Vol. 20, #14 - April 6, 2015 - Issue #1024
Inside a Microsoft datacenter
- Editor's Corner
- Special offer for organizations up to 100 users
- Ask Our Readers - Microsoft licensing question
- From the Mailbag
- Inside a Microsoft datacenter
- Recommended for Learning
- Microsoft Virtual Academy
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- This Week's Tips
- Updated media available for Windows 8.1 and Windows Server 2012 R2
- Troubleshooting: Burn Disk Image menu option missing
- Reducing Windows Deployment time using Power Management
- Events Calendar
- Webcast Calendar
- Register for Webcasts
- Tech Briefing
- Cloud Computing
- Windows Client
- Recommended TechGenix Articles
- Recommended articles from websites in TechGenix Network
- Windows Server News
- Cloud governance key to bypass a breach
- Bigger isn't always better: Start your VMs small
- VDI disaster recovery options
- Tighten Windows 8.1 security in five simple steps
- WServerNews FAVE Links
- How Russians 'Tow' A Car
- 1920's - 'What The Future Will Look Like'
- How To Make A Girl Quiet
- French Cats Playing Patty Cake
- WServerNews - Product of the Week
- FREE tool for Active Directory recovery
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- SEND YOUR FEEDBACK to [email protected] if you have any comments or suggestions!
This week's newsletter of WServerNews presents a guest editorial by Andy Malone, a Microsoft MVP and IT trainer who describes his recent visit to a Microsoft datacenter in Dublin, Ireland. We also have a couple of tips on Windows deployment and also lots of other stuff we're sure you'll be interested in, so enjoy!
And for any of you readers who might be out there in Ireland (Mora na maidine dhuit!) here's a Dilbert comic strip that's especially for you:
Special offer for organizations up to 100 users
Netwrix Corporation recently announced that Netwrix Auditor for Active Directory is available to small businesses with no more than 100 user accounts absolutely for free during April 2015. This solution helps to detect security incidents and prevent data breaches, enables continuous compliance and optimizes operations by providing complete visibility into all Active Directory and Group Policy changes.
To download Netwrix Auditor for Active Directory for free and find out more about the solution, please follow the link: http://www.wservernews.com/go/1428063236593
Ask Our Readers - Microsoft licensing question
In our previous Issue #1023 Antivirus software: who can you trust? we included the following request from reader Jeff Magee:
I am working on an installation of a Ruckus based wireless network for one of my clients. The folks at Ruckus seem to be stumped since we've gone from Linux based FreeRadius to Windows 7 FreeRadius and now to a Windows 2012 server based Active Directory based authentication model. The site has a visitor database of about 250,000 possible users and the controller needs to authenticate the users from AD (in this latest iteration) but never more than about 1,500 users at any one time. The only device that will ever connect to the server is the Ruckus controller to verify user/password. A TechNet blog post seems to say that only devices that actually use the server software or a service requires a license. The end user device (phone/tablet/laptop) isn't using any DNS/DHCP/AD/file shares on the server and in fact will never know a server exists on the back end. Do the end user devices require a license? Obviously we wouldn't use the W2012 server for AD authentication if that is the case as the cost would be astronomical.
Several readers of our newsletter responded to Jeff's questions. First let's look at what Paz Efrat, an Enterprise Technology Strategist working for the Microsoft Greater Southeast District has to say on this issue:
It sounds like they would need a Windows Server External Connector license for each server (assuming that the users being authenticated are not employees or affiliates of their company). To read more about the types of Client Access Licenses, including External Connector licenses, see:
The official licensing guidance is located in the Microsoft Product Use Rights (PUR) document, which can be found here:
I would suggest using the Customized PUR:
I created an online PUR specifically for Windows Server, but just using the link above to create a customized PUR and then searched for the word External.
To get more direct guidance and purchase licenses, the customer should contact their local reseller (VAR, LAR, etc…). I hope this helps.
Several other newsletter readers also suggested the Windows Server External Connector license as the best solution for Jeff's scenario:
Re your article about the above and the question posed by Jeff working on a Ruckus based wireless network, to license his external users I think he would require a Windows Server External Connector license which would cover him for all of the site visitors. --Kevin, a Technical Support Manager for a UK government agency
For the question about authenticating ~250,000 external users. You want to look at the External Connector licensing for Windows/AD. It is set up for this scenario. Lower cost for unlimited connections from the internet. Thanks, and have a great day! --a reader named Ian
A reader named Robert also pointed Jeff to the following post on the Microsoft Volume Licensing Blog:
He then continued by saying:
AD authentication does require a CAL. However they don't need a CAL always, they can do Windows Core plus External Connector.
If anyone else has a suggestion for Jeff please email us at [email protected]
Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at [email protected]
From the Mailbag
Last week in Issue #1023 Antivirus software: who can you trust? we included a story about Kaspersky Lab and how they reported finding evidence that the US National Security Agency (NSA) might be involved in the development and release of malware--and then how Bloomberg published an article which seems to suggest that security products produced by Kaspersky Lab should no longer be trusted because of Kaspersky Lab's alleged close ties with Russia's military and intelligence services. The point of our covering these stories is that they raise the larger issue of whether or not you can trust the antivirus software you've deployed in your environment. Let's look at what some of our readers have to say concerning this matter. First here's what a reader named Sam had to say concerning this:
I know that we have tried just about every antivirus out there at one time or another. We have concluded that no antivirus is 100% effective and have developed a policy to mitigate this persistent problem. Basically, we ran other malware detectors like Norton power scrubber, MalwareBytes and others to catch the viruses that Symantec End point protection does not detect periodically.
That's a good strategy and of course it's simply using defense-in-depth. Interestingly, Sam isn't the only reader who recommends MalwareBytes as Richard, a retired Systems Analyst and Network Manager, comments:
Why are there so many anti-malware packages on the market? All it does is breed cynical stories about their effectiveness. Reminiscent of the defunct UK motor industry producing badge engineered vehicles allegedly from different makers, but apart from minor trim differences were the same vehicle. Personally I prefer MalwareBytes (download for free two week full trial from here:
Don't google for a download source as several malware sites masquerade as its source and happily fill your PC full of nasties) as a good immediate solution, often locates stuff that the big boys like McAfee and Norton fail to detect.
The Kaspersky labs report was interesting, in correlation I recall many years ago, either late 90's or early 00's a hoohah about an FBI.DLL found in original releases of NT 3.5 and 4. At the time there were big denials from Mr. Softy and the US government the file was for backdoor snooping. Mr Softy had a very convoluted explanation it was simply a coincidence to carry that name; but in view of the Snowden revelations who knows what to believe? Presumably code in that .dll has now been incorporated into another Windows component. It may have been reported in this newsletter unfortunately my current email doesn't permit content search to pinpoint it.
I actually don't remember FBI.DLL but when I googled it (Bing didn't help in this case) I came across this virus profile on the McAfee website which listed %WINDIR%\system32\fbi.dll as a generic backdoor trojan under Virus Characteristics:
Another reader named Greg shared the following thoughts:
My default is the McAfee Enterprise offered by my former employer that, as a retiree, I am still entitled to use, but I also run Spybot Search & Destroy, SuperAntiSpyware and Malwarebytes. I see no way to avoid any built-in back doors, but hopefully anything that would get let in by one would be caught by one of the others. (Over the years, I've seen that each does seem to catch things that others do not.) The only drawback to this is that I think programs start more slowly because more than one AV product tests the software, but I've not had any of the rumored "AV conflicts" where two products lock each other out or cause some other software to fail.
Finally, last week's issue also included a link to a fun article about trying to surf today's Web using a Macintosh Plus. Well as Mark, a reader from Belgium points out, there are other ways to have similar kinds of geeky fun:
Some people even use a C64 to browse the web!
Thanks for the memories :-)
And now on to our guest editorial by Andy Malone...
Inside a Microsoft datacenter
I remember climbing up on stage a few years ago with a bunch of security folks at a Microsoft TechEd event debating cloud security. At that point Office 365 and Windows Azure were relatively newish and I must confess that, like many of my esteemed colleagues, I was a little skeptical over Microsoft's bold privacy claims.
Of course I, like many, stand up on stage or teach in classrooms with lots of pretty slides and demos and tell you that, "It's okay, you have nothing to worry about" or "Of course not. Don't be silly, the NSA are not spying on you." But the harsh reality is that we are simply basing that assumption on trust. Ah yes, there's that word again, "trust", because at the end of the day we'd like to think that hey, this is Microsoft. They are a well-established company with a good reputation for quality products and services. Therefore when they say that they will store my data securely in their datacenters, you have to take them at their word.
So you can imagine my thrill when last year I was offered an opportunity to visit the Microsoft datacenter in Dublin. Now when I say thrill, I wasn't just thinking, hey this is a great geeky thing to do. For me, a security guy, it was an opportunity to see for myself if the information on all those slides was accurate. Although this happened last year, Microsoft enforce a strict NDA (Non-Disclosure Agreement), which places an embargo on any articles that you may write for 3 months after your visit. So in this article, rest assured my aim is not to divulge secrets but merely to give you, the reader, an insight into what security is like within a datacenter.
Firstly, like many of the big providers you can't simply walk up to a datacenter and say, "Can I come in and have a look around?" They will of course say "no." So the first step is the application for entry. Once approved you turn up. Once you navigate through the layers of physical security (gates, turnstiles, cameras and guards), you eventually end up in the reception area. Of course Government Issued Photo ID is required along with the signing of multiple NDA agreements, which by the way, they keep along with your cell phone for the duration of your visit. Once satisfied, your visit can begin.
Now when they say these datacenters are big, you have to think BIG! Multiple floors and buildings filled with literally thousands upon thousands of boxes which blink, bleep and whir 24 hours a day, seven days a week, 365 days a year. All with the sole purpose of ensuring you can continue to search the web, access your data, and play games. Now this gets me on to what Microsoft calls its cloud principles (for Office 365 anyway). In all they have 8 golden rules. These are as follows:
- Services are highly configurable and scalable without customization.
- Services are under the Microsoft Security Policy.
- We provide transparency in data location and transfers.
- We audit on your behalf and provide certification reports.
- Microsoft's liability is capped, consistent with industry standards.
- Office 365 is an evergreen service. Customers need to stay current.
- Our solution evolves rapidly with a documented roadmap.
- We provide services offers to help you migrate to the cloud efficiently.
Sounds good so far, but how do you keep my stuff safe? Well, upon account creation your data is matched with a datacenter in your region. For me here in the UK, it's Dublin. Within the datacenter your encrypted data and logs are replicated to another volume at regular intervals and then to other racks and finally to a sister datacenter, which in my case is Amsterdam. This meets the compliancy issue. Data must stay within the European Union.
Ah but what if there's a power cut? Well each datacenter (when I say each, in all Dublin has 6, soon to be 7 buildings) is equipped with two independent power supplies, so if one fails the other automatically kicks in. Then there are the battery backups, which are enormous by the way. It's the only place where you can actually walk inside a battery. If that isn't enough, each of the 7 datacenters is equipped with 2 enormous CAT engines. You know, the kind that power ocean liners. Then if all else fails the datacenters have it within their software to switch service to a sister datacenter. When I asked what could actually bring down a datacenter, the answer was an EMP (an Electromagnetic Pulse). To be frank, I don't think anything could prepare you for the overall size and complexity of these facilities. In fact the only way to get around is by bicycle. It's interesting to note that the European staff rejected the option to use Segways.
In terms of personnel, Microsoft's security policies and procedures are some of the strictest in the industry; any violation of these will lead to dismissal.
So you might ask whose data is stored within one of these vast repositories. The answer is simple, you never know. That's all part of the security policy, separation of duties. All that the datacenter staff are aware of is that they only look after Microsoft data (no mingling). That is data from Microsoft's vast array of over 200 services. This includes services such as Windows Azure, Office 365, Bing Search, Xbox Live, Microsoft IT and many more. So it's impossible for a staff member to snoop on your data, as it would be difficult for them to find. This is left to the operations team who are located elsewhere.
Another important issue of course is how disks are reused. Disks containing general data, i.e. disks that do not contain any sensitive or personal information, may be wiped and reused. However any disk containing personally identifiable information or PII is NEVER reused and is destroyed by a giant crushing machine, all under the watchful eyes of at least two members of staff.
By the time we came out from within the bowels of the datacenter I was suitably impressed with the way Microsoft coordinated its security efforts in respect to ensuring my data remained private. They also answered a question that I just had to ask. "How do I know that the NSA or GCHQ are hacking into my data?" The answer was simple: Microsoft NEVER divulge customer data to any authority unless through correct judicial procedures, i.e. a subpoena. Let's face it, by the time you hear about this you'll know that you've been a bad guy anyway. I was told that they do try and contact you up to 7 days prior to the hand over in order for you to take legal advice.
So there you have it, just a taste of what it's like inside the walls. It's big and very secure to ensure that Microsoft meets its compliance requirements. If you'd like to know more about Microsoft datacenter operations take a look here:
If you are a Microsoft Partner and would like to visit a datacenter, this may be possible, but you would need to speak with your Microsoft partner contact. More details on Microsoft Security & Trust policy can also be found here:
About Andy Malone
Andy Malone is an author, speaker, and trainer based in the UK. With a prestigious international career spanning 20 years, Andy is not only a world class technology instructor and consultant but is also a Microsoft Most Valuable Professional (MVP) and multi award winning international conference speaker at such prestigious events as Microsoft TechEd, Dev Connections, TechMentor - Live 360 and the Cybercrime Security Forum. His passionate style of delivery, combined with a sense of fun, has become his trademark and won him great acclaim.
Although his primary focus is security, Andy loves to talk about the Windows platform, Exchange and Office technologies. And with knowledge dating back to the MS-DOS 2 and Windows 2.0 era there is often an interesting story to be told. But technology never sleeps and Andy continues to work with the Microsoft product teams to create and deliver ground breaking material on Microsoft Azure and Office 365. For 2015 Andy is scheduled to deliver content in Europe, the Middle East and the US to name but a few. Andy has also just published his first book, the sci-fi thriller "The Seventh Day." Follow Andy on Twitter (@AndyMalone) or visit his website here: http://www.wservernews.com/go/1428063384578
Send us your feedback
Got feedback about anything in this newsletter? Let us know at [email protected]
Recommended for Learning
The TechNet blog titled "DevOps in the Enterprise: The role of IT Ops" has a recent post called "More Top 10 DevOps Books for Operations" that may be helpful for both IT decision-makers and implementers. Check it out:
Microsoft Virtual Academy
Just one announcement this week from the Microsoft Virtual Academy:
April 15-16: Getting Started with Azure Security for the IT Professional
Get the information and confidence you need, from the pros who know, as they demystify security in the cloud! On April 15 & 16, join Rick Claus and a team of experts, for this two-part, demo-filled course. Explore datacenter operations, virtual machine (VM) configuration, network architecture, and more. Register today!
Quote of the Week
"Technology is the name we give to things that don't work yet." -- Danny Hillis as quoted by Brian Eno in the following Daily Telegraph article:
Until next week,
Note to subscribers: If for some reason you don't receive your weekly issue of this newsletter, please notify us at [email protected] and we'll try to troubleshoot things from our end.
Are you on a budget or still experimenting with VM backup? Veeam Backup Free Edition v8 is the perfect solution because it’s: powerful, easy-to-use and free forever.
VeraCrypt is free disk encryption software that is based on TrueCrypt:
CPUstress can be used to simulate high CPU usage by a user-mode process:
KindEditor is a lightweight, open source, cross-browser, web-based WYSIWYG HTML editor that is easy to integrate with server-side languages such as Java, .NET, PHP, ASP, Python, Perl and Ruby:
This week we have several tips on how you can speed up your Windows deployments. We also have a tip on re-enabling the Burn Disk Image right-click menu option if you've lost it because of installing and removing some media management program. If you've got any cool tips of your own that you'd like to share with other readers, please email us at [email protected]
Updated media available for Windows 8.1 and Windows Server 2012 R2
A reader has reported to us that Microsoft released updated media for Windows 8.1 and Windows Server 2012 R2 on their Volume Licensing Service Center (VLSC) back in November. The updated media has all of the software updates up to November 2014 already integrated into the media which can help you speed up provisioning new client and server systems using this media.
I've also confirmed that the MSDN Subscriber Downloads website has updated ISOs for Windows 8.1 and Windows Server 2012 R2, so if your business has an MSDN subscription you may want to go and grab these from the site. Note however that the updated ISO for Windows Server 2012 R2 is now too big to be able to burn to DVD media, which leads
Troubleshooting: Burn Disk Image menu option missing
After I downloaded the updated Windows Server 2012 R2 from MSDN described above, I thought I'd burn a copy onto DVD-RW media in case I needed it for installation on any of the servers in our lab. But when I opened Windows Explorer on my Windows 7 machine and right-clicked on the ISO file, to my surprise the Burn Disk Image menu option was no longer available!
I hadn't burned an ISO to disk for some time, and I suspect that I had probably installed some application that hijacked the menu option and when I later uninstalled the application it must have left the .iso file extension unregistered on my machine. Anyways, the fix I found for this issue was much simpler than the registry hack suggested on this TechNet forum page:
Instead of messing around with the registry, I went to Control Panel and opened Default Programs:
Clicking on Set Your Default Programs took me to this page:
When I clicked Choose Defaults For This Program, the Set Associations For A Program page showed that of the two file extensions .img and .iso only the .img extension was registered for Windows Disk Image Burner. So I returned to the previous page and clicked Set This Program As Default and clicked OK to close Set Your Default Programs. I then returned to Windows Explorer and this time the missing Burn Disk Image menu option was displayed:
Unfortunately as I said in the previous tip, the updated ISO file I downloaded for Windows Server 2012 R2 is too large to burn to recordable DVD media, but at least we can use it for network installs in our lab environment.
Reducing Windows Deployment time using Power Management
The Deployment Guys blog on TechNet has a terrific new post that describes a technique you can use to reduce the time it takes to apply a Windows Image (WIM) file to a hard disk by as much as 50% under certain circumstances. In other words, we're talking about how you can halve the time it takes to perform a clean install of Windows on a system. You can read all about it here:
Note that this method does not provide any benefit when deploying Windows in a virtual environment, for example if you have built an image factory that uses MDT as described here:
Microsoft Build on April 29 - May 1 in San Francisco, California USA
Microsoft Ignite on May 4-8, 2015 in Chicago, Illinois USA
Microsoft TechDays 2015 on May 28-29 in the Hague, Netherlands
Add Your Event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact [email protected]
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact [email protected]
Creating Default Roaming Profiles for Microsoft RDS and Citrix XenApp and XenDesktop on Windows 2012 R2 for End Users (Jesse Boehm)
Installing and Configuring Citrix XenApp XenDesktop 7.6 (Part 3) (VirtualizationAdmin.com)
Cloud Storage: What's your favourite? (Mitch Garvis)
Cloud Prospects for 2015 (CloudComputingAdmin.com)
Getting QoS Right with Hyper-V and Converged Networking (Ben Armstrong)
Hyper-V receives Red Hat certification (Virtualization Blog)
PowerCLI 6.0 – Introducing PowerCLI Modules (PowerCLI Blog)
vSphere 6.0 Lockdown Modes (Mike Foley)
WHITEPAPER: A New, Automated Approach to Achieving Application Compatibility in Windows 7 Migrations (Dell)
Network Printer Tips and Tricks (WindowsNetworking.com)
Recommended TechGenix Articles
Revisiting Compliance in the Cloud: Is it Risky Business? (Part 1)
AWS Identity and Access Management (Part 2)
Managing Your Microsoft Azure Active Directory Instance
Managing network adapters using PowerShell
Exchange Online Protection Quarantine (Part 4)
Cloud governance key to bypass a breach
Security breaches are becoming increasingly commonplace no matter the industry or company. When this occurs, the blame is often put on the cloud, but, with a strong and modernized cloud governance and security strategy in place, you can sleep better at night. Learn how to keep hackers at bay with modern cloud governance and security strategies, and bypass a potential security breach.
Bigger isn't always better: Start your VMs small
While it is easy to fall into the trap of overprovisioning your virtual machines, when it comes to VMs, going bigger is not always the better solution since it's easy to add resources if the workload demands more. Learn more about VM size and why you should start your VMs small and grow as needed.
VDI disaster recovery options
Having a disaster recovery plan in place is vitally important, especially if you host virtual desktops, but how to go about planning for VDI disaster recovery isn't always clear. Fortunately, there are four options for VDI disaster recovery that you can utilize. Discover these options and set a successful DR plan in place today.
Tighten Windows 8.1 security in five simple steps
While Microsoft's Windows 8 and 8.1 are the most secure OS versions to date, no OS is completely free of vulnerabilities. Fortunately, there are some basic settings you can use to further protect your Windows 8.x systems from potential security risks. Learn how to tighten your Windows 8.1 security in just 5 easy steps today.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]
How Russians 'Tow' A Car
How Russians 'tow' a car without a rope:
1920's - 'What The Future Will Look Like'
The future as they saw it in the 1920's:
How To Make A Girl Quiet
There is nothing a girl enjoys more than selfies!
French Cats Playing Patty Cake
Two adorable cats are playing patty cake to the French children's song 'Dansons la Capucine':
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.