Even if you are unable to attend Tech-Ed, there’s no reason to miss out on all the great sessions that take place at it.  During the conference, some sessions are simulcast via the Virtual Tech-Ed website (so you can listen to and see the presentation live) and all the sessions are available as part of a DVD set a month or two after the conference (and if you can’t get your employer to pay for that–it might be time to re-think your choice of employers….)

This morning I watched a simulcast of the ”Why I Can Hack Your Network in a Day! (Level 300)” session by Marcus Murray.  It was another great Tech-Ed security session in the tradition of Jesper Johansson and Steve Riley.  I’d strongly recommend that you watch if you have any degree of responsibility for IT security (whether it’s the client, server or network.)

Marcus did some really good demos of how easy it is to hack most networks.  The hash-injection and RDP demos made me really appreciate some of the decisions I made in the past (and fortunately no one could hear me laugh when I realized how exposed some environments are.)

Links:

Virtual Tech·Ed Home 
TechEd DVD 2007
Marcus Murray’s Blog (with notes from his presentation)

Billed as “Canada’s IT Volunteer Matching Exchange” this is an initiative to match IT pros with charitable/non-profit organizations that are in need of IT assistance.  It just got started this week and there are already 225 volunteers registered!

http://matchit.ca/

Preventing the disclosure of sensitive data stored on laptops is not a new concept–security conscious organizations have encrypted the data on their laptops since the days of DOS (although back then it was a lot of work and required expensive third party software.) 

Fortunately, it is now quite easy to encrypt the data on a laptop–it’s maintaining access to that encrypted data in the long run that is difficult (ie. can you regain access to the encrypted data when the keys are lost or forgotten???)

Some good news is that Microsoft has released a “Data Encryption Toolkit for Mobile PCs” that includes a Planning and Implementation Guide and and an EFS Assistant that will make it a lot easier to implement BitLocker and/or EFS.  I’ve also included some notes, tips and links below that should help you keep your laptop data safe.

Windows XP/Vista – EFS

Microsoft’s Encrypting File System (EFS) has been around for a long time–but for some reason organizations have been slow to implement it (possibly because it requres some planning and extra work to implement correctly.)  If you’re running AD and Windows XP then EFS is probably the best way for you to encrypt specific directories/files on your users’ notebooks (although you may want to look at TrueCrypt for your USB keys.)  My advice here is to plan carefully and test everything before implementing in production and make sure that you configure data recovery agents (don’t use the default Domain Administrator DRA.)  Some good resources are:

MS Best Practices for EFS (KB 223316)
TechNet Magazine Articles (February and March 2007)
How to Encrypt Offline Files (KB 312221)
Problems with Offline File Encryption When Users Do Not Have Admin Privs (KB 810859)
TechNet Security MVP Column (December 2006)
How to back up the EFS recovery agent private key (KB 241201)

Windows Vista - BitLocker

BitLocker was introduced with Windows Vista and can secure your whole computer (versus the directory/file encryption possible with EFS.)  It also requires planning and additional work to implement correctly–so you should give serious thought to including it as part of your Windows Vista deployment and plan on buying computers (especially laptops) that support TPM.  My advice here is to plan carefully and test everything before implementing in production and make sure you store your recovery keys (AD is ideal for this.)  Some good resources are:

Data Encryption Toolkit for Mobile PCs
Windows BitLocker Drive Encryption Step-by-Step Guide
MS BitLocker FAQ
TechNet Webcast: Microsoft BitLocker in the Enterprise: BitLocker Tools to Make Your Life Easier

Windows XP/Vista and Linux – TrueCrypt

If you don’t have many laptops with sensitive data, or if you only need to protect the data stored on USB keys then I would recommend looking at TrueCrypt.  It’s an open-source gem that allows you to create encrypted volumes on either your hard disk or external USB storage and can be used with Windows XP/Vista or Linux.  It is powerful and feature rich–the only drawback is there is not really a mechanism to manage it across a large number of computers.

http://www.truecrypt.org/
Script to Launch/Mount TrueCrypt from USB

[Updated June 6, 2007 with link to latest version of Data Encryption Toolkit and TechNet Webcast]

Melissa struck my workplace on the afternoon of Friday, March 26.  Fortunately, it was late in the day when Melissa arrived and only a small subset of computers were running Word/Outlook 97.   I was the Exchange admin and this was before most people had any form of email antivirus–so it was a nasty surprise for me (although it wasn’t the end of the world–I did miss a great dinner at one of my favorite restaurants.)

The clean-up was completed overnight (I had already written some VBA scripts to crawl mailboxes for specific file attachments for a different task–and upgrading these to remove Melissa was fairly easy.) 

VBS/LoveLetter in May 2000 was a different story….

They’re also looking for more volunteers–so if you have some spare cycles, sign up.

- It’s relatively new technology and the rate of change is still quite rapid (with all the headaches that go with that.)  There’s a flood of new tools management tools being released– a new generation of CPUs with built-in virtualization support–and Microsoft incorporating virtualization into the next version of Windows Server (Longhorn.)

- Problems and errors are multiplied.  If something happens to the host server, this will have a impact on all the VMs running on it.  Make sure you have solid change management processes in place before going too far down the virtualization path–as well as a plan for how you will deal with hardware failures.

- Most implementations incur the performance overhead of the host OS (Windows or Linux) and any problems/instability that go with it.  If a serious problem occurs in the host OS, this will impact any VMs running on it.  If you’re currently having problems with server stability–don’t expect virtualization to save you.

- Success breeds VMs.  The number of virtualized servers that you will need to support will increase.  Make sure that you are ready to deal with this workload/complexity.  If you do not have a CMDB for your servers already, then implement one as you start moving to virtualized servers.

- Virtualizing a server doesn’t eliminate all the costs associated with it (remember that the physical hardware is only part of the TCO of that server.)

- Not all vendors will support their OS or application running inside a virtual machine (although fortunately this is becoming fewer and fewer.)  If a vendor is not willing to state their support for virtualization–expect them to use it as the scapegoat for any problems that may arise.

- If you’re implementing virtual servers because of bad software/applications–remember that virtualization doesn’t fix the bad code–it’s just a bigger and better band-aid.  If you take this approach often enough, and you’ll find that you’re implementing extra virtual servers for every application that comes along.

- Moving to a VM platform is similar to moving to a new vendor/hardware platform–even with all the benefits it’s one of those things that makes many server admins a little grumpy/anxious.

1. ’Cause all the cool nerds are doing it…  (Virtualization is now mainstream enough now that your execs are going to read about it in their in-flight magazines–and when they come asking questions, it’s much better if you have an informed response.)

2. Your “Learning” environment.  Virtualization allows you to work with multiple workstations or servers at a much lower cost than using real hardware (not to mention the heat and noise that real hardware generates.)  Even better, many vendors have their OS and major software applications available as downloadable virtual machines (and Microsoft even uses them as part of the regular training curriculum.)

3. Your ”Test/Dev” environment.  This is where most people get started with virtualization. In many organizations it’s always a challenge to justify these servers.  Fortunately, they are not used all the time and are normally subject to light workloads–making them ideal candidates for virtualization.  Even better, both VMWare and Virtual Server provide additional features that allow you to roll-back changes made to the server (which is much better than rebuilding the server from scratch.)

4. Building Client/Server Images.  Anyone that has built images for their client or server infrastructure the “old fashioned” way knows how slow and painful it is (no matter how good you are.)  Doing the non-hardware specific portion in a virtual machine is much, much quicker–especially if you take advantage of the rollback and point-in-time snapshot features.

5. Software Packaging.  In a non-virtual environment, software packaging is slow because you’re always having to go back to a clean machine and it’s a major headache keeping the various builds around that you need to in order to test your packages appropriately.  With virtualization, you can start package quickly when your VM only needs to be run from the hard disk–and it already has your packaging tools running.

6. Appliances.  A number of appliance vendors are now selling virtual versions of what used to be a hardware appliance.  This is a great concept as it is still a hardware/software configuration supported by the appliance vendor but it allows you to run it on whatever hardware you have under a maintenance/support contract (eliminating the “hardware risk” that keeps many organizations from using appliances.)

7. Replacing Old Hardware.  Many organizations have old servers in their datacenter still–and are either paying a whole lot of money for maintenance/support or are praying that the hardware doesn’t fail (as they no longer have a maintenance/support contract.)  If the application can run on a server sold in 2000–it can probably run inside a VM without any problems (and the availability of physical-to-virtual migration tools makes this a lot less painful.)  At the end, you may still be running an NT4 server–but at least you won’t have to worry about the hardware.

8. Isolating Bad Software/Bad Administrators.  A lot of organizations have more servers than they actually should because they have bought bad software, eg. three different pieces of software are needed to do job ’X’ but all three pieces are mutually incompatible and must be installed on different servers to work correctly.  A variation on this is when software requires regular logons with privileged account by an application administrator (making it dangerous to put on server shared with other applications.)  Virtualization allows you to provide all these additional servers–without as much impact on your hardware budget (although your TCO is still taking a hit because of the number of server instances you need to support.)

9. Fault Tolerance.  Some servers in your environment are pretty important to your business–but unfortunately they do not support clustering or load-balancing (or you do not have the money to spend for a fault-tolerant solution.)  Using virtualization and a SAN, you will be able to get to four 9′s easily (and possibly five 9′s) as long as you have your VM image on the SAN and datacenter staff that know when to fire up that image on the backup hardware.

10. Server Consolidation.  This is the “holy grail” of virtualization.  In many datacenters, servers are massively under utilized for a variety of reasons.  If you take the right approach to virtualization, you can migrate from many underutilized physical servers to a few fully utilized physical servers (while maintaining the same number of logical servers.)  This eliminates a lot of expensive hardware (and corresponding maintenance/support contracts) and should have a very positive impact on your datacenter’s electrical and air conditioning requirements.

Links/Downloads:

Are You Virtualized? – Part I

Are You Virtualized? – Part III

The big players in the virtualization world are VMWare and Microsoft.  Although I’m normally a big fan of Microsoft tools and technologies–I prefer the VMWare tools when it comes to virtualization.  Start with an installation of VMWare Server and then load up one of the sample VMs available from the VMWare Technology Network (for something small/simple try the browser appliance.)

Once you’re more comfortable with VMWare server, you can:

- create your own virtual server and install an OS

- download the newly released VMWare Converter and use it convert an existing physical server to a virtual machine (standard warnings about testing with production servers and/or in a production environment apply!!!)

- download one of Microsoft’s VHDs and use VMWare convertor to run it on VMWare server

- install Microsoft’s Virtual Server and get a feeling for its capabilities

More info and ideas in my follow-up posting “Are You Virtualized? – Part II“…

Links/Downloads:

Download VMWare Server

VMWare Technology Network – Virtual Appliances

VMWare Technology Network – Browser Appliance

Download VMWare Converter

Download Microsoft Virtual Server 2005 R2

Microsoft VHDs (Windows Server 2003R2, Exchange 2007, SQL 2005)

24 Hours of Exchange Server 2007

Also available are eight “labcasts” over the same period (with each an hour and a half long.)

Exchange Server 2007 Guided Labcasts