Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

Pictures of my presentation at TechEd North America 2014

Last week, I presented my first session ever on TechEd. I co-presented the session PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies with Mike Resseler in the last presentation slot of TechEd North America 2014 in Houston.

The story how I obtained the speaker position (in typical MVP manner) can be found in my blogpost I will be speaking at TechEd North America 2014. When you’re curious about the contents of the session you can read my blogpost Upgrading Active Directory using virtualization on 4Sysops.com.

My buddy Raymond made some photos during the session, that I think will give you a good impression on the fun we had:

Mike and me standing posing with our title slide mere moments for the session (click for larger size)
Explaining how new versions of Active Directory differ (click for larger size)Our audience (click for larger size)
Mike and me giving our audience some room for questions (click for larger size)

Presenting at TechEd (click for larger size) So why do you upgrade Active Directory? (click for larger size)Rambling on the simplified Active Directory deployment features in Windows Server 2012 (click for larger size)
Answering a question from the audience (click for larger size)Answering another question from our audience (click for larger size)
Thank you to our audience! (click for larger size)

  

Thank You!

I will be speaking at TechEd North America 2014

This week I’m in Houston for Microsoft’s 2014 TechEd North America event.

Yesterday, at the TechExpo, I ran into a couple of familiar faces. I talked to Ben Armstrong for a while, together with Didier van Hoye, MVP Hyper-V. While we were getting drinks for the guys at the booths, we ran into Mike Resseler, MVP System Center Cloud and Datacenter Management and working for Veeam.

It’s a small world, and what happened next illustrates exactly how small.

While I was discussing Mike Resseler’s PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies session with him, I asked him if he was expecting any hard Active Directory-related questions. I offered to take a seat in the front row, so I could help him out. You know, that’s what Microsoft Most Valuable Professionals (MVPs) do…

Mike thought about it for a moment, but then replied:

“I’d much rather have you on stage with me.”

    

So, there you have it. I’ll be speaking at TechEd North America 2014. Glimlach

Here’s some more information on the session:

PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies
Thursday, May 15 2:45 PM - 4:00 PM Room: General Assembly C
Speaker(s): Mike Resseler, Sander Berkouwer
Track: People-centric IT
Session Type: Breakout
Topic: Active Directory Domain Services

Upgrading technologies can always be a challenge and dangerous. By using your backup solution and virtualization technology (Hyper-V) you can try out everything upfront on your real production data without risking destroying the environment. The Change Management Process will become much easier.

  

When you’re also at TechEd North America, please visit our session. If not, make sure to visit Channel 9 after TechEd ends to see the recording of this session on demand.

Keep up with TechEd North America 2014 (Houston) even when you’re not an attendee

Next week, Microsoft organizes TechEd North America in Houston. As I’ve written last week, I’ll be attending, but you might not have gotten your hands on a ticket… this event is sold out.

However, you can still use your ginormous bandwidth (in contrast to the Hotel Wi-Fi in Houston) to be the first to get to know Microsoft’s new strategy, or simply follow the event from the comfort of your couch at home. The links below will provide you with a dose of Microsoft news:

earth
Official website
http://northamerica.msteched.com

RSS-256
Blog
http://channel9.msdn.com/Blogs/TechEd

Twitter-256
Twitter
http://www.twitter.com/TechEd_NA and hashtag #msteched

facebook-256
Facebook
http://www.facebook.com/TechEd

myspace-256
LinkedIn
https://www.linkedin.com/groups/Microsoft-TechEd-North-America-1864032 

  

Just like in previous years, Microsoft allows you to watch the keynote near live on Monday May 12, 2014 9:00 AM – 10:30 AM US Central Time.

Brad Anderson will be hosting the keynote during TechEd North America. Since he is Microsoft’s Corporate Vice President for Windows Server and System Center Program Management, you might want to tune into it here.

  

Enjoy!

I’m attending TechEd North America 2014

TechEd North America 2014

As a TechEd North America Alumni, I was thrilled to hear TechEd North America will be held in Houston, Texas this year from May 12, 2014 to May 16, 2014.

Since “Everything is bigger in Texas”, I though the booths would be bigger as well. Of course, I applied to staff and speak at TechEd again, but, luckily, they found more capable people than me to do so. I’ve booked my ticket and flight two weeks ago and was pretty stoked to see the event sold out mere days later.

Due to these circumstances, I’ll have a lot more time on my hands than the last two TechEds in the US I attended, which is a bonus. Also, my travelling schedule is a bit less complicated than it was these last times, since I don’t have anything on my schedule for Saturday or Sunday. Additionally, Raymond offered to share his room with me, which meant I didn’t have to look for accommodations.

I’ll be flying from Amsterdam Schiphol Airport (AMS) to Houston George Bush Intercontinental Airport (IAH) with flight KL0661 on Monday May 12, 2014. This is a direct flight on a KLM Boeing 747-400 (Mixed configuration). My return flight is another direct flight; Flight KL0662 on Friday May 16, 2014 on the same type of aircraft, which means I could actually catch some sleep on the way home…

I’ll be staying at the Houston Magnolia, six blocks from the George Brown Convention Center, where TechEd North America is held.

See you in Houston!

 

Related blogposts

I’ll be staffing at TechEd North America 2013 
I will be staffing at TechEd North America (Orlando) 
Stay up to date with TechEd North America (Orlando)

Security Thoughts: The Inconvenient Truth about CVE-2014-1776 (aka “The Windows XP Mega Vulnerability”)

An Inconvenient Truth

Looking at the news these last couple of days, you’d think the XPocalypse has begun.
A vulnerability has been discovered in Internet Explorer 6 through 11 and code has been made publicly available to attack it. Since, according to several websites, this is a critical vulnerability that was discovered after Microsoft officially ended support for Windows XP, thus, organizations using this old technology are and will remain at risk.

I chuckled.

    

Impact

The Verge describes the impact of this vulnerability as:

Microsoft published a security advisory today warning its customers that a vulnerability in all versions of Internet Explorer (6 through 11) could let hackers gain full user permissions over your computer, allowing them to install programs, view and delete data, and much more simply by visiting a website.

I think it’s interesting that Dante D'Orazio of The Verge uses the word “full”, while linking to Microsofts official Security Advisory 2963983. This webpage clearly describes:

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The ability to execute code is limited to the rights the compromised account has on the system. In organizations, implementing Windows with Least Administrative Privilege is the best practice and the standard. It should come as no surprise this principle is extensively covered in all Windows-oriented Microsoft exams.

While deleting (and possibly encrypting) user data can be a real nuisance, restoring data from backups is still available on well-implemented systems, since the system integrity isn’t typically compromised by these attacks.

This vulnerability is a critical vulnerability in terms of Microsofts Security Bulletin Severity Rating System bacause of the Remote Code Execution ability.

      

Attack vector

Although Internet Explorer is identified as the faulty product by many tech websites, the initial attack vector is not Internet Explorer, but a vulnerability in Adobe’s Flash Player that is described in CVE-2014-0515. Internet Explorer has a vulnerability in the way it accesses an object in memory that has been deleted or has not been properly allocated, but this vulnerability, at the moment, is only exploitable through Adobe Flash Player.

Because, in recent years, Adobe Flash accounted for a lot of attack vectors towards Windows systems, for Windows 8 and Windows 8.1, Microsoft has adopted a new patching mechanism, together with Adobe, to update Flash Player through Internet Explorer and Windows Update mechanisms. Through this update mechanism, Windows 8 and Windows 8.1-based systems have already been updated with Adobe Flash Player 13.0.206.

For Internet Explorer versions running on Windows systems before Windows 8, Adobe has issued an update to Flash Player for Windows, that brings its version to 13.0.0.206. Adobe still supports Windows XP when you’ve patched it through to Service Pack 3. So, even when people in your organization run Internet Explorer 6 on Windows XP, you can protect them from these initial attacks.

You can use Windows Server Update Services (WSUS) to push the Adobe Flash Player update.

  

Mitigating factors and workarounds

The list of mitigating factors and workarounds in Microsofts official Security Advisory 2963983 is long. In addition to updating Adobe Flash Player and Windows, and implementing the principle of least administrative privilege, these actions help you protet against exploitation of this vulnerability:

  • Internet Explorer Enhanced Security Configuration (IE ESC) mitigates this vulnerability. (This is enabled by default on Windows Server installations.)
      
  • You can deploy version 4.1 or version 5.0 of the Enhanced Mitigation Experience Toolkit (EMET). EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.
      
  • When you set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones, this protects against exploitation of this vulnerability.
      
  • When you configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone, this protects against exploitation of this vulnerability.
      
  • When you unregister or modify the ACLs on vgx.dll, web applications that render VML will no longer do so. This protects against exploitation of this vulnerability.
      
  • When you Enable Enhanced Protected Mode For Internet Explorer 11 and Enable 64-bit Processes for Enhanced Protected Mode protects against exploitation of this vulnerability.
      

  

No solution for Windows XP

It’s true that home-users and small businesses running Windows XP will (most likely) not gain access to an update for the vulnerability in Internet Explorer (if/when it becomes available). Microsoft has done a stellar job providing free support for nearly 13 years.

Large organizations and governments, however, had the opportunity to buy extended support on Windows XP for at least another year. Organizations that have made this purchase will see an update to address this vulnerability (if/when it becomes available).

I'm very interested to see if Microsoft decides to support Windows XP for customers. I Imagine the code that is needed to patch Internet Explorer on Windows XP is not that different from the code for Windows Server 2003 and more recent versions of Windows. There's multiple ways to look at it.

        

Fear, uncertainty & doubt (FUD)

To top things of, many news outlets and government agencies are now actively discouraging the use of Internet Explorer. A perfect example is this tweet by the Dutch Police Team High Tech Crime:

Politie Tweet_gallery_image

When you translate the text to English, you’ll notice that the Dutch government is actually discouraging using Internet Explorer for the time being. As a side note, they tell us that no solution will become available for Windows XP.

With the list of mitigating factors and workarounds available to protect against exploitation of the vulnerability in Internet Explorer, and the availability for updates for organizations that have purchased Windows XP extended support, I feel the whole tweet can be discarded, regardless of the good intentions it was written with.

    

Concluding

The impact of this Internet Explorer / Flash vulnerabity is relatively low, since code can only be executed with the privileges of the logged on user account.

When you communicate to colleagues, end-users and customers, make sure you give them proper advice.

The attack is non-exploitable when Adobe Flash Player for Windows is updated to version 13.0.0.206 or up and at least one of the actions in the list of mitigating factors and workarounds is performed.

These vulnerabilities, CVE-2014-1776 and CVE-2014-0515, are business as usual.

Further reading

New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
Security flaw puts all Internet Explorer users at risk, exposes Windows XP 
Microsoft Races To Fix Massive Internet Explorer Hack: No Fix For Windows XP Leaves 1 In 4 PCs Exposed 
Windows XP is permanently vulnerable to the newest Internet Explorer zero-day flaw 
0-Day Vulnerability in Internet Explorer Threatens Windows XP 
Internet Explorer hack spells trouble for Windows XP users 
There's A Dangerous Bug In Internet Explorer, But Microsoft Won't Fix It For Windows XP Users  
US, UK govt: Friends don't let friends use Internet Explorer – try Chrome or Firefox

Is your organization ready for Windows 8.1? Part 15, Roaming Profile incompatibilities

In extensively managed networking environments, devices are generally domain-joined and employees gain mobility across these devices through folder redirection, offline files and roaming profiles. VPN access is mostly available, but when looking closely you might distinguish the occasional DirectAccess implementation.

In these environments, mobility over several devices, for instance a desktop and a laptop, often, offers challenges in terms of applications, settings and access to data.

While the above solutions offer a functioning environment when all devices run the same Operating System, it’s a different story when one device runs another or previous Operating System version.

In the past…

In the past, Roaming Profile incompatibilities have resulted in version 2 profiles. This distinction made sure colleagues with Windows XP and Windows Vista/7 devices could continue working effectively on both platforms, enjoying the same data, but not necessarily the same settings.

You probably remember the Username.V2 Roaming Profile folder names, if, at some point in the past, you’ve implemented Roaming Profiles on devices running Windows Vista, and beyond, in a Windows 2000 Professional / Windows XP Professional-based networking environment.

In the Windows 8.x era

To make matters more complicated, but more robust towards the people using devices with different Windows versions, Microsoft has updated the profile format in Windows 8. According to Microsoft KnowledgeBase article 2887239, the updated profile format, causes profiles to be incompatible between Windows 7 (and Windows Vista) on one side and Windows 8 and Windows 8.1 on the other side of the equation.

This means, that when a colleague switches from a Windows 7-based device with Roaming Profiles configured to a Windows 8-based device with the same Roaming Profiles configuration, the user profile is updated to the new Windows 8 format and the user profile is no longer compatible with the Windows 7-based device. But, both profiles are version 2 profiles.

Now, when you’re migrating your organization to Windows 8.1 from Windows 7 (and prior)and you’re not able to migrate all PCs for a specific colleague at one moment in time, this will cause problems when the colleague switches back and forth.

    

Introducing Version 3/4 profiles

Luckily, you can configure Windows 8 and Windows 8.1 to create a different Roaming Profile. This Roaming Profile, then gets a dot, a ‘v’ and a version number appended to the folder name.

The version number corresponds with the version of Windows that is used on the device on which you want a different Roaming Profile:

  • Windows 7 and Windows Server 2008 R2 add the string .v2 to the folder name.
  • Windows 8 and Windows Server 2012 add the string .v3 to the folder name
  • Windows 8.1 and Windows Server 2012 R2 add the string .v4 to the folder name.

Thus, on Windows 8.1, Roaming Profiles become designated as version 4 profiles.

Implementing version 4 profiles

This is achieved by making a change in the Windows registry and rebooting.

Note:
According to Microsoft KnowledgeBase article 2890783, the update that adds this functionality to Windows 8.1 is included in November 2013 update rollup. Make sure you have this update installed on devices where you want to use version 4 profiles.
  
Note:
The update is also available in Windows 8.1 Update 1.

To perform the specific registry change, follow these steps:

  1. Swipe in from the right edge of the screen, and then tap Search. Or, if you are using a mouse, point to the lower-right corner of the screen, and then click Search. In the search box, type regedit, and then tap or click regedit

         When you are prompted for an administrator password, type the password. If
         you are prompted for confirmation, provide confirmation.
      

  2. Locate and then tap or click the following registry subkey: 

    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters
        

  3. On the Edit menu, point to New, and then tap or click DWORD (32-bit) Value.
  4. Type UseProfilePathExtensionVersion
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
         
    It should look like this:
         
    UseProfilePathExtensionVersion in Windows Registry (click for original screenshot)
           
  7. Exit Registry Editor.

After you configure the UseProfilePathExtensionVersion registry entry, you have to restart the computer.

After the reboot, Windows 8.1 creates a new Roaming Profile and appends the suffix ".v4" to the profile folder name to differentiate it from earlier Roaming Profile versions.

Of course, you can also use a Group Policy Preference (GPP) setting to add the registry key to Windows installations. You can target Windows 8.1-based devices specifically by either placing them in separate Organizational Units (OUs) within Active Directory Domain Services, or (when all devices reside in the same Organizational Unit) through WMI filters.

        

Concluding

If you need new Roaming Profiles for colleagues that experience Roaming Profile incompatibilities between Windows 8.1 and previous versions of Windows, implement version 4 Roaming Profiles with the registry change above.

Together with Folder Redirection, these colleagues should only experience different settings between two devices, but still have access to the files, folders and applications they need to perform their jobs.

Related blogposts

Is your organization ready for Windows 8.1? Part 1, Overview
Is your organization ready for Windows 8.1? Part 2, The best hardware for the job
Is your organization ready for Windows 8.1? Part 3, Start Button and Boot to Desktop
Is your organization ready for Windows 8.1? Part 4, Automatic App Updates
Is your organization ready for Windows 8.1? Part 5, Managing SkyDrive
Is your organization ready for Windows 8.1? Part 6, Start Screen Layout Management
Is your organization ready for Windows 8.1? Part 7, Managing Start Screen Theming
Is your organization ready for Windows 8.1? Part 8, Start Screen App Pinning
Is your organization ready for Windows 8.1? Part 9, Disable help tips in The New Interface
Is your organization ready for Windows 8.1? Part 10, Group Policy Caching
Is your organization ready for Windows 8.1? Part 11, IE Enhanced Protected Mode
Is your organization ready for Windows 8.1? Part 12, Assigned Access
Is your organization ready for Windows 8.1? Part 13, Quiet hours 
Is your organization ready for Windows 8.1? Part 14, Logon Script Delay    

Related KnowledgeBase Articles

2890783 Incompatibility between Windows 8.1 roaming user profiles and those in earlier versions of Windows 
2887239 Incompatibility between Windows 8 roaming user profiles and roaming profiles in other versions of Windows

Acknowledgements

Thanks to JSchlackman for pointing out some errors in a previous version of this blogpost.

Pictures of the Dutch 2014 TechDays

Last week, Microsoft Netherlands organized the 2014 TechDays at the World Forum in The Hague, where both Dutch and Belgian Developers and IT Professionals enjoyed two days of sessions, networking opportunities and catering.

On Wednesday April 16th, Raymond Comvalius and I were scheduled to deliver a 75-minute presentation on Bring Your Own (BYO), so we arrived early. Luckily, the event also started early both days, with the first sessions starting at 7:45 AM each day.

TechDays banners on the floor of the World Forum (click fr original photo)Entrance to the World Forum (click for original photo)Lanyards waiting to be used (click for original photo) 
Which one are you, Developer or IT Pro? (click for original photo)

Our session was scheduled for 10:50 AM in room Onyx. This room was fitted with 300 seats, a nice stage and two projection screens.

WP_20140416_10_31_18_ProWP_20140416_10_31_25_Pro 
TitleSlide
Our audience (click for original photo, provided by Microsoft Netherlands)I can do this with my eyes closed... (click for original photo, taken by Adnan Hendricks)Delivering. (click for original photo, taken by Arie de Haan)

Our session was great fun, and afterwards we received some great feedback. Needless to say I was proud of our achievement.

Proud TechDays Speaker (click for original photo, taken by Raymond Comvalius)

After our session, I dumped my stuff in the speaker room, switched from my blue Speaker polo to the orange Expert polo, and headed for the Ask the Experts (AtE) Area. I also spent the larger part of Thursday April 17th at the Ask the Experts (AtE) Area. A lot of my buddies were there and we had a lot of fun. The XBox One combined with Experts proved to be a real crowd pleaser.

XBox Experts (click for original photo, by Michel de Rooij)

I had a blast, and I hope you did too. Glimlach

See you at TechDays 2015? 

Updating Windows XP with all its updates

You may have read my blogpost on the actions admins need to take to continue working with Windows XP in their networking environments. It’s a long list. While many blogs and websites have shared similar information, one action is on everybody’s list:
Update Windows XP with the latest updates.

So, how easy is it to perform this task?

Without a fourth ServicePack for Windows XP, containing all the updates for Windows XP up till April 8th, 2014, it’s really about connecting a device running Windows XP to the internet and downloading the updates through Windows Update, or connecting a device to the corporate network and downloading updates from the on-premises Windows Server Update Services (WSUS) installation. This, of course, is not the best of ideas: Every security expert has warned against connecting Windows XP boxes to the internet or your corporate network after April 8th…

Straight from my toolbox comes a tool that helps you with this task:

  

WSUS Offline

WSUS Offline is an unofficial program, that you can use to update Windows installations for situations with no and low-speed Internet connectivity. It was previously known as "c't offline update" and "DIY Service Pack".

It allows you to simply check Microsoft products, after which it will fetch all the updates from Microsoft’s official FTP server. So far, this sounds like the official Windows Server Update Services (WSUS) that Microsoft offers, but Offline WSUS has another trick up its sleeve: After you’ve downloaded all the applicable updates, you can create a virtual CD/DVD (*.iso file) per product, per architecture (x86 / x64) and/or per language.

Version 9.1 of Offline WSUS was released on April 4th, 2014 and is the last version of Offline WSUS. This, then, is the version of Offline WSUS you want. You can get it from wsusoffline.net.

Tip!
After you’ve downloaded wsusoffline91.zip, check it is 2281694 bytes in size and use Microsofts File Checksum Integrity Verifier to check it has a SHA1 checksum corresponding to 369d17656164139de81f49c3c32192286c492b1b.

Next, extract the contents of the file and run UpdateGenerator.exe. Next, select the Legacy products tab. This is where you’ll find updates for Windows XP x86:

Legacy Tab in the WSUS Offline Update 9.1

Tip!
Download Office 2003 through WSUS Offline as well, when you’re running it in a networked environment, since support on this product also ended on April 8th, 2014.

Tip!
You can point WSUS Offline to your on-premises Windows Server Update Services (WSUS) installation to pull all the updates. Use the WSUS… button to this purpose. After successful download and tests, you can free up (expensive) hard disk space by cleaning up the Windows XP updates there.

    

Today, I’ve selected English and Dutch for Windows XP (including ServicePacks) and ended up with two virtual DVDs (*.iso files) in to iso subdirectory of where I unpacked to:

  • wsusoffline-wxp-enu.iso
    807 MB, 181 applicable updates
      
  • wsusoffline-wxp-nld.iso
    821 MB, 181 applicable updates

From each of these virtual DVDs, I can now use the UpdateInstaller.exe executable to update 32-bit installations of Windows XP without an internet connection, without hassle.

          

Concluding

WSUS Offline allows you to download updates for Windows XP (and Office 2013) to update them with Microsoft updates, once and for all. After that, you can easily run the executable from the (virtual) DVD or USB drive to update Windows XP without an internet and/or network connection, without hassle.

Related blogposts

So you want to continue using Windows XP? 
How to install Windows XP Mode for Application Compatibility 
Windows 7 Migration Checklist 
Windows 8 Migration Checklist  

Related downloads

Microsoft File Checksum Integrity Verifier

Further reading

Windows XP support has ended 
WSUS Offline Update 
Microsoft Windows Update 
Windows Server Update Services Home

Implications of the HeartBleed vulnerability on Single Sign-On and Federation implementations

heartbleedThis week, the Internet was abuzz with HeartBleed,a vulnerability in OpenSSL. This meant many secure websites and webservices, protected by OpenSSL, suddenly became a security risk and OpenSSL (and open source software, in general) suddenly became a lot less trustworthy.

About HeartBleed

The HeartBleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure Internet traffic. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). CVE-2014-0160 is the official reference to this bug.

The HeartBleed bug allows anyone to read the memory of the systems ‘protected’ by the vulnerable versions of the OpenSSL software (versions 1.0.1 through 1.0.1f). This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

HeartBleed and Microsoft

In formal communications, only when you’ve installed and configured OpenSSL you’d need to take action, when running Microsoft Operating Systems (OSs).

While this is strictly true, in the modern world of Single Sign-On and claims-based authentication, this might not necessarily be the right way to look at it…

     

Single Sign-On

Many organizations have implemented Single Sign-On (SSO) by integrating their applications into Active Directory Domain Services (AD DS). While Active Directory, itself, was not affected by HeartBleed, any application or service utilizing OpenSSL and integrating with said Active Directory can be used to leak information from Active Directory like usernames, passwords, SIDs  and token information.

Also, the private key used may be leaked, which, in turn, might contain information for a targeted attack against Active Directory Certificate Services (AD CS) and services relying on it, like Active Directory Rights Management Services (AD RMS).

Not until these OpenSSL implementations have been updated, the certificates in use have been replaced with different certificates (with a different private key) and users have changed passwords, the situation might be resolved.

Conclusion

Indeed, one single link in the authentication chain might cause the entire chain to fail…

Solutions

To remedy such a situation, first, the vulnerable version of OpenSSL should be upgraded to at least version 1.0.1g or recompiled with -DOPENSSL_NO_HEARTBEATS. Additionally, any certificates in use by the OpenSSL implementation need to be reissued.

From there on, you might ask or force users to reset their passwords, unless you’ve already deployed a multi-factor authentication solution. When a security token is required, a malicious party can not login to a service with just the password alone.

     

Claims-based authentication

So, claims-based authentication, must be safe then? Passwords can’t leak from OpenSSL, when the OpenSSL process (or deamon) doesn’t have it, right?

While it’s true that OAuth2, OpenID Connect and SAML2 endpoints at resource providers may not leak passwords, because these endpoints typically only have signed tickets, other risks are still present. Also, the endpoint of the identity provider might be protected by a vulnerable implementation of OpenSSL…

When you’re the resource provider in a claims-based authentication implementation, you should make sure the identity provider you have federated with are not running vulnerable OpenSSL implementations. Their signing key may have been compromised and, thus, a malicious party could sign tickets as if they would have originated at the identity provider.

When you’re the identity provider in a claims-based authentication implementation, you should make sure the resource providers you have federated with are not running vulnerable OpenSSL implementations. Examples of affected resource providers are Facebook, Yahoo and Google. The private key of their implementation(s) may have been compromised and a certificate may have been issued that allows a malicious party to pretend to be your resource provider to get signed tickets from you.

Conclusion

Indeed, one single link in the authentication chain might cause the entire chain to fail…

Solutions

To identify vulnerable identity and/or resource providers, use the tools at Filippo.io and/or the list on Mashable. Contact vulnerable identity and/or resource providers to have them upgrade their OpenSSL implementation(s) to at least version 1.0.1g or have their OpenSSL implementation(s) recompiled with -DOPENSSL_NO_HEARTBEATS. Additionally, they should reissue the certificates used by the implementation(s). 

From there on, you might ask or force users to reset their passwords, unless you’ve already deployed a multi-factor authentication solution.

       

Further reading

The Heartbleed Bug
Vulnerability Summary for CVE-2014-0160   
OpenSSL Security Advisory [07 Apr 2014]   
How to Protect Yourself From the Heartbleed Bug 
Information on Microsoft Azure and Heartbleed  
Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass

Virtualization-safe(r) Active Directory in VMware environments, Part 2

In the first post of this series, I’ve shown how to uncover the VM-GenerationID, the random value that unlocks all that Windows Server 2012 Active Directory Domain Services magic, on VMware’s vSphere and Workstation virtualization solutions.

Today, I’m showing you how to interpret this value and how this value might be different between versions of the VMware solutions used and the version of the VMware tools used.

    

You’ll need specific versions of VMware ESXi

First of all, if you want to run Windows Server 2012 on VMware vSphere, you’ll need at least ESXi 5.0 Update 1, since this is the first version of the hypervisor on which VMware supports Windows Server 2012.

But, VMware has implemented the VM-GenerationID functionality, as designed by Microsoft, into its products in the summer of 2012. It used the whitepaper and example code shared by Microsoft in its products. It did not finish this work prior to March, thus ESXi 5.0 Update 1 (released March 15, 2012) does not include the VM-GenerationID functionality.

These VMware ESXi versions support the VM-GenerationID functionality:

  • VMware ESXi 5.0 Update 2 (Build 914586) and subsequent updates to ESXi 5.0
  • VMware ESXi 5.1 (Build 799733) and subsequent updates to ESXi 5.1
  • VMware ESXi 5.5 (Build 1331820) and subsequent updates to ESXi 5.5

One thing to know, however, is the VM-GenerationID functionality in ESXi 5.0 Update 2 was implemented (and released on December 20, 2012), based on a draft of the VM-GenerationID whitepaper. Microsoft made a significant update to this whitepaper and the example code it shared with VMware and Citrix, before making it final:

In the draft version of the VM-GenerationID whitepaper, the VM-GenerationID value was defined as a random 64bit value. In the final version of the VM-GenerationID whitepaper, the VM-GenerationID value was defined as a random 128bit value.

This means you will find significant smaller values in the virtual machine configuration (*.vmx) file on the host and in the (hidden) Microsoft Hyper-V Generation Counter system device in virtual machines running on top of VMware ESXi 5.0 Update 2, compared to virtual machines running on top of later versions of ESXi, including ESXi 5.0 Update 3 (released October 17, 2013).

You’ll need VMware Tools

Without the VMware Tools installed, a virtual machine running Windows Server 2012 (or up) will not be able to benefit from the VM-GenerationID capabilities, since the VM-GenerationID value will not be put in the virtual machine’s RAM.

Without the VM-GenerationID in RAM, a virtual Domain Controller will not be able to see when it is reverted to snapshot or cloned and you will not benefit from the virtualization safeguards in Active Directory Domain Services that make it virtualization-safe(r).

Of course, updating to a more recent version of the hypervisor, requires upgrading the VMware Tools in virtual machines running atop the hypervisor, to be upgraded, too, to remain in a supported state.

Besides running in an unsupported state, running virtual machines with version 5.0 Update 1 of the VMware Tools on top of ESXi 5.0 Update 2 (or up) will not enable the VM-GenerationID functionality, since 5.0 Update 1 of the VMware Tools does not support it yet.

     

Concluding

When you want to utilize the VM-GenerationID functionality in a networking environment, virtualized with VMware products, in a supported manner, you will need to:

  • Run ESXi 5.0 Update 2 (or up), ESXi 5.1, ESXi 5.5 as the hypervisor.
  • Have the VMware tools installed in the virtual machines.
  • Have the VMware tools version installed, corresponding to your hypervisor version.

  

Related blogposts

Virtualization-safe(r) Active Directory in VMware environments, Part 1 
List of Hypervisors supporting VM-GenerationID
Citrix XenServer joins the VM-GenerationID family
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

Cloning Windows Server 2012 Domain Controllers on vSphere 5
Windows Server 2012 VM-Generation ID Support in vSphere

Pictures of the three Dutch IT Camps (The unofficial Hyper-D Farewell Tour)

I’ve had the pleasure of hosting three Microsoft IT Camps in the past three weeks and with them, effectively, organizing the unofficial ‘Hyper-D Farewell Tour’…

Hyper-D (Daniel van Soest) and I hosted all three IT Camps, consisting of four half-day Windows Server 2012 R2 Camps and two half-day System Center 2012 R2 Camps, following this schedule:

Below is a selection of pictures of our audiences (350 unique visitors), the venues and, of course, our selves:

Our audience at Van der Valk Amsterdam (click for original photo)
Our audience at Van der Valk Vianen (click for original photo)
Our audience at Van der Valk Breukelen (click for original photo)
This is what it looks like from our point of view (click for original photo)
Hyper-D explaining Service Templates in System Center Virtual Machine Manager (click for original photo) Well catered... (click for original photo)
This is us! (click for original photo)
Best piece of feedback of the series: VM-GenerationID picked as the best part of the session (click for original photo)
Hyper-D and me after our last IT Camp (click for original photo)

Thank You!

      

Related blogposts

I’m hosting three (sold-out) Windows Server 2012 R2 IT Camps with Daniel van Soest 
I’ll be hosting a Microsoft Netherlands Datacenter Virtualization IT Camp with Tony Krijnen
Pictures of the December 11 IT Camp with Tony Krijnen

I’m speaking at the Dutch 2014 TechDays

I’m very excited to announce I’m listed to speak on the TechDays event, hosted by Microsoft Netherlands on April 16 and April 17, 2014 at the World Forum in The Hague.

Of course, just like previous Dutch TechDays events, I’m also on the roster for the Ask the Experts. This is my 4th consecutive year there…

About the Dutch 2014 TechDays

TechDays 2014 LogoTechDays is an international series of Microsoft events, hosted by Microsoft subsidiaries around the world. Microsoft Netherlands, just like last year, has decided to make the event a 2-day event, filled with both IT Professionals and Developers content.

Microsoft Netherlands has arranged for several highly rated international speakers, like John Craddock, Bryon Surace, Chris Jackson and Paula Januszkiewicz to present sessions, next to our own heroes Maarten Goet, Ronald Beekelaar, Ruben Spruijt, Steven van Houttum, Jeff Wouters, Kenneth van Surksum, Roel van Bueren and Alex De Jong.

 

About my session

I will be hosting a 75-minute session, together with Raymond Comvalius (Windows IT Pro MVP). Our session is titled Bring Your Own Device Essentials with Windows technologies and focuses on the new BYO and Identity capabilities found in Windows 8.1 (Update) and Windows Server 2012 R2 (Update).

As part of the session, Raymond and I will convince our audience on the practical use cases of claims-based authentication, multi-factor authentication, the web application proxy, workplace join and work folders where you would open the network infrastructure up to the outside world, but, at the same time, still remain in control through Windows Intune and integration with on-premises Microsoft technologies like Active Directory and System Center Configuration Manager ……

Our session is planned on April 16, 2014 between 10:50 AM and 12:05 PM.

Will we see you there?

  

Related blogposts

I will be speaking at NGNs and NGIs shared BYO Event
I’ll be speaking at Experts Live 2013 
I will be speaking at NIC 2014 
Raymond and I will be delivering our BYOD Show to High School students

First signs of the XPocalypse…

Xpocalypse      
The world, as a lot of people know it, is coming to an end on April 8, 2014: They’ll be cut off from the world, left out in the cold, doomed to live in a world of lawlessness and trapped in wars between good and (don’t be) evil.

Note:
I’m not talking about the religious end of time, but the end of support for Windows XP on April 8, 2014, commonly referred to as the XPocalypse.

Having left the world Windows XP on one the earliest betas of Windows Vista, I didn’t really take notice of the world of pain a lot of people still on Windows XP would have to endure. I posted a list of actions to perform when you want to keep on using Windows XP and thought that would’ve put IT administrators off of their plans to force this 12 1/2 year old Operating systems onto their end users.

Apparently, I was wrong.

I visited a tradeshow earlier this week, where I spoke to some (former) health professionals. Whenever I mentioned I was into Microsoft, I would get the strangest replies:

The end of support of Windows XP is a marketing move by Microsoft, which helps the sale of Macs.

I can no longer send e-mail through my Gmail account, when I’m on Windows XP. It’s not event April 8, yet!

Now, the last reply was a situation unknown to me, so I decided to investigate the situation.

The issue

In my exchange messages with the person telling me of this situation, I found out the person had no trouble creating, sending, forwarding and replying to messages on devices running Windows 7. His older Windows XP-based device was another story. He could not send mail on it. Also, he experienced the same behavior on the devices that one of the bigger hospitals in the region, offers to visitors to use. You’ve guessed it: Windows XP too.

Now, I’m guessing the hospital is conducting some strange research on how much abuse a visitor is willing to take. I can’t find another reason why they’d be insulting and exposing visitors to Windows XP…

Then, I turned to Google support. I looked into their browser support. They don’t offer any specific information for the consumer-grade GMail service, other than:

You can access Gmail through the Internet on browsers like Chrome, Firefox, Internet Explorer, and Safari on your computer.

In general, Gmail supports the current and prior major release of Chrome, Firefox, Internet Explorer and Safari on a rolling basis.

For its business users, Google does go into more detail on supported browsers for Google Apps:

As previously announced, Internet Explorer 11 launched on October 17, 2013, and as a result, we've discontinued support for Internet Explorer 9.

It is a very recent problem too, since people on Google’s product forums, only started noticing this behavior beginning March 21st.   

The solution

Apparently, Google wants people to use recent browsers and has found a way to lock out the hordes of loyal Windows XP users: Since Windows Internet Explorer 8 is the latest version of Internet Explorer they can upgrade to on Windows XP, they’ll need to get sucked into the Google ecosystem and use Google Chrome on their Windows XP-based devices.

For the visitors of the aforementioned hospital, using their locked-down visitor PCs, no cure is available.

     

Concluding

Time will tell if Google’s decision to lock out Windows XP users, using their default browsers, is a good thing.

On the other hand, if Windows XP-based devices collectively change into botnet zombies on April 9, 2013, Google might just have saved our inboxes from loads of unsolicited messages (if you’d believe malware would actually use the GMail website)…

Related blogposts

So you want to continue using Windows XP?

Virtualization-safe(r) Active Directory in VMware environments, Part 1

When you check my list with virtualization platforms that support Virtualization-safe(r) Active Directory through the Microsoft backed VM-GenerationID capability, you’ll notice that VMware has been supporting it in their products for a while now: Both VMware Workstation and VMware ESXi support it towards Windows Server 2012 and Windows Server 2012 R2-based Virtual Machines (VMs).

Unfortunately, I haven’t come across a VMware environment in a while and, thus, didn’t have time to look into the way VMware has implemented the feature. Yesterday, for my presentation at the Dutch VMware User Group Conference, I did.

So, let me kick off this series in which I’ll be sharing what it feels like to virtualize and clone Active Directory Domain Controllers safely on both platforms, with a blogpost on finding out whether your virtual Domain Controllers may benefit from the VM-GenerationID on the VMware-based hypervisors and, thus, may be safely virtualized and cloned.

     

Finding the VM-GenerationID

Within a VMware environment, two ways exist to find out whether your Windows Server 2012 and Windows Server 2012 R2-based Virtual Machines (VMs) leverage the VM-GenerationID:

  • Listed in the Virtual Machine Configuration (*.vmx) file on the host
  • Listed as a system device in the guest.

    

From the Virtual Machine Configuration

When you have access to the files of a VMware-based Virtual Machine, you can check the Virtual Machine Configuration file (*.vmx) file. When you open this file with your favorite text editor (for instance, Notepad), you can search for the line that starts with  vm-genid:

Contents of the vmx file for a Virtual Machine running on a VM-GenerationID-capable VMware-based virtualization environment (Click for original screenshot)

  

Through the (hidden) system device

As part of the VM-GenerationID Whitepaper that was published and shared by Microsoft, a system device needs to be presented to each Virtual Machine. As we’ve seen before on a Virtual Machine running on XenServer 6.2.0, after running the VMware tools, this device can be found in Device Manager (devmgmt.msc).

VMware, however, has decided to make the Generation Counter device hidden from the default view in Device Manager (devmgmt.msc) in Virtual Machines (VMs) running on its VM-GenerationID-capable virtualization products.

To see the device, the option Show hidden devices from the View menu needs to be enabled, first:

Show hidden devices option in the View menu of Device Manager (click for original screenshot) 

Then, as part of the list of System devices the Generation Counter device can be found:

The Microsoft Hyper-V Generation Counter in Device Manager in a VMware-based Virtual Windows Server 2012 installation (click for original screenshot)

I don’t know the exact reason why VMware has chosen to make the Microsoft Hyper-V Generation Counter device a hidden device on virtualized Windows Server 2012 installation. I can only imagine…

Perhaps the fact that every Windows Server 2012 and Windows Server 2012 R2-based Virtual Machine on every current VMware virtualization solution has a device with a name containing Hyper-V after the VMware Tools have installed, combined with the fact admins can’t disable this feature, is slightly embarrassing to VMware? 

  

Concluding

You can find out whether your virtual Domain Controllers may benefit from the VM-GenerationID on the VMware-based hypervisors through the Virtual Machine Configuration (*.vmx) file on the virtualization host and/or from the (hidden) system device in the guest.

Related blogposts

List of Hypervisors supporting VM-GenerationID   
Citrix XenServer joins the VM-GenerationID family     
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning 
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

Cloning Windows Server 2012 Domain Controllers on vSphere 5  
Windows Server 2012 VM-Generation ID Support in vSphere

Pictures of CeBIT Hannover 2014

Last Wednesday and Thursday I visited CeBIT 2014 in Hannover, Germany with three of my esteemed colleagues: Adnan Hendricks, Michiel de Jongh and Bas Lips. We saw interesting new technology, met interesting people and concluded we, indeed, live in interesting times.

Our day at CeBIT started around 5 AM at our Delft Office, where we met to embark on our 4-hour drive to Hannover via Utrecht, Almelo and Osnabrück. It was a beautiful morning with a red moon just above the horizon and as we saw the sun rise it became apparent it would also become a nice day.

WP_20140312_08_44_21_Pro 

We arrived at the Hannover Messe at around 9:30 AM, via the infamous two-lane one-way highway. We parked at Ost 14, crossed the bridge and entered the Messegelände through Hall 3. Hall 3 was home to a booth by Topdesk, our sister company Dutch. We enjoyed a nice cup of coffee at their booth and acclimatized immediately. After all, we’re no CeBIT first timers…

In Hall 4, we encountered booths by T-Mobile, SAP, Salesforce and Microsoft. That’s right; their four booths covered a whole hall:

A Quick overview of Hall 3 at CeBIT 2014: T-Mobile, Microsoft and SAP (click for original photo)It was a beautiful day, but apparently T-Mobile expected it to rain (click for original photo)
Salesforce promoting their ideas on local software in a fun way at CeBIT 2014 (click for original photo)
The Microsoft booth at CeBIT 2014 (click for original photo)
Heike Ritter (Technical Evangelist, Microsoft Germany) delivering a presentation at Microsofts IT Pro Academy at CeBIT 2014. (click for original photo)

From Hall 4, we made our way through a couple of other halls at CeBIT and met several innovative new technologies, like the prosthetic hand from Touch Bionics, that enabled a woman to use the muscles in her underarm to move the fingers. An app on a device allowed her to program and tweak hand movements. This active prostheses allowed her to pick up and hold objects (without crushing them) and even shake hands.

While the personnel at Touch Bionics’ booth aimed at showing the internal working of their i-limb ultra with its active skin, sparking comparisons to RoboCop, this company also offers a skin matching program, making for perfect integration.

A couple of feet from this booth, Iameco showed their line of green electronics: PCs and laptops made from 100% recycled materials, like wood and aluminum. An impressive feat and well worth a second look, despite the fact that most employees probably prefer a new laptop to a ‘used’ one.

Another CeBIT 2014 Innovation Award winner, Kinematic Blocks, also was able to show off their technology: Robotics for children.

Kinematic Blocks demo (click for original photo)

This video illustrates their tech perfectly. I feel this is going to revolutionize the way toddlers are going to look at robotics and technology. The fact that they made their blocks 100% compatible with Lego Technics is a nice bonus. I wouldn’t be surprised if this tech made it to the top of the toys award lists.

We had a nice lunch and for the afternoon headed for the higher-numbered halls. CeBIT wouldn’t be CeBIT without halls and halls filled with South-East Asian companies, offering all kinds of IT-related means under the most straight-forward company names:

SpeedTech, the name says it all. (click for original photo) SeeTech, I see what you did there... (click for original photo)WP_20140312_15_22_06_ProBaudtec. As in modems... (click for original photo)
Hank Electronics, my favorite one (click for original photo)Another nice line-up of tech. (click for original photo)Routers and routers (click for original photo) With a company name like that, you don't have to question the quality. (click for original photo)

Also, we encountered the worldwide market leader in power supplies for ATM machines in the Hall with all the banking companies. I didn’t know them…

Of course, a visit to CeBIT wouldn’t be complete without a visit to the Munchner Halle.

A round of beers at the Munchner Halle (click for original photo)

Cheers! Glimlach