Tal Sarid (Talsa) Principal Consultant @ Microsoft Consulting Services


Is it really possible to hack a 747's engines in-flight? (Repost)

http://www.itworld.com/security/223843/it-really-possible-hack-747s-engines

Locking Down Your Environment! Security Compliance Manager aka: SCM 2.5 Just Released!

For anyone looking to lock down their systems, take a look at the new SCM, just released to the Download Center!

The Microsoft Security Compliance Manager ships baselines for your servers (and server roles) and applications (at least the ones included in the tool, which is a lot), and for every setting in a baseline it documents the specific threat the setting addresses and the countermeasure it provides.

Once you have built your baseline from the Microsoft recommendation, you can compare it against any changes you have made and see the security implications of each change.

In addition, you can export the baseline as a GPO backup and as a Desired Configuration Management (DCM) configuration pack for SCCM. So not only can you set the policy, you can also audit the actual configuration on your machines and see who is “really” compliant!
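The DCM packs are what give you the auditor-grade report. When you just want to know right now whether one box matches the baseline you exported, the check below does it locally. It is an added example, not part of SCM or of this post: it exports the effective local security policy with secedit, parses the INF it writes, and compares a few settings against rules. The rule values are illustrative assumptions, not SCM's recommendations; take the real ones from your own baseline.

```powershell
# Added example, not SCM code. Exports the effective local security policy
# and reports drift against a handful of baseline rules. Run elevated.
# Baseline values below are assumptions for illustration only.

function Get-LocalSecurityPolicy {
    # secedit /export writes an INI-style file ([System Access], [Event Audit], ...).
    # Returns a hashtable keyed "Section\Setting" -> raw value string.
    param([string]$Path = (Join-Path $env:TEMP 'secpol-export.inf'))

    & secedit.exe /export /cfg $Path /quiet | Out-Null
    if (-not (Test-Path $Path)) { throw 'secedit export failed (are you running elevated?)' }

    $policy = @{}
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') {
            $policy["$section\$($Matches[1])"] = $Matches[2]
        }
    }
    Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
    return $policy
}

function Compare-SecurityBaseline {
    # $Baseline is a list of @{ Setting; Expected; Test } where Test is a
    # scriptblock that receives the raw value and returns $true when compliant.
    param(
        [Parameter(Mandatory)][hashtable]$Effective,
        [Parameter(Mandatory)][object[]]$Baseline
    )
    foreach ($rule in $Baseline) {
        $actual = $Effective[$rule.Setting]
        if ($null -eq $actual) { $pass = $false; $shown = '(not set)' }
        else { $pass = [bool](& $rule.Test $actual); $shown = $actual }
        if ($pass) { $result = 'Compliant' } else { $result = 'DRIFT' }
        [pscustomobject]@{
            Setting  = $rule.Setting
            Expected = $rule.Expected
            Actual   = $shown
            Result   = $result
        }
    }
}

# Illustrative rules (assumed values). Setting names are the ones secedit
# writes under [System Access].
$baseline = @(
    @{ Setting = 'System Access\MinimumPasswordLength'; Expected = '>= 14'; Test = { param($v) [int]$v -ge 14 } }
    @{ Setting = 'System Access\PasswordComplexity';    Expected = '1';     Test = { param($v) $v -eq '1' } }
    @{ Setting = 'System Access\LockoutBadCount';       Expected = '1..10'; Test = { param($v) [int]$v -ge 1 -and [int]$v -le 10 } }
    @{ Setting = 'System Access\ClearTextPassword';     Expected = '0';     Test = { param($v) $v -eq '0' } }
)

$effective = Get-LocalSecurityPolicy
Compare-SecurityBaseline -Effective $effective -Baseline $baseline | Format-Table -AutoSize
```

This only covers what secedit exports (account, audit, user-rights and registry-value policy), so registry keys that SCM's baselines set outside those areas still need the DCM pack or a separate check. A setting that is “(not set)” locally means the GPO never applied, which is exactly the drift the post is talking about.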


Key Features Include:

  • SCM 2.5 includes Windows and Office client product baselines that deliver on Computer, Domain, and User scenarios.
  • SCM 2.5 provides ready-to-deploy policies and DCM configuration packs that are tested and fully supported. Our product baselines are based on Microsoft security guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats.
  • Additional SCM 2.5 product baselines are included in the download, including Windows 7 SP1, Windows Vista SP2, Windows XP SP3, Office 2010 SP1, Exchange Server 2010 and Internet Explorer 8.
  • Gold master support, which enables you to create a snapshot of a reference machine or import an existing Group Policy to quickly build Configuration Manager DCM packs.
  • The ability to configure stand-alone machines and deploy your configurations to non-domain-joined computers using the new GPO Pack feature.
  • Customize and deploy one of the 64 pre-built DCM packs or group policies that cover multiple operating systems, server workloads and client applications.
  • Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • SCM configuration baselines are integrated into the System Center 2012 Service Manager Process Pack for IT GRC to provide oversight and auditor-ready reporting of your compliance activities.

Next steps:

The Case of the Unexplained Exploding iPhone…


I love my Windows Phone 7…it’s a great OS running on a Samsung Focus Flash Machine…

Every time I take it out, people always ask about it…and I tell them that I also have a few other devices that I use (devices I gathered along the way…).

One of them used to be this…iPhone…I don’t know exactly what happened…but…I just had to share…and ask if anyone has encountered something like this…

Imagine, you are enjoying your smartphone…talking, listening to music…Angry Birds…and then ALL of a sudden…you hear a noise, and it starts to blow up right in front of you….!!!

This is what it looks like…


 

Looks like something in the battery went terribly wrong and it just blew up…and expanded the whole machine from the inside….

Has anyone ever seen anything like this?!

ouch…


Dynamic Optimization in SCVMM 2012…Super Cool!

 

With SCVMM 2012 (and the whole System Center 2012 suite) coming out next month, there are a lot of super cool features that I think IT pros will really want to leverage…

One of them, is Dynamic Optimization!

 


 

During Dynamic Optimization, VMM migrates virtual machines within a host cluster to improve load balancing among hosts and to correct any placement constraint violations for virtual machines.

Dynamic Optimization can be configured on a host group, to migrate virtual machines within host clusters with a specified frequency and aggressiveness.

Aggressiveness

Aggressiveness determines the amount of load imbalance that is required to initiate a migration during Dynamic Optimization. By default, virtual machines are migrated every 10 minutes with medium aggressiveness.

When configuring frequency and aggressiveness for Dynamic Optimization, an administrator should factor in the resource cost of additional migrations against the advantages of balancing load among hosts in a host cluster.

Dynamic Optimization can be set up for clusters with two or more nodes.

A few Caveats…

If a host group contains stand-alone hosts or host clusters that do not support live migration, Dynamic Optimization is not performed on those hosts.

Any hosts that are in maintenance mode also are excluded from Dynamic Optimization.

Finally, SCVMM will only migrate highly available virtual machines, that is, VMs that are cluster resources on shared storage. A VM that sits on a clustered host but on local disk is never moved, no matter how unbalanced the host becomes.
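The same settings are reachable from the VMM PowerShell module, which is also the quickest way to find the VMs that the caveats above exclude. The script below is an added example, not from the post and not VMM's own sample code: it enables Dynamic Optimization on a host group, lists the non-highly-available VMs on clustered hosts in that group, and kicks off one optimization pass. The server name, the host-group name and the numeric aggressiveness value (3 is taken to be the “medium” slider position) are assumptions; verify the parameter names against Get-Help on your VMM build.

```powershell
# Added example, not VMM's own code. Assumes a VMM 2012 console install
# (virtualmachinemanager module), a VMM server 'vmm01.contoso.local' and a
# host group named 'Production'. Aggressiveness 3 = medium is an assumption.

Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName 'vmm01.contoso.local' | Out-Null

$hostGroup = Get-SCVMHostGroup -Name 'Production'

# Frequency and aggressiveness are configured per host group; each cluster
# in the group inherits them. Enabled = automatic migration on the schedule.
$doConfig = Get-SCDynamicOptimizationConfiguration -VMHostGroup $hostGroup
Set-SCDynamicOptimizationConfiguration -DynamicOptimizationConfiguration $doConfig `
    -Enabled $true -FrequencyInMinutes 10 -Aggressiveness 3 | Out-Null

# VMs that Dynamic Optimization will never move: they live on a clustered
# host but are not highly available (not a cluster resource / shared storage).
$stuck = foreach ($vmHost in Get-SCVMHost -VMHostGroup $hostGroup) {
    if (-not $vmHost.HostCluster) { continue }   # stand-alone host: DO does not apply at all
    Get-SCVirtualMachine -VMHost $vmHost | Where-Object { -not $_.IsHighlyAvailable }
}
$stuck |
    Select-Object Name, @{ n = 'Host'; e = { $_.VMHost.Name } }, IsHighlyAvailable |
    Format-Table -AutoSize

# Run one optimization pass now instead of waiting for the 10-minute schedule.
# Clusters without live migration and hosts in maintenance mode are skipped.
Get-SCVMHostCluster -VMHostGroup $hostGroup |
    ForEach-Object { Start-SCDynamicOptimization -VMHostCluster $_ }
```

The non-HA list is the one to review before you trust the balancing numbers: those VMs consume host CPU and memory but are invisible to the load-balancing decision, so a host that looks “balanced” to VMM can still be the busiest one in the cluster.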

Some of the other cool features are Power Optimization…which we’ll take a look at next time…

C U Soon!


Tal

Windows 8 SLAT–Coreinfo.exe update

Hi there,

Some of you might have seen my earlier post about using Coreinfo.exe from Sysinternals to check whether your servers’ CPUs support SLAT (Second Level Address Translation):

http://technet.microsoft.com/en-us/sysinternals/cc835722

Just a quick update on something we found in the field, for those of you that have the Hyper-V role enabled: the tool needs to be run without Hyper-V enabled in order to verify correctly whether you have SLAT. Once the role is on, the Windows instance you are logged into is the hypervisor’s root partition, and the hypervisor hides the CPUID virtualization feature bits from it, so Coreinfo shows a dash on the EPT/NP line even on hardware that supports it.

In essence, you have three options (good to know beforehand):

1) Check before you enable hyper-V

2) Check from a dual boot…such as Windows 7 (if you have such a scenario…like a laptop running both editions…)

3) Uninstall the role…yeah, I know…

If you don’t have the Hyper-V Role installed, then you are good to go!

C U Soon,


Tal

Windows Azure Toolkit out for Windows 8 Consumer Preview…

http://watwindows8.codeplex.com/


Windows 8 Hyper-V will require SLAT (Second Level Address Translation)

For those about to buy some new Hyper-V hardware…

“Hyper-V requires a 64-bit system that has Second Level Address Translation (SLAT),” explains Hyper-V program manager Mathew John in Microsoft’s Windows 8 blog. “SLAT is a feature present in the current generation of 64-bit processors by Intel & AMD. You’ll also need a 64-bit version of Windows 8, and at least 4GB of RAM.”

SLAT is a hardware virtualization feature found in newer Intel and AMD processors (Intel calls it Extended Page Tables, EPT, and it appears in the Core i3, i5 and i7 families; AMD calls it Nested Page Tables, NP, and introduced it with the Barcelona generation). Check the specific model, since not every SKU in a family has it. Hyper-V has always required hardware-assisted virtualization (Intel VT-x or AMD-V) plus hardware DEP, but requiring SLAT as well is more restrictive than the current specs.

If you want to check whether your servers support SLAT, try out this cool tool by Mark Russinovich (run it as coreinfo -v to get just the virtualization features):

http://technet.microsoft.com/en-us/sysinternals/cc835722

On an Intel processor, a star (*) on the line EPT means that SLAT is supported.


On an AMD processor, a star (*) on the line NP means that SLAT is supported.


If there is a dash on the EPT or NP line, your processor does not support SLAT and you cannot use Hyper-V in Windows 8. (A dash is also what you will see if you run Coreinfo with the Hyper-V role already enabled, because the hypervisor masks those CPUID bits from the root partition, so check before enabling the role.)

Bottom line: if you are buying a new server now for Hyper-V, I strongly recommend checking for SLAT. Without it you won’t be able to upgrade and you’ll have to buy a new processor…
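If you are checking a rack of servers rather than one box, parsing the Coreinfo output beats reading stars by eye. The function below is an added example (not from this post and not Sysinternals code): it reads coreinfo -v output, picks the EPT line on Intel or the NP line on AMD, and refuses to give an answer when the HYPERVISOR line shows a star, which is the Hyper-V-already-enabled case from the Coreinfo update above where the reading is not reliable. The sample lines are constructed to mimic Coreinfo’s layout; they were not captured from a real machine.

```powershell
# Added example, not Sysinternals code. Parses "coreinfo -v" output lines.
# Sample text below is constructed to look like coreinfo output.

function Test-SlatFromCoreinfo {
    param([Parameter(Mandatory)][string[]]$CoreinfoLines)

    # Feature lines look like:  NAME<spaces>*<spaces>description  ('*' present, '-' absent)
    $flags = @{}
    foreach ($line in $CoreinfoLines) {
        if ($line -match '^([A-Z0-9_]+)\s+([*-])\s') { $flags[$Matches[1]] = ($Matches[2] -eq '*') }
    }

    if ($flags['HYPERVISOR']) {
        # Root partition under Hyper-V: CPUID virtualization leaves are masked,
        # so EPT/NP show '-' even on capable hardware. Do not trust this run.
        return [pscustomobject]@{ Slat = $null; Flag = 'HYPERVISOR'; Note = 'Hypervisor running; result unreliable, check before enabling the role' }
    }
    if ($flags.ContainsKey('EPT'))    { $flag = 'EPT' }   # Intel
    elseif ($flags.ContainsKey('NP')) { $flag = 'NP' }    # AMD
    else { return [pscustomobject]@{ Slat = $null; Flag = $null; Note = 'No EPT/NP line found; run coreinfo -v' } }

    if ($flags[$flag]) { $note = 'SLAT present; Windows 8 Hyper-V OK' }
    else               { $note = 'No SLAT; Windows 8 Hyper-V will not run on this CPU' }
    [pscustomobject]@{ Slat = $flags[$flag]; Flag = $flag; Note = $note }
}

# Constructed samples (layout only; not real captures).
$intelSample = @(
    'Intel(R) Core(TM) i7 CPU (constructed sample)'
    'HYPERVISOR      -       Hypervisor is present'
    'VMX             *       Supports Intel hardware-assisted virtualization'
    'EPT             *       Supports Intel extended page tables (SLAT)'
)
$amdSample = @(
    'AMD Opteron(tm) Processor (constructed sample)'
    'HYPERVISOR      -       Hypervisor is present'
    'SVM             *       Supports AMD hardware-assisted virtualization'
    'NP              -       Supports AMD nested page tables (SLAT)'
)
$hyperVHostSample = @(
    'HYPERVISOR      *       Hypervisor is present'
    'VMX             -       Supports Intel hardware-assisted virtualization'
    'EPT             -       Supports Intel extended page tables (SLAT)'
)

Test-SlatFromCoreinfo -CoreinfoLines $intelSample        # Slat = True,  Flag = EPT
Test-SlatFromCoreinfo -CoreinfoLines $amdSample          # Slat = False, Flag = NP
Test-SlatFromCoreinfo -CoreinfoLines $hyperVHostSample   # Slat = $null, Flag = HYPERVISOR

# On a real server:  Test-SlatFromCoreinfo -CoreinfoLines (& .\coreinfo.exe -accepteula -v)
```

On Windows 8 and Server 2012 the same answer is also exposed by WMI as the SecondLevelAddressTranslationExtensions property of Win32_Processor, but expect the same masking once the Hyper-V role is running, so the “check first” advice applies either way.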

cu soon!


Tal

Zero to Dynamic Datacenter in 24 Hours!

Once upon a time…not soo long ago…

“NEW ORLEANS, May 6, 2003 — In his keynote address today at the 12th annual Windows® Hardware Engineering Conference (WinHEC), Bill Gates, chairman and chief software architect at Microsoft Corp., will showcase a concept of a Dynamic Data Center (DDC)”

http://www.microsoft.com/presspass/press/2003/may03/05-06dynamicdatacenterpr.mspx

I remember hearing about it for the first time, and thinking WOW…wouldn’t that be something…Imagine designing a system, with a tool (like visio)…designing your application along with the infrastructure integration and right clicking…and sending to production.

Almost a decade later, I was able to build one (a Dynamic Data Center) in only 24 hours…well, ok…it was actually 3 days (8 hours at a time…) but after those 24 hours (3 days) we had a full, state of the art “Dynamic Datacenter” (aka DCS) up and running!

The DCS reference architecture and reference implementation are blueprints for designing and implementing customized DCS solutions. Both were developed by a worldwide team of Microsoft Consulting Services (MCS) experts on Windows Server, System Center, and Forefront technologies. The reference architecture and reference implementation are designed to accelerate deployments, ensure quality and consistency of delivery, and simplify account planning and engagement scoping.

A few terms to know..

Hydration

The Datacenter Services Solution is built using the Hydration v5 Framework. The framework is a lightweight scripting engine built on the Microsoft Deployment Toolkit 2010 Update 1. It allows for the building and sharing of Hydration Packs which define configuration and installation scripts for groups of products that make up a service. It also provides mechanisms to validate known-good configurations that are deployed using task sequences.

Fabric

The fabric is all infrastructure and systems under the scope of control of the reference architecture. The fabric can consist of multiple sites and datacenters.

Sites / Datacenters

A physical location or site housing one or more resource pools.

Resource Pools

A resource pool is comprised of server, network, and storage scale units that share a common hardware and configuration baseline but does not share a single point of failure with any other resource pool (other than the facility itself). Note that a resource pool could be subdivided further into Fault Domains with the definition of a fault domain being a group of physical infrastructure with a common configuration that doesn’t share a single point of failure with any other fault domain. For simplicity, in our solution a resource pool and a fault domain are equivalent.

Scale Units

A scale unit is a set of server, network, and storage capacity that is deployed as a single unit and is the smallest unit of capacity deployed in the fabric. Depending on the customer size, a scale unit may be a 4-node Hyper-V cluster or a full rack of 64 blade servers. It is typically sized as the average new capacity required quarterly in the environment. So rather than deploy a single server at a time, when additional capacity is needed, a new scale-unit is deployed to meet the need and leave room for the remainder of the growth anticipated in the quarter.

DCS Conceptual Architecture

Private Cloud IaaS is an advanced state of IT maturity with a high degree of automation, integrated service management, and efficient use of resources. Virtualization can be a key enabler of IaaS, but most models, including the NIST cloud definition, treat virtualization as a common, but not essential, attribute.

An infrastructure that is 100 percent virtualized may have no process automation; it might not provide management and monitoring of applications that are running inside virtual machines (VMs) or IT services that are provided by a collection of VMs. In addition to virtualization, several other infrastructure-architecture layers are required to achieve the essential cloud attributes.

A rich automation layer is required. The automation layer must be enabled across all hardware components—including server, storage, and networking devices—as well as all software layers, such as operating systems, services, and applications.

The Windows Management Framework—which comprises Windows Management Instrumentation (WMI), Web Services-Management (WS-Management), and Windows PowerShell—is an example of a rich automation layer that was initially scoped to Microsoft products, but that is now being leveraged by a wide variety of hardware and software partners.

A management layer that leverages the automation layer and functions across physical, virtual, and application resources is another required layer for higher IT maturity. The management system must be able to deploy capacity, monitor health state, and automatically respond to issues or faults at any layer of the architecture.

An orchestration layer that manages all of the automation and management components must be implemented as the interface between the IT organization and the infrastructure. The orchestration layer provides the bridge between IT business logic, such as "deploy a new web-server VM when capacity reaches 85 percent," and the dozens of steps in an automated workflow that are required to actually implement such a change.

The IaaS solution’s primary purpose is to host other layers such as the PaaS and SaaS.

The final layer is the user interface layer providing interfaces for both service providers and service consumers.

This is what the Core architecture looks like…. 


And a Few Shots from my Build….

Server Manager and VMM….


CPUs and RAM….


The Datacenter Services Basic Portal…


Assigned Quota Units out of the overall 100 units available on the Resource Pool…


I love these provisioning portals…this is where almost anyone can ask for a machine…here they can choose from a predefined template…small, medium, large….or silver, gold…whatever makes sense…


 

Choosing where and which….


As you can see, we are moving rapidly towards Dynamic Datacenters…with advanced portals…you’ll see more and more of templates and Services that can be automatically deployed to the datacenter….and can scale…up and out…

This is one cool example that not only is simple…but also worked amazing…(note: This is a different system…not the DCS that I built…)


Once you choose your template and what you want on it…the magic starts!

For those wondering, DCS 2.0 (the next generation, built on Windows 8 Server and System Center 2012) is right around the corner…

Summary

I hope you enjoyed this intro and my experience with today’s DCS….We all know that we are just at the beginning and I am super excited about this evolution!!

 

CU Soon…

Tal

Windows 8 Keyboard Shortcuts!! (Full List)

 

Hey everyone! I know you are going to love this…for all of us that might still be on the keyboard with Windows 8…here it is…the full list of commands!

And of course…that infamous Win + C for the charms.

Video Walkthrough of Installing a Role on Win8 Server…

Win 8 Server bits…AD up and Running…

 

If you were looking for those server bits (Datacenter Edition), you can find them here…

http://technet.microsoft.com/en-us/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33

So, finished the installation, sysprepped my first machine and I am ready to go…

(you’ll find it in c:\windows\system32\sysprep\sysprep.exe)


The First thing that you’ll see is the new Server Manager…Very Cool!!


The new Server Manager not only lets you see your servers in one place, but also lets you install roles and features from one central location!

For example, when I installed the AD DS role, it gave me a list of the possible servers (local and remote) that I could install it on…


Looks like everything is green for now…on to the next role…

Windows 8…you gotta just love that Buzzzzz….(link to the bits here…)

ISO almost downloaded…from the feel of it, a LOT of people were waiting to download the bits…

It’s almost here, and may the installation begin…!

It’s time to take a deep look at all the new features:

 

  • Dynamic Access Control
  • Secure Boot
  • Measured Boot
  • New PKI Features
  • New AD features
  • New Group Policy Features
  • New VDI features
  • New Remote Desktop Features
  • Hyper-V Features
  • PowerShell 3.0
  • Windows to Go (very, very cool)
  • and much, much more…

There is so much in Windows 8 that this is truly a game changer! Truth be told, I am excited!

 

Get the Bits here…

http://windows.microsoft.com/en-US/windows-8/iso

 

100k Changes from the dev preview…

http://venturebeat.com/2012/02/29/microsoft-launches-windows-8-consumer-preview-with-over-100k-changes-from-dev-preview-live/

 

See you soon,


Talsa

And we are at the final stretch!!! Windows 8 is almost here…

 

As some of you might know, the Windows 8 Consumer Preview is coming out on Thursday!!! This is going to be a game-changing release and I am super excited about it.

Many of you have seen the Metro UI from the Developer Preview that was released at the Build conference…amazing as that is, it is truly just the tip of the iceberg…

Windows 8 has raised the bar in so many areas that IT pros and developers are really going to love this state-of-the-art OS…

In the upcoming months, I’ll cover all the latest and greatest…so…stay tuned…the journey to windows 8 begins!

See you soon!


Tal

Office 365: Security Assurance

The Office 365 cloud service suite offers customers complete control over their data, full privacy and strict security measures. Tal Sarid explains exactly how it works.

By: Tal Sarid, Microsoft Consulting Services

Many organizations are evaluating or moving to cloud services as part of their computing environment. As with any new service in this area, the first questions from executives and IT staff concern the security of the data. The main concerns are how the data is stored, where it is stored, and who is responsible for managing security on an ongoing basis.

Microsoft's cloud service suite, Office 365, has set new industry standards for security and for protecting the privacy of data. We recently launched a dedicated site, trust.office365.com, which presents clearly and fully transparently all the information about how security is managed in the Office 365 service. The site provides comprehensive information on the steps Microsoft takes to preserve and protect the data, as well as technical information for IT administrators on managing organizational security policy on top of the protections that are already in place.

Microsoft bases its cloud services on four main principles: privacy, transparency, compliance and information security.

Privacy

Microsoft follows a simple principle: your data is yours alone. That is why we do not scan your email, do not mine your documents to show you advertisements, and do not expose your data to anyone else in any other way.

Following from this, Microsoft completely separates (physically and logically) the cloud services intended for consumers from the cloud services intended for businesses. In addition, the company offers a range of tools that let you take your data back into your own possession if you wish. A fuller description of the privacy options can be found on the page dealing with the use of your private information.

Transparency

Another area that gets significant attention during a move to the cloud is transparency about how the organization's data is handled. At Microsoft, transparency is an integral part of the service. At every stage, customers can see the geographic storage location of their data in the Office 365 systems. The storage location is determined by the company's mailing address at sign-up time.

As part of that transparency, we also publish a clear policy on which employees are authorized to handle your data.

Regulation and Standards

Microsoft's Office 365 services are continuously audited by external firms to ensure compliance with international standards. Office 365 is the first office-application service in the world to receive ISO 27001 certification. The certification examines every aspect of the service's security, including physical security, logical security, operating procedures and the management tools built into the service.

Security

Information security has been an integral part of Microsoft's development processes for more than a decade. Microsoft is among the first companies in the world to have secured online services such as Hotmail and Bing for tens of millions of users. The enormous experience accumulated in the company is applied in the Office 365 service. The service's security combines several mechanisms, such as layered defenses, continuous monitoring and restriction of access permissions. It is worth reading the whitepaper we published on Office 365 security.

Tal Sarid is a systems security specialist focusing on cloud and private cloud infrastructure in the Microsoft Israel consulting group (MCS).

Keeping Track of your SSL Certificates

 

Someone asked me about this today, so I decided to post it.

Many organizations are looking for a way to track their SSL certificates and know when they are about to expire. Enter VerifySSL.

VerifySSL is a free tool, that tracks SSL Certs and tells you when the certs are about to expire…

take a look at the easy to use UI…

 


 

Hope you find this useful…
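If you would rather not depend on a third-party tool for this, the check itself is small. The script below is an added example (not from the post and not VerifySSL’s code): it opens a TLS connection to each endpoint, reads the leaf certificate the server presents, and flags anything expired or expiring within a warning window. The host names are placeholders; replace them with your own endpoints.

```powershell
# Added example, not VerifySSL code. Reads the certificate each TLS endpoint
# presents and reports days until expiry. Host names below are placeholders.

function Get-RemoteCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $connect = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "Timed out connecting to ${HostName}:${Port}"
        }
        $client.EndConnect($connect)

        # Accept any certificate during this handshake: the point is to READ an
        # expired or mismatched cert, not to trust it. Never reuse this callback
        # on a connection that carries real traffic.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        # Passing the host name sends SNI, so a virtual-hosted server returns the
        # certificate for this name instead of its default one.
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Get-CertificateExpiryReport {
    param(
        [Parameter(Mandatory)][string[]]$HostNames,
        [int]$WarnDays = 30
    )
    foreach ($name in $HostNames) {
        try {
            $cert = Get-RemoteCertificate -HostName $name
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
            elseif ($daysLeft -le $WarnDays)  { $status = 'WARN' }
            else                              { $status = 'OK' }
            [pscustomobject]@{
                Host = $name; Subject = $cert.Subject; Issuer = $cert.Issuer
                NotAfter = $cert.NotAfter; DaysLeft = $daysLeft; Status = $status
            }
        }
        catch {
            # Unreachable host, refused connection, handshake failure: report, don't abort.
            [pscustomobject]@{
                Host = $name; Subject = $null; Issuer = $null
                NotAfter = $null; DaysLeft = $null; Status = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

# Placeholder endpoints; run from a scheduled task and alert on WARN/EXPIRED/ERROR.
Get-CertificateExpiryReport -HostNames 'www.example.com', 'mail.example.com' -WarnDays 30 |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

Two things worth knowing: this only sees the leaf certificate the server sends, so an intermediate CA that is about to expire will not show up here, and certificates that never face the network (internal service accounts, IIS bindings on hosts behind a load balancer) are better enumerated straight from the store with Get-ChildItem on Cert:\LocalMachine\My and the same NotAfter arithmetic.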
