I don’t generally talk about my work (at least not directly) on this blog but, a couple of weeks back, I moved into a new role, which is going to involve working very closely with a certain software company from Redmond (and no, it won’t have any effect on the editorial content here – nothing on this site should be interpreted as representing the views of my employer or their partners). Clearly running Red Hat Enterprise Linux on my laptop wasn’t politically correct (I might have got away with Novell Enterprise Linux) so I needed to rebuild on Windows Vista.
As many of my corporate applications still require Windows XP and IE 6, I run a domain-joined (Windows XP) virtual machine to access them. I had been using VMware Server as the host but as VMware recently sent me a license for VMware Workstation 6.0 (as a VCP benefit) I decided to use that instead following the Vista rebuild. I backed up the virtual machine files to an external disk, rebuilt on Windows (including reformatting the internal disk) got 94% of the way through the restoration of the VM and then I was presented with this message:
Error 0x80070079: The semaphore period has expired.
Not good. I was in the middle of a restore – those files were my backup and the three problem files represented 30% of the virtual disk that makes up my D: drive (i.e. my data).
I’d written the files without errors but clearly something was wrong when reading them. I thought of buying a copy of SpinRite to check that the disk was fine but, before parting with any cash, I tried reading them on another machine and thankfully they restored without any difficulty. I don’t know if the issue was with my Vista machine’s USB device drivers (the successful restore was on my wife’s Windows XP machine), a timing issue (my wife’s machine is older and the external disk was USB 1.1) or something else (like that this is a 60GB FAT32 volume and Windows has a limit of 32GB for FAT32 volume creation – as the virtual machine files totalled 36.5GB in size, maybe the three 1.99GB files that Vista couldn’t read were physically located across and after the 32GB point on the disk) but my experience goes to show that it’s worth trying another machine before giving up totally on the data.
Apple will finally update the iPod (no… unless you count the iPhone… and I don’t want an iPhone – well, never say never, but it won’t be available over here for a while yet).
Apple will launch new MacBook Pros so I can pick up one of the outgoing models at a discount (yes… they actually updated the MacBook Pro just before WWDC but that new LCD display sounds so good I might have to save up for one of the new ones instead).
The video below features some of the highlights from the conference keynote including something that I personally find interesting – Apple’s decision to release Safari for Windows. Whilst this cannot be a bad thing (hey, look what competition from Firefox did to wake up Microsoft and get them to update Internet Explorer), I don’t use Safari on my Mac because so many websites don’t work with it… I can’t see that being any different under Windows; on the flip side, it may wake developers up to the presence of Safari and they might actually develop standards-compliant sites that work across all platforms (meanwhile Apple gets the advertising revenue from the search box and a foothold for application development on the Windows desktop). Regardless of the reasoning behind producing Safari for Windows, it does kind of disprove the whole “we’re really strapped for resources getting the iPhone out and that’s why we’re delaying Leopard” argument. Then again, maybe it was a rush job, as they certainly don’t look to have spent much time making sure it was secure – beta product or not, using known tools to find a flaw inside three minutes is something that Apple should have done before they released it.
I’ll admit that the finder needs some tweaks and that using Coverflow for documents looks very cool but as for Steve Jobs’ statement that Tiger is already better than the competition and that Leopard will further increase that lead – I just don’t get it.
I’m not really sure that this is a product that’s going anywhere fast (and I’ll spare you the Bill Gates demo – the Associated Press one is less likely to send you to sleep) but Microsoft is constantly being criticised for a lack of innovation and as a concept, Surface is certainly interesting. Personally, I can’t wait. Not to have an expensive coffee table upon which to bore people with digital photos (I can already do that with the TV!) but because I can feel a return to the “Space Invaders” tabletop video games of my youth coming on!
I recently attended a Windows Vista security session at Microsoft, presented by Steve Lamb. Windows Vista security is too broad to cover in a single presentation (or even in a single blog post!) but some of the key points that Steve concentrated on were around the Windows firewall and IPsec. This post picks up on the main points from Steve’s presentation.
The Windows XP firewall was criticised by some because it only inspected inbound traffic. Microsoft responded to customer demands and, in Windows Vista, the firewall also inspects outbound traffic; however it should be noted that a compromised machine can have its firewall disabled, so the presence of the firewall is not a reason to feel complacent; indeed Steve Lamb used the term security theatre (http://en.wikipedia.org/wiki/Security_theatre) to highlight security products that promise much and offer little.
Consider the following process:
I wrote about this problem a while back, but in short, outbound control can only be relied upon where the computer is not compromised and the user cares about security – i.e. not on those machines where it is needed (compromised computers where the users don’t care about security)! It can be useful for restricting known software from communicating; however in such cases, prompting should be disabled.
Trying to find a balance between ease of use/flexibility and security, the default actions for the Windows firewall are:
Inbound – block most traffic, with a few exceptions.
Outbound – allow all interactive traffic but restrict services.
Allow/block rules can be configured for programs, services, users, computers, protocols or ports.
The Windows Vista firewall feature list is extended in other ways too. Comparing Windows XP SP2 with Windows Vista:
Direction – Windows XP SP2: inbound only; Windows Vista: inbound and outbound.
Default action – Windows Vista: configurable for direction.
Protocols – Windows XP SP2: TCP, UDP, some ICMP.
Rule scope – Windows XP SP2: application, global ports, ICMP types; Windows Vista: multiple conditions (programs, services, users, computers, protocols or ports).
Actions – Windows Vista: block, allow, bypass; with rule merge logic.
UI and tools – Windows XP SP2: Control Panel, netsh; Windows Vista: Control Panel, netsh, MMC.
APIs – Windows XP SP2: public COM, private C; Windows Vista: more COM to expose rules, more C to expose features.
RPC – Windows Vista: hardened RPC interface.
The Windows filtering platform (WFP) is a set of APIs designed to let developers hook into the network stack without kernel changes. WFP provides authenticated communication, dynamic firewall configuration and the foundation for the Windows firewall and IPsec; it works with encrypted traffic and, because it is fully documented, there is little risk that a service pack release will break third-party applications. Architecturally, it also brings synchronous API calls, exposure of the user context for auditing policy changes, access control lists on the API calls themselves (no longer relying on registry ACLs, with their associated escalation of privilege risk) and incremental policy updates.
Firewall configuration is still available from the Control Panel (with a few minor presentation differences); however a new Windows Firewall with Advanced Security MMC snap-in is provided which can also be used to assign settings to remote computers and to apply IPsec configuration. The new MMC snap-in is complemented with a new netsh advfirewall command line interface.
When merging and evaluating rules, the following order is applied, from highest priority to lowest:
Service restrictions (restricting connections that can be established by services – operating system services are configured appropriately by default).
Connection rules (restricting connections from particular computers using IPsec for authentication and authorisation).
Authenticated bypass (allowing specified computers to bypass other rules).
Block rules (explicitly blocking incoming or outgoing traffic).
Allow rules (explicitly allowing incoming or outgoing traffic).
Default rules (the default behaviour for a connection).
It should be noted that these rules are stored in the registry; however editing them directly is unsupported.
Firewall exceptions are also more flexible, including the ability to filter based on:
Active Directory user accounts and groups.
Source/destination IP addresses/range.
Source/destination TCP/UDP ports.
Comma-delimited list of ports.
IP protocol number.
ICMP type and code.
Support is also provided for multiple network profiles:
Domain – domain joined and connected to the domain (i.e. able to authenticate).
Private – connected to a defined private network (home or work).
Public – all other networks.
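The following is an added example, not part of the original post or of Steve's presentation, that expresses the points above as netsh advfirewall commands: the per-profile defaults, logging of dropped connections, exceptions filtered by address range, port list and ICMP type/code, an outbound restriction on a known program (with no prompting), the block-before-allow merge order, and an IPsec-aware rule backed by a Kerberos-authenticated connection security rule using ESP with null encryption. Rule names beginning with "Example", the program path, the 192.168.1.0/24 range and the export path are placeholders chosen for this example.

```powershell
# Added example (not from the original post or from Microsoft's session material):
# the Windows Vista firewall behaviour described above as netsh advfirewall commands.
# Run from an elevated prompt. Rule names beginning "Example", the program path,
# the 192.168.1.0/24 range and the export path are placeholders for this example.

# 1. Enforce the Vista defaults on every profile (domain, private, public):
#    block inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. Log dropped connections so that what the firewall blocks can be audited.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# 3. Exceptions using the richer Vista filters: address range, port list,
#    ICMP type/code, and a per-profile scope. (Comma-separated values are quoted
#    because PowerShell would otherwise split them into separate arguments.)
netsh advfirewall firewall add rule name=ExampleAllowRdpFromLan dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.1.0/24 profile="domain,private"
netsh advfirewall firewall add rule name=ExampleAllowWebPorts dir=in action=allow protocol=TCP localport="80,443" profile=domain
netsh advfirewall firewall add rule name=ExampleAllowEchoFromLan dir=in action=allow protocol="icmpv4:8,any" remoteip=192.168.1.0/24

# 4. Outbound restriction of a known program: a fixed rule, no user prompting.
netsh advfirewall firewall add rule name=ExampleBlockLegacyApp dir=out action=block program=C:\Tools\LegacyApp.exe enable=yes

# 5. Rule merge logic: an explicit block rule is evaluated before an explicit
#    allow rule, so TCP/23 stays closed even though an allow rule exists.
netsh advfirewall firewall add rule name=ExampleAllowTelnet dir=in action=allow protocol=TCP localport=23
netsh advfirewall firewall add rule name=ExampleBlockTelnet dir=in action=block protocol=TCP localport=23

# 6. IPsec-aware firewall rule plus the connection security rule it relies on:
#    only computers authenticated with Kerberos (no pre-shared keys) may reach
#    SMB, and ESP with null encryption (integrity only) stays NAT-friendly.
netsh advfirewall consec add rule name=ExampleRequireAuthInbound endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb qmsecmethods=esp:sha1-none
netsh advfirewall firewall add rule name=ExampleSmbAuthenticatedOnly dir=in action=allow protocol=TCP localport=445 security=authenticate

# 7. Review the result and keep a copy of the policy (restore it with "import").
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=in
netsh advfirewall export "C:\Backup\vista-firewall.wfw"

# Clean-up of the demonstration rules, if required:
# netsh advfirewall firewall delete rule name=ExampleAllowTelnet
# netsh advfirewall consec delete rule name=ExampleRequireAuthInbound
```

The same rules can be assigned to remote computers from the MMC snap-in, but netsh is the form that can be scripted and kept under version control; exporting the policy after each change gives a baseline to diff against when a "security theatre" product or a user quietly changes the configuration.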
Network location awareness (NLA) detects networking changes and assigns each connection a GUID, whereby the network profile service (NPS) creates a profile upon connection and notifies the firewall whenever NLA detects a change. Local administrator privileges are required in order to define that a network is private and the computer defines the category when multiple interfaces are in use based on the logic in the accompanying diagram.
Windows Firewall group policy processing is also enhanced. Previously, computer policies were applied on operating system boot and user policies at logon, with a periodic refresh. Windows Vista extends this to apply computer and user policies when establishing a VPN connection or when resuming from hibernation/standby. Of course, firewall policies are set at the computer level, although they can be further restricted with per-user settings as previously described.
Windows Vista enhanced IPsec capabilities are integrated with the Windows Firewall, eliminating confusion with overlapping rules and allowing firewall rules to be IPsec-aware. IPsec configuration has been simplified in Windows Vista but it is still a complex subject, worthy of a separate post; however there are a couple of points worth noting:
Authentication Header (AH) traffic is not compatible with network address translation (NAT) as it cannot be routed through it – an alternative is to use Encapsulating Security Payload (ESP) with null (0-bit) encryption, which effectively provides the same function.
Shared secrets are stored as plain text in the registry so should not be used in production scenarios – certificates or Kerberos should be used instead for authentication.
In summary, Microsoft has made significant improvements to the Windows Firewall in Vista and anyone who is not using a third party product (and I would question the need for the use of third party firewalls in Vista) should turn it on right away, otherwise they are asking for trouble.
Of course, it also runs Windows Mobile and lacks the Apple wow factor but I can live without an iPhone. For those who just don’t fancy the idea of running Windows on their phone – there is the Symbian-based Nokia N95, which includes a 5MP camera on its spec sheet.
A few weeks back, I wrote about creating a media PC using Windows Vista and an Apple Mac Mini. Unfortunately, it’s going to take me a while to save up and replace the Mac as my primary home computer and so it’s not quite ready to start life as a living room PC. Also, rebooting to switch between Windows Vista and Mac OS X very quickly became tiresome, so I decided to see if I could use the highly-regarded SWsoft Parallels Desktop for Mac to run Windows Media Center from my Boot Camp partition as a virtual machine under OS X.
After downloading a trial version of Parallels Desktop, I attempted to load my Boot Camp partition within the virtual environment; however it refused to play ball:
Unable to open disk image Boot Camp
I tried the fix which seems to be advocated by many on the support forums – i.e. appending the identifier for my Boot Camp partition to the appropriate line in the virtual machine configuration file (e.g. Disk 0:0 image = Boot Camp;disk0s3) but that just changed the error message to:
Unable to open disk image Boot Camp;disk0s3
Looking on the parallels website, it seems that running Vista under Parallels Desktop from a Boot Camp partition is not yet supported:
Can I create a Parallels virtual machine with a Windows Vista operating system from a Boot Camp partition?
Parallels is currently compatible with Boot Camp partitions running Windows XP. Development is underway to support Vista partitions. However, you can run your licensed version of Windows Vista in Coherence mode, which enables you to run your guest operating system without having to manage two desktops.
More worryingly, I was experiencing many spinning beachballs of death, resulting in force quitting Parallels and an unstable system, so I guess I’ll write that functionality off until the next version is released.
Changing tack, I decided to ignore the Boot Camp image and re-install Windows Vista inside a virtual machine. This is where Parallels Desktop redeemed itself, with near-native performance, no sign of any instability, and operating in a similar manner to the Microsoft and VMware virtualisation products with which I am more familiar (i.e. install the guest operating system, then install a tools package to provide improved device support). In addition to the various unsigned drivers (tut tut), there was one slightly-worrying feature – the Realtek 8029 network card that Parallels emulates is not supported under Vista, which could lead to issues later – even so, I very quickly had a Vista desktop running on the Mac; albeit with the standard graphics (i.e. no 3D effects). This is when I began to look at the killer feature in Parallels Desktop for Mac – coherence mode, whereby the Windows applications appear to be running natively on the OS X desktop:
Coherence is amazing – it really does have to be seen to be believed (Windows applications even appear when cycling between applications in OS X using command+tab). In fact, the whole application seems to be well-executed, with a widget-style 3D flip between configuration and the running virtual machine and all the features that would be expected of a desktop virtualisation product today as well as tools for P2V conversion (Parallels Transporter) and for manipulating disk images (Parallels Image Tool).
Another useful feature is the approach to sharing files – Parallels can provide Windows with access to my Mac OS X home folder (or any other folders that I define), alternatively I can simply copy files from Mac OS X to the Windows desktop. For anyone who is worried about the security implications of this, Parallels Desktop for Mac also includes Kaspersky Internet Security 6.0 (although to install this, I needed to specify that I wanted to run kisstart.exe as administrator).
Parallels Desktop has a simple approach to USB device management – simply select the devices which will be made visible to the guest virtual machine from the device menu. I enabled the TV tuner and remote receiver that I’d bought for Windows Media Center and installed the drivers, then set up Windows Media Center to receive live TV and… nothing except an error message to say:
Files needed to display video are not installed or not working correctly. Please restart Windows Media Center or restart the computer.
It turns out that Windows Vista Media Center requires 64MB of onboard graphics memory and the Parallels video driver will only provide up to 32MB. Without any TV, that was effectively the end of that experiment, but it had been a good chance to have a look at Parallels Desktop for Mac.
So, what about the alternatives? When I looked at the VMware Fusion beta, it was more like VMware Workstation for Mac and lacked anything as impressive as coherence. My main reason for installing Fusion was to have virtual machine portability between platforms and that didn’t work out for me, resulting in disk driver issues and blue screens of death – I ran out of time for resolving these problems but it should be noted that Fusion is still a beta product (I haven’t tried the latest version). Parallels Desktop could be the way forward for me to run Windows applications on the Mac but I think I’ll be holding back until there is a version which properly supports Boot Camp and Vista. I’ll be watching to see what VMware does with Fusion and how SWsoft reacts – this could be an interesting year for virtualisation on the Mac.
My father-in-law’s PC has gone screwy again. Sometimes it just happens. He doesn’t deliberately make configuration changes, although he did recently buy a new digital camera and the installation CD added a lot of third party software that I would have managed without. I would consider him to be a “normal” Windows user: he uses the PC for Internet (web) access, e-mail, the odd letter, home finances, some family history research and digital photography; he also pays for a McAfee subscription which should keep him safe from some of the badness out there on the ‘net – except that, a couple of nights back, McAfee updated itself and since then something has been “wrong” with the PC.
Actually, I don’t think I’ve ever seen a PC with a networking stack that was so badly “wrong”. Not having been there when the McAfee update took place, I don’t know what messages it displayed but from looking at the event log after a very slow boot, the DHCP client service shut down because “a system call that should never fail has failed”. Then, after a few minutes of waiting, various services failed because of missing dependencies (including, critically for Internet access using his ADSL modem, the Remote Access Connection Manager service). Removing all McAfee software didn’t help. Neither did restoring the IP stack to its default state with netsh int ip reset (see Microsoft knowledge base article 299357).
It was one of his friends that suggested the answer – what about System Restore? I’d never previously used this feature in Windows XP but it was a godsend. I restored the system to the state it had been in before the McAfee update and rebooted (see Microsoft knowledge base article 306084). The boot up sequence was back to normal, the Internet connection was working again and all I needed to do was remove and reinstall the McAfee software. Which meant that I did get to spend at least part of my Sunday afternoon in the park with my wife and kids. Result.
It’s Saturday afternoon, the sun is shining, and I’m in my den, blogging. Which makes me a bit of a saddo.
Actually, I’m just posting items that I wrote in my hotel a couple of nights back… and I’ll soon get back to doing something more wholesome with my weekend. You see, normally I like to stay at Hilton hotels because:
The staff deliver great customer service (something that is increasingly rare to find in the UK).
I can get a reliable high-speed Internet connection in my room.
Sure, the iBahn Internet connection is pretty expensive (£15 for 24 hours) but if I’m working late into the evening for nothing more than the price of a broadband connection, then I figure that the company is getting value for money. In fact, it’s not unusual for me to work at the hotel the next morning too, because the connection is faster than the one I use at work!
Unfortunately, last Thursday night, the Internet connection in my room wasn’t working, so I tried the BT Openzone hotspot instead. After repeatedly trying to connect, I eventually got a connection but lost it before I even had the chance to pay. Eventually, I gave up, figuring that there must be something up with my Wi-Fi stack. Later, I googled “BT Openzone Linux” and found that:
“Some hotspots may not support Linux-based Intel Centrino mobile technology systems”
Windows Vista makes a number of changes to the implementation and management of group policy objects (GPOs) and, as group policy is something that I haven’t worked with for a while, I figured it was time to take another look. A week or so back, I spent the morning at Microsoft, where Steve Lamb presented a session on using Group Policy in Windows Vista to control user behaviour and network security.
Policy has existed in various versions of Windows for a long time but group policy was introduced in Windows 2000 (enforced by Active Directory) and many group policy settings are also available as local computer policies (used when a machine is not authenticated by an Active Directory domain controller). Each new version of Windows brings more control over what can be managed using policies and Windows Vista is no exception, with a significant increase in the available options (Microsoft quotes various figures but they all indicate at least 2000 new settings). The new areas covered include removable device management, power management and user access control. There are also new management tools: the group policy management console (GPMC) is now included with Windows (previously, it was a separate download) and the group policy editor (gpedit.exe) now supports filtering of administrative template policy settings via a context-sensitive option on the view menu to show, for example, only those settings that apply to at least Windows XP Professional with SP2.
Windows Vista also makes improvements to policy control around network awareness, detecting changes in network conditions (e.g. connecting to a new network) and enforcing new policy settings accordingly. There are also improvements to the application of policy (with fewer requirements for synchronous application of policy).
It’s important to note the difference between a policy – stored in a subfolder (machine or user) on the domain controller under %systemroot%\sysvol\sysvol\domainname\policies\guid\ – and policy definition files – stored at the same location but simply defining the available settings.
Although Windows Vista will still act on legacy (.adm) policy definition files, policy definitions created under Windows Vista use a new XML-based file format with an .admx extension. Furthermore, Windows Vista group policy uses separate .adml files to provide the language-specific textual components of each policy.
When editing policy on a Windows Vista computer, the policy definition files are stored at %systemroot%\policydefinitions\ with one .admx file for each area of control and associated .adml files in each language subfolder (e.g. en-us).
These can be copied to the central store (really just a grand name for the policies folder that is replicated as part of sysvol) in order to make them available for administration from multiple locations. Central store copies of policy definitions will then take precedence over local copies (but legacy clients will be unaffected by the new settings).
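As an added illustration of the central store step above (my own script, not something from the original post or from Microsoft), the following PowerShell copies the local policy definitions into SYSVOL and checks that each template has language strings. The domain name is a placeholder, the UNC path to SYSVOL is the standard one, and the script assumes Windows PowerShell 2.0 or later run by an account that can write to SYSVOL.

```powershell
# Added example (not from the original post): copying the Windows Vista policy
# definition files into the group policy central store. The domain name is a
# placeholder; the script assumes Windows PowerShell 2.0 or later and an account
# that can write to SYSVOL (e.g. a domain administrator).

$domain  = 'example.local'                                     # placeholder domain
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'       # local .admx files and language folders
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "No policy definitions found at $source" }

# Create the central store once; SYSVOL replication carries it to the other DCs.
if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }

# Copy the .admx files, then each language subfolder (e.g. en-US) with its .adml files.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force
Get-ChildItem -Path $source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $langDest = Join-Path $central $_.Name
    if (-not (Test-Path $langDest)) { New-Item -ItemType Directory -Path $langDest | Out-Null }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $langDest -Force
}

# Check that every template in the store has display strings for at least one
# language; a template without an .adml shows up in the GPMC with missing text.
$templates = Get-ChildItem -Path $central -Filter *.admx | ForEach-Object { $_.BaseName }
$strings   = Get-ChildItem -Path $central -Recurse -Filter *.adml | ForEach-Object { $_.BaseName } | Sort-Object -Unique
$missing   = $templates | Where-Object { $strings -notcontains $_ }
if ($missing) {
    Write-Warning ('Templates without language files: ' + ($missing -join ', '))
} else {
    Write-Host ('Central store holds {0} templates' -f @($templates).Count)
}
```

Once the folder exists, the Windows Vista GPMC reads templates from the store in preference to the local copies, so this script is also the way to roll out an updated or newly migrated .admx file to every administrator at once.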
Although legacy clients will simply ignore policy settings that they do not understand, Microsoft recommends that once Windows Vista policies are implemented, then no further policy edits should be made from pre-Vista computers. The reasoning for this is that even opening the policy definition on a pre-Vista computer will cause the legacy .adm files to be created on the sysvol and this leads to a phenomenon known as sysvol bloat. By using only Windows Vista clients for group policy management, this bloat can be avoided. It’s also worth noting that GPO reporting should be performed within the Windows Vista version of the GPMC (rather than using the resultant set of policy MMC snap-in) and that new policy backups should be taken using the Windows Vista GPMC to avoid issues when restoring policy backups taken from GPMC running on Windows XP/Server 2003. Further details for managing group policy administrative template (.adm) files can be found in Microsoft knowledge base article 816662.
For bringing forward settings from legacy (.adm) policy templates, Microsoft has licensed the ADMX Migrator utility (from Full Armor).
Another new feature with Windows Vista group policy is the ability to define multiple local policies (administrator, non-administrator and per-user) and even to disable local policy altogether on domain-joined computers. Whilst the local computer policy remains (and is created by default), further local policies may be created using the group policy editor. This is useful for computers over which some control is required but which fall outside the scope of management for Active Directory (e.g. kiosks or computers deployed in a DMZ).
Troubleshooting group policy is aided with Windows Vista’s improved event logging (with more useful events and links to support information on the Internet) as well as the ability to view events in friendly (human-readable) format or XML (for analysis/processing). The new event viewer also supports the ability to create subscriptions. Actions can also be associated with events (e.g. send an e-mail, or execute a script).
Filters can be used to view just group policy events and by drilling down into the appropriate logfile, an activity ID can be extracted from a failure event to further filter events, or to view with the group policy log view (gplogview.exe) – another free download from Microsoft. This allows for step-by-step group policy processing to identify the failure point and any error codes, after which changes can be made and gpupdate.exe used to apply the new settings for re-analysis.
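The activity ID approach above can be scripted rather than clicked through in Event Viewer. The following is an added example (not from the original post or from Microsoft): it finds the latest group policy error or warning, pulls every event sharing its activity ID and prints the processing cycle in order. It assumes Windows PowerShell 2.0 or later; nothing in it is specific to a particular domain.

```powershell
# Added example (not from the original post): extracting one group policy
# processing cycle from the Windows Vista event log by activity ID. Assumes
# Windows PowerShell 2.0 or later.

$log = 'Microsoft-Windows-GroupPolicy/Operational'

# 1. Find the most recent group policy error or warning (levels 2 and 3).
$failure = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $failure) { Write-Host 'No group policy errors or warnings logged.'; return }

# 2. Every event of the same processing cycle carries the failure's activity ID,
#    so that ID is the filter that isolates the cycle from everything else.
$activityId = $failure.ActivityId
$cycle = Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
    Where-Object { $_.ActivityId -eq $activityId } |
    Sort-Object TimeCreated

# 3. Show the cycle step by step; the first warning or error marks the failure
#    point and its message carries the error code to look up.
Write-Host ('Activity {0}: {1} events' -f $activityId, @($cycle).Count)
$cycle | ForEach-Object {
    $firstLine = ($_.Message -split "`r?`n")[0]
    '{0:HH:mm:ss.fff} {1,-11} {2,5} {3}' -f $_.TimeCreated, $_.LevelDisplayName, $_.Id, $firstLine
}

# 4. After correcting the cause, re-apply policy and run this script again:
#    gpupdate /force
```

Running this before and after gpupdate.exe gives a compact record of the failing cycle and the fixed one, which is easier to paste into a support case than screenshots of the event viewer.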