Saturday, December 31, 2011

Bitlocker Improvement in Windows Server 8

Overview
As technology has grown over the past few years, we have noticed a growing risk that targets information stored on hard drives. In the past, we would look through waste containers for shredded documents and try to recover information from them. Now everyone stores data on hard drives. Do you really think all of us secure that data? What if your drive fails, and what will you do? The first thing you will do is call for a replacement. This is where the opportunity for the hacker comes into the picture. They have a 50% chance of getting hold of the data. I have tested this myself on a failed hard drive, and I was lucky enough to be able to retrieve the data. The work to get it back is not hard. What I did was put the drive into the freezer for a few hours, after which it worked again for a few hours, which was enough for me to back up the data.

The current technology trend is virtualization. We can store an entire data center's information on a portable drive. The chance of someone getting that data may be high if the physical disk is not properly secured. Just imagine your entire Active Directory inside that hard drive. From a hacker's perspective, we can perform an offline attack on it.

What I always believe is that security is not a product. It is a tool to delay bad guys from doing damage, and I do believe encryption is important.

Encryption tools
Many companies provide encryption software, such as TrueCrypt, Check Point DLP, Symantec DLP, etc. What I want to cover today is Microsoft's encryption. BitLocker Drive Encryption is a data protection feature available in Windows Server 2008 R2 and in some editions of Windows 7. It needs a Trusted Platform Module 1.2 (TPM) to run, but it can also be enabled without a TPM. The latest version of Microsoft Windows Server provides a new improvement whereby it encrypts only the portion of the drive that holds stored data.


Bitlocker Consideration
As you must be aware, BitLocker can't protect your machine from malicious code; it only provides encryption. For server deployment, you might want to deploy it to branch offices where the physical security is lower.


Here I would like to share some video clips on how to configure BitLocker and on the differences between versions.


Video Demo 1 : Installation of bitlocker on Windows Server 8
For a direct link, please click install bitlocker on Windows Server 8.




Video Demo 2 : Bitlocker comparison Windows Server 2008 R2 VS Windows Server 8
For a direct link, please click comparison on bitlocker.


I am interested in hearing your feedback, so that I can improve my articles and learning resources for you. Here I would like to take this opportunity to wish you all a wonderful holiday and a happy new year :).

Saturday, December 17, 2011

Windows 8 boot from USB

Step by Step: Windows 8 To Go on a 16 GB USB memory stick

The steps for creating a bootable USB stick are almost the same as for booting from a VHD, which I covered in my earlier post on booting Windows Server from VHD. The only difference I see when creating Windows 8 To Go is that it needs the bcdboot version. I will cover some of the differences later on.
Below are the steps for preparing the USB stick. I haven't had a chance to test this on an 8 GB stick, but I believe it will work. The only difference here is that I didn't assign a drive letter to the USB stick, whereas with a VHD you need to do so.

1)diskpart
2)select disk 1
3)select partition 1
4)delete partition
5)create partition primary
6)format fs=ntfs quick
7)active
8)exit 

You can use list disk to query all drives, and list partition shows all partitions on a drive. The select command selects the drive and the required partition. Above I used disk 1 and deleted an existing partition on the memory stick. Afterward I created a primary partition and formatted it with NTFS. The active command makes the stick bootable.

After exiting diskpart, we need to copy the Windows files to the USB thumb drive using imagex.exe. This can be done using the following command in an administrative console window.

imagex.exe /apply e:\vm\install.wim 1 e:\

Here I launched imagex.exe from the current directory of my Windows 8 drive. E:\vm was the folder (containing the setup media with the file install.wim) and E: was the drive letter of my USB memory stick. The number 1 defines that only one Windows 8 edition should be copied.

After you have completed the necessary steps, you need to perform the last step shown below. This command copies the boot information to the USB stick. The only difference I see compared to the previous version of the command is that the previous version does not have the last parameter shown below.

bcdboot.exe e:\windows /s e: /f ALL

The next step is to restart your computer and select USB boot during startup by pressing F1 (this depends on your hardware manufacturer).
Overall, I think Windows 8 To Go is awesome. I tried unplugging the USB stick and expected the machine to crash, but it didn't happen. When I plugged it back in, Windows resumed. I tried this while an MP3 was open. For deployment purposes, though, I think this needs to run on USB 3 because USB 2.0 is too slow.


Thursday, December 15, 2011

Android Spy - Carrier IQ

Smartphones are getting popular and have become a basic communication tool. Android has grown massively compared to the Apple iPhone. As you are all aware, Android is an operating system for mobile devices. Recently an Android developer discovered a clandestine application called Carrier IQ built into most smartphones that doesn't just track your location; it secretly records your keystrokes, and there's nothing you can do about it. Check out the video above, which shows how it works.


What is Carrier IQ, exactly?
Jump to 9:00 in the YouTube video below for the proof this is basically a keylogger running on your phone that you didn’t know about.



The explanation given is that it is used to understand user behaviour so that they can provide a better service to users. But what do you think?

"Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart," the company said in response to the EFF's letter. "We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world."


Apparently the FBI was aware of Carrier IQ and what it is able to do, but they are not willing to reveal anything, including how it is used. Some believe the FBI uses it in investigations. The most worrying part is that the company claims Carrier IQ was installed on 150 million handsets globally. MuckRock sent a Freedom of Information Act request to the FBI, asking for "manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ."

Wednesday, December 14, 2011

Securing Wireless Lans with PEAP and passwords

As you read in my previous post on the wireless PEAP attack, certain weaknesses must be present before it can be exploited. There are some things you can do to protect against unauthorized access.

To secure PEAP against key distribution attacks, it is recommended that the RADIUS shared secret is at least 16 characters in length, consisting of a mixed-alphanumeric character set. The RADIUS shared secret should also be rotated on a semi-regular basis.

Client


1) Ensure the common name (CN) of the RADIUS server’s certificate is defined. This setting will ensure clients only accept certificates that contain the specified CN.

2) Select only the trusted certificate authority (CA) that will be issuing the certificates. This will prevent attackers from using a certificate with the required CN but signed by a different CA.

3) By not prompting users to authorize new servers, the decision to accept or reject certificates from unidentified RADIUS servers is taken away from the user. This setting will silently drop all requests whose certificate CN does not match that which is specified in Step 1.

4) By supplying an “anonymous” identity during the initial PEAP identity exchange, attackers will be unable to leverage unencrypted usernames. This setting protects against PEAP authentication attacks. Note: This configuration setting is only available in Windows 7 and above.
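
The following is an added example, not part of the original post: a Python check of the PEAP section of an exported Windows WLAN profile against the four client settings above, plus the shared-secret recommendation. The XML element names are assumed to match the profile export schema, "mixed-alphanumeric" is interpreted as upper case, lower case and digits, and the profiles, server name and thumbprint are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed template of the PEAP section of an exported WLAN profile.
# Element names are assumptions about the export schema; values are placeholders.
PROFILE_TEMPLATE = """\
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
      <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
      <ServerNames>{names}</ServerNames>
      <TrustedRootCA>{ca}</TrustedRootCA>
    </ServerValidation>
    <PeapExtensions>
      <IdentityPrivacy xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
        <EnableIdentityPrivacy>{privacy}</EnableIdentityPrivacy>
        <AnonymousUserName>{anon}</AnonymousUserName>
      </IdentityPrivacy>
    </PeapExtensions>
  </EapType>
</Eap>
"""

# Constructed 20-byte thumbprint, not a real certificate.
CONSTRUCTED_THUMBPRINT = " ".join(f"{i:02x}" for i in range(1, 21))

HARDENED = PROFILE_TEMPLATE.format(
    no_prompt="true", names="radius.corp.example",
    ca=CONSTRUCTED_THUMBPRINT, privacy="true", anon="anonymous")
WEAK = PROFILE_TEMPLATE.format(
    no_prompt="false", names="", ca="", privacy="false", anon="")
# CN pinned but no CA selected: a certificate with the same CN signed by
# any other trusted CA would still be accepted (setting 2 above).
CN_ONLY = PROFILE_TEMPLATE.format(
    no_prompt="true", names="radius.corp.example",
    ca="", privacy="true", anon="anonymous")


def _values(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(e.text or "").strip()
            for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def audit_peap_profile(xml_text):
    """Return a finding for each of the four client settings that is not applied."""
    root = ET.fromstring(xml_text)

    def any_set(name):
        return any(_values(root, name))

    def is_true(name):
        return "true" in [v.lower() for v in _values(root, name)]

    findings = []
    if not any_set("ServerNames"):                       # setting 1
        findings.append("server-name-not-pinned")
    if not any_set("TrustedRootCA"):                     # setting 2
        findings.append("trusted-ca-not-selected")
    if not is_true("DisableUserPromptForServerValidation"):  # setting 3
        findings.append("user-prompted-for-new-servers")
    if not (is_true("EnableIdentityPrivacy") and any_set("AnonymousUserName")):
        findings.append("outer-identity-not-anonymous")  # setting 4
    return findings


def audit_shared_secret(secret):
    """Check a RADIUS shared secret against the length and character-set advice."""
    findings = []
    if len(secret) < 16:
        findings.append("shorter-than-16")
    classes = (r"[a-z]", r"[A-Z]", r"\d")
    if not all(re.search(c, secret) for c in classes):
        findings.append("not-mixed-alphanumeric")
    return findings


if __name__ == "__main__":
    for label, profile in (("hardened", HARDENED), ("weak", WEAK), ("cn-only", CN_ONLY)):
        print(label, audit_peap_profile(profile))
    print("secret 'test':", audit_shared_secret("test"))
```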

Thursday, November 17, 2011

Enable God Mode On Windows8

Windows 8 God Mode is a secret interface implemented by Microsoft that gives the user complete control over the Windows 8 OS.

In a nutshell, Windows 8 God Mode is a basic folder that brings complete control of the entire operating system to a single desktop icon.

Unlocking Windows 8 God Mode

The beauty of this feature is that it is incredibly easy to unlock, and if the user does not like it - the icon can simply be dragged into the recycle bin to remove it. Please keep in mind this is not third party software, nothing needs to be downloaded or installed.

1. Right-click anywhere on the desktop and create a new folder.

2. Rename the new folder to “GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}” (copy and paste everything except the quotation marks)

3. That’s it! A new folder titled “GodMode” will be on the desktop and double-clicking will activate it.

The screen above shows you what it looks like. Isn't this awesome? :)
windows-8-unlock-feature




Monday, November 14, 2011

Booting Windows Server 8 from a VHD

In the past, I think some of you might have heard about dual boot on a single machine. Have you ever thought that you can do so with a virtual hard drive? The beauty of a VHD is that when you are done with it, you just delete it and make a new one.

In addition, a VHD provides good performance as a fixed-size disk and does not require Hyper-V to boot. Here I am going to explain the steps. There are just 4 simple steps. Download the Windows Server 8 Preview from the Windows Server 8 Preview download page and start testing it yourself.

Step 1 : Create Virtual Hard Drive by using diskpart.

  1. diskpart
  2. create vdisk file="e:\winsrv8devprev.vhd" maximum=20000 type=FIXED
  3. select vdisk file="e:\winsrv8devprev.vhd"
  4. attach vdisk
  5. create partition primary
  6. assign letter=W
  7. format quick fs=ntfs label=WINSRV8DEVPREV
  8. exit 

Step 2 : Preparation for installation.

  1. Create the folder e:\vhd
  2. Copy install.wim from cd\sources\install.wim to e:\vhd
  3. Download the PowerShell script from http://archive.msdn.microsoft.com/InstallWindowsImage/Release/ProjectReleases.aspx?ReleaseId=2662
  4. After you have performed steps 1 and 2, you can proceed with either step 3.1 or 3.2. My preferred option is PowerShell.

Step 3.1 : Installing WIM Image to VHD (powershell)

  1. Open cmd and cd to e:\vhd
  2. Run powershell, then run the following command to change PowerShell's behaviour so that any script can be loaded: set-executionpolicy unrestricted
  3. .\install-windowsimage.ps1 -WIM install.wim
  4. .\install-windowsimage.ps1 -WIM install.wim -Apply -index 1 -Destination w:

Step 3.2 : Installing WIM Image to VHD (imagex)

  1. Open cmd and cd to e:\vhd
  2. Run the following command to start the installation: imagex /apply d:\install.wim 1 w:

Now we are good to move on: we have completed the setup of the virtual hard drive. We are ready to configure the virtual hard disk to be bootable in a non-Hyper-V setup. In the next step, you have an easy option to configure the virtual hard drive and make sure it can boot. Each of the steps gives you an idea of what is required.

 

Step 4.1 : Configure vhd boot (1 step)

  1. bcdboot w:\windows

Step 4.2 : Configure vhd boot (4 step)

  1. bcdedit /copy {current} /d "Windows 8 Preview"
  2. bcdedit /set {guid} device vhd=[d:]\vhd\windows8.vhd
  3. bcdedit /set {guid} osdevice vhd=[d:]\vhd\windows8.vhd
  4. bcdedit /set {guid} detecthal on
    Replace {guid} with the identifier that the /copy command in step 1 returns. If you can't find the GUID (also known as the identifier), the example below shows where to look for it.

    guid-identifier-windows-7-bcdedit


      Saturday, November 12, 2011

      Breaking Windows 8 Authentication

      I think all IT users know what Sticky Keys does. If you are not sure what it is, there is a good article about it here. It may bring good usability to some users, but it can also bring vulnerabilities to Windows if it is not handled properly. What I want to show you here is a scenario where the username is unknown and you need access to the Windows machine. There are plenty of tools on the market to do so, but did you know that with a certain tweak in Windows you can gain access to cmd and reset the password? Sethc is nothing but the Sticky Keys program, which is present in the system32 folder.

      The concern I want to raise here is: how many of us are aware of this issue? How many of us validate file integrity on our servers every week?


      Step for Windows XP
      Step 1. Go to c:\windows\system32
      Step 2. Rename the file sethc.exe to sethc.exe.bak
      Step 3. Copy cmd.exe to sethc.exe
      Step 4. Now log off and press the key 5 times


      Step for Windows 7, Vista, 8
      Step 1. Go to c:\windows\system32
      Step 2. Right-click on sethc.exe and run as administrator.
      Step 3. Right-click on sethc.exe again and open Properties.
      Step 4. Click on the Advanced tab, then on Owner.
      Step 5. Click Edit, change the owner from "trusted installer" to "administrator" and click Apply.
      Step 6. Rename the file sethc.exe to sethc.exe.bak
      Step 7. Copy cmd.exe to sethc.exe
      Step 8. Now log off and press the key 5 times

      Here you go, a sample video of what it looks like. You can also view this video on my YouTube channel at http://www.youtube.com/watch?v=Fg913McTRIU
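
The file-integrity question raised above can be answered with a scheduled check. This is an added example, not code from the original post: a Python script that compares sethc.exe against a recorded baseline hash, flags it when it is byte-identical to cmd.exe, and reports renamed copies left beside it. The finding names and the temporary directory with constructed file contents used by demo() are assumptions for illustration; on a real host you would point check_sticky_keys at the system32 folder and a baseline taken from a known-good install.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(system32, names=("sethc.exe",)):
    """Record known-good hashes; run this once on a trusted installation."""
    return {n: sha256_file(Path(system32) / n) for n in names}


def check_sticky_keys(system32, baseline):
    """Return findings that indicate the Sticky Keys binary was swapped."""
    system32 = Path(system32)
    sethc = system32 / "sethc.exe"
    cmd = system32 / "cmd.exe"
    findings = []

    if not sethc.is_file():
        findings.append("sethc-missing")
    else:
        digest = sha256_file(sethc)
        # Any change from the recorded hash is worth investigating.
        if digest != baseline.get("sethc.exe"):
            findings.append("sethc-differs-from-baseline")
        # The swap described in the post leaves sethc.exe identical to cmd.exe.
        if cmd.is_file() and digest == sha256_file(cmd):
            findings.append("sethc-is-copy-of-cmd")

    # Renamed originals such as sethc.exe.bak are a by-product of the swap.
    leftovers = sorted(p.name for p in system32.iterdir()
                       if p.name.lower().startswith("sethc.exe."))
    if leftovers:
        findings.append("renamed-original-present:" + ",".join(leftovers))
    return findings


def demo():
    """Run the check on a constructed directory before and after the swap."""
    with tempfile.TemporaryDirectory() as d:
        sys32 = Path(d)
        # Constructed stand-ins for the real binaries.
        (sys32 / "cmd.exe").write_bytes(b"constructed cmd.exe bytes")
        (sys32 / "sethc.exe").write_bytes(b"constructed sethc.exe bytes")
        baseline = make_baseline(sys32)
        clean = check_sticky_keys(sys32, baseline)

        # Reproduce the state the post's steps leave behind.
        (sys32 / "sethc.exe").rename(sys32 / "sethc.exe.bak")
        shutil.copyfile(sys32 / "cmd.exe", sys32 / "sethc.exe")
        tampered = check_sticky_keys(sys32, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```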



      Don't learn to hack... hack to learn!!!!


      Monday, November 7, 2011

      Wireless Attack on Microsoft Peap - Part 3 of 3

      Just to recap what we configured in the previous session: we installed the Wireless Pwnage Edition (WPE), which provides credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others. It is part of the RADIUS configuration which we need in the next steps.

      The next step is configuring the hardware to support Wireless Pwnage Edition (WPE) so that we can break the wireless PEAP. The wireless devices must be configured to use the RADIUS IP address of the Wireless Pwnage Edition (WPE).

      The last step is the most interesting part, where we locate our target. This demo is done in a controlled environment where the client authenticates using Active Directory credentials. The credentials are sent from the wireless access point to Microsoft IAS for validation.

      Now we need to force the client to connect to our Wireless Pwnage Edition (WPE) RADIUS server so that we can log all the credentials. I will show you 2 examples of how the logs differ between a client notebook that is joined to Active Directory and a standalone device such as an iPad, portable computer, etc. Please note that this attack often happens where users are left with the decision to trust or reject certificates from an unknown certificate authority. Hackers can exploit this deployment weakness by impersonating the target network’s AP service set identifier (SSID) and RADIUS server, which I covered in the previous article on configuring the RADIUS server to log account information and configuring the wireless access point to divert all requests to the Wireless Pwnage Edition (WPE) RADIUS server. After we have all the account information, we can attack it offline. I will explain more later.

      By now we are ready to test the exploit
      1) Start the RADIUS server by typing the following command: radiusd
      2) Validate the logs by typing the following command: tail -f /usr/local/var/log/radius/freeradius-server-wpe.log

      If you see your username and password captured by the RADIUS server, that means you have a weak configuration, and you will need to assess whether you have a strong enough password policy to mitigate the issue. I will cover more in my next article on the 4 major steps we need to take to ensure the security of the wireless network.

      In the samples below, I have taken screen captures of 2 cases: one device is part of Active Directory and the other is a standalone device, for which I used an iPad in this lab. In this lab, the password has been hardcoded into the dictionary for the sake of proving how it works.

      Sample 1 : Attacking Ipad
      wireless peap attack on ipad

      wireless peap attack on ipad using asleap
      If you look carefully, the username is captured as ckwong and we can see the challenge and response that have been captured by our RADIUS server. The next step is to crack the password. As you can see in the result, we can break the password if it is part of our wordlist.

      Sample 2 : Attacking a machine that is join to active directory
      wireless peap attack on active directory client
      wireless peap attack on active directory client using asleap
      The attempt against a machine that is part of Active Directory is the same. The username is captured as ckwong and we can see the challenge and response that have been captured by our RADIUS server. The next step is to crack the password. As you can see, we can't break it, and it ends with the error "Could not recover last 2 bytes of hash from the challenge/response". This happens because of the difference between the 2 attempts: the 2nd attempt contains domain information.


      Related Article:
      3)Breaking the wireless security

      Tuesday, November 1, 2011

      Wireless Attack on Microsoft Peap - Part 2 of 3

      Wireless Hardware Requirement

      Now that you have configured the Wireless Pwnage Edition (WPE), you also need another hardware component, which is the wireless device. You need a wireless device that supports WPA Enterprise; in the market today you can easily find such devices. In the next step, you need to configure the wireless device's RADIUS IP to point to your FreeRADIUS server, and you also need to key in the password as shown below.

      Hardware Configuration for Wireless Peap Attack

      Hardware checklist preparation

      1) Make sure your wireless hardware device supports WPA-Enterprise.
      2) Configure the RADIUS server IP in the wireless device.
      3) Configure the RADIUS server shared secret password, which is test. This is the default password for Wireless Pwnage Edition (WPE).
      4) Configure the same broadcast ESSID (Extended Service Set Identification) as the target wireless network device.


      Related Article:
      3)Breaking the wireless security

      Sunday, October 30, 2011

      Wireless Attack on Microsoft Peap - Part 1 of 3

      Overview of Wireless Standard


      In the security industry, we have heard about attacks against WEP, which I discussed in my previous article WEP Hacking, against WPA and WPA2, and also against PEAP. PEAP, also known as Protected Extensible Authentication Protocol, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. It was jointly developed by Cisco Systems, Microsoft, and RSA Security. You can find more information regarding PEAP here.

      In this article, I am going to share with you how to prepare a base attack machine against PEAP that uses Microsoft Challenge Handshake Authentication Protocol V2, aka MSCHAPV2.

      Before we start, take a look at the picture below. The picture shows the boundary and the area from which the attacker can launch the attack. This is a distance-dependent attack: you must have a very strong antenna or be physically close to the users.

      Wireless Peap
      1) Extract FreeRADIUS by typing the following command: tar -jxvf freeradius-server-2.1.7.tar.bz2
      Extract Free Radius

      2) Copy the FreeRADIUS patch to the extracted folder by typing the following command: mv freeradius-wpe-2.1.7.patch freeradius-server-2.1.7/
      Copy the patch free radius

      3) Start patching the server by typing: patch -p1 < freeradius-wpe-2.1.7.patch
      patch the server
      4) After you have completed all the steps, you can configure and install FreeRADIUS by issuing the following command: ./configure && make && make install && ldconfig
      Installing Crack version of freeradius
      Configure bootstrap
      Output of bootstrap
      Copy certificate

      You can also view my video channel @ Wireless Lan Attack.



      Saturday, October 29, 2011

      Security Concern on Windows XP


      Windows XP, a favorite operating system, has now become a decade-old operating system. Windows XP has reached 10 years old, which is a pretty long time to carry an old technology. The security issues and vulnerabilities of Windows XP increase year by year. As mentioned in Brandon's blog here, the software will soon reach EOS in 2014, and it is time to upgrade to the latest version of the Windows operating system to meet security compliance in the organization.

      A recent security newsletter by Microsoft shows that Windows XP contributes more malware, virus and worm infections than the rest of the operating systems. It is recommended to upgrade to the latest version.

      So is it time to switch or do you plan on running Windows XP until your machine finally gives out and sputters its last blue screen of death? 

      Overview of Windows XP Security threat

      Malware Infection Rate


      Friday, October 28, 2011

      Change Windows Server 8 to Old Desktop environment

      As in my previous blog post on Windows Server 8, the New Windows Server Release by Microsoft article, I had a problem finding the shutdown button in the Metro UI of the operating system itself. But did you know that we can make a minor change in the registry and get back the old Windows desktop environment? After the change, you can see the difference in your Task Manager and also your Windows desktop. It will be exactly the same as what you find in the Windows 7 environment.

      Steps to change windows 8 setting:

      1) In the registry, navigate to the path "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\" and click on "Explorer". On the right you will see the entry "RPEnabled"; change its value to 0. You will notice an immediate effect on the server. There is no need to shut down Windows Server 8 for the change to take effect.




      Thursday, October 27, 2011

      Windows 7 Vs Windows 8 Memory Usage

      I see there is slightly more memory usage on Windows 7 and Windows 8, but at today's market prices I don't think that will be an issue. Anyway, I have compared the 2 operating systems below. Click the picture to see the difference.

      Windows 7 Vs Windows 8 Memory Usage

      Wednesday, October 26, 2011

      Packet Lost in Hyper-V VM

      Hyper-V Server Overview


      As part of the implementation checklist, TCP Large Send Offload needs to be set to disabled. This is nothing new; everyone is writing about it and testing it. The problem might not show up when you transfer small files. You can test this behavior by accessing the file and print services on the VM, or by simulating a test that joins the VM to the machine. You will see some packet loss during that period. If you use Wireshark to monitor the packets, you will see that some packets have been altered with new information, which means data corruption. The feature can be disabled in Device Manager.

      Monday, October 24, 2011

      Ipad 2 Smart Cover Vulnerabilities

      We all got excited when iOS 5 was released with new features and enhancements to the product. In the "i" family, each product is protected by a 4-digit number. You can configure the device to erase all data after 10 invalid logons. With earlier physical hijacking, we could reset the password on the iPad 1 with some tools, but now it seems we just need to invest in a Smart Cover.

      With the vulnerability, which was found 3 days ago, we can log on to any iPad 2 device in a few steps. You can test this on your own iPad 2.

      How to re-create the issues:

      1) Lock a password protected iPad 2

      2) Hold down power button until iPad 2 reaches turn off slider

      3) Close Smart Cover

      4) Open Smart Cover

      5) Click cancel on the bottom of the screen

      A mitigation is to secure the device by disabling Smart Cover unlocking in the iPad 2 settings menu under the General tab. I will keep you posted if there is a permanent fix from Apple.



      Microsoft Hyper-V 3.0

      I have re-blogged the following article from Michael Otey. The content is pretty good for letting you know what to expect from Microsoft Hyper-V 3.0.


      "At the recent Windows Server Workshop at the Microsoft campus in Redmond Washington Jeff Woolsey, Principal Program Manager Lead for Windows Virtualization in the Windows Server and Cloud division presented the new features in the next version of their Hyper-V virtualization platform. In the introduction to the workshop Jeffrey Snover, Distinguished Engineer and the Lead Architect for the Windows Server Division made the bold statement that with Microsoft it’s the third release where Microsoft really gets it right and with regard to what Microsoft demonstrated in the next version of Hyper-V this is definitely true. The upcoming Hyper-V 3.0 release that’s included in the next version of Windows Server has closed the technology gap with VMware’s vSphere.

      Hyper-V 3.0 Scalability
      The days when Hyper-V lagged behind VMware in terms of scalability are a thing of the past. The new Hyper-V 3.0 meets or exceeds all of the scalability marks that were previously VMware-only territory. Hyper-V 3.0 hosts support up to 160 logical processors (where a logical processor is either a core or a hyperthread) and up to 2 TB RAM. On the VM guest side, Hyper-V 3.0 guests will support up to 32 virtual CPUs with up to 512 GB RAM per VM. More subtle changes include support for guest NUMA where the guest VM has processor and memory affinity with the Hyper-V host resources. NUMA support is important for ensuring scalability increases as the number of available host processors increase. 

      Multiple Concurrent Live Migration and Live Storage Migration
      Perhaps more important than the sheer scalability enhancements are the changes in Live Migration and the introduction of Storage Live Migration. Live Migration was introduced in Hyper-V 2.0 which came out with Windows Server 2008 R2. While it filled an important hole in the Hyper-V feature set it wasn’t up to par with the VMotion capability provided in vSphere. Live Migration was limited to a single Live Migration at a time while ESX Server was capable of performing multiple simultaneous VMotions. In addition, vSphere supported a similar feature called Storage VMotion which allowed a VM’s storage to be moved to new locations without incurring any downtime. Hyper-V 3.0 erases both of these advantages. Hyper-V 3.0 supports multiple concurrent Live Migrations. There are no limits to the number of concurrent Live Migrations that can take place with Hyper-V 3.0. In addition, Hyper-V 3.0 also provides full support for Live Storage Migration where a virtual machine’s files ( the configuration, virtual disk and snapshot files) can be moved to different storage locations without any interruption of end user connectivity to the guest VM.
      Microsoft also threw in one additional twist that vSphere has never had. Hyper-V 3.0 has the ability to perform Live Migration and Storage Live Migration without the requirement of a shared storage on the backend. The removal of this requirement really helps bring the availability advantages of Live Migration to small and medium sized businesses that can't afford a SAN or don’t want to deal with the complexities of a SAN. The ability to perform Live Migration without requiring shared storage really sets Hyper-V apart from vSphere and will definitely be a big draw – especially for SMBs that haven’t implemented virtualization yet.

      VHDX, ODX, Virtual Fiber Channel & Boot from SAN
      Another important enhancement with Hyper-V 3.0 was the introduction of a new virtual disk format called VHDX. The new VHDX format breaks the 2TB limit that was present in the older VHD format and pushes the maximum size of the virtual disk up to 16 TB per VHDX. The new format also provides improved performance, support for larger block sizes and is more resilient to corruption.
      Hyper-V 3.0 also supports a feature called Offloaded Data Transfer (ODX). ODX enables Hyper-V to take advantage of the storage features of a backend shared storage subsystem. When performing file copies on an ODX enabled SAN the OS hands off all of the data transfer tasks to the SAN providing much higher file copy performance with zero to minimal CPU utilization. There is no special ODX button. Instead ODX works in the backend. ODX requires the storage subsystem to support ODX.
      Companies that use fiber channel SANs will appreciate the addition of the virtual Fiber Channel support in the Hyper-V guests. Hyper-V 3.0 guests can have up to four virtual fiber channel host bus adapters. The virtual HBAs appear in the VMs as devices very like virtual NICs and other virtual devices.
      In another storage related improvement Hyper-V VMs will also be able to boot from iSCSI SANs.

      Extensible Virtual Switch & NIC Teaming
      In keeping par with the sweeping changes in Hyper-V’s compute capabilities and storage Microsoft also made some significant enhancements to Hyper-V’s networking capabilities. First, they updated the virtual switch that’s built into the Hyper-V hypervisor. The new virtual switch has a number of new capabilities, including multi-tenant capability as well as the ability to provide minimum and maximum bandwidth guarantees. In addition to these features the new virtual switch is also extensible. Microsoft provides an API that allows capture, filter and forwarding extensions. To ensure the high quality of these virtual switch extensions Microsoft will be initiating a Hyper-V virtual switch logo program.
      Another overdue feature that will be a part of Windows Server 8 is the built-in ability to provide NIC teaming natively in the operating system. VMware’s ESX Server has provided NIC teaming for some time. Prior to Windows Server 8 you could only get NIC teaming for Windows via specialized NICs from Broadcom and Intel. The new NIC teaming works across heterogeneous vendor NICs and can provide support for load balancing as well as failover.

      The Magic Number 3
      As Jeffrey Snover pointed out, three does seem to be the magic number – at least for Hyper-V. Hyper-V 3.0 brings Microsoft’s virtualization on par with VMware’s vSphere. Businesses that are just getting into virtualization or those businesses that may be balking at VMware’s latest price increases will find Hyper-V to be a very cost effective and highly competitive alternative."

      Sunday, October 23, 2011

      Window Server 8 Performance Improvement

      It has been a while since the product was released for testing, but have you ever wondered what improvements the latest version brings? Look at the graph that was presented during the BUILD Windows conference. The supported CPU and memory have increased with each product release.


      One of the screenshots I took shows what it looks like when you have a lot of logical processors in your Windows server.

      There is also demand for more vCPUs in the guest operating system, which used 4 vCPUs in the previous version. But don't worry: the latest version supports more than enough for your VM, and this also means that you can reduce the number of Windows licenses needed to host another VM.



      I am interested in hearing your feedback, so that I can improve my articles and learning resources for you.

      Thursday, October 20, 2011

      Overview Of Hyper-V Patches Update

      Have you wondered how many patches have been released from 1st October 2009 until today, 14th September 2011? You will be quite surprised by the number of patches so far. Most of them are hotfixes, and most of those we don't install unless we hit the specific error. The chart below shows an analysis of the number of patches that have been released. If you notice, there are very few patches for security vulnerabilities.

      Summary of Microsoft Patches







      You can find more information about what each patch does and what it fixes at http://social.technet.microsoft.com/wiki/contents/articles/1349.aspx.



      Tuesday, October 18, 2011

      Task Manager improvement in Windows Server 8

      Although this is not a big topic, I think it is worth sharing. Task Manager is the application system administrators most commonly use to check server performance, hung processes, etc. The version in Windows 7 is much better than the one before it.

      But it is still a bit complicated to use when you want to check which application is using a lot of CPU, memory, disk and network, even though that view is reachable from Task Manager through what we call Resource Monitor.

      This is what Resource Monitor looks like, and it contains too much detail. In the latest enhancement to Task Manager, Microsoft has changed the UI to give a better user experience.

      In the latest version, Windows Server 8, the UI has changed. The objective is always to target what you want to view.
      If you click More details, it brings you to another screen.


      Processes Tab



      Performance Tab
      1) It certainly has a neat interface, and at the bottom left you can see Launch Resource Monitor. This is the same as in the previous Windows Server version.

      Users Tab

      Detail Tab

       Services Tab

      Windows Authorization Manager in Hyper-V using Active Directory

      As mentioned in my earlier post, we can use AzMan as the basis for controlling user access according to requirements. However, if you have a lot of team members who need to manage the servers, managing the different authorization stores becomes a nightmare.

      In Windows 2008, we can keep the authorization store in the Active Directory database. Before this can be implemented, you must make sure Active Directory is at least at the Windows 2003 functional level.

      Before you do so, you will need to download the sample script, Authorization Store Script. Once you have downloaded it, store it in c:\.

      Now we are ready to install the component.
      1) Open cmd and type the following command as below. The command will create a store inside the Active Directory database.
      2) If the command is successful, you will get the following screen.
      3) To make sure the data has been created inside Active Directory, open Active Directory Users and Computers (dsa.msc), click View and enable Advanced Features. You should see what you have just created.
      4) In order to configure the Hyper-V server to use role-based access control, you need to configure the path in the virtualization key as shown below. The registry path is HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization; modify the StoreLocation value there. Please take note: a wrong configuration will prevent VMs from starting.


      5) You should now be able to see the configuration inside AzMan. Open AzMan by typing azman.msc and verify the configuration. You will need to open the authorization store inside Active Directory that you have just configured.
      6) In the previous example I showed you the local store; this example uses Active Directory. There is also an option for MSSQL, but I think that option will use a lot of network traffic.



      7) Now you will need to configure AzMan to give the computer account read access to the store in your Active Directory. To do that, open the Security tab in the AzMan store properties.




      The computer name is the name of the Hyper-V server on which you want the AzMan feature to take effect.


      8) The next step is to restart the Hyper-V services as shown below.
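
      A pre-flight check for steps 4 to 8, added here as an example (it is not from the original post or from Microsoft): it reads StoreLocation, confirms the store actually opens through the AzMan COM interface, and only then restarts the service, since a wrong value stops VMs from starting. The function name is hypothetical; the ServiceApplication value and the vmms service name are assumptions about a default Hyper-V install.

```powershell
# Added example: validate the AzMan store before restarting Hyper-V.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Test-HyperVAzManStore {            # hypothetical helper name
    param([string]$RegistryPath = $key)

    $cfg = Get-ItemProperty -Path $RegistryPath -ErrorAction Stop
    $url = $cfg.StoreLocation
    # Assumption: the AzMan application name is held in ServiceApplication.
    $app = $cfg.ServiceApplication

    # AzMan store URLs are msxml:// (local file), msldap:// (AD) or mssql://.
    if ($url -notmatch '^(msxml|msldap|mssql)://.+') {
        throw "StoreLocation '$url' is not a valid AzMan store URL."
    }

    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    try {
        $store.Initialize(0, $url)          # 0 = open an existing store
        $null = $store.OpenApplication($app)
    }
    catch {
        throw "Cannot open '$app' in '$url': $($_.Exception.Message)"
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($store)
    }
    return $url
}

try {
    $url = Test-HyperVAzManStore
    Write-Host "Authorization store opened: $url"
    # Assumption: vmms is the Hyper-V Virtual Machine Management service.
    Restart-Service -Name vmms
}
catch {
    Write-Warning "$_ The Hyper-V service was NOT restarted; fix StoreLocation first."
}
```

      This runs under your own account, so it proves the URL and the store are valid but not that the Hyper-V computer account has the read access granted in step 7; check that separately on the Security tab.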


      In the next article I will show you how to configure the roles to be given to the administrator team. Overall I see AzMan as a good feature, but then again, if your infrastructure has not been secured it might become a nightmare for you. In this case, Active Directory needs to be properly managed; if it becomes corrupted, your Hyper-V services might be interrupted. From a security standpoint, I wouldn't recommend this, as there is a dependency on Active Directory. But I am not saying we can't use it; we just need better planning in terms of securing AD.