Benjamin Derr at MyITForum.com

Outlook 2007 Previewer Pack

2007-03-06T01:21:00Z

I've been waiting for this for a while, and MS has answered:

Outlook 2007 PDF Previewer handler

If you are annoyed that all other attachments can be previewed in Outlook except PDF, download and install this MSDN pack of preview handlers – it includes all key previewers that work both in Outlook 2007 and in Vista File Explorer.

SCCM 07 First Impressions

2007-02-28T02:29:00Z

Over the weekend, I took the plunge, and upgraded my home SMS server to the Beta 2 release.

I was at SMS 2003 SP3 beta (he he).

I did a good backup, and ran the setup.

I was impressed by the new setup wizard, and the prerequisite checker. However, I would like to see either the required hotfixes included, or links to the hotfixes. One of the hotfixes mentioned was available only by PSS (Windows Server 2003 Post-Service Pack 1 COM+ 1.5 Hotfix Rollup Package 6). The MMC 3.0 hotfix was easy enough to find.

The setup steps were simplified, due to the upgrade. I did like that the setup actually showed the install tasks in serial order, instead of flashing by on the screen.

The new console does have a consolidated feel, and not a mashup of feature packs and technologies.

Overall, the console has the same feel as previous, just more additions.

Some other new/noticeable enhancements.

Boundaries can be subnet, AD site, or IP Range.
Certificates node
Accounts node
Approve/Blocking of clients. This doesn't seem to be fully implemented as of yet.
AssetMatrix is included,

I did notice an issue, and that was adding a new Remote Client Installation account seemed to crash the MMC. I have heard that you cannot have two accounts with the same name and different passwords (such as "Administrator"), and the MS response is "We're not fixing it".

I'll post more when i work with this some more.

RMS Blog

2007-02-25T01:07:00Z

For those of you interested in Rights Management Services (RMS), check out Matt Tinney's blog at http://rmsexpertise.blogspot.com/.

Matt is a fellow consultant with me at Certified Security Solutions.

SCCM 2007 Beta 2 Availability

2007-02-22T13:43:00Z

Microsoft has posted the Beta 2 for SCCM 07 up on the Connect site.

Thanks to Walter Eikenboom @ http://weblog.stranger.nl for noticing and posting this.

Centrify DirectControl - Part 1

2007-02-21T02:44:00Z

After working with the Centrify DirectControl 3.0.x product, and since I haven't seen much information on the web about it, I thought I would post my own experiences with the product. This isn't a critique of the product, but rather, a Microsoft/Windows consultant's experience with the product, and background on the product for people wanting to understand and learn more about the product and related technologies.

Terms and Definitions
Before we get started, a couple of basic product terms needs to be understood by the reader. I'll do my best to describe terms not covered in this section when I introduce them in later posts.

Agent:

The client daemon or service that is installed onto the Unix, Linux or MacOS hosts.

Admin Console:

The primary management tool used to administer the zones and Unix identity information within AD.

Zones:

From the CDC Admin Guide:

"A Centrify DirectControl zone is similar to an Active Directory domain or an NIS domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify system management and the migration of account information from existing local files, NIS databases, LDAP servers, and other sources to Active Directory. "

What this really means:

Zones are used to control who can log onto a Unix system
Zones define the UNIX identity data available to the Unix hosts (User ID, Group ID, etc.)
A zone is NOT an OU, and you cannot apply GPOs to the zones.
You can delegate some basic permissions to the zones.

The following rules apply to zones:

A computer can only be a member of a one zone
A zone can contain multiple computers
Users and groups are added to a zone.

There are 3 zone types available with DirectControl. The difference between the three is how the data is actually stored within Active Directory. For the purposes of these series, we will assume that the R2/RFC2307 Schema and zones have been used, as there really is very little justification in using the other zone types.

The three zone types available are:

Standard zone: A standard zone stores Unix properties using the Centrify DirectControl data model. Within a standard Centrify DirectControl zone, Unix computers are treated as Active Directory clients served by the Active Directory domain controllers

Microsoft Services for UNIX (SFU) zone: A SFU zone stores Unix properties using the SFU schema extension. Within a Microsoft Services for UNIX zone, Unix computers are treated as NIS clients accessing a Network Information Services server and domain. If you select this type of zone, then click Next, you are then prompted to select the Windows domain and the NIS domain associated with the Windows Services for Unix (SFU) schema.

If you have raised the functional level of the Active Directory forest to Windows Server 2003, you can also choose to create zones that store Unix properties according to the RFC 2307 specification by selecting the Standard RFC-2307 zone type.

Service Connection Point:

A Service Connection Point (SCP) is used by Centrify to map the Unix identity data back to a real user, group, or computer Object, eliminating the need for redundant user and group objects.

More Information: http://msdn2.microsoft.com/en-gb/library/ms683956.aspx

RFC2307 Schema:

The schema standard implemented with Windows Server 2003 R2 to enable the PosixGroup and PosixAccount classes, which allow for RFC (read: standardized) compliant ways of storing Unix identity data into AD and enable applications to read and use the data, if required.

PosixAccount and PosixGroup Shadow Classes

The PosixAccount and PosixGroup are used by DirectControl to store the Unix identity information in Active Directory. This information is tied to the SCP object in the zone, and read by the Unix host at logon, etc. These classes contain information such as Unix ID (UID, similar to a SID), Group ID (GID), shell, home directory, primary group, etc. These are only possible with the R2 schema implemented, and the DirectControl zones created as an RS/RFC2307 capable zone

http://msdn2.microsoft.com/en-gb/library/ms683907.aspx

http://msdn2.microsoft.com/en-gb/library/ms683908.aspx

Kerberos

Kerberos, developed by MIT in the late 1980's, is a network authentication protocol. It is an open standard, and was adopted by Microsoft for use with Active Directory, moving Windows authentication from the proprietary NTLM to an interoperable authentication scheme.

Why Authenticate Unix Clients to Active Directory?

As Windows admins, we are used to the basic network authentication and authorization model with NT4 and Active Directory domains and forests. Unix admins, however, don't necessarily follow such models. By enabling Unix clients to Windows, the following benefits are realized:

Single source for user account and group membership data: By reducing the overall user account stores, it becomes much easier to manage user identities, provision and decommission users, and reduce the user burden of remembering multiple passwords. Additionally, as the groups are stored in AD, it becomes easier to manage group memberships as well.
Enable Single Sign On (SSO) or Reduced Sign On (RSO): By leveraging the native AD authentication protocol (remember Kerberos), we can do some really cool stuff like forwarding tickets. As an example, Centrify provides a kerberized PuTTY and OpenSSH product. From a Windows 2000 or higher system, and user can open a SSH session to a client, and not have to provide credentials as part of the Unix logon process. Taking this a step further, the user can "jump" to another server with another SSH connection, and have the 1st Unix host forward the credentials to the 2nd Unix host, and so on and so forth. This also incurs some security risk, which is outside the scope of this article. Additionally, Centrify provides agents for systems such as Apache and BAE to enable SSO to those systems as well.
Leverage Group Policies: DirectControl understands several native Windows GPO settings, such as a logon banner and time settings, as well as support for managing the agent configuration on the system. This can be extended by an organization.
Reduce the need for additional directory systems: Typically, Unix administrators would use a NIS domain or an LDAP directory such as Netscape's for A&A. This requires additional hardware, support, and perhaps integration with these systems and other directories, especially with provisioning systems. By using AD, you can leverage what you have today.
Regulatory compliance: By having all the user accounts in one place (AD), it becomes much simpler to track and audit user accesses. One such example is the SOX requirements of ensuring that user identities are managed and decommissioned appropriately. Organizations have a much more difficult time doing this when accounts are stored on local hosts, in the passwd file.

That concludes Part 1. In later parts, I will focus on preparing your environment, installation of the agent, and other caveats that I have come across.

Service Pack 2 for SQL 2005 Released to web

2007-02-21T02:38:00Z

Get it here:

http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/servicepacks/sp2.mspx

VirtualPC 2007

2007-02-21T01:48:00Z

Hopefully, everyone knows that VPC 2007 has been released as a free download. Get it here:

http://www.microsoft.com/windows/downloads/virtualpc/default.mspx

Here's some good VPC related links as well:

Some good tips from Matt Hestler's Blog:

http://blogs.technet.com/matthewms/archive/2005/09/09/410546.aspx

http://blogs.technet.com/matthewms/archive/2005/09/23/411478.aspx

http://blogs.technet.com/matthewms/archive/2005/10/07/412159.aspx

I must admit, however, that I'm more of a fan of VMWare's Virtual Server product. It's free, and in my experience, has better memory management, and less disk swapping/IO operations. I'll give the latest VPC a try. I also have been doing a fair amount of work with Linux (oh, the humanity!), which has required a virtualization product that can support Linux better than VS2005 can.

MMS 2007

2007-02-17T20:05:00Z

Just got signed up to go, see you all there!

Unix to AD Authentication

2007-02-17T19:54:00Z

One of the cooler engagements I've done lately has been work around Centrify's DirectControl product.

From Centrify's Website:

Centrify enables a secure, connected computing environment by seamlessly integrating your non-Microsoft systems, web applications, databases and ERP apps, and storage systems with Microsoft Active Directory.

In other words, DirectControl allows Unix systems to act and behave like Windows Clients, and leverage the native Kerberos authentication and LDAP authorization from AD. The product also leverages Group Policies to manage the systems as well.

One of the unique features found in this product that is not found in the Quest/Vintela or Centeris is that Centrify introduces a concept called zones. These zones allow for logon isolation, and allow you to have multiple Unix identity information for each Unix/Linux system. What this really means is that you can start using DirectControl without having to normalize the UID space right away, and can work on that over time.

Lengthy Absence

2007-02-17T19:51:00Z

I've been extremely busy lately, but have been taking a renewed interest in updating the blog.

I've been doing some pretty interesting engagements lately involving Disaster Recovery and Authentication and Authorization with Unix clients and Active Directory.

I'll post more on this later.

It's Been a While

2005-06-03T06:20:00Z

It's been a while, been busy on projects. Will Post when I get back.

Systems Management Certification Call to MS

2005-01-04T15:19:00Z

New Page 1

Great post about the need for a MS Systems Management Certification.

http://www.myitforum.com/blog/curban/archive/2004/12/18/861.aspx

MS Dumps Passport Service (kind of)

2005-01-03T17:30:00Z

New Page 1

Microsoft's Passport fails to travel far as Web strategy

Microsoft is abandoning one of its most controversial attempts to dominate the Internet after rival companies banded together to oppose it and consumers failed to embrace it.

The Redmond software company said Wednesday it would stop trying to persuade Web sites to use its Passport service, which stores consumers' credit-card and other information as Internet users surf from place to place.

The acknowledgment came after eBay posted a notice on its site Wednesday, saying it would drop Passport in late January and rely on its own service.

http://seattletimes.nwsource.com/html/businesstechnology/2002136272_passport31.html

OSD Notes

2004-12-15T21:10:00Z

New Page 1

Check the log files in the temp directory or the minint (root of the c:) for troubleshooting

Error code 16389 - check to make sure the file system is NTFS.

Changes to Patch Management with SMS 2003 SP1 WebCast Notes

2004-12-14T21:30:00Z

Here's a rundown of interesting notes from the MS webcast on 12/09/2004:

New patch management reports with SP1, will be more new reports for PM with SP2
Automatic insertion of new updates into the SMS database without waiting for clients to scan. This will only apply to new updates after the initial Security Catalog download. Additionally, by default, it will only address updates released within the last 30 days. There is a mechanism to change that value, but that was not addressed. Also, this is only security updates; this does not include Office updates. No mention of adding this feature was addressed, as this is a different product group.
SP1 introduces 3 new Inventory classes to the hardware inventory - extended software updates, vulnerability and scan package version.
Extended SU - 3rd party scan tools (such as Dell)
Vulnerability - look for SMS to get a vulnerability scanning tool next year. They did not give specifics on it, but they directed us to the support article on MBSA, so I would assume it would be MBSA information.
Scan Package version - see what clients are scanning on what version of the security catalog, as well as what patches are tied to what security catalog version.
They also briefly touched on WUS integration with SMS 2003. No real info, just a couple of quick sentences.
SP1 client has and integrated patch install agent, instead of being a separate component in SMS gold client. This is the patchinstall.exe component, the client side of the Software Updates piece (notification, scheduling, actions, etc.)