Management of Microsoft Hyper-V on Windows Server 2008 (Server Core)

I recently bought a new server in order to consolidate various machines onto one host.  The intention here is to license Microsoft Hyper-V Server when it is released but, as that’s not available to me right now, I thought I’d use the latest Windows Server 2008 (Server Core) build with the Hyper-V role enabled.  Everything was looking good until I built the server, installed Hyper-V (using the ocsetup Microsoft-Hyper-V command) and realised that although I had a functioning Hyper-V server, I had no way to manage it.

According to the release notes for the Hyper-V beta:

"To manage Hyper-V on a server core installation, you can do the following:

  • Use Hyper-V Manager to connect to the server core installation remotely from a full installation of Windows Server 2008 on which the Hyper-V role is installed.
  • Use the WMI interface."

I wanted to run Hyper-V on Server Core because my experience of running Virtual Server on Windows Server 2003 has been that patching the host is a major issue involving downtime on each guest virtual machine.  Similarly (unless I migrate the workload to another server) applying updates to the parent partition on Hyper-V will also result in downtime in each child partition.  By using Server Core, I reduce the size of the attack surface and therefore the likelihood of a critical patch being applicable to my server.  If I need another Windows Server 2008 machine with Hyper-V installed just to manage the box then that’s not helping me much – even a version of Hyper-V Manager to run on a Windows client machine and administer the server would be a huge step forward!

I’ve raised a feedback request highlighting this as a potential issue which restricts the scenarios in which Hyper-V will be deployed; however I’m expecting it to be closed as "by design" and therefore not holding out much hope of this getting fixed before product release.
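The second option in the release notes, the WMI interface, can be driven from a Windows client without a second Hyper-V server. The following is an added example, not part of the original post or of Microsoft's documentation: it lists the child partitions and their state from a management workstation. `HV-CORE01` is a placeholder host name, and the script assumes Windows PowerShell, an account with administrative rights on the host, and remote WMI (DCOM) allowed through the host firewall.

```powershell
# Added example: inventory child partitions on a Server Core Hyper-V host over WMI.
# 'HV-CORE01' is a placeholder host name, not a value from the post.
$HyperVHost = 'HV-CORE01'

# EnabledState values used by Msvm_ComputerSystem in the root\virtualization namespace
# (the namespace used by Hyper-V on Windows Server 2008).
$stateNames = @{
    2     = 'Running'
    3     = 'Off'
    32768 = 'Paused'
    32769 = 'Saved'
    32770 = 'Starting'
    32773 = 'Saving'
    32774 = 'Stopping'
    32776 = 'Pausing'
    32777 = 'Resuming'
}

# Msvm_ComputerSystem also returns the parent partition (Caption 'Hosting Computer System'),
# so filter on the caption used for virtual machines.
$vms = Get-WmiObject -ComputerName $HyperVHost `
    -Namespace 'root\virtualization' `
    -Class Msvm_ComputerSystem `
    -Filter "Caption = 'Virtual Machine'" `
    -ErrorAction Stop

# ElementName is the friendly VM name; Name is the VM's GUID.
$vms | Select-Object `
    @{ Name = 'VM';    Expression = { $_.ElementName } },
    @{ Name = 'Guid';  Expression = { $_.Name } },
    @{ Name = 'State'; Expression = {
        $s = $stateNames[[int]$_.EnabledState]
        if ($s) { $s } else { "Unknown ($($_.EnabledState))" }
    } } |
    Sort-Object VM |
    Format-Table -AutoSize
```

Add `-Credential (Get-Credential)` to the `Get-WmiObject` call when the workstation account is not an administrator on the host.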

Forefront Security overview

A few weeks back, I spent some time learning about the Microsoft Forefront security products.  I’ve written before about Forefront Client Security and intend to write some more posts that go into some detail on the other Forefront products, but I thought I’d start by taking a look at the suite as a whole.

The Forefront suite of applications currently includes a number of products:

Looking first at the client, Forefront Client Security provides virus and spyware protection in a single product for client and server operating systems with updates received using Microsoft Update.  That all sounds OK but, for some critics, the natural question to ask is "what does Microsoft know about client security?".  Well, it seems that they know quite a lot:

  1. First, Microsoft purchased GeCAD Software – a respected Romanian anti-virus vendor.
  2. Next, Microsoft purchased GIANT Software – a respected anti-malware provider.
  3. The Microsoft Malicious Software Removal Tool provides more than just the ability to remove malware from PCs as the reporting information helps indicate how widespread a particular issue is.
  4. Microsoft also purchased FrontBridge Technologies, whose scanning technology protects many organisations from viruses and spam.
  5. Another Windows Live service that provides Microsoft with reconnaissance information is the Windows Live OneCare Safety Scanner (indeed the entire OneCare product range – although these consumer products have little in common with Forefront Client Security).
  6. Oh yes, and the fact that they run one of the world’s largest free e-mail services won’t hurt their ability to gather diagnostic information.

So that’s the client – what about the server products?  Based on the former Antigen products gained with Microsoft’s acquisition of Sybari Software there are currently two products carrying the Forefront brand name – plus Microsoft Antigen for Instant Messaging (to be replaced with an OCS-compatible product under the Forefront banner).  Making use of multiple anti-virus engines, the Forefront Server Security products provide realtime and manual scanning for messaging and collaboration products.

Finally, at the edge, ISA Server has been with us since 2000 (we had Proxy Server before then) and has become a well-respected application-level firewall and proxy server that is available in both software-only and appliance formats.  Intelligent Application Gateway (IAG) is a newer product, built around ISA Server by another company that Microsoft recently acquired – Whale Communications.  IAG provides SSL VPN capabilities, combined with a detailed understanding of how applications work (positive logic) in order to ensure that only valid traffic is allowed to cross the network boundary.  Whilst IAG is currently only available in appliance format, with Microsoft being a software company I can’t help feeling that a version of IAG will be released in software form at some point in the future.

Unfortunately, this mix of products from different backgrounds means that Forefront doesn’t feel as tightly integrated as some other product suites (e.g. Microsoft Office) but that is changing as the components are updated.  In addition, Microsoft has announced a product (codenamed Stirling) which they are touting as:

"[…] a single product that delivers unified security management and reporting with comprehensive, coordinated protection across clients, server applications, and the network edge. Through its deep integration with the existing infrastructure, such as Microsoft Active Directory and Microsoft System Center, customers can reduce complexity, making it easier to achieve a more secure and well-managed infrastructure."

For anyone looking at purchasing Forefront products, Software Assurance (SA) might not be a bad choice as there are new versions of IAG planned based on the forthcoming ISA Server codename Nitrogen and ISA Server codename Oxygen products (don’t quote me on this as information is a little sketchy on these!) and further updates planned across the Forefront suite.

IT security is no longer an afterthought and has become an integral part of any organisation’s IT infrastructure. I’m impressed by the range of options that Microsoft can provide in the Forefront suite and, if they can convince critics that they have a credible range of products (they are currently suffering from "the Škoda badge problem"), then over time I expect to see Microsoft take a dominant position in Windows Server security.