Vol. 41, #8 - August 5, 2013 - Issue #941


Security Auditing

  1. Editor's Corner
    • Security Auditing
    • Tip of the Week
    • Recommended for Learning
    • Quote of the Week
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Events Calendar
    • Americas
    • Europe
    • Australia
  4. Webcast Calendar
    • Register for Webcasts
  5. Tech Briefing
    • Best Practices for Securing Active Directory
    • Security Compliance Manager (SCM)
    • AD DS Auditing Step-by-Step Guide
    • Advanced Security Audit Policy Step-by-Step Guide
    • The Four Pillars of Identity - Identity Management in the Age of Hybrid IT
    • What's New with Windows Azure? Lots!!
    • Killer Feature in PSv4: Desired State Configuration
    • Deploying System Center 2012 SP1 Using the PowerShell Deployment Toolkit
    • Configuring a Syslog Agent in Windows Server 2012
    • Firmware Replacements for Wireless Routers
    • SP2 for Office 2010 and SharePoint 2010 officially released
    • VIDEO: Tim's Favorite Sysinternals Utilities
    • Troubleshooting the TMG Firewall with Network Monitor (Part 1)
    • Use PowerShell to Work with SkyDrive for Powerful Automation
    • It's Time for Small Businesses to Move to Windows Server 2012 Essentials
  6. Windows Server News
    • Windows Azure Media Services gives YouTube junkies a new outlet
    • Four alternatives to the major VDI vendors
    • Resource contention and other key causes of VM performance bottlenecks
    • Looking at Windows 8 BitLocker full-disk encryption and alternatives
  7. WServerNews FAVE Links
    • This Week's Links We Like. Fun Stuff.
  8. WServerNews - Product of the Week
    • Beat server downtime with anytime server backup

 

Beat server downtime with anytime server backup.

Idera Server Backup works right out of the box for your Windows  and Linux servers - no additional modules or plug ins. Just download and get back to work in minutes. Try it for free and get scalable, multi-platform server backup that can take you from broken server to back in action, fast.

Try It For Free

 

Editor's Corner

This week's newsletter is all about security auditing in Active Directory environments. Naturally, auditing is one of the best practices for managing any type of IT environment. But as this Dilbert comic illustrates, sometimes it's best not to let others know about your organization's best practices:
http://www.wservernews.com/go/1375258807207

Security Auditing

Active Directory forms the core of the identity architecture for most IT infrastructures these days. So monitoring the security of Active Directory is important to protect your infrastructure against compromise and misuse.

Auditing used to be simple in early versions of Windows Server. You could track success or failure for events in nine broad categories: account logon, account management, directory service access, logon, object access, policy change, privilege use, process tracking and system events.

Auditing got a lot more powerful (and more complex) beginning with Windows Vista and Windows Server 2008, which introduced Advanced Audit Policy: the nine categories were split into more than fifty subcategories, so you can, for example, audit credential validation without also auditing every Kerberos ticket request. Initially you had to use the auditpol.exe command-line utility to configure these settings (auditpol /get /category:* shows what is actually in effect on a machine), but on Windows 7, Windows Server 2008 R2 and later you can also use Group Policy, under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration. One gotcha when you do: make sure the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, otherwise legacy category settings applied by Group Policy can overwrite your subcategory settings at the next policy refresh:

Image
Figure 1: Configuring Advanced Audit Policy using Group Policy.

The big question of course with auditing is what you should audit. Or perhaps more specifically, how much should you audit. That's because the more things you audit, the more information you'll have to analyze. That can be a good thing or a bad thing. Too much information might make it difficult to distinguish what's really important from all the background noise you've collected. Too little information might cause you to miss something important that happened to your environment.

Because of such considerations, there's really no one-size-fits-all audit policy recommendation that applies to every Active Directory environment. Instead, the best approach is to decide how important security is for your environment and then either leave the Windows audit settings at their defaults, apply a baseline audit policy appropriate for most environments, or configure stronger audit settings suitable for high-security environments.

For example, the Audit Credential Validation policy setting under Account Logon, shown in Figure 1, lets you audit events generated by validation tests performed on user account logon credentials. Credential validation for domain accounts happens on domain controllers, so that is where you enable it (on a member server it only covers local accounts). The policy is Not Configured out of the box, and the effective value on any given server depends on whatever legacy category settings are applied to it, so check it with auditpol /get /subcategory:"Credential Validation" rather than assuming. At a minimum you should enable success auditing for this policy setting--this is the baseline recommendation. If you need that extra level of security, enable failure auditing as well; failures are what reveal password guessing and lockout storms. In either case, be aware that this subcategory can generate a high volume of security events. One more thing to know: it records NTLM validation (event 4776) but not Kerberos, so to see Kerberos pre-authentication failures and ticket-granting-ticket requests (events 4771 and 4768) you also need Audit Kerberos Authentication Service, in the same Account Logon category.
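As an added example (it is not from the newsletter, and not from Microsoft's guidance), here is what I would run on a domain controller to put the baseline above in place, verify it, and look at what it produces. It assumes an English-language system, since auditpol subcategory names are localised; an elevated PowerShell 3.0 or later session; and that the last 24 hours is the window you care about. The status-code table and the 24-hour window are my choices, not anything the newsletter or the policy setting specifies.

```powershell
# Added example, not from the newsletter or from Microsoft: apply the Credential Validation
# baseline on a domain controller, verify it, and summarise the failures it produces.
# Assumes an English-language system (auditpol subcategory names are localised) and an
# elevated PowerShell 3.0+ session. The 24-hour window and status table are assumptions.

# 1. Check that advanced subcategory settings are allowed to override the legacy categories.
#    SCENoApplyLegacyAuditPolicy = 1 is the registry form of the "Audit: Force audit policy
#    subcategory settings..." security option; without it a Group Policy refresh that carries
#    legacy category settings can undo what auditpol sets below.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not enabled; enable it in the GPO before relying on these settings.'
}

# 2. Baseline: success at minimum; failure as well for the high-security profile.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null

# 3. Verify the effective setting (this is also how you see what a GPO actually applied).
auditpol /get /subcategory:"Credential Validation"

# 4. Summarise NTLM validation failures (event 4776) from the last 24 hours by source
#    workstation. Property order in 4776: 0 PackageName, 1 TargetUserName, 2 Workstation, 3 Status.
#    Many distinct accounts failing from one workstation is the password-spraying pattern;
#    a lot of 0xc0000064 (no such user) means someone is enumerating account names.
$statusText = @{
    '0xc000006a' = 'bad password'
    '0xc0000064' = 'no such user'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside logon hours'
    '0xc0000070' = 'workstation restriction'
}

$filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-24) }
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $raw = $_.Properties[3].Value
    # Status arrives as a hex string on most builds; normalise either form to lowercase '0x...'.
    $status = if ($raw -is [string]) { $raw.ToLower() } else { '0x{0:x}' -f [uint32]$raw }
    if ($status -ne '0x0') {
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Account     = $_.Properties[1].Value
            Workstation = $_.Properties[2].Value
            Status      = $status
            Meaning     = if ($statusText.ContainsKey($status)) { $statusText[$status] } else { 'other' }
        }
    }
}

$failures | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Workstation'; e = { $_.Name } },
        @{ n = 'DistinctAccounts'; e = { @($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique).Count } },
        @{ n = 'Reasons'; e = { ($_.Group | ForEach-Object { $_.Meaning } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it on every domain controller (or against a collector that receives their Security logs via event forwarding), because each DC only sees the validations it handled. Kerberos pre-authentication failures will not appear here at all; for those, enable Audit Kerberos Authentication Service and query event 4771 the same way.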

Where can you find out more about the recommended audit policy settings for Active Directory environments? A good place to start is the whitepaper "Best Practices for Securing Active Directory" that was recently released by Microsoft and is available from the Microsoft Download Center. Another good place to begin is to download and install the Security Compliance Manager (SCM) version 3.0, which is also available as a free download from Microsoft. You'll find links to both of these items and other auditing resources in the Tech Briefing section of this newsletter.

What's your own take on auditing Active Directory environments? Got any third-party auditing tools you'd like to recommend? Any tips or gotchas to share concerning auditing? Send your feedback to [email protected]

Tip of the Week

GOT TIPS you'd like to share with other readers? Email us at [email protected]

The following tip was submitted by reader Quentin Gurney, who is an enterprise IT architect currently working for a Fortune 100 company:

How to clean up device manager after a P2V Migration

We have all done a Physical to Virtual (P2V) migration and noticed that there are some things that just do not translate well. Say you had a physical server, a Dell for instance, with the Dell OpenManage software installed: it is not going to do anything for you anymore, so that is easy to find and remove. There are some other things, though, that you might not notice.

When you do a P2V migration, you are essentially moving from one hardware platform onto a software platform that emulates hardware. This emulated hardware requires drivers just like the physical platform. When you move the O/S, the old system drivers are not uninstalled, and neither is any vendor-specific software. All the new drivers you need are added to your existing driver store, and Device Manager keeps both the old and the new, but you may not find the old ones without a bit more digging.

Here is a networking tip. Prior to migration, break all teaming done on the server via any vendor software (e.g. Broadcom or Intel). The teaming software will not function properly after the P2V, and you may not be able to uninstall it. If you do not take this step, you might have to restart your P2V again.

After migration, uninstall all hardware specific software – HP management agents, Dell OpenManage, Broadcom Advanced Control Suite, etc. None of these will be of any use in the virtual environment as the hardware will be gone. This will help clean things up from the O/S application perspective, but might not clean up everything in the device manager.

An additional step that you can take if you like is to remove all the non-present device drivers that are no longer required from the old hardware. These do get loaded, but are not used. This is easily done, but you need to follow these steps to be able to find them.

Type devmgmt.msc at a command prompt on the server to launch Device Manager. In the Device Manager View menu, select 'Show hidden devices'.

Image
Figure 2: Showing hidden devices in Device Manager.

Devices that are no longer present in the system will show as grayed out in the device manager as shown:

Image
Figure 3: Grayed out devices are no longer present.

Right click on the non-present device you wish to remove and select uninstall:

Image
Figure 4: Uninstalling a non-present device.

The device will be removed.

You may find that other drivers stay and even seem to be active; for instance, I have found that certain old HP iLO cards will appear in Device Manager as visible, active devices. You can remove them of course, because they do not really exist.

A note – some software installs as a device driver and may also be removed this way – for instance antivirus programs install as a filter driver and may show up as a system device. You can uninstall these as well. If you change antivirus on a server or even your laptop, you will find these non-present devices.

Be judicious about what you uninstall as some software installed devices are only enabled when needed, like the MS RAS Async Adapter. Don't remove anything you are not sure of.
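As an added example that is not part of Quentin's tip, here is a read-only PowerShell script that lists the same non-present devices the Device Manager steps above reveal, along with the driver package each one still binds to, so you can review them (and keep a record) before uninstalling anything. It assumes Windows 8.1 / Windows Server 2012 R2 or later, because it uses the PnpDevice module; on older servers, the Device Manager steps in the tip are the way to find them. The CSV path is my choice.

```powershell
# Added example, not part of the reader's tip: enumerate non-present ("ghost") devices
# and the INF each one still binds to. Read-only; it removes nothing.
# Assumes Windows 8.1 / Server 2012 R2 or later (PnpDevice module).

function Get-GhostDevice {
    # Get-PnpDevice returns present and non-present devices; keep only the non-present ones,
    # which are the grayed-out entries Device Manager shows with 'Show hidden devices'.
    Get-PnpDevice | Where-Object { -not $_.Present } | ForEach-Object {
        $inf = $null
        $prop = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_DriverInfPath' -ErrorAction SilentlyContinue
        if ($prop) { $inf = $prop.Data }
        New-Object PSObject -Property @{
            Class      = $_.Class
            Name       = $_.FriendlyName
            InstanceId = $_.InstanceId
            DriverInf  = $inf     # oemNN.inf means a third-party package still in the driver store
        }
    }
}

# Review grouped by class: NIC teaming leftovers show under Net, old AV filter drivers under System.
Get-GhostDevice | Sort-Object Class, Name |
    Format-Table Class, Name, DriverInf, InstanceId -AutoSize

# Keep a record before removing anything in Device Manager (path is an assumption).
Get-GhostDevice | Export-Csv -Path "$env:TEMP\ghost-devices.csv" -NoTypeInformation
```

Once a device is gone, its third-party driver package can still sit in the driver store; `pnputil -e` lists those packages, and the DriverInf column tells you which oemNN.inf belongs to the hardware you removed. Apply the same caution the tip ends with: the list will also contain devices that are only present on demand, so remove only what you have identified.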

Recommended for Learning

Here are a few books on Windows security and related stuff you might want to check out.

Windows Server 2012 Security from End to Edge and Beyond: Architecting, Designing, Planning, and Deploying Windows Server 2012 Security Solutions (Syngress)
http://www.wservernews.com/go/1375258821394

Group Policy: Fundamentals, Security, and the Managed Desktop (Sybex)
http://www.wservernews.com/go/1375258824863

Thor's Microsoft Security Bible: A Collection of Practical Security Techniques (Syngress)
http://www.wservernews.com/go/1375258828613

And still my all-time favorite despite being a bit dated:

Protect Your Windows Network: From Perimeter to Data
http://www.wservernews.com/go/1375258832285

Quote of the Week

"Defeat is not defeat unless accepted as a reality in your own mind." - Bruce Lee

Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

Free Tool: Idera Server Backup Free – fast, disk-based continuous data protection for Windows and Linux servers – back up and restore files in seconds
http://www.wservernews.com/go/1375259676566

SysAdmins: Stop paying for unnecessarily overpriced IT management solutions or help desk software. With Spiceworks, you get it all, and you get it free. Even smartphone & tablet apps. Download now.
http://www.wservernews.com/go/1375259681519

New. Altaro Hyper-V Backup v4. Powerful new features, faster and easier to use than ever. Still free (forever) for 2 VMs, still competitively priced. Download now.
http://www.wservernews.com/go/1375259686097

Samson Technologies SRK21 21 Space Rack Stand is a terrific 21U mobile rack for PCs and other equipment:
http://www.wservernews.com/go/1375259689738

Need a bench for heavy computer or test equipment in your lab or office? Check out AnthroBench:
http://www.wservernews.com/go/1375259693488

 

Events Calendar

Americas

Project Conference 2014 on February 2-5, 2014 in Anaheim, California
http://www.wservernews.com/go/1375258839097

Lync Conference 2014 on February 18-20, 2014 at The Aria in Las Vegas, Nevada
http://www.wservernews.com/go/1375258841644

SharePoint Conference 2014 on March 3-6, 2014 at The Venetian in Las Vegas, Nevada
http://www.wservernews.com/go/1375258843613

Microsoft Worldwide Partner Conference (WPC 2014) coming in July, 2014 in Washington, D.C.
http://www.wservernews.com/go/1375258845675

Europe

European SharePoint Conference on May 5-8, 2014 in Barcelona, Spain
http://www.wservernews.com/go/1375258848613

Australia

Microsoft TechEd Australia on September 3-6, 2013 in Gold Coast, Australia
http://www.wservernews.com/go/1375258850847

Microsoft TechEd New Zealand on September 10-13, 2013 in Auckland, New Zealand
http://www.wservernews.com/go/1375258852769

Add your event

PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact [email protected]

 

Webcast Calendar

Register for Webcasts

 Add your Webcast

PLANNING A WEBCAST you'd like to tell our 100,000 subscribers about? Contact [email protected]

 

Tech Briefing

We'll start off with some resources for auditing Active Directory environments...

Best Practices for Securing Active Directory (Microsoft Download Center)

This whitepaper contains recommendations to enhance the security of Active Directory installations, discusses common attacks against Active Directory and countermeasures to reduce the attack surface, and offers recommendations for recovery.
http://www.wservernews.com/go/1375258868144

Security Compliance Manager (SCM) (TechNet)

Version 3.0 of the Security Compliance Manager (SCM) tool offers new baselines for Internet Explorer 10, Windows 8, and Windows Server 2012! SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and Microsoft System Center Configuration Manager.
http://www.wservernews.com/go/1375258874550

AD DS Auditing Step-by-Step Guide (TechNet)

This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in Windows Server 2008 and provides procedures to implement this new feature.
http://www.wservernews.com/go/1375258882394

Advanced Security Audit Policy Step-by-Step Guide (TechNet)

This step-by-step guide demonstrates the process of setting up an advanced Windows 7 and Windows Server 2008 R2 security auditing policy infrastructure in a test environment.
http://www.wservernews.com/go/1375258921097

 

Now let's move on to some other stuff...

The Four Pillars of Identity - Identity Management in the Age of Hybrid IT (TechNet)

The purpose of this document is to define and provide detailed conceptual information on the four fundamental pillars of identity that can be useful in creating a strategic direction for an identity infrastructure in your organization.
http://www.wservernews.com/go/1375258925691

What's New with Windows Azure? Lots!! (Michael S. Collier's Blog)

A presentation made to the Pittsburgh .NET User Group about the exciting new Windows Azure features announced during recent Microsoft conferences.
http://www.wservernews.com/go/1375258930004

Killer Feature in PSv4: Desired State Configuration (PowerTheShell)

Most of what is found in PowerShell 4.0 is consolidation work, but there is one feature called Desired State Configuration (DSC) that really has the potential to become a killer feature.
http://www.wservernews.com/go/1375258934222

Deploying System Center 2012 SP1 Using the PowerShell Deployment Toolkit (VirtualizationAdmin.com)

Janique Carbone provides an overview of the PowerShell Deployment Toolkit (PDT), the function of each of its components, and some critical steps needed to properly leverage the toolkit.
http://www.wservernews.com/go/1375258938550

Configuring a Syslog Agent in Windows Server 2012 (WindowsNetworking.com)

David Davis takes a look at what you need to know about syslog and how to configure your Windows Servers to send syslog.
http://www.wservernews.com/go/1375258942972

Firmware Replacements for Wireless Routers (WindowsNetworking.com)

Eric Geier discusses how replacing your router's stock firmware with a third-party firmware can add more functionality.
http://www.wservernews.com/go/1375258946910

SP2 for Office 2010 and SharePoint 2010 officially released (Office IT Pro Blog)

Service Pack 2 (SP2) for Office 2010 and SharePoint 2010 is officially released. SP2 contains new fixes for areas of each product as well as all Cumulative Updates and Public Updates that have already shipped.
http://www.wservernews.com/go/1375258951238

VIDEO: Tim's Favorite Sysinternals Utilities (YouTube)

In this MicroNugget, CBT Nuggets trainer Tim Warner discusses his favorite set of troubleshooting tools you should add to your USB thumbdrive recovery toolkit.
http://www.wservernews.com/go/1375258955019

Troubleshooting the TMG Firewall with Network Monitor (Part 1) (ISAserver.org)

Deb Shinder takes a look at a basic overview of Network Monitor 3.4.
http://www.wservernews.com/go/1375258959425

Use PowerShell to Work with SkyDrive for Powerful Automation (Hey, Scripting Guy! Blog)

Microsoft PFE, Chris Wu, talks about creating powerful automation scenarios by using Windows PowerShell and SkyDrive.
http://www.wservernews.com/go/1375258964988

It's Time for Small Businesses to Move to Windows Server 2012 Essentials (PCWorld)

Windows Small Business Server (SBS) may be coming to an end, but it's not really dead--just rebranded.
http://www.wservernews.com/go/1375258968457

Windows Server News

Windows Azure Media Services gives YouTube junkies a new outlet

YouTube’s impressive statistics prove that video is a very powerful content delivery platform, but organizations require more control than YouTube offers. Learn how Windows Azure Media Services allows you to securely and easily provide on-demand access to video content through cloud services.
http://www.wservernews.com/go/1375258972566

Four alternatives to the major VDI vendors

Although vendors such as VMware, Citrix and Microsoft are atop the VDI market, there is a wide array of lesser-known vendors that may be just what you need to jump on the VDI bandwagon. Inside, learn more about the unique features and offerings of four emerging VDI alternatives.
http://www.wservernews.com/go/1375258976316

Resource contention and other key causes of VM performance bottlenecks

Finding a balance between achieving the highest level practical of virtual machine density while ensuring each VM delivers an acceptable level of performance can be a challenge – and it’s not always easy to determine why your VM performance is suffering. Hear from the experts on the five most common causes of VM performance bottlenecks.
http://www.wservernews.com/go/1375258980394

Looking at Windows 8 BitLocker full-disk encryption and alternatives

After years in the making, Microsoft’s BitLocker Drive Encryption may finally be enterprise-ready. In this IT tip, uncover the new and noteworthy features of BitLocker for Windows 8 and Windows Server 2012 that make it a worthwhile investment, even for large-scale desktop environments.
http://www.wservernews.com/go/1375258984269

 

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]


The best costumes from the San Diego Comic Book Convention 2013.
http://www.wservernews.com/go/1375258989207

What would happen if all your computer problems were problems in the real (physical) world?
http://www.wservernews.com/go/1375258993332

Explore the outer reaches of the universe in 'Cosmos: A Spacetime Odyssey' - an upcoming space and science spectacular hosted by astrophysicist Neil deGrasse Tyson:
http://www.wservernews.com/go/1375258997535

Jumpy the Border Collie knows a lot of cool tricks:
http://www.wservernews.com/go/1375259001785

 

WServerNews - Product of the Week

Beat server downtime with anytime server backup.

Idera Server Backup works right out of the box for your Windows  and Linux servers - no additional modules or plug ins. Just download and get back to work in minutes. Try it for free and get scalable, multi-platform server backup that can take you from broken server to back in action, fast.

Try It For Free

 

WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.