A few days back, I wrote a post looking forward to Windows Server 2008
It turns out that Microsoft also has published a Windows Server 2008 Technical Overview white paper that may be worth a read.
If you’re anything like me, then you have hundreds of security credentials to use at many websites. Best practice dictates that you should use a different password at each one but sometimes that’s just not practical – and, unless you write it down, sometimes you just forget what the password is.
I’m not sure how Windows and Linux applications store passwords, etc. (I suspect they use a variety of methods) but Mac applications tend to use the Mac OS X keychain feature – the equivalent of writing down all your passwords and storing them in one (secured) database.
If credentials are stored in the keychain, you don’t normally need to use them again as the application (e.g. a web browser) reads the keychain as required but users can come unstuck if they need those credentials to log in from a different computer. Luckily, it is possible to find out what the password is for a particular application or website (as stored in the keychain). Simply open the Keychain Access utility, open the appropriate item, select the show password checkbox, supply the keychain password when prompted and click the allow once button – at this point the password should become visible in clear text.
I have a number of web services running at home, some of which are SSL secured; however, they are only used by me (and a few select friends and colleagues) so, in theory, I could generate certificates by creating my own public key infrastructure (PKI) and add my certificate authority (CA) to the Trusted Root Certificate Authorities store. The trouble is that I’m lazy, and a CA is just another infrastructure service to run (it really is a bit geeky to have as many computers as I do), so I use a public certificate instead.
Because I don’t require the highest levels of validation, I don’t need an expensive certificate from a class 1 CA like Verisign so last year I used a free certificate from Ascertia. No matter how hard I tried, I couldn’t complete the certification path or get clients to trust the Ascertia root certificate, but last night, Scotty McLeod mentioned low-cost certificates from and, crucially, Go Daddy is one of the trusted CAs in most web browsers (certainly recent versions of Internet Explorer, Firefox and Safari).
Of course, there are other (more expensive) options available from Go Daddy and other CAs for longer certificate life, multiple top level domains, domain wildcards or higher levels of validation (hence trust) etc. but for $19.99, I bought a 12 month SSL certificate that will work with both servername.markwilson.co.uk and www.servername.markwilson.co.uk.
I recently read Craig Spiezle and Alexander Nikolayev’s TechNet Magazine article about the SenderID Framework (SIDF) – one of the available schemes to validate mail servers in the fight to reduce unsolicited commercial e-mail (UCE), more commonly known as spam.
SIDF is similar to the Sender Policy Framework (SPF) in that it uses specially-formatted TXT records in DNS (called SPF records) to detail the mail exchange (MX) servers that SMTP e-mail may originate from for a given domain, and any other domain names that may be used.
I’d decided some time ago to implement an SPF record for my domains but my hosting service provider at the time did not support the use of TXT records. Since I moved to ascomi a few months back that’s not been an issue and last night I finally requested that the changes were made.
There are a variety of tools online to help create SPF records, but the first problem I had was the need to decide whether to use OpenSPF, SenderID, or an alternative (such as Domain Keys). In the end, I decided to go with SenderID – largely because the Microsoft SenderID website helped me create an SPF record which supported the both SenderID Mail From method (identical to the SPF method) and the SenderID Purportedly Responsible Address (PRA) header method. Finally, to validate that my record was correct, I sent an e-mail to check-auth@verifier.port25.com and used the Email Service Provider Coalition verification tools – Microsoft also publishes a short implementation guide for SIDF which is worth a read.
The differences between SPF formats are discussed on the OpenSPF site too (and OpenSPF also has tools to help create the necessary records) but the OpenSPF guys seem to be more interested in saying why SenderID violates the standards and shouldn’t really be called SPF (I call that the “not invented here” syndrome) than in actually helping people work out how to stop spam.
It’s also worth pointing out that my SPF record will not directly affect the volume of spam that I receive; it will, however, help others who perform SPF lookups to determine if mail that appears to come from one of my domains really originated from a server which I authorised. Even then, they may elect to retain the message, or they may drop it – that’s no different to today but as more and more SPF records are published, the volume of spam on the Internet should drop considerably as all messages are effectively authenticated as having passed through an authorised MX for the stated domain name.
I spent this evening at Microsoft UK, attending the inaugural Windows Server UK user group meeting. There weren’t many of us there but there was a lot of information passed around as Scotty McLeod from Perot Systems and Austin Osuide from EDS gave presentations on Windows Server 2008, Read Only Domain Controllers and Terminal Services Gateway Servers.
Based on his ability to retain technical information, it strikes me that Scotty has a brain the size of a planet and Austin quite simply oozes enthusiam (he knows his stuff too!). I intend to blog some more about the topics that were covered; however I did want to mention Austin’s technique for ensuring that his demo could complete, regardless of anything going wrong (although there wasn’t much he could do about the Microsoft Campus security closedown at 10pm). When preparing his demo, with a number of virtual machines running on VMware Workstation, Austin had also taken snapshots at key points so that he could revert to a basic system and walk through the process, or jump to any point in the demo with a partially or fully completed configuration.
Some people pray to the demo gods but it seems to me that this technical approach may be more reliable!
This evening, I’m planning to be at the inaugural Windows Server UK user group meeting, prompting me to write up my notes from the Windows Server 2008 Technical Overview event held at Microsoft UK last month. Presented by Andy Malone from Quality Training, I’ve already given my (negative, but hopefully constructive) feedback to Microsoft on this event (so I won’t dwell here on why I thought it was so bad – although the presenter seems to think that it went rather well…) but I did at least manage to glean some information about the latest Windows Server release – what follows picks out some of the highlights.
Formerly codenamed Longhorn Server, Windows Server 2008 shares a common code base with Windows Vista and, not surprisingly, Microsoft is touting it as the most secure and highest quality version of Windows ever produced.
The first change is the setup; with three distinct phases of:
Whilst looking at deployment, it’s worth mentioning that remote installation services (RIS) has been replaced by Windows Deployment Services (actually, this is also available with Windows Server 2003 SP2) which, unlike ADS, supports client and server operating systems as well as multicast deployment.
Windows Server 2008 also pulls much of the administration into one console – Server Manager (which made me smile, casting my mind back to the old Windows NT Server Manager console). There are some new component concepts to get around – components are now known as roles and features but more significant is Windows Server Core, an installation option consisting of a subset of executable files and libraries, providing a small footprint for a much reduced attack surface. Offering a number of server roles, Server Core provides core functionality in either a standalone (e.g. headless) scenario or as part of a larger Windows Server infrastructure. There are no GUI tools for Server Core – management is via command line tools (local and remote), terminal services (remote) or Microsoft Management Console (MMC) snap-ins (remote). Server core is an installation-time choice (there is no option to convert to a standard installation later) and Server Core will not support application installations (such as SQL Server, Exchange Server, etc.) but I can see it being very useful for running core infrastructure (AD, DNS, DHCP, etc.) servers in a secure fashion.
Other security features (some of which are already present in Windows Vista) include support for the trusted platform module, BitLocker drive encryption, a redesigned TCP/IP stack with native support for IPv6 (alongside IPv4), the updated Windows firewall, new Group Policy settings and Windows Service hardening whereby services run in their own address space and a number of layers are used to separate the kernel, service, administration, user and low-rights program layers. Windows Server 2008 will also (finally) see Microsoft introduce network access protection (NAP).
Some network features are being removed from Windows Server: the file replication service (FRS) is replaced by remote differential compression (RDC); bandwidth allocation protocol (BAP) is out, as is X.25 support, serial line interface protocol (SLIP) support, and services for Macintosh (SFM); there are also a number of changes to routing and remote access with the removal of open shortest path first (OSPF), the basic firewall and static IP filter APIs.
Terminal Services gains new functionality too – including a version 6 of the remote desktop protocol (RDP) and:
At least in the beta product, Active Directory sees a number of name changes – some of which make sense and others which seem be be inteded just to cause confusion:
| Old name | New name |
|---|---|
| Active Directory | Active Directory Domain Services |
| Active Directory Application Mode (ADAM) | Active Directory Lightweight Directory |
| Windows Rights Management | Active Directory Rights Management |
| Windows Certificate Services | Active Directory Certificate Services |
| Identity Integration Feature Pack | Active Directory Metadirectory |
(I fully expect at least some of these to change again before product release!)
There are some Active Directory goodies too:
dcpromo.exe now supports Server Core (i.e. it will run in command line mode), uses the logged on credentials for promotion and allows the seed method to be chosen (e.g. populate from a specific server offering Active Directory domain services), enables site selection (with automatic detection), provides automatic DNS configuration (for resolvers and delegation), and allows role selection for DNS (on by default), global catalog (on by default) and read-only domain controllers.ntdsutil.exe with the server online, just stopping and restarting Active Directory services).Of course, Internet Information Services (IIS) gets an overhaul and the new IIS version 7 features a much-improved (MMC v3) administrative interface (as well as application and architectural enhancements). Windows Server 2008 also gains improved Unix interoperability features with authentication integration, Unix scripting and application migration tools, support for both 32 and 64-bit applications and extensions to the AD schema to support UNIX-related attributes (using LDAP as a NIS service – see RFC 2307). Clustering is also improved with a new MMC v3 management interface, enhanced infrastructure (e.g. support for graphically dispersed clusters and for GUID partition table disks in cluster storage) and improved security.
Before I wrap up, I’ll mention that there is a lot of misinformation circulating around Windows Server Virtualization (WSV). WSV is not part of Windows Server 2008 but it has been announced that it will ship as a separate product within 180 days of Windows Server 2008. Some features were recently cut from the initial release (Microsoft prefers to use the term postponed) and may make it into a future service pack or other update.
As one might guess from the name Windows Server 2008, the product looks set to be released late in 2007. Looking further out at the Windows Server roadmap, we can expect a 64-bit only “release 2” in late 2009 and the next major release in 2011. It looks to me as if there’s a lot of good features in Windows Server 2008 – watch this space to learn more just as fast as I do!
Microsoft’s James O’Neill has been on a crusade for a while now, trying to educate the world (well, the UK at least), that numbers written in the format +44 (0) 1234 567890 are wrong and that the E.164 format should be used instead. Of course, James is right (he explains more in a recent blog post and Ewan Dalton illustrates the issue a little more clearly in his post on the subject) but so many numbers are written incorrectly – it’s not uncommon to see 0207 xxx xxxx (the area code is 020 and the 7 is part of the local number) – and advertising only national rate numbers (as Microsoft does on it’s UK contact page) is not good practice either (another campaign related to phone numbers is Say No to 0870).
What I found particularly interesting is James’ explanation of making a phone number appear as a link in the form of tel:+44-1234-567890 so that those with a supported dialler (like Microsoft Office Communicator) can click to dial (for further information, see RFC 3966). I’ve updated my e-mail signature now (even if it does break the corporate rules for signature formatting)… unfortunately Outlook 2003 keeps on removing the link!
Just before I went on holiday, I rebuilt my company-supplied notebook PC to run Windows Vista (running Linux doesn’t look too good when you work in the Microsoft Practice of a major IT company). At the time, I didn’t have any volume license media and whilst I knew that all of the retail editions were contained in a single image on the retail DVD, that doesn’t include Windows Vista Enterprise Edition. Nevertheless, I installed Windows Vista Business Edition, choosing not to supply a product key (Vista allows 30 days before activation is required). Since then, a colleague has sent me the correct media and license keys, so tonight I was ready to rebuild on Windows Vista Enterprise Edition.
I say rebuild because I didn’t expect an in-place upgrade to work but it did – “upgrading” my Windows Vista installation to a new edition was as simple as dropping in the CD and running the installer. It seemed to take a lot longer than a fresh install (understandably) but I still have my user accounts, profile and data from prior to the upgrade. So, just to confirm, it is possible to upgrade from a retail to a volume license (enterprise) edition of Windows Vista.
I’ve just got back from a couple of weeks holiday – a rare opportunity to spend some quality time with my wife and sons. Over that time, blogging has taken a back seat – although I had taken my laptop with me it was on the basis that it was somewhere to back up the digital photos and anything remotely work-related was strictly banned… but I’m an Internet junkie and I just had to get online.
Turning on the laptop revealed weak signals from a number of free wifi providers in the area with names like “Netgear”, “Linksys” and “D-Link”. Of course, these were unsecured access points using default configurations but more worrying were the wireless networks that Windows Vista classed as security-enabled, named “BTHomeHub-xxxx“.
The BT Home Hub is a popular ADSL router in the UK and, although I’ve never used one, judging by what I saw WEP appears to be the default configuration (I certainly didn’t find any evidence of anybody using anything else) – BT Home Hub users should be made aware that wired equivalent privacy (WEP) is by no means secure and can be cracked very quickly, as Michael Ossmann details in his WEP dead again articles part 1 and part 2 and as Steve Gibson explained in episode 89 of the Security Now podcast (transcript).
I should stress that I did not use any of the methods that Mike or Steve describe to hack into anybody’s network but I was tempted. Next time I may even give it a try… all in the name of security research of course.