Scotty

Server and Security thoughts
James O'Neill saves what is left of my sanity

For weeks, on and off, I have been trying to find a long-term solution to Hyper-V not being able to use my laptop's wireless connection for virtual machines, which is a significant limitation on mobility.

On top of that, last night I actually managed to make W2K8 crash completely to the BIOS, with no blue screen, while playing with bridged networking and Hyper-V networking. I decided to give up for the evening and catch up with some of the blogs I read every day before bed, and found the following extremely timely post by James, which fixed all my problems straight away.

James O'Neill's blog : Getting wireless access from a Hyper-V VM

James has been doing a fantastic job producing short videos on using Hyper-V, and I would recommend working through them all to get a good start with it.

BitLocker

In a previous job I talked to Steve Lamb about some work he was doing to gather people's experiences of BitLocker, but as that employer had a somewhat less liberal view than my rather more enlightened current employer on who owns out-of-hours work like this, nothing came of the discussion until now.

Having got my new work laptop, a Lenovo X61s with a built-in TPM and XP installed, I set about putting Vista Enterprise SP1 and Server 2008 onto it for various projects.

Largely on automatic pilot, I took ownership of the TPM, saved the resulting TPM password file in various locations, and encrypted the C: drive, again backing up the recovery file in various locations. Nothing unusual. Next I installed the December release of Server 2008, as I wanted to use Hyper-V for testing and demonstrations, and since I was installing the wireless network awareness feature anyway I also installed the BitLocker feature and encrypted its C: drive (a different volume, of course; Vista and Server 2008 are a lot smarter than previous Microsoft operating systems about allocating volume drive letters).

It was only a couple of days later that it dawned on me that, with all the fuss last year about BitLocker breaking dual- or multiple-boot systems, especially those with a non-Microsoft operating system installed (which it does not, if done right), many people will have been scared off using BitLocker. A number of Microsoft and non-Microsoft people have posted ways to save a GRUB boot sector and use the Vista boot loader to start Linux just fine. In addition, if you stop the TPM while you make changes to the boot system and start it again afterwards, as is required when installing Vista SP1, new measurements of the boot files will be taken and all will be just fine. Anyway, if you follow the wizard and save appropriate copies of the TPM and volume recovery files, you will be able to use the recovery console and access your system just fine.

Don't be scared of BitLocker: understand it and you can realise a significant boost to the security of your systems and data. I do not have Linux on this machine at the moment, but I have built machines before with an XP partition, two Linux partitions (/ and swap) and a Vista partition, in that order. Put the XP partition on first: XP assigns the C: drive to itself, and as it will not be encrypted it provides the later BitLocker install with a location holding the necessary 1.5GB of free space for the boot files, which must be unencrypted but are still measured (TPM parlance for validity-checked at each boot). Install your Linux of choice and use dd to save its boot sector to the XP partition. Install Vista, which will overwrite the Linux boot sector; add the saved Linux boot sector as an option using BCDEDIT, take ownership of the TPM and encrypt the Vista C: drive.

As noted above, you can install multiple copies of Vista or Server 2008 and encrypt the volumes independently; each will have a separate volume recovery file, and you will have a single TPM recovery file.

One thing for those of you building machines in a corporate environment and wanting to use BitLocker (which, unless you hold nothing that could compromise you, your clients or your staff, you would in my humble opinion be mad not to): if you script BitLocker from the command line before you join the machine to Domain Services, the recovery keys are not stored in the directory. The machine must be domain-joined before BitLocker is started for it to save the recovery keys to Domain Services automatically, and you must have extended the schema appropriately as well.

One of the reasons I tend to work like this is that I use multiple installs to separate my work and test environments, especially as much of the testing involves beta software and thus does not always have anti-virus installed; while I have been lucky up to now and never knowingly had a problem, I believe in limiting my risk. While I was writing this I saw the write-up of an attack vector against Windows systems over at http://www2.gmer.net/mbr/, of which I have included the initial section below. Please read it through to see where I am going.


Stealth MBR rootkit

Jan 2nd, 2008

In 2005 Derek Soeder and Ryan Permeh, researchers from eEye Digital Security, presented eEye BootRoot. The technique used in their project wasn't new and had been popular in DOS times, but they first successfully used it in Windows NT Environment. The eEye Digital Security researchers skipped one part - BootRoot didn't hide the real content of affected sectors like old DOS Stealth MBR viruses, but it had only been created to show the possible way to compromise Windows NT OS.

Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack; however, the first sectors of disk are still unprotected!

Rootkit in the wild

At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected.

"Good points" of being MBR rootkit:

  • full control of machine boot process: code is executed before the OS starts
  • rootkit does not need a file: code could exist in some sectors of the disk and it cannot be deleted as a usual file
  • rootkit does not need any registry entry because it is loaded by MBR code
  • to hide itself, rootkit needs to control only a few sectors of the disk

How MBR rootkit works:

  • Installer
  • MBR loader
  • Kernel patcher
  • Kernel driver loader
  • Sectors hider/protector
  • Kernel driver
  • Detection
  • Rootkit removal

One of the things a TPM does during startup is to check that the boot information has not been modified since it last measured it, to ensure that it is booting the system in the state it has been told to expect. Turn on your TPM and encrypt your Vista partitions, and regardless of what the XP, Linux or even another Vista partition does to the boot information, the TPM will detect the change and warn you on the next boot. Those installs have no direct access to your encrypted partition to read or write data either, unless you were to leave the recovery files on an unencrypted partition and a program or user were smart enough to find and use them.
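As an added illustration, not part of the original post or of any Microsoft code, the following Python models the measurement the paragraph above relies on: under the TCG PC Client convention the BIOS extends the MBR boot code into PCR 4 and the partition table into PCR 5 using the TPM 1.2 extend rule, so a boot sector rewritten by an MBR rootkit (or by another OS install) no longer matches the values BitLocker sealed its key against. The sample sectors are constructed; a real check would read sector 0 of the disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446   # bootstrap code the BIOS hands control to
PART_TABLE_LEN = 64   # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"

def build_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR sector (used here only to construct the samples)."""
    sector = (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
              + partition_table.ljust(PART_TABLE_LEN, b"\x00") + MBR_SIGNATURE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot code or partition table too long")
    return sector

def split_mbr(sector: bytes) -> tuple:
    """Split an MBR into (boot code, partition table); reject anything else."""
    if len(sector) != SECTOR_SIZE or sector[510:] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    return sector[:BOOT_CODE_LEN], sector[BOOT_CODE_LEN:BOOT_CODE_LEN + PART_TABLE_LEN]

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 1.2 extend rule: PCR_new = SHA1(PCR_old || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measure_mbr(sector: bytes) -> dict:
    """Measure the MBR as a TCG PC Client BIOS does at power-on: boot code into
    PCR 4 and partition table into PCR 5, each starting from an all-zero PCR."""
    boot_code, table = split_mbr(sector)
    zero_pcr = bytes(20)
    return {"pcr4": pcr_extend(zero_pcr, boot_code).hex(),
            "pcr5": pcr_extend(zero_pcr, table).hex()}

def compare_to_baseline(sector: bytes, baseline: dict) -> dict:
    """Per PCR, True when the current measurement still matches the sealed baseline."""
    current = measure_mbr(sector)
    return {pcr: current[pcr] == baseline[pcr] for pcr in baseline}

# Constructed samples: a disk with one bootable NTFS partition (type 0x07) at LBA 2048.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c constructed boot code", NTFS_ENTRY)
# The same disk after its boot code was rewritten, which is what an MBR rootkit loader does.
CODE_PATCHED_MBR = build_mbr(b"\xeb\x58" + CLEAN_MBR[2:BOOT_CODE_LEN], NTFS_ENTRY)
# The same disk after a second OS install added a Linux partition but left the boot code alone.
TABLE_CHANGED_MBR = build_mbr(CLEAN_MBR[:BOOT_CODE_LEN], NTFS_ENTRY + struct.pack("<B3sB3sII", 0, b"\xfe\xff\xff", 0x83, b"\xfe\xff\xff", 206848, 409600))

if __name__ == "__main__":
    sealed = measure_mbr(CLEAN_MBR)   # the state BitLocker would seal its key against
    print(compare_to_baseline(CODE_PATCHED_MBR, sealed), compare_to_baseline(TABLE_CHANGED_MBR, sealed))
```

The two cases show why the TPM distinguishes a rewritten boot sector (PCR 4 changes) from a repartitioned disk (PCR 5 changes), and why either one sends BitLocker into recovery until the TPM is told to expect the new state.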

I am using this little laptop, with its slow mobile drive and BitLocker-encrypted virtual hard disks for Hyper-V, for small-scale testing just fine, and Vista's performance is fine for everything I do even with the machine used as a road-warrior knowledge worker, and I feel a lot more secure about the client and personal data I store.

Oh, and for those sceptics about backdoors etc. in BitLocker: Microsoft and the staff on the BitLocker team have been very vocal about there not being any, have recently published the algorithms behind BitLocker, and expect to obtain US Federal FIPS accreditation this year.

Registered for Server 2008, Server Administrator & Enterprise Administrator beta exams

I am booked in for 71-647 on the 16th, up in London in the evening, and 71-646 on the 18th, again in the evening. I have never been to either test centre before, but my local centre only has the 10th for both of them and I sadly don't have the time to study enough between now and then to stand a chance of passing.

Best thing, for those of you not familiar with the beta exams: they are free.

If you want to give them a go, follow the link below for the information on how to register, promo codes etc., and good luck. The beta period ends on the 18th, so you will need to get a move on.

"So, a booth babe and a geek walk in to a bar..." : Keep Clam and Carry On: open now for registration

Posted: Jan 06 2008, 02:55 PM by Scotty

Bink.nu | Windows Server 2008 is in Escrow! RTM build planned January 16th - Bink.nu

Now if this is true and everything goes OK during the final stages, I will be very pleased.

I am already running a number of my live services on RC1 with no problems worth writing home about, and Hyper-V, apart from needing US English installed, is real nice to use too.

Bink.nu | Windows Server 2008 is in Escrow! RTM build planned January 16th - Bink.nu

Posted: Jan 04 2008, 04:14 PM by Scotty

Ask the Directory Services Team : Which KB articles resolve the most Directory Services issues?

Support Active Directory Domain Services? Then this is an invaluable list for your reference.

Ask the Directory Services Team : Which KB articles resolve the most Directory Services issues?

James O'Neill's blog : Inspector Morse is dead, alas.

Read this one through if you are interested in some thought-provoking links to very well-considered thoughts on our identity and security in relation to the state and police powers.

James O'Neill's blog : Inspector Morse is dead, alas.

Posted: Jan 02 2008, 09:00 AM by Scotty

Windows Automation Snapin for PowerShell - Home

I don't normally post on PowerShell, as these days I seldom get the chance to do anything out of the ordinary, but while looking for ways to use PowerShell to control some automation I came across WASP (Windows Automation Snapin for PowerShell - Home), which looks very promising indeed.

December Server 2008 CTP - Hyper-V failing to start!

If, like me, you installed the December CTP, chose an install language other than en-US and found that Hyper-V failed to start, the sad news is that you, like me, will have to scrap the install and redo it leaving the language as US English, then change the language and keyboard layout post-install and re-add the Hyper-V role.

Very annoying, as this bug was just closed on Connect as resolved with no further information, and RC1 and the previous builds of the last couple of months did not behave this way, working flawlessly.

Hyper-V, apart from this, is a dream on my Lenovo X61s, with very good performance in my humble opinion.

Posted: Dec 27 2007, 04:18 PM by Scotty

Changes in functionality from W2K3 to W2K8

Anyone contemplating deployment, evaluation etc. of Server 2008 should read the Microsoft document over at [http://www.microsoft.com/downloads/details.aspx?FamilyID=173e6e9b-4d3e-4fd4-a2cf-73684fa46b60&DisplayLang=en], which details in 336 pages the changes you will encounter on your journey from Server 2003. A good document, which I am reading yet again as it, like Server 2008 itself, is still beta, so keep an eye out for changes as they happen.

Those of you still using Windows 2000 are in for a lot more work, I am afraid. Although the changes from Server 2000 to Server 2003 and from Server 2003 to Server 2008 are, in my opinion, not insurmountable, my gut instinct is that Windows 2000 'shops' are going to feel some real pain going from Server 2000 to Server 2008 unless they prepare.

One of my current projects has been working through the Microsoft Software Lifecycle [http://support.microsoft.com/gp/lifeselect], and 2010 will be an interesting year, interesting as in the Chinese curse "may you live in interesting times". Server 2000 will exit Extended support in 2010 and effectively be unsupported, and Server 2003 will have transitioned from Mainstream to Extended support as well, based on the assumption that Server 2008 does indeed ship in 2008.

That leaves the big question for organisations still using Server 2000, not a small number in my experience here in the UK: what will be your strategy? If you and your organisation do not have at least a plan, get one and be prepared to revise it as time moves forward. Which takes me back to the Microsoft document on changed functionality: reading it and understanding one of the options for your organisation's future comes highly recommended.

Posted: Dec 24 2007, 05:24 AM by Scotty

Ask the Directory Services Team : Troubleshooting networks without NetMon

I have just finished reading this article and would recommend it to anyone supporting Domain Services who suffers the routine dumping of everyone else's problems into their support queue.

Ask the Directory Services Team : Troubleshooting networks without NetMon

Posted: Dec 24 2007, 05:16 AM by Scotty

Some odd shoes visiting the Windows Vista Showcase at TVP

http://blogs.technet.com/curiousgeorge/archive/2007/12/20/which-microsoft-mvp-most-valued-professional-is-wearing-these-shoes-today.aspx

Server 2008 Launch Event pre-registration opportunity

https://profile.microsoft.com/RegSysProfileCenter/wizard.aspx?wizid=1b393ae8-7c1e-4e79-8602-3830cdd08ee1&lcid=2057 is the link to follow to get several hours' advance notice of the registration site going live for the launch, which will be at the ICC in Birmingham on the 19th of March.

If you are already signed in with a Live ID it appears to go straight through to the MS home page; otherwise you will need to log in with a Live ID first.

The launch will cover Server 2008, Visual Studio 2008 and SQL 2008, will have a maximum capacity of 2000 IT Pros as I understand it, and from what I have been told all attendees will receive 'product'.

Posted: Dec 19 2007, 06:23 AM by Scotty

Why I hate fingerprint scanners

http://www.metacafe.com/watch/886450/fingerprint_system_nightmare/ is a bit annoying if you have the audio on, but otherwise a very good example of why fingerprint readers should not be used, in my humble opinion.

I have twice seen fingerprint scanners defeated in real life: once using a very similar technique, but a bit more CSI with the use of fingerprint powder, and once by simply exploiting a known hardware flaw and shorting out the reader, which caused it to replay the last scan and unlock the machine.

The time before last in the Microsoft staff shop in Redmond, there was a very nice sign on the Microsoft keyboard and fingerprint reader making it very clear that the fingerprint scanner was not allowed to be used on Microsoft machines.

Posted: Nov 01 2007, 05:22 PM by Scotty

Two what's and a who - prelude

For the past few months I have been spending a lot of project time on a PKI design and training for a client, so I have had more time than usual these days to think about certificates, smartcards, identity etc.

As a result I am going to blog some thoughts over the next while on what we have, what we know and who we are, drawn in part from the project, from discussions with friends and from some tech events.

Quest Connect

If you have some free time and the wherewithal to make it to Seattle for the 15th of October, and want to learn more about Active Directory in Windows 2008 and Exchange 2007, then check out Quest Connect (https://www.spgeventformer.com/quest/2007/connect/agenda.cfm), an excellent opportunity to meet many fine people from Microsoft and Quest, including the very talented Dmitry Sotnikov of PowerGUI fame.

If you do, let me know and we can organise to meet up.
