March 27, 2012
Newsletter March 2012


TrueSec

News and Geek Stuff

March 2012

This is the last newsletter before the much anticipated MMS in Las Vegas. Fingers crossed that we will see some long awaited product releases from Microsoft. At the next Live Meeting on April 26, Mike and Johan will give a recap of the week in "Best of MMS". Register here if you have not already done so.

The MVP Combo, the ultimate MDT 2012 and ConfigMgr 2012 training, is coming up in Orlando. Kent and Johan are ready to guide you for a full week, and seats are still available. This is a one-of-a-kind week where you get the chance to rub shoulders with Kent and Johan and test them with the issues you see in your own environment.

Curious about what Windows 8 will bring? Mike Nystrom runs his "Mastering Windows Server 8" starting in Minneapolis as early as June, and Michael Anderberg kicks off his "Mastering Windows 8 client in the enterprise" this summer. Michael A also contributes this month with his view on the Metro Start screen.

Our Security MVP Hasain Alshakarti introduces two-factor authentication in Windows 8 using Virtual Smart Cards, and Johan shares his experience with Deduplication in Windows Server 8.

Kent Agerlund: Enabling Email approvals for your requested applications in Configuration Manager 2012
Johan Arwidmark: Windows Server 8 - Deduplication awesomeness
Hasain Alshakarti: Two-factor Authentication in Windows 8 with Virtual Smart Cards
Michael Anderberg: An Introduction to the Metro Start screen in Windows 8 Consumer Preview

Enabling Email approvals for your requested applications in Configuration Manager 2012

By default, application approvals must be done from within the ConfigMgr 2012 administrator console. If you have Service Manager 2012 you can use that to implement an approval process.

For those of you who do not (yet) have Service Manager, here is a tool that you can use. The solution consists of a website and a web service. They do not have to be installed on the same server, and there is no requirement to install either component on the site server.

Download our beta 0.9 version here

How it works

The Coretech Application Approval Server (CAAS), which in this example runs on the site server, monitors any approval requests made by users.

  1. A request is made by the end user from the software web catalog.
  2. CAAS picks up the request, looks up the user in Active Directory and finds the manager. In this example I'm my own manager.
  3. CAAS sends an approval mail to the manager.
  4. The manager approves or rejects the request from the link in the mail.
  5. If rejected, the request shows as rejected by the manager.
  6. If approved, the application is approved by the manager and ready for installation.
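To make the flow above concrete, here is an added PowerShell sketch of the same steps (pending request, AD manager lookup, approval mail with an id link, and the approve/deny call the website makes). It is illustration code written for this newsletter, not the Coretech tool's code. It assumes, beyond what the article says, that ConfigMgr 2012 exposes catalog requests through the SMS_UserApplicationRequest WMI class in root\sms\site_<SiteCode> on the SMS Provider (taken here to be the site server), that CurrentState 1 means "Requested", and that the class has Approve(Comments) and Deny(Comments) methods; the server names, addresses and GUID are made up.

```powershell
# Added illustration of the CAAS flow; NOT the Coretech tool's code.
# Assumptions (not from the article): SMS_UserApplicationRequest in root\sms\site_<code>,
# CurrentState 1 = Requested, methods Approve(Comments) / Deny(Comments). Names are fictitious.
param(
    [string]$SiteServer = 'cm01.corp.example.com',
    [string]$SiteCode   = 'PS1',
    [string]$WebsiteUrl = 'http://web01.corp.example.com/CAAWebsite',
    [string]$SmtpServer = 'smtp.corp.example.com',
    [int]   $SmtpPort   = 25,
    [string]$From       = 'appapproval@corp.example.com'
)
$Namespace = "root\sms\site_$SiteCode"

# The user name comes from the request and is untrusted, so escape it before it goes into an LDAP filter.
function Escape-LdapValue([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Resolve DOMAIN\user to the mail address of the account named in its AD 'manager' attribute.
function Get-ManagerMail([string]$DomainUser) {
    $sam = Escape-LdapValue ($DomainUser.Split('\')[-1])
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    $searcher.PropertiesToLoad.Add('manager') | Out-Null
    $user = $searcher.FindOne()
    if (-not $user) { throw "User '$DomainUser' not found in Active Directory" }
    $managerDn = $user.Properties['manager'] | Select-Object -First 1
    if (-not $managerDn) { throw "No manager set on '$DomainUser'" }
    $manager = [ADSI]"LDAP://$managerDn"
    if (-not $manager.mail) { throw "Manager '$managerDn' has no mail address" }
    return [string]$manager.mail
}

# One mail per pending request. The link carries only the request GUID, i.e. the
# "Allow Action by Id" form of the website URL documented below.
function Send-ApprovalMails {
    $pending = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
        -Query 'SELECT * FROM SMS_UserApplicationRequest WHERE CurrentState = 1'
    foreach ($req in $pending) {
        $to   = Get-ManagerMail $req.User
        $link = "${WebsiteUrl}?id=$($req.RequestGuid)"
        $body = "$($req.User) has requested '$($req.Application)'.`r`n" +
                "Reason: $($req.Comments)`r`n`r`nApprove or reject: $link"
        Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -From $From -To $to `
            -Subject "Application request: $($req.Application)" -Body $body
    }
}

# What the website does when the manager clicks: check that the id really is a GUID before
# it is placed in a WQL query, then call Approve or Deny on the matching request.
function Set-RequestDecision([string]$RequestGuid, [bool]$Approve, [string]$Comment) {
    $guid = [guid]::Parse($RequestGuid)          # throws on anything that is not a GUID
    $req = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
        -Query "SELECT * FROM SMS_UserApplicationRequest WHERE RequestGuid = '$guid'"
    if (-not $req) { throw "No request with id $guid" }
    if ($Approve) { $req.Approve($Comment) | Out-Null } else { $req.Deny($Comment) | Out-Null }
}

Send-ApprovalMails
# Acting on a clicked link (?id=<GUID>), with a fictitious GUID:
# Set-RequestDecision -RequestGuid 'c75e1a2b-3d4f-4a5b-9c6d-7e8f90a1b2c3' -Approve $true -Comment 'Approved by manager'
```

The GUID in the link is the only thing tying the mail to the request, so whatever serves the approval page should require Windows authentication for the managers; a link that anyone who sees the mail can click is not an approval control.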

 

Installing the Website

  1. Start the installation and click Next.
  2. Enter the FQDN, the Site Code and click Next.
  3. Set a checkmark in the allowed actions and click Next.

Allow Action by Id:
Allows managers to deny/approve requests that match an Id
http://fqdn/CAAWebsite?id=GUID
Required for the Coretech AA Service to work

Allow Action by User:
Allows managers to deny/approve requests that match a user
http://fqdn/CAAWebsite?user=domain\username

Allow Action by Application:
Allows managers to deny/approve requests that match an application
http://fqdn/CAAWebsite?application=ApplicationName

Allow Wildcard:
Allows managers to deny/approve requests that match on a wildcard
http://fqdn/CAAWebsite?id=C75%
http://fqdn/CAAWebsite?user=domain\userna%
http://fqdn/CAAWebsite?application=ApplicationNa%

Only the Id action is needed for the links the service mails out. The user, application and wildcard actions let a single URL act on many requests at once, so enable them only if the website is restricted to the managers who should have that power.

  4. Select a Site to place the Virtual Directory. Give the Virtual Directory a name (Default: CAAWebsite). Choose an Application Pool that runs ASP.Net v4 in Integrated mode. Click Next.
  5. Click Next to start the installation.
  6. Installation complete, click Close.


Installing the Web Service

  1. Start the installation and click Next.
  2. Enter the FQDN of the Site Server and the Site Code. Enter the FQDN of the Web Server that holds the Coretech AA Website. Enter the Virtual Path of the Coretech AA Website (Default: CAAWebsite).
  3. Enter the FQDN of the mail server to use, the port to use on the mail server and the mail address to send as.
  4. Enter the folder to install the Service, or keep the default.
  5. Click Next to start the installation.
  6. Installation is complete, click Close.


A huge tribute goes to Claus Codam who is the main developer behind the tool.
//Kent


Windows Server 8 - Deduplication awesomeness

By Johan Arwidmark
Microsoft MVP – Setup and Deployment

It was mid-March when my main demo environment was reinstalled with Windows Server 8... I love the new Deduplication feature, a feature that finds duplicate chunks in files on the file system, even inside VHD files etc., and stores each such chunk only once. Meaning if you have many files that are fully or partly identical, the redundant chunks claim real hard drive space only once.

Disclaimer:

Please note that Deduplication works best for content folder stores, virtualization depots or backup stores etc. It's not really intended for live, constantly changing data, like a running Hyper-V host. Even though that's exactly how I will use it in my lab environment. No guts no glory - What could possibly go wrong with beta software :)

Estimate the Deduplication savings

If you want to examine how much space you can save on a volume, without actually enabling Deduplication, you can run the ddpeval.exe tool. You can also copy the ddpeval.exe file from a Windows Server 8 installation to a Windows Server 2008 R2 machine and run it. Very useful to find out if your machine would benefit from a Windows Server 8 upgrade in terms of Deduplication. You can run ddpeval.exe against local drives or remote shares.

Here is the output from running ddpeval.exe on one of my Windows Server 2008 R2 deployment servers.




Enabling Deduplication

Deduplication is a File Services role that you add via Server Manager, and after doing that you can enable data Deduplication on your data drives (not the OS volume).

In my demo environment I had a few Hyper-V hosts with about a terabyte of virtual machines and ISO files. After installing Windows Server 8 beta and restoring my backup of files, my disks looked like this, i.e. before adding Deduplication:

Then I added the Deduplication file services role via Server Manager, and forced an immediate data Deduplication run (via the Task Scheduler). After about three hours or so my drives looked like this:

I still have the same data on the drive, I just have 372 GB free space instead of only 73 GB. Life is good... :)
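The same walkthrough (estimate, add the role, enable the volume, force a run, read the savings) done from PowerShell, as an added example rather than Johan's own steps. It assumes the cmdlet and feature names of the released Windows Server 2012 Deduplication module (the beta may differ), a data volume E: that is not the OS volume, and a fictitious share name for the remote ddpeval run.

```powershell
# Added example; not from the article. Assumes Windows Server 2012 cmdlet names and a data
# volume E:. Run elevated on the file server.

# 0. Estimate first, without changing anything. ddpeval.exe can also be copied to a
#    Windows Server 2008 R2 box and pointed at a local drive or a share (share name is fictitious).
ddpeval.exe E:\
ddpeval.exe \\dp01\Sources$

# 1. Add the role (the Server Manager step).
Add-WindowsFeature FS-Data-Deduplication

# 2. Enable dedup on the data volume only, never the OS volume.
Enable-DedupVolume -Volume E:

#    Files younger than the volume's minimum file age are skipped, so a restore made today
#    would be left alone by the first run. For a lab restore, allow files of any age.
Set-DedupVolume -Volume E: -MinimumFileAgeDays 0

# 3. Force an optimization run now instead of waiting for the schedule; -Wait blocks until it finishes.
Start-DedupJob -Volume E: -Type Optimization -Wait

# 4. The before/after free-space comparison, in numbers.
Get-DedupStatus -Volume E: | Format-List Volume, FreeSpace, SavedSpace, OptimizedFilesCount, InPolicyFilesCount

# Housekeeping jobs worth knowing: GarbageCollection reclaims chunks no file references any
# more, and Scrubbing checks the chunk store for corruption. One damaged chunk affects every
# file that references it, so scrubbing and a backup of the deduped volume both matter.
Start-DedupJob -Volume E: -Type GarbageCollection
Start-DedupJob -Volume E: -Type Scrubbing
```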

For more info about Deduplication, check out the following post:

Data Deduplication Planning and Deployment
http://technet.microsoft.com/en-us/library/hh831700.aspx

/ Johan


Two-factor Authentication in Windows 8 with Virtual Smart Cards

By Hasain Alshakarti
Microsoft MVP – Enterprise Security
Blog: http://secadmins.com

Virtual smart cards function much like conventional smart cards but differ in that they protect private keys using the TPM of the PC instead of smart card media. Private keys on the virtual smart card are protected by the cryptographic capabilities of the TPM: the sensitive information that a physical card would hold is encrypted using the TPM and then stored on the hard drive in its encrypted form. The unencrypted private keys are never used outside of the TPM, so malware on the host cannot extract them. Be clear about what that does and does not buy you: the key cannot be copied off the machine, but software running on that machine can still ask the TPM to use it once the PIN has been supplied, so the PIN (something you know) and the TPM lockout remain part of the protection. An attacker who gets hold of the drive will not be able to access the keys stored on the VSC, as they are encrypted using the TPM, and the disk may be further protected by BitLocker drive encryption.

Virtual smart cards maintain the three key properties of conventional smart cards:

·        Non-exportability: all private information on the VSC is encrypted using the host machine's TPM, so it cannot be used on a different machine with a different TPM. Additionally, TPMs are designed to be tamper-resistant and their own root keys are non-exportable.

·        Isolated cryptography: unencrypted copies of private keys are loaded only within the TPM, and never into memory accessible by the OS. All cryptographic operations with these private keys occur inside the TPM.

·        Anti-hammering: the virtual smart card uses the anti-hammering logic of the TPM, which rejects brute-force PIN attempts for a period of time known as lockout.

Read more about Virtual Smart Cards in Windows 8 and how to evaluate the new function in the guide: Understanding and Evaluating Virtual Smart Cards
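For those who want to try the evaluation themselves, here is an added PowerShell walkthrough that creates a TPM virtual smart card on a Windows 8 machine, puts a key on it and then checks the non-exportability property described above. It is not code from the article or from Microsoft's guide. It assumes an initialized TPM, that tpmvscmgr.exe, certreq.exe and certutil.exe are present (they ship with Windows 8), and uses a made-up card name and subject; a real deployment would enroll from an enterprise CA with a smart card logon template instead of the self-signed test certificate used here.

```powershell
# Added evaluation walkthrough; not from the article or Microsoft's guide.
# Run elevated on Windows 8 with an initialized TPM. Card name and subject are fictitious.

# 1. Refuse to continue unless a TPM is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready:`n$($tpm | Out-String)"
}

# 2. Create the virtual smart card. '/pin prompt' asks for the user PIN, '/adminkey random'
#    generates an admin key (fine for a lab card), '/generate' formats the card for use.
#    Add '/machine <name>' to create the card on a remote PC.
tpmvscmgr.exe create /name "TrueSec-Lab-VSC" /pin prompt /adminkey random /generate

# 3. Enroll a key that lives on the card: the smart card KSP, 2048-bit, non-exportable.
#    RequestType=Cert makes the certificate self-signed so no CA is needed for the test.
$inf = @"
[NewRequest]
Subject = "CN=vsc-eval-user"
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeyLength = 2048
Exportable = FALSE
RequestType = Cert
KeyUsage = 0x80
"@
$infPath = Join-Path $env:TEMP 'vsc-eval.inf'
$cerPath = Join-Path $env:TEMP 'vsc-eval.cer'
$inf | Set-Content -Path $infPath -Encoding ASCII
certreq.exe -new $infPath $cerPath            # prompts for the card PIN; key is generated in the TPM

# 4. Verify. certutil lists the card, its reader and the certificate on it ...
certutil.exe -scinfo

# ... and an export attempt must fail: that failure IS the non-exportability property.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=vsc-eval-user' }
try {
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $env:TEMP 'vsc-eval.pfx') `
        -Password (Read-Host -AsSecureString 'Throwaway PFX password') -ErrorAction Stop | Out-Null
    Write-Warning "Private key was exported; this key is NOT held by the virtual smart card"
} catch {
    "Export refused as expected for a TPM-backed key: $($_.Exception.Message)"
}
```

Entering a wrong PIN repeatedly during step 3 or 4 is also a cheap way to watch the anti-hammering property: after a few failures the TPM stops answering for the lockout period, which tpmvscmgr and certutil surface as a card error rather than a retry prompt.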

//Hasain


An Introduction to the Metro Start screen in Windows 8 Consumer Preview
by Michael Anderberg, MCT

When Microsoft unveiled the new user interface in the upcoming Windows 8, it was received with some hesitation: "Eeh, what?" "I don't get it." "Are they for real?" "I don't like it!" "Now, this may all be good, but where can I find the real start menu?"

Yet every change that Microsoft has made to the start menu since it first appeared back in Windows 95 has received that sort of comment initially. So what is it really, and how does Microsoft intend it to work?

Well, first of all, it's not one thing. The goal of the Metro Start screen is multi-faceted and I will try to explain it here as best I can. It is, not surprisingly, there to aid in navigating applications and launching them from any kind of touch-enabled device, be it a cell phone, a slate-class machine or a desktop monitor. As anyone who has ever tried navigating the present start menu with his or her fingers via a Remote Desktop session on a mobile device can testify, the present interface does not lend itself to easy interaction by touch. Hence the Metro Start screen, with its larger tiles, is much more suitable in this regard. In fact, some of the new parts of the interface, like the Charms menu, which slides in from the right when one swipes inwards from the right edge of the screen, make much more sense with a touch interface than with mouse and keyboard, although of course they exist in both environments.

Secondly, the Metro Start screen is the starting point for all of the so-called Metro-style apps, apps of the sort we have come to know through our mobile devices (written in HTML5/JavaScript or in XAML with C#, VB or C++). They launch seamlessly out of the interface, they always run full screen (although two at a time can be snapped beside each other), and when exited or "alt-tabbed" away from they don't really exit like a traditional app, but rather much more in the style of leaving a web page. There's no save functionality in these apps; instead they auto-save every so often. What about your traditional apps, you may ask? Microsoft always touts the fact that this is their main advantage over, for example, the iPad: they can run your old legacy apps as well. This is true, but the older apps that are not Metro-style do not run inside the Metro Start screen as such. Instead you'll see that Windows swaps over to the underlying desktop and launches the application there, just as it does today on Windows 7 or Windows Server 2008 R2.

Which brings me to the other intended improvements with the Metro-style interface. In Windows 7 today, for example, the start menu is of the by now familiar two-column style, where the left part consists of your latest launched applications plus pinned ones, and the right part of some system shortcuts plus your My Documents etc. This is all very well, but Microsoft has found through their telemetry that neither pinning nor custom sorting of items on the start menu is in widespread use. Users also generally find it somewhat confusing that, once they discover that the application they need is not in the list of latest launched, they need to click 'All Programs' and thereafter scroll up and down a usually quite long and often somewhat confusing list of application names and folders in an apparently random order. This makes every user scroll up and down and strain to find the application they are looking for, losing time every time they do so.

In Windows 8 with the Metro Start screen, Microsoft can achieve two things at once: a start screen that can grow indefinitely to the right, sorted according to the user's own choice, plus application tiles that can actually change to show underlying information. For example, the Outlook tile can show the number of unread messages without the user having to launch Outlook first, the Weather app can show the current weather at the user's present location, and a stock ticker app can show values and trends of stocks, bonds and indexes of particular interest to the user. This makes for a livelier experience and saves time, and it will hopefully be clearer to the user what to expect and where to find it.

In Windows Vista, and even more so in Windows 7, Microsoft tried to get users to search rather than scroll and click to find not only applications but also documents, pictures and various other files, regardless of their location on the physical disk or network. Windows 8 carries this on with a set of keyboard shortcuts; to mention but a few of the many combinations related to searching for files and launching them: <WINKEY> + F displays the File Search pane; <WINKEY> + Q lets you search (within) Apps using the new Search pane; <WINKEY> + R, just as before, switches to the (classic) Windows desktop and displays the Run box; <WINKEY> + W takes you to the Settings Search pane, where you can search for settings rather than files. There are many more of these combinations, and rest assured that if you are using a mouse and keyboard with Windows 8, in time these will become second nature to you and not require a moment's thought.

In my humble opinion, after spending quite some time with Windows 8 Consumer Preview, in time all users will accept the Metro Start screen in total acquiescence and the fuss will die down, but at the moment it takes some getting used to.

//Michael

Where to find us......

MVP Combo Pack - The Ultimate MDT 2012 and ConfigMgr 2012 training with Kent Agerlund and Johan Arwidmark
Orlando, FL, May 7-11

Mastering System Center Configuration Manager 2012 with Kent Agerlund
Irvine, CA, April 9-12

Mastering System Center Operations Manager with Kare Rude Andersen
San Francisco, April 30

Mastering Windows Deployment with MDT 2012 and ConfigMgr 2012 with Johan Arwidmark
New York City, April 30

Mastering System Center Orchestrator 2012 with Jakob Gottlieb Svendsen
Minneapolis, May 21-23

Full schedule at http://www.truesec.com

TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052
+1(425) 285-4477 | info@truesec.com