire process of creating a lite touch deployment and running through it.  He had recorded screen captures to speed the process up since what he did would have taken several hours in real time.

The Zero Touch portion is meaningless to me since we don't use SMS.  A little overkill for my environment.

BDD 2007 gets better over the next year with additional support.

My battery died so I am doing these notes from memory totally instead of during the session.

Exchange 2007 seems to have even more greatly defined the individual roles.  There have also been a few roles added.  The idea of admin groups has been dropped, as has routing groups.  Routing is now defined by the AD sites setup.  New Edge server role is even more hardened for external facing.

The new setup process is much better streamlined and resilient.  ExBPA is integrated and will download the latest knowledge before install runs.  If install fails it will recover at that point rather than fully rolling back.

The install can be fully scripted and much more simply using powershell now.  Powershell seems very powerful and I may be able to very simply replace some if not all of my VBS/ADSI scripts that I have now.

I am interested to see what is new in OWA 2007 and what features will be useful to the remote users.  Quotas now displayed prominently in OWA.  A lot more inline features such as search instead of pop-up windows.  Upgrade Front End (CAS) servers first.  SP1 is going to be adding (back) a bunch of OWA features.

Replacement themes seem easy to create.

I wanted to come to this session to see if there is anything I am missing in MOSS, haven't dug in very deep myself.  I am hoping to get some ideas to take back to everyone else.

This session is very heavy on workflow.  For me, while interesting, the majority of it is beyond the scope of what we will be using MOSS 2007 for.  I was hoping for a little broader intro to the parts of MOSS.

Infopath is something we might be able to use to recreate some forms more easily.

Sharepoint conference next year.

This session is about troubleshooting more than the new features in Vista GP.

Sound problems in room S330 again, just like last afternoon.

To create the GP Central Store:

\PolicyDefinitions in SYSVOL
\EN-US inside the above
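As an added example (mine, not from the session), the two-line recipe above as a PowerShell function: it creates the PolicyDefinitions folder and its en-US language folder in SYSVOL and copies the local ADMX and ADML templates into them. It assumes you run it as a domain admin on a Vista / Server 2008 box that already has the templates you want under %SystemRoot%\PolicyDefinitions, and that $env:USERDNSDOMAIN is your AD domain name.

```powershell
# Added example, not from the session notes: build the Group Policy central store by
# copying the local ADMX templates and their en-US ADML files into SYSVOL.
# Assumes a Vista / Server 2008 machine, domain admin rights, and PowerShell 2.0 or later.

function New-GPCentralStore {
    param(
        [string]$Domain  = $env:USERDNSDOMAIN,                    # assumed: your AD DNS domain
        [string]$Source  = "$env:SystemRoot\PolicyDefinitions",   # local template folder
        [string]$Culture = 'en-US',
        [switch]$WhatIf
    )
    $store   = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $langDir = Join-Path $store $Culture

    foreach ($dir in @($store, $langDir)) {
        if (-not (Test-Path $dir)) {
            New-Item -ItemType Directory -Path $dir -WhatIf:$WhatIf | Out-Null
        }
    }
    # .admx files go in the root of the store, .adml files in the language folder
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -WhatIf:$WhatIf
    Copy-Item -Path (Join-Path (Join-Path $Source $Culture) '*.adml') -Destination $langDir -WhatIf:$WhatIf

    # Report what is now in the store so a stale or half-copied store is easy to spot
    New-Object PSObject -Property @{
        Store     = $store
        AdmxCount = @(Get-ChildItem -Path $store   -Filter *.admx -ErrorAction SilentlyContinue).Count
        AdmlCount = @(Get-ChildItem -Path $langDir -Filter *.adml -ErrorAction SilentlyContinue).Count
    } | Select-Object Store, AdmxCount, AdmlCount
}

New-GPCentralStore -WhatIf    # dry run first; drop -WhatIf to actually create the store
```

One thing to remember once the store exists: GPMC reads templates from the central store instead of the local PolicyDefinitions folder, so every time a new OS or IE release ships new ADMX files they have to be copied into SYSVOL again or the new settings simply will not appear in the editor.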

GPOGuy.com

ADMX Migrator

SysProSoft PolicyReporter

Look up folder redirection logging keys

Computer | Admin Temp | System | Verbose vs Normal status messages - really helps impatient users.

Great Session.

Funny, good start.  It looks like some of this will also be bringing attention to things that were released in 2003 R2.  You can have a File Server Role.  Roles seem to be the extension of the installed features method in 2003.

Single Instance Storage on NTFS is going to be available in all versions of Server 2008, not just in Storage Server edition.  About time.

It seems this session should have been titled Server 2003 R2 features that have been enhanced in 2008 or Features in 2008 that were also in 2003 R2 but you didn't know about.

It sounds like the way 2008 treats the users will not change at all from 2003 R2.

Good session, but not labeled correctly.

This session is about Volume Activation 2.0.  Which comes down to MAK or KMS.  I am going to have to deploy KMS and want to see some more info on it.  So far this session has been an explanation of how the activation methods work, not as much about how to do it.

KMS can monitor MAK activation as well to some extent which can be useful.

The idea of having one presenter ask questions of the other presenter on just presented material is not a good presentation method.  It just feels like a very forced way of repeating info.

I have a better understanding of VA2.0, however I don't really know anything about deploying KMS.  It sounds like people aren't happy about the KMS 25 machine minimum limit.

My goal for this session is to better understand what BDD can do for me and how to use it to deploy Vista.  Then I can hopefully go back and get it working.  I thought the title sounded familiar.  I have used this presenter's website to get some ideas already, really glad I came.

Driver injection seems very powerful and easy to utilize.  Seeing this in action I think I may have to reconsider moving all my older images to BDD and not use the older imaging process.  It is really cool.  I thought my current process was easy, but I think this will even further simplify it.

Re-imaging in the summer could potentially get much cleaner and easier as well.

Important XP Sysprep Hotfixes:
KB888111
KB883667
KB890463

You can target the settings based on many different criteria.

http://blogs.msdn.com/benhunter
http://blogs.msdn.com/mniehaus

He had seen the bug I am having, but couldn't remember the fix.  I may email him if I still can't work around it.

I must admit about 90% of the reason I am here is Steve Riley.  I have always enjoyed his sessions.  I am also interested to hear what he has to say on this topic.  Since the keynote ran long the session is starting 15 minutes late.

As usual Steve is roaming the audience while speaking.  He remembered to introduce himself after a few minutes for those who are new.  Then started with the MS / Starbucks coffee machine bug post from someone's blog.

Trust the data or trust the client?  Is it mutually exclusive?  Everything (everyone) coming in is evil until proven otherwise.

Physical Security is step one.  Lots of things to consider.

Internet Application Gateway 2007 == Microsoft's implementation of SSL-VPN.  Something that I was not familiar with.  It seems interesting, not sure how I would use it though.  Now I have an idea: RDP gateway.  More investigation needed.

IAG doesn't have everything that ISA has, but it does have a much larger feature set.  Only available as a turnkey appliance not standalone software.

It seems that a lot of the System Center suites are too large for my network, it seems MOM or SCOM now is overkill for 10 servers.  I might be wrong though.

Do you have an incident response plan?  Most don't.  Document everything.

Great session!

Presenter - Gary Henderson

Gary is a good speaker, got the crowd going really well at the beginning of the session. Many people in audience have already been to WSUS, so Gary is going to focus on new demos.

True management console is now a part of WSUS. Better control of which group of machines an update goes to.

If you have a single SUS server, just install WSUS on the same server. One way from SUS to WSUS, no going back. Use the migration tool to synchronize SUS to WSUS.

Install update on shutdown for XP SP2 will be available once the server is upgraded to WSUS.

Very good information, really looking forward to deploying in my environment.

Presenters - Steve Riley and Jesper Johansson

This is a session that was going to be a cabana talk, however they moved it to another room. Which also filled up totally.

It has been said before and will be said again, your network (yes you) is not secure.

Oh in case anyone wonders I am the guy who has gotten a call saying I am doing a good job. I work at an all girls K-12 school, where people give positive reinforcement.

The security triangle - only get two - Usable, Secure or Cheap. Similar to the traditional triangle - only get two - Cheap, Fast or Good. Balance is the key.

My battery died at this point. Mostly they went over their 10 (or so, actually 13 now) security myths. Either grab the slide deck or read their book. Highly recommended.

Presenter - Scott Schnoll

Problems:
Unwanted messages are the #1 concern: phishing scams (identity theft), spam, viruses.
Don't want to lose good messages when filtering out the bad. Better to let the bad in than to miss the good.
Solutions:
Connection Filtering - RBL
Sender Filtering
Recipient Filtering
Intelligent Message Filter
Anti-Virus (What happens with Sybari?)
E2K3 SP2:
Updated SmartScreen Technology
Anti-Phishing Technology
Sender ID Framework
Need to get Sender Policy Framework set up for RPCS.
SPF Record Wizard - http://www.anti-spamtools.org

In case anyone in the session during Q&A is wondering, Sender ID is not simply an on/off. It is just an additional check for determining the SCL. I feel bad for Scott having to deal with that first question.
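To make the SPF / Sender ID point concrete, here is an added example (not from the session or from Exchange itself) that evaluates a sender IP against a constructed SPF record and then folds the verdict into an SCL score instead of treating it as accept/reject. The domain names, TXT records and SCL weights are all made up for illustration.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real domains).
SAMPLE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:mail.example.test -all",
    "mail.example.test": "v=spf1 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=SAMPLE_TXT, depth=0):
    """Return an SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for sending IP `ip` against `domain`'s record.
    Handles the ip4, ip6, include and all mechanisms; a/mx/ptr need live DNS
    and are skipped here. The depth limit mirrors the RFC's lookup cap."""
    if depth > 10:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the included record yields "pass"
            if check_spf(ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # other mechanisms and modifiers (a, mx, redirect=, exp=) are ignored
    return "neutral"


# Illustrative weights only: how much each verdict nudges the SCL (0-9).
SCL_ADJUSTMENT = {"fail": 3, "softfail": 1, "pass": -1}


def adjusted_scl(base_scl, spf_result):
    """Treat the SPF verdict as one input to the spam confidence level,
    as the notes describe, rather than as an on/off block switch."""
    return max(0, min(9, base_scl + SCL_ADJUSTMENT.get(spf_result, 0)))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        verdict = check_spf(ip, "example.test")
        print(ip, verdict, "-> SCL", adjusted_scl(4, verdict))
```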

Presenter - Marc Shepard

WSUS is the new version of SUS. I will be installing it as soon as I get back to office. I didn't go to the earlier session due to conflict. Going to the update session tomorrow.

Brief overview of WSUS. Get updates from the new Microsoft Update, which encompasses more than Windows Update did. Very robust reporting in comparison to SUS.

Minimize Downloads - Configure Auto-Approve for scan and detect, Approve updates only if needed.
Emergency Updating - Approve update with deadline in the past. Use GPO to push down shorter polling policy.

WsusUtil /reset
WsusUtil /move
WsusUtil /deleteunneededrevisions
WsusDebugTool /Tool:PurgeUnneededFiles

Avoid network saturation - Stage rollout, use BITS throttling, IIS throttling, host express install files.

His demos weren't quite scaled right. Then someone in audience told him. Showed the command line and results on demos, but didn't really go into detail as to what and how they were working. The presentation kind of lost steam near the end. Most of the people in the audience were IT and he went more into developer ideas. He lost the crowd for the most part I think.

Presenter - Austin Wilson

This is probably the most forward looking of all the sessions I am going to. This will affect me in the coming year, but most likely won't affect my students or faculty even in the 2006-07 school year.

Top Security Challenges
Implementing defense in depth, Rolling out updates efficiently, Managing access, Reduce frequency of updates, Better guidance on security threats.

Secure startup and full volume encryption.
Service hardening - restrict where and what a service can access
Integrated IPSec/Firewall Console.

Apps are all LUA unless marked otherwise.

Once drivers are staged any level user can install them.

Security is really at a whole new level for Longhorn.

Hopefully I will get to implement these features sooner than later.

Presenter - Chris Wanner (HP)

AMD Opteron - x86-64, HyperTransport, Integrated memory
The competition between AMD and Intel is good for everyone.
64-bit Extensions - Not really new, just new to x86. New to volume market. Allows for continued scalability while preserving compatibility.
Dual-Core Tech - Another vector to increase performance, relieve pressure on cache and core frequency. Opteron designed from beginning with Dual Core in mind.
Virtualization - Creation of multiple Virtual Machines. HW Virtualization commits unnatural acts. Current hardware was not meant to be virtualized.
Blades - Networking, Storage and power integrated into the enclosure rather than the blade itself. Complete solution that integrates the blades together.

Nothing earth shattering in this session. Just more depth on issues I already knew about. I would have loved to know what the trio of Intel guys thought about the presentation. Chris tried to be even handed, but there was a great deal of the presentation that said AMD = good and Intel = bad.

Presenter - Jesper Johansson

Luckily they repeated this session, I was torn between it and the other session I went to in the original time slot. Running the Security Configuration Wizard on all of our servers is a goal for the summer.

Your network (yes you!) is not secure. It may be protected, but it isn't secure.

Defense in Depth is key. Many layers of security are needed, a firewall isn't enough. Isolate the laptops from each other, why do they need to talk. The goal of security management is to have nothing happen.

SCW is not in default install. It must be added via add/remove.

Lock down ports based on IP.

Audit templates cannot be rolled back.

SCW takes precedence over SCE.

Jesper really likes the command line.

Presenter - Scott Schnoll

Session started with ExBPA, as you can see from previous entries I went to an entire session on ExBPA. Not many comments until next topic.

Exchange 2003
ExMon - Real time performance data collection.
MSSearch - Check status of Full-Text Indexing.
Suppress OOF to BCC distribution lists.
Preserve custom system notifications.
Block specific MAPI clients.
Create a catchall mailbox.

Outlook 2003
Disable MAPI Compression.
Configure RPC over HTTP polling.
Optimize .OST

Outlook Web Access
Customize Logon Page
Segmentation
Controlling Freedocs
Forms Based authentication inactivity time-out
Spell check throttling
Create Custom Theme
Publish more or less free/busy data
Enable Change Password
Outlook Web Access Administration Tool - New to me
View SCL in Outlook Web Access

SEC325 - Security Policies


Presenter - Steve Riley

The first time I saw Steve talk was in early '99 in a basement ballroom in Seattle for a Windows 2000 airlift. I have seen him talk several times since and he always is good, both in presentation and content. The webcast program just popped up and said Steve wasn't talking enough, not usually a problem. Steve does his entire presentation while walking around the audience. Very interactive session.

Security Policies fail for four reasons.
1. Barrier to progress
2. Security is a learned behavior - Infosec is often unintuitive
3. Expect the unexpected - Expect failures and disasters
4. There's no perfect mousetrap - Threats always exist

Identity theft is impersonation. Same old threats from the beginning of time, just different attack vectors.

Policy authors must consider impact on workflow. The effectiveness of policy must be evaluated. Management doesn't understand the importance of servers or ramification on business if they are lost or down.

Poor perception of risk. Awkward exception handling. Trusting the computer not the person on digital signature. People want security, but not if it gets in the way. Malicious insiders. Social Engineering.

Policy is the what and even more importantly the why.

Another good one Steve.

Well I think my memory is a little blurry. I think the person I thought was Fred the other day is actually Aaron Margosis, the presenter of this session. Hmm. Yep, it is confirmed: I am either remembering the name wrong or I have no idea what I am talking about. Probably both. Yep, he works for the Federal Group, so this is the guy I am remembering, just the wrong name.

Presenter - Aaron Margosis

I am really interested in this session as it has real impact on my work life. With 450 student machines spyware is a big problem. If I can figure out a way to get the students running as something other than administrator it should help a lot. The challenge is not preventing them from doing anything they could do before, or at least not make it too hard.

Power Users is not non-Admin
LUA Bug = Feature works only as admin
Bad guys are now more powerful and more organized.
Non-Admin stops many rootkit methods. LUA rootkits are easier to detect.
XP and 2003 blank password accounts only have local access.
In cmd color command.
MakeMeAdmin - short term elevation for a single application.
LUA is "Not the answer"
Attackers will go after LUA users once it is necessary.

Lots of good info, now just to try it.

Presenter - Mark Russinovich

This is another session where I am looking forward to the presenter as much as the content. I have seen several of Mark's presentations over the years and they are always good.

There is a lot of spyware out there and most of it is really bad. Buffer overflows are the most common vector for well known and fast spreading attacks. Lucky thus far that no one has been able to cause real destruction. Data Execution Protection is on for all applications and drivers for 64-bit Windows.

Lots of delivery methods, pop-ups, roll-overs and others. Make sure you hit the red X not any other button looking graphic.

Sigcheck - Verify digital signatures.
Autoruns - Check more startup locations than msconfig.
Process Explorer - Task Manager on steroids.

Suspend all the malware and then kill at once.

Rootkits are newer and more evil malware. Rootkits attack the tools that detect them. RootkitRevealer vs HackerDefender.

Another great session and great presenter.

Presenter - Jesper Johansson

Looking forward to this session as much because of the presenter as the topic. Need to get the book he wrote with Steve Riley. He started off by getting crowd clapping along with Queen's "We Will Rock You". He then walked around in the aisles while doing his presentation. At some points going back to podium for demos.

People may not want to hack you for your information. One example, a hacker may just want to add themselves to the automated payroll. This presentation is not about script kiddies, this is about higher level hacking. These types are attacking methodologies not attacking security faults in programs.

Great pictures throughout the presentation.

Port scan "refused" = firewall port open, but not sure what is beyond it; nothing currently responding.
Bad guy won't use your interface, just your methods.
Shared service accounts are bad.
Look at outbound server filtering.
Isolation between servers.
Too much dependence on a domain admin account.
If foreign code had been run on a machine, it can never be trusted again.
Disable LMHASH.
Once you have the HASH you can use for Challenge/Response using the hash, no need to crack password.

Great session, now I need the book.

MSG350 - Life of an Email


Presto changeo we are now in another session. At this point they are covering the places an email is stored, either locally or on Exchange. Details of OAB. What happens when a user sends mail, either online or offline.

Troubleshooting Outlook to Exchange connection problems, often DNS. Check available ports. RPC over HTTP another goal for this summer.

How do messages get into transport? Lots of ways really. Message routing within Exchange. Checking queues. Categorizer. Delivery of public folder destined messages. While passing through transport, filters are also applied. Link state table and routing groups. Remote delivery, errors either 400 or 500 level.

Cool session with lots of real deep technical details.

Presenter - Edward Bell

Well I think I may have chosen poorly with this session. I was hoping for something on Windows Update or WSUS. It seems it is more going to focus on SMS 2003. I will see what I get out of it. Maybe not, I think I will head to Life of an E-mail.

MSG364 - ExBPA


As I was walking into the session room I saw Fred (can't remember last name and he wouldn't remember me). He basically came up with the idea of recording TechNet road show like sessions and then distributing them. They were on CD at the time, now of course they are webcasts. I even did one on SMS 2.0, it was pretty crappy if I do say so myself and I doubt it was even used.

Ok back to the session at hand. Watching the presenter table it appears there seems to be some problems with the KVM switch, hopefully they can figure it out in time.

Presenter - Paul Bowden

I am fairly sure I remember seeing sessions by Paul at previous TechEds. ExBPA is really a cool idea. Integrate a lot of the knowledge of PSS and Developers and then put it in the user's hands and enable it to be easily utilized. I know what the tool is and I mostly want to see new ways to use it.

Main goal with ExBPA was ease of use. The idea was download and run with no other configuration. As long as you can enter correct credentials you can run the tool. Automatic updating is key, since there are always new kinds of knowledge that can be used in analysis.

Well my tablet battery finally died during this session so I am transcribing some handwritten notes for this last bit.

There are other BPAs, which I didn't know; currently they include SQL and soon there will be others. The ExBPA gathers and analyzes 1500 data points. It is a two step process, first collection over LAN/WAN and then local analysis of the results.

By the end of the month ExBPA 2.1 will be released and it will add performance metrics and analysis. In the October time frame 2.5 will be released. I imagine near the SP2 time frame and it will add an E12 upgrade check.

First this session is also in the keynote hall. I really looked at either side of the stage and I agree with my earlier statement that the left side is better than the right. Both more in focus and better contrast.

Presenter - Gianpaolo Carraro

Cover SP1, x64, R2 and a bit on Longhorn server. Platform trends - Dynamic Systems Initiative and Trustworthy Computing.

One of the handy things in this session is that on certain slides there is a pointer to a drilldown session on particular subjects. R2 enhancements that mean a lot to me are x64 and Storage Management. I need to figure out what Identity and Access Management means in my space.

Longhorn + IIS7 XML based IIS configuration file.

For me this session was probably too high level and overview. Which was what it was supposed to be I guess. Gave me some good ideas of what else I want to see this week. A little too much info in the allotted time, needed to cut a few slides or ideas.

Presenter - Konstantin Ryvkin

The presentation began with an overview of Microsoft internal Exchange architecture both past and present. Further detail on current Exchange layout was then offered.

NtBackup had problems with cache contention on disk to disk backups. The MS IT group requested the Server Development group fix the problem. Apparently the SRV Dev group doubted their findings but did eventually relent. The SRV Dev group gave MS IT a new switch to enable File Unbuffered mode, the /FU switch.

Next section is how mobile messaging works at MS. Very broad methods of access and different devices. Have to get HTTPs/RPC working this summer for students and faculty.

After mobile the presentation went to Internet mail. All mail goes through several stages. First is spam filtering and then onto virus scanning. Lastly it is delivered to back end servers. The idea of using multiple Virtual Servers for tracking purposes.

The last section is a drill down on Anti-Virus and Anti-Spam. 85% of MS incoming email is filtered at gateway level. They use multiple antivirus scanning engines, which tells me they are using Sybari Antigen. This makes sense of course since they are now owned by MS.

This session was another good one. Unfortunately it is mostly ideas that I can't leverage with my meager 1000 users and single server. However it is good to know those ideas since some scale down to my scale of infrastructure.

I got to the session close to 15 minutes late. The main reason for that was the lateness of the keynote. The other two reasons were that I had to login to CommNet and figure out what session I was going to and printed out my agenda. Then the room for this session I think was about as far away as possible from the keynote location.

I missed the first few minutes of session but I don't think I missed too much. The session started out with some history of AD deployment at Microsoft. Then it went into upgrade and migration of AD either from NT4 or 2000 and how to manage significant changes. Key idea there is don't do it all at once.

The next section of the session was about disaster recovery and planning. Some bits on dedicated sites followed. There were details on why MS has a dedicated site for Exchange and why you should really consider why you think you might need one. Mostly there aren't as many reasons for dedicated sites as might be thought.

The goodness of x86-64 comes up next. Short version is that lots of RAM is good, especially if you have a huge AD database. Also Exchange really likes 64-bit servers because it is terribly random in its AD queries. Low end = Intel EM64T, High end = AMD64. Interesting. Later mentioned this is because that is what the vendor offered.

AD/DC tweaks is the next set of slides. The tweaks sometimes are dependent on number of processors and other times just general suggestions.

Server Performance Advisor - new cool tool, well new to me.
Ultrasound - monitor FRS

Thanks for a good session.

About this Archive

This page is an archive of recent entries in the Session category.
