Aidan Finn - Blog


    2/26/2008

    PubForum 2008

    I will not only be attending PubForum 2008 but I will be speaking at it.  The event is being held in Dublin from May 9th until the 11th in the Camden Court Hotel in Lower Camden Street, Dublin 2.

    PubForum is run by Alex Yushchenko, a Terminal Services MVP and virtualisation pro.  The idea is to educate about server-based computing (AKA thin client) and virtualisation.  As the name suggests, there is also some beer consumed.  The types of people present include the biggest names in this market in Europe.  I was at a previous event in Brussels in 2006 as a delegate and it was a real eye-opener on how big and complex this market is ... I just thought there was Microsoft, Citrix and VMware.  Damn, I was wrong!  It was also a lot of fun ... I barely remember me and a colleague spending endless hours with a bunch of crazy Swedes and Norwegians in the hotel bar every night.

    My presentation is called "Adventures In Blade/SAN/Virtualisation and My 'Ideal' Design" .. basically what I've learned while doing this sort of thing in the past, what I'm also doing right now and what I'd do with unlimited budget.  It's bound to be an hour of ... open debate :)

    Novell Buys Platespin

    Platespin is well known in the virtualisation market for providing solutions for identifying candidates for virtualisation, converting physical to virtual (P2V) and for maintaining P2V replication on a live basis, e.g. for virtual DR.  It's just been announced that Novell has purchased this Canadian company.  Novell says that service should continue as before.

    Credit: Dennis Olidis

    2/22/2008

    Disk Encryption Cracked?

    Recent headlines in Ireland made more people aware of disk encryption.  A laptop containing personal information of 170,000 Irish blood donors was stolen in New York.  The laptop was being used to transport data as part of an application upgrade process.  Normally, security experts would have been screaming ... we remember the information loss in the UK with a third of the population's personal information going missing on insecure CD's or DVD's.  But in this case, the Blood Transfusion Service knew what they were doing.  They'd encrypted the disk so that data was effectively secure.  Or so we all thought!

    A team at Princeton University has reportedly found a way to defeat disk encryption in practice.  I'm not talking just about SafeBoot or Windows BitLocker ... I'm talking about software disk encryption in general!  They don't break the ciphers; they recover the keys from the machine's memory.

    For disk encryption to work, the operating system must be able to read the disk, so it keeps the decryption keys in RAM for as long as the volume is mounted.  Contrary to what we were taught in basic computer science, RAM does not instantly lose its contents when you turn off the power.  It takes a little while for the contents to fade, and much longer if the memory modules are chilled, for example with an upside-down can of compressed air.  Once the attacker has physical access to a running (or sleeping, or screen-locked) machine, whether by breaking into an insecure branch office "computer room" or stealing a laptop in an airport or cafe, they cut the power, boot it straight away from a special tiny operating system that disturbs as little RAM as possible, and dump the memory.  They then scan that dump for the patterns a key leaves behind: the expanded key schedule that AES and DES implementations keep alongside the key, or the structure of an RSA private key.  That gives them the key needed to read the target's disks, and the information that was considered virtually impregnable is theirs within minutes.  Two caveats are worth noting.  A machine that has been properly shut down for a few minutes has nothing left in RAM to recover, so this is an attack on running or suspended machines, not on a laptop that was switched off before it was taken.  The exception is BitLocker in TPM-only mode: with no PIN or startup key required at boot, the key is loaded into RAM automatically every time the machine starts, so even a server found powered off can simply be booted, reset and scraped.
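    Here, as an added illustration rather than anything from the original post or from the Princeton team's own tools, is a Python sketch of that key-finding step for AES-128.  It treats every 16-byte window of a memory image as a candidate key, expands it into an AES key schedule and keeps the windows whose expansion matches the 160 bytes that follow, tolerating a handful of flipped bits to allow for memory decay.  The memory image is constructed inside the script (random filler with one key schedule planted in it, using the FIPS-197 test key); the 4 KB size, the offset and the error tolerance are arbitrary choices for the demo.

```python
"""Scan a memory image for AES-128 key schedules (the cold-boot key-finding idea).

AES expands a 16-byte key into a 176-byte key schedule and keeps the whole
schedule in RAM while a volume is mounted.  The schedule is derived from the
key deterministically, so every 16-byte window of a memory image can be
treated as a candidate key: expand it and check whether the next 160 bytes
match.  A real key survives the check; random data does not.  Counting bit
mismatches instead of demanding exact equality tolerates the bit decay that
sets in as the DRAM loses power.
"""
import random


def _rotl8(x, s):
    """Rotate an 8-bit value left by s bits."""
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        # p * q == 1 in the field here, so q is the inverse of p.
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; defined separately
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys x 16 bytes for AES-128


def aes128_key_schedule(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    words = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = words[i - 1]
        if i % 4 == 0:
            rot = temp[1:] + temp[:1]            # RotWord
            sub = [SBOX[b] for b in rot]         # SubWord
            sub[0] ^= RCON[i // 4 - 1]           # Rcon
            temp = bytes(sub)
        words.append(bytes(a ^ b for a, b in zip(words[i - 4], temp)))
    return b"".join(words)


def _bit_errors(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def find_aes128_keys(image, max_bit_errors=0):
    """Return (offset, key, bit_errors) for every window whose expansion
    matches the following bytes within max_bit_errors flipped bits."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        candidate = image[off:off + 16]
        schedule = aes128_key_schedule(candidate)
        # Cheap first-round check prunes almost every offset before the full compare.
        if _bit_errors(schedule[16:32], image[off + 16:off + 32]) > max_bit_errors:
            continue
        errors = _bit_errors(schedule[16:], image[off + 16:off + SCHEDULE_LEN])
        if errors <= max_bit_errors:
            hits.append((off, bytes(candidate), errors))
    return hits


def build_sample_image(key, offset, flips, seed=7):
    """Constructed test image (not a real dump): 4 KB of random filler with a
    key schedule planted at `offset`, then `flips` bits flipped in the
    schedule's round keys to mimic DRAM decay."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    sched = bytearray(aes128_key_schedule(key))
    for _ in range(flips):
        pos = rng.randrange(16, SCHEDULE_LEN)
        sched[pos] ^= 1 << rng.randrange(8)
    image[offset:offset + SCHEDULE_LEN] = sched
    return bytes(image)


if __name__ == "__main__":
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test vector
    img = build_sample_image(fips_key, 1000, flips=3)
    print("exact match   :", find_aes128_keys(img, 0))
    print("decay-tolerant:", find_aes128_keys(img, 8))
```

    Run as-is, the exact search finds nothing in the decayed image while the tolerant search recovers the key at the planted offset; the published attack applies the same idea to AES-256 (a 240-byte schedule) and to RSA, with proper error correction and a native implementation, because a real dump is gigabytes rather than 4 KB.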

    What does this mean?  We have to go back to treating physical security as a primary control for data security.  Information on PDA's, laptops and even servers in insecure branch offices is once again vulnerable to dedicated attackers.  Ordinary criminal theft is less of a concern, because the vulnerability requires the attack on the RAM to start within moments of the machine being taken.  It is a real concern wherever we face attackers who have a specific target in mind before they start.

    Let's consider two scenarios.  A company gives laptops to directors with a 3rd party disk encryption solution that uses 256-bit AES.  A director sits in a cafe drinking coffee and reading mail.  An attacker paid by a rival company or an intelligence agency (we know certain European countries do this on behalf of native firms, mais oui!) walks in, grabs the laptop and runs out.  A van is waiting outside with a couple of engineers who proceed with the attack.  The data on the laptop is compromised: the director's inbox, replicated files and so on are all there.  And as we know, directors have access to the most sensitive data.

    Here's a worse scenario.  We've been told not to place Active Directory domain controllers in branch offices where we cannot physically secure them.  The reason is that a domain controller holds a replica of every user's username and password hash.  If the server is stolen then the entire forest is compromised and must be flattened and rebuilt.  Microsoft's answer was the Windows Server 2008 Read-Only Domain Controller (RODC) with BitLocker disk encryption.  This does two things.  Disk encryption secures the contents of the disk (or so we thought).  The RODC only caches the password hashes of the accounts its Password Replication Policy allows, typically the users and computers in that branch office.  That means that once the RODC is lost, an administrator can reset just those accounts.  It didn't have to be done immediately, because we believed the disk encryption would slow down even the NSA for long enough.  Here's the new scenario.  An attacker breaks into the branch office on a Friday night.  He powers down the RODC and proceeds with the attack with the server in situ.  He takes a copy of the cached credentials from the RODC and puts them on his laptop.  He leaves before the weekend is over and nothing is suspected.  With the usernames and password hashes he now has, the attacker can move on to the rest of the target network with ease.

    The solution remains as clear as it always has been.  Physical security remains the key to ultimate security.  I'm not saying we should abandon encryption.  It still plays a part in ordinary theft and loss and, let's face it, the documented attack requires a dedicated attacker who can get to work within moments of the machine losing power.  It's funny how something as simple as a can of compressed air can be used to defeat something as complex as disk encryption.  I bet MacGyver would be proud!

    Credit: Anthony Garmont.

    2/19/2008

    What's Up?

    Things have been pretty hectic as of late.  I've started a job where I'm designing a server outsourcing/hosting solution from scratch.  As you can imagine, that's pretty time consuming, especially since I want to do it right.  I've also got another project that I was doing during business hours before this job but I'm now doing at night and at the weekends.  It's pretty important too, because I must get that one right as well.  More details on that will follow.

    Oh - my heart is growing blacker and blacker as the minutes pass.  I just passed two MS partnership assessments:

    • Small Business Sales and Marketing
    • Small Business Sales and Marketing Assessment

    I think an angel just died or something ;-)

    2/8/2008

    Configuration Manager 2007 SP1 and R2

    Beta releases of SCCM 2007 Service Pack 1 and the Release 2 version are now available to download from Connect.  The only information I've found on the products is included in the download which I haven't had time to bring down yet.  It's gonna be a couple of months before I get looking at these but SCCM 2007 R2 is of great interest to me.

    The Register Green Computing Debate

    The infamous IT news source, The Register, is hosting an online debate on how the green movement is affecting, and will affect, the IT industry.  You need to register to "attend" this virtual conference.  It will be held on February 27th at 6PM GMT, 1PM EST.  It looks like it'll delve deep into the things I talked about recently.

    WSUS 3.0 SP1 Released

    Microsoft has released WSUS 3.0 SP1.  This package contains all the components you require to install WSUS 3.0 and SP1.  The server component is supported on Windows Server 2003 SP1 and Windows Server 2008.

    WSUS is Microsoft's free patching solution for Microsoft products, not just Windows.

    The improvements are:

    • Support for Windows Server 2008.
    • New client servicing API.
    • Improvements for local publishing: supports publishing of drivers within the enterprise by using vendor-provided catalogs. The API includes support for bundles and prerequisites.
    • All hotfixes: WSUS 3.0 SP1 includes all the changes and hotfixes that have been issued since the release of WSUS 3.0.
    • Support for Microsoft SQL Server 2005: WSUS 3.0 SP1 lets you use SQL Server 2005.

    Microsoft also released a number of documents for you to read:

    2/7/2008

    SQL Server 2008 Brochure

    You can learn a bit more by reading the marketing bumph in MS's brochure about SQL Server 2008.

    Windows Server 2008 Application Support

    Bink posted a very useful link to a Microsoft blog post that lists current and planned support for Microsoft applications on Windows Server 2008.

    What will support Windows Server 2008 at RTM?

    • .NET Framework 2.0 (installed)
    • .NET Framework 3.0 SP1 (part of the Application Server role)
    • .NET Framework 3.5
    • Dynamics CRM 4.0
    • Exchange Server 2007 SP1
    • Forefront Security Server 1.0
    • MOSS SP1 (installation notes for Windows Server 2008)
    • SQL Server 2005 SP2
    • System Center Data Protection Manager 2007
    • System Center Configuration Manager 2007 (formerly SMS)
    • System Center Operations Manager 2007
    • Windows SharePoint Services 3.0 SP1 (installation notes for Windows Server 2008)
    • Visual Studio 2008
    • WSUS 3.0 SP1

    Clearly there are some critical applications which are included in this list, including SQL, Exchange, MOSS and Windows SharePoint Services. We will ship the Hyper-V technology 180 days after RTM.

    What are we planning to support in the first half of 2008?

    • Dynamics AX 2009
    • MOM SP1
    • SCCM 2007SP1
    • System Center Essentials 2007
    • Forefront Client Security SP1

    What are we planning to support in the second half of 2008?

    • Application Virtualization 4.5
    • Commerce Server 2007 SP2
    • HIS 2006 SP1
    • MOM 2005 SP1
    • SQL Server 2008
    • System Center Essentials 2007
    • Windows System Center VMM 2.0
    • Windows Essential Business Server
    • Windows Home Server vNext
    • Windows HPC Server 2008

    So What will not be supported?

    • SMS 2003
    • System Center Reporting Manager
    • Internet Security and Acceleration Server 2006 and earlier

    Credit: Bink.

    Some Information on Entourage 2008

    The EHLO blog (the MS Exchange team) has posted some links to information on new features in Entourage 2008.  Entourage is the Mac alternative to Outlook, used to access an Exchange server.

    <RANT> OK - why the hell are people buying "handbag PC's" if they are using a Microsoft server infrastructure?  Hello!?!?!  Just spend €600 to get a good PC with Windows on it and install Office.  Another €100 gets you a Windows laptop.  They're cheaper to own too.  And this rubbish about Mac OS being more secure and more stable.  Pure and utter RUBBISH! </RANT>

    Anyway, long story short, Entourage 2008 and Mac Office 2008 will give you as much as they can to access a MS server infrastructure.  You will never get the full and integrated experience that Windows and Office 2007 will give you.  It comes down to a dependency on Windows RPC.

    Check out the links if you're unfortunate enough to have those fashionable white PC's on your network and you need to give them more than basic access to your Exchange servers.

    Can you tell that I'm a fan of Macs on an MS network?  :-)

    2/6/2008

    Data Protection Manager 2007 Documentation

    DPM 2007 is Microsoft's second version of their backup suite.  The first version didn't really go down well in the market because it was only good for file servers.  DPM 2007 adds support for system state, Exchange, SQL and SharePoint.  I had a quick play with the beta last summer and I did like how simple it was to configure and roll out.  There isn't native support for non-MS products, so there will be limited acceptance for it in the market.

    Microsoft has released some documentation:

    IANA Introduces IPv6 Name Servers

    ENN is reporting that IANA has added IPv6 addresses for some of the DNS root name servers, so the root can now be reached over IPv6.  You can run, you can hide, but there is no getting away from the fact that IPv6 is coming.  It's a whole new world.

    BTW, the new-generation TCP/IP stack in Windows Vista and Windows Server 2008 has IPv6 as a native, always-on component.  Legacy operating systems such as Windows XP and Windows Server 2003 can have an IPv6 stack installed as an add-on, which won't perform at the same level.

    Is IT Going Green?

    Times are interesting when it comes to power consumption and hardware disposal.  We've got all sorts of "green" concerns.  We've got pressure to reduce our carbon footprints and CO2 emissions.  Even if you're part of the GWB camp and don't believe in CO2-related global warming, you can't argue against the need to conserve resources, e.g. to avoid wastefully trashing hardware which contains precious (yes!) and toxic materials.  And even if you don't care about your environment, I bet you care about your bank account.  It is inevitable that we will see regulations tightening on the consumption of power and the disposal of hardware.  There will be costs for needless wastage.  There are some things we can do to limit our exposure here.

    I've previously mentioned that you can recycle your old hardware.  There are charities that will gladly take your old servers and PC's, even those 8-year-old ones, recondition them and send them off to the farthest reaches of the planet with Ubuntu Linux on them for use in charities and schools.  Some charities will even securely wipe your hard disks for you, but you limit your risk by wiping them yourself with a free tool like DBAN before the disks leave your control.  There are a few advantages to using a recycling solution like this.  You get to give your hardware away and probably take some sort of tax break.  You get to dispose of your hardware for free.  Normal legal disposal actually costs a bit of money these days and that's likely to increase in price per unit.  Finally, you get to feel good about doing something that will benefit someone in need.

    What about operating costs of current infrastructure?  Hosting data centers have already started moving in the direction of a solution.  Companies like IBM are making big claims about the power consumption and heat output of their blade servers.  Think about this.  You get a denser CPU-per-rack-U infrastructure, e.g. the HP c-Class can hold 64 dual-CPU servers (each equivalent to a 2-disk-slot DL360) in a 42U rack.  That's less real estate being used.  OK - it's not all that much less, but it sure is if you fill a row of racks.  Power consumption over a long period is claimed to be reduced, which means a lower hit from any potential carbon emission related charges.  We all know that power is one of the big operating costs right now and that it is only going to get higher.  Heat is a big concern too, because it requires some sort of cooling, which can consume a great deal of power.  If you can reduce your server-related heat then you can reduce that cost.  Once you install an operating system onto your powered-on blades, they do become pretty efficient.  Just don't get confused by standing behind a rack of powered-on blades that don't have an operating system yet.  It can get pretty hot back there, because without an OS there is no power management running and the hardware runs flat out.

    Hardware virtualisation such as VMware Virtual Infrastructure (ESX, etc.) or Windows Server 2008 Hyper-V also brings something to the table.  Think about all of your servers.  How many of them need all of the resources they have?  Your only hardware bottlenecks are typically memory and disk.  CPU is probably rarely above 10% on the majority of servers.  Why not consolidate that resource and save on server real estate?  Virtualise only those servers that are candidates.  Don't be fooled by some consultant into virtualising everything.  I worked on a site where they did and their server performance levels were horrific.  Another thing to consider is that the abstraction of hardware makes your virtualised servers mobile, so hardware failure is less of a concern (VMware VMotion or Windows Server 2008 clustering) and hardware replacement becomes easier.  On the green side, you have less server hardware, so you have fewer green-related charges when disposing of it.  You've also got even denser server-per-rack-U installations, which reduce real estate, power and cooling costs.

    We can take this a step further with Virtual Desktop Infrastructure.  Why have 500 desktops when you can virtualise those onto 16 servers as virtual machines?  You've not only reduced hardware ownership and disposal costs but you've also minimised those green costs too.  Not to mention you've got a simple to manage and deploy infrastructure using solutions such as a VDI broker.

    IT staff of SME's are reading this thinking "how the hell am I going to afford a blade and SAN infrastructure?".  Simple ... outsource!  You don't have to outsource your staff ... just the hosting of your servers.  You save in loads of ways.  Look at the big room hosting your servers right now.  It's consuming lots of space and increasing your rent costs.  You have to buy and maintain cooling and fire suppression systems.  Why not share all those costs, and the cost of a new blade and SAN infrastructure, by outsourcing the hosting of your servers?

    I've probably given you a few things to think about there.  Whether you like it or not, green related costs are going to increase.  Acting now could prevent or minimise those cost impacts on your organisation.

    EDIT:

    I realised there was some more I could talk about on power conservation.  We'll never 100% remove desktops and laptops from the network, and VDI isn't for everyone either.  We have all seen company emails instructing us to turn off our PC's and monitors when we go home in the evening.  Almost no one does it.  If you have Windows Vista deployed then you can use Group Policy to manage the power settings of those machines.  Consider that a desktop should be powered off for 98 hours of the week and you can see how you might save some money by upgrading to Vista!

    Steve Riley TechEd Videos

    Steve Riley has posted links to video recordings of a bunch of his presentations at TechEd conferences.  Steve is a serious security expert.  Don't let his employment by Microsoft prejudice your opinions.  He's pretty open, honest and has well thought out reasoning for all of his points.  Steve is also one of the best speakers I've seen.  He can make a very entertaining presentation out of what is normally a very stuffy subject.  The presentations include:
    • It's 11:00 PM, do you know where your data is?
    • The fortified data center in your future
    • Windows Mobile 6 security in depth
    • Making the tradeoff: be secure or get work done
    • Defending layer 8: how to recognize and combat social engineering
    • Windows Vista firewall and IPsec enhancements

    Check them out!

    More on W2008

    MS have released more reading and watching for you:

    • A reference of the group policy settings found in the admx/adml administrative templates
    • A video demonstration of how to set up a KMS server (volume license activation)

    2/5/2008

    SharePoint Capacity Planning Tool

    More and more people are deciding to use SharePoint (WSS 3.0 and MOSS 2007).  I love it as a sharing and collaboration solution.  I personally love the free template for project planning!  It beats using MS Project any day of the week and saves on licensing too :)

    MS has released a capacity planning tool for WSS 3.0 and MOSS 2007.

    The SharePoint Capacity Planning Tool is a set of free models of Windows SharePoint Services 3.0 (WSS) and Microsoft Office SharePoint Server 2007 (MOSS). The two models use the analysis and simulation features of System Center Capacity Planner 2007 (SCCP) to help you explore suitable IT infrastructure options for your SharePoint deployment, based on the SharePoint usage requirements for your organization that you provide to the tool. It can give you a head start on planning your SharePoint topology by producing a first approximation of the topology your organization needs. Architects, systems integrators, and deployment engineers will find it to be a valuable starting point for further refinements of the topology.

    Feature Bullet Summary

    • Simple installation and setup
    • Built-in knowledge of Microsoft Office SharePoint Server 2007
    • Built-in knowledge of Windows SharePoint Services 3.0
    • Recommended topology in a Graphical User Interface
    • Export topology to Visio and server configuration to Excel
    • Create custom hardware

    The SharePoint Capacity Planning Tool depends on System Center Capacity Planner, which is available as a free download from Microsoft (see Related Resources).

    Windows Automated Installation Kit Is Updated

    WAIK has been updated to support Vista SP1 and Windows Server 2008.  I recently worked with the RC1 release and there were no surprises.  It's nice to see that MS has copped on and left the file extension as an ISO to stop confusion - the previous version was an IMG file.

    You will use WAIK to generate automated or customised installations of Windows Server 2008 or Windows Vista.  The primary tools are ImageX (to work with WIM images), Windows System Image Manager (WSIM, to create XML unattended answer files) and the tools to create customised Windows PE boot images.

    I covered it a little in my WDS whitepaper and Rhonda Layfield did a great job on describing a Vista unattended installation in one of Mark Minasi's newsletters.  You'll also find WAIK is covered in two of the Mastering Windows Server 2008 books ("Essential Technologies" and "Enterprise Technologies").

    2/4/2008

    Windows Server 2008 and Windows Vista SP1 RTM

    As I broke earlier, Windows Server 2008 did in fact RTM today.  Windows Server 2008 Datacenter, Enterprise and Standard (x64) are available from TechNet and I have read of people downloading from MSDN as well.  You'll probably have to wait another month until it is on shelves.

    Also available now are WAIK for all platforms and the MUI for x64.  Languages for all packages at the moment are English, French, German, Japanese and Spanish.  Other platforms and languages are expected over the coming days.  Versions with RTM Hyper-V are not expected for six months.

    Windows Vista SP1 has also been announced as RTM.  Unlike Windows Server 2008, you'll have access to it from March onwards.  The initial public release will be via Windows Update.  It's gonna be a big download so you might want to think about whether you'll download that automatically or not if you have nested WSUS servers across your WAN - you probably shouldn't have automated approvals anyway!

    Windows Server 2008 To RTM Later Today

    Probably because of my involvement with the "Longhorn" Academy and Windows Server User Group Ireland, I was called by one of the MS marketing folks looking for quotes on Windows Server 2008 for a press release - the server OS is being released to manufacturing later today according to her.

    What does that mean?  It means that MS subscription holders with rights to download Windows Server will be able to download it in a few days.  MSDN and TechNet customers will be able to download it in a few weeks.

    The timing is nice because Windows Vista SP1 was strongly rumoured to be going live today too.  The two releases share a code base and go hand-in-hand.