Active Directory Rights Management Services
I recently got my first 2008 training (6416B: Updating your Network Infrastructure and Active Directory Technology Skills to Windows Server 2008), from Arthur Goudswaard, again. A really great Microsoft Trainer. One of the new things in Windows Server 2008 I really like is Active Directory Rights Management Services (AD RMS).
Active Directory Rights Management Services (AD RMS) is a technology that is a form of selective functionality denial used for limiting the uses of documents such as corporate e-mail, Word documents, and web pages. Companies can use this technology to encrypt information stored in such document formats, and through server-based policies, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.
The RM server debuted in Windows Server 2003, with client API libraries made available for Windows XP and Windows 2000 as well. Windows Vista and Windows Server 2008 also support Rights Management Services. In Windows Server 2008, Windows Rights Management Services has been renamed to Active Directory Rights Management Services, reflecting a higher level of integration with Active Directory.
An AD RMS system includes a Windows Server 2008 R2-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows 7 and Windows Vista operating systems. The deployment of an AD RMS system provides the following benefits to an organization:
Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as “confidential – read only” that can be applied directly to the information.
Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.
I think this is a great new improvement in security for organisations working with highly confidential information. Some documents are so sensitive that we all need to do our utmost best to secure them as much as we can. With AD RMS we get steps closer to achieving this.
Below you can view a good Youtube video, about the best practices for deploying AD RMS in an organisation.
PowerShell: Command to gather event logs from multiple computers
I have created a command in PowerShell which can gather the event IDs from multiple servers:
gc computers.txt | %{Get-WinEvent -ComputerName $_ -LogName Security -MaxEvents 100} | Format-List -Property Message, ID, MachineName, UserID | out-File C:\Temp.txt
It reads from the file computers.txt the computers that the script connects to (this can also be the localhost). In this case it gathers the events from the Security event log, but you can also add the Application and System logs there. MaxEvents gathers the 100 latest events from these servers, which you can adjust to a size you like. Format-List then produces a list of each event with the event ID, message, machine name and user ID. There are a lot more properties you can gather, just play with it (as I did, and you will find out soon). The output is then redirected to the file C:\Temp.txt, which contains the latest 100 events; again, you can adjust the location of this file (of course you need permissions to write the file there). If you have any questions, you can post a comment to this blog post, and I will try to answer your question a.s.a.p.
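As an added example (not the one-liner from the post above), the same collection done as a small script: one host at a time with error handling, a filter on a handful of logon and account-management event IDs so the remote host does the filtering, and a CSV report instead of Format-List. It assumes computers.txt sits in the current directory with one host name per line, that the caller may read the remote Security log (Event Log Readers membership and the Remote Event Log Management firewall rule on the targets), and it uses PowerShell 2.0-compatible syntax.

```powershell
# Added example, not the author's command. Assumes computers.txt in the
# current directory (one host per line) and read access to the remote
# Security log on every listed host.

$computers = Get-Content -Path .\computers.txt | Where-Object { $_.Trim() -ne '' }

# Security log event IDs of interest (Vista/2008 and later numbering):
# 4624 successful logon, 4625 failed logon, 4720 user account created,
# 4728 / 4732 member added to a global / local security group.
$eventIds = 4624, 4625, 4720, 4728, 4732

$results = foreach ($computer in $computers) {
    try {
        # FilterHashtable makes the remote host filter by log, ID and time,
        # instead of pulling 100 arbitrary events and discarding most locally.
        Get-WinEvent -ComputerName $computer -MaxEvents 100 -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $eventIds
            StartTime = (Get-Date).AddDays(-1)
        } | ForEach-Object {
            # Flatten each event; Message is cut to its first line so the CSV
            # stays readable. UserId is a SID (or $null) for Security events.
            New-Object -TypeName PSObject -Property @{
                MachineName = $_.MachineName
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                UserId      = if ($_.UserId) { $_.UserId.Value } else { '' }
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
    }
    catch {
        # Unreachable host, access denied, or no matching events (Get-WinEvent
        # raises an error when the filter matches nothing): keep a row for the
        # host so it does not silently vanish from the report.
        New-Object -TypeName PSObject -Property @{
            MachineName = $computer
            TimeCreated = Get-Date
            Id          = 0
            UserId      = ''
            Message     = "COLLECTION ERROR: $($_.Exception.Message)"
        }
    }
}

# Select-Object fixes the column order (hashtable order is not guaranteed in 2.0).
$results |
    Sort-Object TimeCreated -Descending |
    Select-Object MachineName, TimeCreated, Id, UserId, Message |
    Export-Csv -Path .\SecurityEvents.csv -NoTypeInformation

# Quick console summary: failed logons (4625) per host.
$results | Where-Object { $_.Id -eq 4625 } | Group-Object MachineName |
    Select-Object Name, Count | Format-Table -AutoSize
```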
Here, I found also a nice free book about Windows PowerShell. This book is created by Microsoft Technology Advisor Frank Koch. You can find this book here:
Free Windows PowerShell book
Windows Server 2008 R2
This blog post will be about the new Windows Server 2008 R2,especially the new-features of Windows Server 2008 R2.
What is Windows Server 2008 R2? As per Microsoft: Windows Server 2008 R2 will be the next version of the Windows Server operating system from Microsoft. Building on the features and capabilities of the current Windows Server 2008 release version, Windows Server 2008 R2 allows you to create solutions that are easier to plan, deploy, and manage than previous versions of Windows Server. Scheduled for release during Q4 2009.
Microsoft introduced Windows Server 2008 R2 at the 2008 Professional Developers Conference as the server variant of Windows 7. A reviewer guide published by the company describes several areas of improvement, including the inclusion of a number of new virtualization capabilities including Live Migration and Cluster Shared Volumes using Failover Clustering and Hyper-V, reduced power consumption, a new set of management tools, new Active Directory capabilities such as a “recycle bin” for deleted AD objects, new IIS version 7.5 that includes a new FTP server, DNSSEC support, and an increase in the number of supported processing cores from 64 to 256. One of the most notable changes is that 32-bit processors (32-bit Intel/AMD x86 architecture) are no longer supported, leaving users only with AMD64/Intel EM64T and Intel Itanium architecture support in Windows 2008 R2 editions. For the file server role, file classification capability has been added, which lets classification properties be applied to files – either manually or automatically based on location.
Based on the classification properties, tasks can be performed on them – such as built-in ones like copying/moving them to specific locations or custom ones such as running a specific script. A file can have multiple properties.
Why should I upgrade (10 reasons):
#1. Powerful Hardware and Scaling Features
Windows Server 2008 R2 was designed to perform as well or better for the same hardware base as Windows Server 2008. In addition, R2 is the first Windows Server operating system to move solely to a 64-bit architecture.
Windows Server 2008 R2 also has several CPU-specific enhancements. First, this version expands CPU support to enable customers to run with up to 256 logical processors. R2 also supports Second Level Address Translation (SLAT), which enables R2 to take advantage of the Enhanced Page Tables feature found in the latest AMD CPUs as well as the similar Nested Page Tables feature found in Intel’s latest processors. The combination enables R2 servers to run with much improved memory management.
Components of Windows Server 2008 R2 have received hardware boosts as well. Hyper-V in Windows Server 2008 R2 can now access up to 64 logical CPUs on host computers. This capability not only takes advantage of new multicore systems, it also means greater virtual machine consolidation ratios per physical host.
#2. Reduced Power Consumption
Windows Server 2008 introduced a ‘balanced’ power policy, which monitors the utilization level of the processors on the server and dynamically adjusts the processor performance states to limit power to the needs of the workload. Windows Server 2008 R2 enhances this power saving feature by adding more granular abilities to manage and monitor server and server CPU power consumption, as well as extending this ability to the desktop via new power-oriented Group Policy settings.
Active Directory® Domain Services Group Policy in Windows Server 2008 already gave administrators a certain amount of control over power management on client PCs. These capabilities are enhanced in Windows Server 2008 R2 and Windows® 7 to provide even more precise control in more deployment scenarios for even greater potential savings.
#3. Hyper-V™ in Windows Server 2008 R2
Windows Server 2008 R2 also holds the much-anticipated update to Microsoft’s virtualization technology, Hyper-V™. The new Hyper-V™ was designed to augment both existing virtual machine management as well as to address specific IT challenges, especially around server migration.
Hyper-V™ is an enabling technology for one of Windows Server 2008 R2’s marquee features, Live Migration. With Hyper-V version 1.0, Windows Server 2008 was capable of Quick Migration, which could move VMs between physical hosts with only a few seconds of downtime. Still, those few seconds were enough to cause difficulties in certain scenarios, especially those including client connections to VM-hosted servers. With Live Migration, moves between physical targets happen in milliseconds, which means migration operations become invisible to connected users.
Customers employing System Center Virtual Machine Manager for Hyper-V will also enjoy additional management and orchestration scenarios, including a new VM-oriented Performance and Resource Optimization feature and updated support for managing failover clusters.
The new Hyper-V™ also has core performance enhancements, including the previously mentioned ability to take advantage of up to 64 logical processors and to beef up that CPU performance with host support for Second Level Address Translation (SLAT). Finally, VMs can also add and remove storage without requiring a reboot and can boot from VHD as well.
#4. Increased Desktop Management Efficiencies
Much of the interest in virtualization solutions is in the server world. However, equally exciting advances are being made in presentation virtualization, where processing happens on a server optimized for capacity and availability while graphics, keyboard, mouse, and other user I/O functions are handled at the user’s desktop.
Windows Server 2008 R2 contains enhanced Virtual Desktop Integration (VDI) technology, which extends the functionality of Terminal Services to deliver certain business programs to employees’ remote desktops. With VDI, programs that Remote Desktop Services sends to a computer are now available on the Start menu right alongside programs that are locally installed. This approach provides improved desktop virtualization and better application virtualization.
Desktop virtualization will benefit from features including improved personalization management, a near-invisible integration of virtualized desktops and applications in Windows 7, better audio and graphics performance, a seriously cool Web access update and more. VDI provides more efficient use of virtualized resources and better integration with local peripheral hardware as well as powerful new virtual management features.
#5. Easier and More Efficient Server Management
Although increasing the capabilities of your server operating system is always a good thing, the perceived downside has always been additional complexity and workload for day-to-day server managers. Windows Server 2008 R2 specifically addresses this problem with lots of work evident across all of its management-oriented consoles. Features in these tools include:
· Improved data center power consumption and management, as evidenced earlier
· Improved remote administration, including a remotely-installable Server Manager
· Improved identity management features via the updated and simplified Active Directory Domain Services and Active Directory Federated Services
· And perhaps the most important new management feature is…
#6. PowerShell 2.0
Windows Server 2008 introduced PowerShell, a powerful command-line-based feature that enables administrators to automate repetitive administration tasks by using command-let (cmdlet) scripts. A series of core cmdlets were pre-installed with Windows Server 2008 along with the basic tools required for administrators to create their own cmdlets.
Windows Server 2008 R2 introduces PowerShell 2.0, which significantly enhances the earlier version with the inclusion of more than 240 new pre-built cmdlets as well as a new graphical user interface (GUI) that adds professional-level development features for creating new cmdlets. The new GUI includes syntax coloring, new production script debugging capabilities, and new testing tools.
#7. Ubiquitous Remote Access
Today’s mobile workforce is increasing the demand on IT to provide remote access to corporate resources. However, managing remote computers is an ongoing challenge, with low wide area network (WAN) bandwidth and sporadic connection and re-connection processes interfering with lengthier desktop management tasks such as Group Policy changes and up-to-date patching.
Windows Server 2008 R2 introduces a new type of connectivity called DirectAccess—a powerful way for remote users to seamlessly access corporate resources without requiring a traditional VPN connection and client software. Using technologies that shipped in Windows Server 2008, Microsoft has added simple management wizards that enable administrators to configure SSTP and IPv6 across both R2 and Windows 7 clients to enable the basic DirectAccess connection, and then augment that connection with additional R2 management and security tools, including management policies and NAP.
With DirectAccess, every user is considered remote all of the time. Users are no longer required to distinguish between local and remote connections. DirectAccess handles all of these distinctions in the background. IT professionals retain precise access control and full perimeter security, helping to ease both desktop security and management headaches on both sides of the connection.
#8. Improved Branch Office Performance and Management
Many branch office IT architectures have relatively low bandwidth. Slow WAN links impact the productivity of branch office employees waiting to access content from the main office, and costs for branch office bandwidth allocation can amount to as much as 33% of overall corporate IT spending. To address this challenge, Windows Server 2008 R2 introduces a feature called BranchCache™, which reduces WAN utilization and improves the responsiveness of network applications.
With BranchCache, clients who request access to data on the organization’s network are sent directions to the file on the local (branch office) network if the file has ever been requested there before. If the file is stored locally, those clients get immediate high-speed access. Such files can be stored either on a local BranchCache server for larger branch offices or simply on local Windows 7 PCs.
#9. Simplified Management for SMBs
With Windows Server 2008 R2, Microsoft is focusing more attention at the SMB and mid-market customer. This new focus provides these customers with a rich landscape of Microsoft product offerings, from Small Business Server up to Windows Essential Business Server and now Windows Server 2008 Standard. All SKUs are being outfitted with new management tools to make SMB IT Pro life easier.
Active Directory’s new Active Directory Administration Center is one example—all those disparate management GUIs are now hosted in a single interface and all based on PowerShell. Additionally, there are the Best Practice Analyzers, which Microsoft has extended to every server role to keep all your server configs in sync with the latest know-how.
And last but not least, there’s the new Windows Server Backup utility. Long a second-class citizen, this updated, in-the-box backup app has been significantly upgraded to include more granular support for designing backup jobs, including support for system state operations; and, it’s been optimized to run both faster and to use less disk space.
#10. The Strongest Web and Application Server To Date
Windows Server 2008 R2 includes many updates that make it the best Windows Server application platform yet, but one of the most important is the new Internet Information Services 7.5 (IIS 7.5).
The updated Web server includes features that streamline management by extending IIS Manager, implementing the IIS PowerShell Provider and taking advantage of .NET on Server Core. IIS 7.5 also integrates new support and troubleshooting features, including configuration logging and a dedicated Best Practice Analyzer. Last, we’ve integrated several of the most popular optional extensions associated with Windows Server 2008, including URLScan 3.0 (now known as the Request Filter Module).
Source: Windows Server 2008 R2 : Resources
Nice powerpoint presentation about Windows Server 2008 R2 : Windows Server 2008 R2 Overview
Security Advisory 971778 (DirectShow Issue)
Microsoft has become aware of a bug in the DirectX engine used in Windows 2000, Windows Server 2003 and also Windows XP. As per Microsoft: The vulnerability could allow remote code execution if a user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code.
Microsoft is investigating this issue, and the investigation is ongoing. The investigation so far shows that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable. My research on the internet shows that Microsoft is currently working to develop a security update for Windows to address this vulnerability. Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution. The cause of this threat is that a remote code execution vulnerability exists in the way Microsoft DirectShow handles supported QuickTime format files. This vulnerability could allow code execution if a user opened a specially crafted QuickTime media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
See here for information:
Microsoft Security Advisory (971778) ; Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Gourami / Farm Commander.
An old colleague and Citrix consultant who worked for us has his own Citrix consulting company; it’s called Gourami. His name is Dennis Smith, and he is a great Citrix consultant and developer. He makes customized applications for Citrix using the .NET Framework. Combined with his firm knowledge of the Citrix product range, he has proven to be unique, and his applications are a very good combination with Citrix.
He has just released the beta of a new tool, called Farm Commander. I have just tested this tool, and it is a great tool to automate things on several Citrix servers. You can copy files and execute commands within a Windows Active Directory domain. In Farm Commander the left panel is a file system, where you can select files and directories. In the right panel the Windows 2000/XP/Citrix/Terminal/Domain workstations and servers are listed. First you select files in the left panel, and then you select the servers in the right panel. Then you choose your action: copy, move or delete. Farm Commander then copies/deletes/moves the selected files to/from the selected servers. In Citrix/Terminal Server environments you need to copy files from or to several servers at once, which is one of the key features of this application, so time is gained here. Farm Commander also features a detailed report of each action. As administrator you must know if there were failures in the taken actions (read only / not enough rights).
Summary: A great tool for every systems administrator/engineer who administers large and complex Citrix environments. It is certainly worth taking a look at the website of Gourami. Gourami offers more great applications, which can save a Citrix administrator/engineer/consultant lots of time. He also offers very good support on his products in the Gourami forums.
New processor
For my desktop PC, I just bought a new processor; my current processor doesn’t support Intel VT. A few months ago I bought a new PC based on the Tweakers.net Best-Buy Guide (Dutch site for ICT people, deeply technical). My processor was an Intel Core 2 Duo E5200, which doesn’t support Intel VT. I’m using VMware Workstation, and with that I can’t run 64-bit hardware (all new server software is only 64-bit, like Windows Server 2008 R2 and Exchange 2007 R2 for example). I’m a Microsoft geek, thus I want to test; you got my frustration? I have now bought an Intel Core 2 Quad Q9650, which I need to install next weekend. By the way, that will be my first time replacing a processor! Tips are welcome (just post a comment).
Some personal work experiences with VMware / Server virtualization
I recently got more into VMware and met some great people who are very passionate about this (some of my co-workers inspired me for this blog post).
I found a really great site, with lots of links to great VMware websites. It’s called the VMware Launchpad, and it’s certainly worth checking out. This site is a collection of great resources and blogs where you find lots of information about VMware and related technologies.
For example, the site of Bouke Groenesheij. He probably is one of the best VMware Trainers, and he is also a consultant. My boss called him the world leading VMware Expert. He is also (one of the) founders of the Dutch VMUG, a Dutch VMware Community. He is now working at our company; he and some of my other colleagues managed to get one of the largest Virtual Environments in Europe alive and running. He also trained our colleagues, and I heard they all did a great job. I hope I can follow a training from Bouke in the coming year, after finishing my MCSE 2003, which I expect to finish this year in October.
Also the site of Eric Sloof, blogger of NTPRO, who is also one of the best VMware trainers in our country. He is also one of the founders of the Dutch VMUG community. Eric Sloof has been active as an ICT specialist for more than 15 years. Since 2006 the accent of his services changed from consulting to delivering VMware courses. As a VMware certified instructor he helps organisations that want to maximise the benefits of the VMware virtualisation products. Their IT professionals will benefit from attending in-depth, hands-on courses.
Also the person behind the number one link is working at one of our virtualization projects. His name is Duncan Epping, and his blog is called Yellow Bricks. I have not met him yet, but I hope to do that very soon. You can also find Duncan on the VMware VMTN Communities as a user and Moderator.
VMware is the standard for us, and we are going to virtualize about 3000 servers in the coming years. Every server requested by an (internal) customer will be a virtual instance in our new VMware environment, which is one of the largest environments in Europe. We have some very challenging upcoming projects; for example, all legacy servers will be P2V-ed to our VMware environment, and old bricks and an old, badly designed Virtual Environment will be migrated to that environment too.
I am now trying to get my MCSE 2003 certificates; after I have finished that, there is a big chance that I will be doing the VCP-310 or VCP-400, but that is not certain yet. I’m hoping that Bouke will be my trainer. I’m also going to upgrade my MCSE 2003 to MCITP on Server 2008. I would like to do that right after I have passed my MCSE. I’m one of those persons who loves to certify myself and really enjoys it (my co-workers find me strange) and to learn as much as I can. Knowledge, I think, is one of the powers to success in a job.
Conclusion: IT is very challenging and I love my job, and every day I’m learning something new.
Windows 7
Recently I installed the Windows 7 Release Candidate, after working a few months with the Windows 7 Beta. I also registered myself for the Windows 7 Beta exam (71-680), but was unable to do the exam on the scheduled date. I was really ill that day, unfortunately. I really like Windows 7. I always make this comparison: Windows Vista was like Windows Me, Windows 7 is like Windows XP. I have the feeling that Windows 7 also runs a bit faster than Windows Vista, but have no proof of that (e.g. performance logs). Everything seems to be less complex, and with fewer clicks I can do the things I always do with my computer. I really like that I can encrypt my USB stick with BitLocker Drive Encryption, so nobody is able to sell my private data! Also User Account Control has improved hugely. Windows Vista offered two levels of User Account Control, on or off. Windows 7 now has four levels:
Source: What’s New in User Account Control
- Never notify me. You are not notified of any changes made to Windows settings or when software is installed.
- Only notify me when programs try to make changes to my computer. You are not notified when you make changes to Windows settings, but you do receive notification when a program attempts to make changes to the computer.
- Always notify me. You are notified when you make changes to Windows settings and when programs attempt to make changes to the computer.
- Always notify me and wait for my response. You are prompted for all administrator tasks on the secure desktop.
Also see here for more information: What’s New in User Account Control
There have also been some changes in security, particularly in Windows Security Auditing. In Windows XP, administrators had nine categories of security auditing events that they were able to monitor for success, failure, or both success and failure.
In Windows Vista and Windows Server 2008, the number of auditable events was expanded from 9 to 50, which enables an administrator to be more selective in the number and types of events to audit. These new audit events were not integrated into Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool.
In Windows Server 2008 R2 and Windows 7, all auditing capabilities have been integrated into Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). Windows Server 2008 R2 and Windows 7 make it easier for IT professionals to track when precisely defined, significant activities take place on the network.
Summary: Windows 7 is great, one of the best operating systems Microsoft has ever made.
In the next blog post, I will highlight more changes in Windows 7.
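As an added example (not from the original post), this is what the Auditpol.exe logon-script approach described above looks like in practice: a PowerShell wrapper that backs up the current audit policy, enables a small set of the Vista/2008 subcategories, and then reads the policy back to verify it. It assumes an elevated prompt, the English subcategory names that ship with Windows, and that %SystemRoot%\Temp is writable; the chosen subcategories and settings are my own illustration, not a recommendation from the post.

```powershell
# Added example, not the author's. Requires an elevated prompt; subcategory
# names are the English ones shipped with Windows Vista / Server 2008 and later.

$backupDir = Join-Path $env:SystemRoot 'Temp'
$backup    = Join-Path $backupDir ("auditpol-backup-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

# Subcategory -> desired setting, using the exact strings auditpol reports.
# Illustrative choices: success and failure for logon and policy/group changes,
# failure-only where success volume would mostly be noise.
$desired = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Special Logon'             = 'Success'
    'Process Creation'          = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Failure'
}

# 1. Back up the whole policy first, so the change can be undone with
#    auditpol /restore /file:<backup file>.
& auditpol.exe /backup /file:$backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol backup failed (exit code $LASTEXITCODE)" }

# 2. Apply each subcategory. auditpol wants explicit enable/disable for both
#    the success and the failure side of a subcategory.
foreach ($sub in $desired.Keys) {
    $success = if ($desired[$sub] -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($desired[$sub] -match 'Failure') { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$sub" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to set '$sub' (exit code $LASTEXITCODE)" }
}

# 3. Verify. '/get /r' prints CSV with, among others, the columns
#    'Subcategory' and 'Inclusion Setting'; blank lines are dropped before parsing.
$current = & auditpol.exe /get /category:* /r |
    Where-Object { $_ -match ',' } | ConvertFrom-Csv

$mismatch = foreach ($sub in $desired.Keys) {
    $row = $current | Where-Object { $_.Subcategory -eq $sub }
    if (-not $row -or $row.'Inclusion Setting' -ne $desired[$sub]) {
        "$sub : expected '$($desired[$sub])', got '$($row.'Inclusion Setting')'"
    }
}

if ($mismatch) { $mismatch | Write-Warning }
else { Write-Host "Audit policy applied and verified; backup saved to $backup" }
```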
Blog Post
Blog posts on this blog will continue to be in English, no more in Dutch. I’m also going to translate the old Dutch articles to English in the coming months.
MCSA
As you could read earlier on this blog, I am working on a Microsoft certification track. Last Wednesday I took the 70-299 exam, after a week of training via Computrain. The course was very good, by the way. Our trainer was Arthur Goudswaard; this trainer simply has a great deal of expertise and a lot of experience, I was really pleasantly surprised!
So last Wednesday I passed the 70-299 with exactly 700 points. I may now call myself MCSA (Microsoft Certified Systems Administrator)!!