Entries tagged with feature of the week - TechNet Edge

Feature of the Week: Windows Server 2008 Hyper-V Scripting

Volker Will — Thu, 13 Nov 2008 17:59:00 GMT

Virtualization is on everybody's mind — and with good reason. It's a critical, sea-changing concept with wide-reaching implications. The idea that you can make pools of dynamic resources with unlimited capacity available to users anywhere at any time is extraordinary.

Because it is so vital, Microsoft^® is committed to driving the adoption of virtualization. However, unlike today's conventional wisdom, we don't view virtualization as an isolated, tactical tool. Rather, since virtualization can have a profound impact on your entire operation from the datacenter to the desktop, Microsoft believes it should be embraced as part of an enterprise-wide infrastructure strategy.

Windows^® Management Instrumentation or WMI is the essential underlying technology for managing Windows Server 2008 Hyper-V. WMI allows administrators and IT professionals full access to the Hyper-V stack.

Virtualization WMI Classes

Hyper-V does not expose a COM API for scripted management like previous products from Microsoft. Instead, Hyper-V is managed by working with WMI classes. Make sure to browse the MSDN section on the virtualization WMI classes to become familiar with the different classes and their properties.

Software Requirements

For today’s Feature Of The Week we will use VBScript and PowerShell. In order to write VBScript code, you may use PrimalScript by SAPIEN Technologies or your preferred editor Notepad. To write Windows PowerShell scriptlets, you must have at least Windows PowerShell 1.0 installed. Windows PowerShell is an optional component for Windows Server 2008 and can be installed by using the "Add a Feature" option in Server Manager. Finally, for the VB.NET and Visual C# code snippets, you can use Visual Studio Express.

Ok, assuming you have these tools installed, let’s go ahead and start scripting!

Scripting Hyper-V with VBScript

In the examples we are going to expose, we will be doing very simple Hyper-V WMI querying. In this case, the script we want to write will list all of the Virtual Machines (VMs) running in a local Windows Hyper-V installation (you can find this script in the code snippets included with this newsletter).

Here’s how you find the information using VBScript:

The first line of the script sets the variable strComputer to “.” which is used to specify the name of the server to query the WMI service (in this case, the local server). If you wanted to connect to a remote instance, then you would only need to change this to the name of the remote machine.

The second line obtains the WMI service object from the virtualization namespace. The next section gets the name of the host on which this script is running, then queries for the Msvm_ComputerSystem object that represents the host. Since ExecQuery() returns a collection, it is necessary to get the single object in the collection using a For Each loop.

After we have the host, we query for all Msvm_ComputerSystem objects associated with that host via Msvm_HostedDependency objects. These objects represent all the VMs running on that host. Finally, the foreach statement is responsible for displaying the ElementName and Caption properties of each virtual machine. Pretty straightforward, don’t you think?

Scripting Hyper-V with PowerShell

PowerShell has to be, without a doubt, one of the most useful — if not the most useful — scripting technologies on the Windows platform. Not only does it allow you to write powerful scripts but it also allows you to utilize .NET objects —something that VBScript cannot do.

One of the key features of PowerShell is how easy it is to understand. It follows noun-verb syntax, and that makes the comprehension of scripts very straightforward.

Let’s get back to our original example. If you recall, we wanted the script to output the names of the virtual machines with their installation date. The script to do this in PowerShell follows:

Just like in our previous example, the first line uses the Get-WMIObject (which can be abbreviated as gwmi) command to obtain the WMI object for the host in the virtualization namespace. A list of all Msvm_ComputerSystems is piped over to the next command. The where clause is responsible for finding the parent partition — this is analogous to the if statement we introduced in the VBScript. Once again, we make a second WMI query to find all VMs hosted on this machine. Finally, the last line is used to display the elements ElementName and Caption. An example on what the output looks like in our test machine follows:

You will find that this is a lot easier than the VBScript solution. Reading the script and understanding is also easier than the VBScript solution; you could probably understand what the script is doing if you had never read the description on what it does.

That’s it of this week’s FoW on Hyper-V scripting.

Feature of the Week: Announcing Web Application Installer (Beta)

Joey Snow — Wed, 15 Oct 2008 21:23:00 GMT

ITPro - Feature of the Week

Hey it’s me again. Back with more IIS 7 goodness. It’s hard not to talk about all of this IIS stuff with the I featured last week as well as all of the really cool IIS extensions. This week I give you a look at another brand new tool. Have you been wanting to run some of the more popular community PHP and .NET web applications on Windows Server? Don’t know where to start? Do you want to make sure you have everything you need? Today we announce:

Web Application Installer (Beta)

Who’s it for? IT Professionals, Website Administrators, and Website Developers.

When does it ship? Web Application Installer (Web AI) is currently released in Beta form.

http://www.microsoft.com/web/channel/products/WebApplicationInstaller.aspx

What does it do? It’s a single tool that helps you gets you easy access to popular community PHP and .NET web applications such as:

· Wordpress

· Graffiti

· DotNetNuke

· Drupal

· osCommerce

· PHPBB

Web AI does all of the work such as checking your computer for the required prerequisites, configuring IIS7, downloading applications for their source locations in the community, and installing the application. I was shown one example where Wordpress was deployed by simply launching the Web AI installer, selecting Wordpress from the list of applications and telling the installer your credentials as well as what type of website that should be installed.

Sounds cool, but what version of Windows does it run on? Web AI runs on Windows Server 2008 and Vista SP1.

Do I have to use IIS? Can I run it on Apache? Web AI relies on IIS extensions so no. You need to run IIS 7.

If I don’t have IIS7 or a database on my system will it install it for me? The Web AI applications require IIS 7 and a database to work. If you have access to a remote SQL Server database or even a MySQL database, the installer can install the applications on one machine and create the required databases on another. Of course you could go Microsoft Web Platform site.

Where can I get more information?

Microsoft’s Web Platform Site

IIS.net forums on Web AI

Web AI Readme file

Forefront Stirling Policies : Feature of the Week

David Tesar — Thu, 11 Sep 2008 15:32:00 GMT

Even in Beta 1 of Forefront Stirling you can check out the security policy capabilities the product has. I know what you’re thinking – “whoopee, more policies”, but what you can do with the policies in Stirling are quite impressive.

What can you do with Stirling policies?

For each policy, you can easily specify granular compliance settings for Forefront Client Security (FCS), Forefront Server for Exchange (FSE), and various other security state assessments AND specify granular automated actions to be taken to remediate - all from a single console. Some ideas for what you might do with Stirling policies:

If a client doesn’t have the correct firewall or latest anti-malware updates, remediate this using NAP.
Scan email using two engines and when a virus is found to be sent via email, clean the virus and initiate a full client virus and anti-malware scan using FCS
Audit to verify your IIS 6/7 and SQL 2005 servers have appropriate security settings enabled
If a client is doing a port scan or quickly sending a large number of emails, quarantine their computer using NAP, block their outbound internet access through TMG, scan their email for viruses with FSE, and do a full virus scan with FCS

In updates past Beta 1, you can eventually expect even more capabilities and integration with other Forefront products.

How does it work?

There are two major components – the policy and the target group. The policy contains all of the settings you are checking for and/or the remediation steps. The target group can be a user, group, computer, OU, or domain. A policy can be bound to one or more target groups and precedence can be set to determine priority if there are conflicts in policy settings. Under the hood, you have Enterprise Security Assessment Sharing (ESAS) and SCCM doing the majority of the communication work related to the policies – which I’ll cover in more depth in future posts.

What’s the catch?

In order to get this functionality working, you’ll need to have the core Stirling infrastructure in place and then utilize the vNext for FCS and FSE installed (if you create policies related to these settings). Also, for the NAP functionality to work – you’re going to need to set up a NAP infrastructure separately.

GET STARTED
Forefront Stirling Homepage

[update] Schedule and Strategy Update for Forefront "Stirling" and Endpoint Protection

Find out more about the new approach to align with customer client infrastructure management that will help simplify deployment and reduce costs.

Feature of the Week: URLScan 3.0 for IIS 7.0

Joey Snow — Thu, 28 Aug 2008 07:01:00 GMT

Back in April there were reports that surfaced stating that web sites running on Internet Information Services (IIS) had been compromised by an automated attack that used vulnerabilities in web pages that did not follow security for best practices. These websites were taken advantage of via SQL injection attacks. While the only way to completely prevent SQL injection attacks is by following proper development best practices, URL Scan 3.0 is an updated IIS feature that will allow server administrators to help mitigate SQL injection attacks until the web application can be updated to protect against SQL injection. This post will provide more details on the latest version of this technology.

URL Scan 3.0

Who’s it for? IT Professionals and Website Administrators.

When does it ship? URL Scan 3.0 was released to the Web on 8/21/08 and can be downloaded from the following locations:

· 32 Bit: http://www.iis.net/go/1697

· 64 Bit: http://www.iis.net/go/1698

(Wow looking at those nice clean URL’s makes me want to post about another new IIS feature. I guess more on that later.)

What does it do? When installed and configured on a server running IIS 5.1 or higher, URLScan can scan incoming http requests and if the request contains content that is undesirable (like a SQL injection attack), that request can be rejected. By filtering these requests, URLScan helps prevent unwanted requests from potentially damaging the web application or even the web server.

How is URLScan different than the request filtering module that ships with IIS 7? The request filtering module does not have the ability to filter based on query strings like URLScan 3.0 does. Also you cannot specify rules applying to multiple parts of an HTTP request.

So didn’t URLScan exist before? Yes. URLScan 2.5 was originally released as part of the IIS Lockdown Tool and if you are using URLSCan 2.5, you can use your existing configuration file with URLScan 3.0 and everything will function fine. Plus you get the added URLScan 3.0 features!

What are the new URLScan 3.0 features? While the configuration format of URLScan 3.0 is the same as it’s predecessor, there are a number of new sections in the configuration to support the following new features:

· Deny rules can be independently applied to a query string, all headers, a particular header, a URL or a combination of the above.

· Configuration change notifications are propagated to the IIS worker processes so configuration changes don’t require worker process restarts.

· The global DENYQUERYSTRING section of the configuration file allows you to add deny rules for query strings and include an option to check the un-escaped version of the query string.

· The global ALWAYSALLOWEDQUERYSTRINGS section allows for the specification of safe query strings that will bypass all query string checks. (This feature was not in the previously released URLScan 3.0 beta).

· Descriptive configuration errors are now available in W3C formatted logging. This feature was also not available in the beta.

· Escape sequences like (%0A%0D) can now be used in deny rules allowing to deny CTRLF and other sequences involving non-printable characters.

How can URLScan be setup? URLScan can be setup up either as a global filter or a site level filter. A global filter is triggered for every HTTP request sent to the server. Site level filters are only invoked for HTTP requests sent to particular sites on a IIS server. Starting with URLScan 3.0 site filters can be used in conjunction with global filters.

Where can I get more information?

URLScan 3.0 FAQ

Using URLScan

Common URLScan Scenarios

IT Pro Feature of the Week: MMS Announcements

Adam Bomb — Thu, 01 May 2008 22:48:00 GMT

It’s Thursday, and that means one thing: Time for another Feature of the Week! Since I’m on location (along with Joey, who does in fact know everyone) at MMS (Microsoft Management Summit) this week, I thought I’d just give you a roundup of the announcements Microsoft made at the event

MMS Announcements Roundup

Beta availability of Virtual Machine Manager 2008 Available immediately for download, VMM 2008 provides complete management of Virtual Server, Hyper-V and VMWare virtual machines. Also includes PRO (Performance and Resource Optimization) tips that can dynamically move and provision VMs to best use the resources available across all your virtual machine hosts.

Beta availability of Cross-Platform extensions for Operations Manager Utilizes industry standards and open source technologies like WS-Man and OpenPegasus to bring SCOM management to HP-UX, Solaris, and Redhat and SUSE Linux. Partners providing Oracle, MySQL and Apache management packs.

Release of Microsoft Operations Framework (MOF) 4.0 The first major MOF release in 5 years, this release moves beyond just operations to include the whole IT lifecycle. It also includes guidance that you can start implementing in just 20 minutes, and strong community engagement and interaction.

Configuration Manager SP1 Integration with Intel’s vPro technologies for deeper hardware layer integration. Asset Inventory Services – cloud based application catalog. Available in May

Configuration Manager R2 native integration of Application Virtualization distribution and streaming. SQL Reporting services and Forefront integration. RC in June.

Links

The Newly redesigned System Center home page

The MOF homepage

MMS coverage on TechNet Edge

Windows Server 2008 - Unix Interoperability

Adam Bomb — Fri, 14 Mar 2008 07:01:00 GMT

I used to bang the interoperability drum a lot – I still don’t think we do a good enough job as a company of telling the story of how well Windows plays nicely with others. Case in point: while perusing the Book of Longhorn looking for something to write about this week, I noticed just one or two brief mentions of Unix and our interoperability.

The good news is we still have a strong Unix integration story in Windows Server 2008. Read on for more details.

Unix Support in Windows Server 2008

Why do Unix Support? There are two main reasons:

· Maximize previous investments – we have interoperability with platform customers have already deployed, and administrators can leverage their existing knowledge and skills.

· Lower costs – few management tools reduces the cost of administration, management and migration

What are we actually offering? Unix support is spread across a few different roles and features in Win2k8:

· Telnet, both a server and client, for command line administration

· Services for NFS allows transfer of files between Windows and Unix machines.

· Subsystem for Unix-based Applications (SUA)allows you to compile and run Unix apps on Windows with minimal changes to the source code. It also provides 300 Unix commands, utilities, and shell scripts.

· Identity Management for Unix (IDMU) – password sync between Windows domains and many Unix flavors, and a Server for NIS that allows AD to act as a master NIS server for NIS domains.

Those all sound familiar – what’s actually new here? Windows Server 2008 is the first time we’re offering x64 versions of these tools – now with x64 SUA you can use it to port x64 or x32 bit Unix apps to x64 Windows. Most scripts should run without changes at all. This is the first time that we’re including all this functionality as part of the OS – it was previously offered via web download or on the supplemental disc in Server 2003 R2.

Get started

Services for Unix on Server 2008 site (worst site ever)

Telnet Operations Guide

Server for NFS on TechNet

SFU Team blog on MSDN

IDMU on TechNet

Windows Server 2008 - DNS enhancement nuggets

David Tesar — Thu, 06 Mar 2008 07:59:00 GMT

There are a number of enhancements to DNS in Windows Server 2008. There are already some lengthy articles on the features, so in this post I hope to give a quick “why you care” on each of the features and some nuggets of wisdom / insight. Here we go…

DNS on Server Core: I see this as a very useful scenario for most people who use DNS in conjunction with RODC in branch offices using the new primary read-only zone. You get all of the server core benefits such as improvements in performance, less patching, security, etc, and it can have all of the same core functionality as a regular DNS server. The easiest way to manage is remotely using the DNS MMC.

Background Zone Loading: Companies who have a large number of records in AD-integrated zones might have to wait 1+ hours to have DNS respond to queries after restarting. Now, DNS spawns off multiple threads to be able to respond to client queries right away. If the record in the zone hasn’t been loaded into memory yet and it is still in the process of loading the entire zone, it will query the node in AD, cache it in the zone, and return a response to the client.

IPv6 Support: Microsoft supports IPv6 in Server 2003, but it was a bit of a management pain and there were some other limitations. See Joseph Landies Cable guy article for the management/integration improvements made in WS08. Also, some other improvements:
· DNS servers can now send recursive queries to IPv6-only servers
· The server forwarder list can contain both IPv4 and IPv6 addresses
· DHCP clients can also register IPv6 addresses in addition to (or instead of) IPv4 addresses.
· DNS servers now support the ip6.arpa domain namespace for reverse mapping.

Make sure your critical apps are cool with receiving a response for an IPv4 address and an IPv6 address. I haven’t personally seen any app problems, but nonetheless, worth mentioning.

Primary read-only zone: This new zone type is also referred to as a “branch office zone” which is available on RODCs running DNS. The zone will make a read-only copy of all of the AD-integrated zones locally from a full DC. The easiest way to think about it is as a read-only secondary zone, but better due to the benefits of AD-integration (i.e. security, management, and you can easily replicate multiple zones).

Global Names Zone: This allows you to resolve single-label names in DNS as an aid to get rid of WINS. If you still need computer browsing, you have apps hard-coded to only use NetBIOS name resolution, or have really old clients & NT4 – sorry, you probably still need WINS. However, if you just need the single-label name support for things like custom-named internal websites or servers throughout your entire environment – this is the solution. There are quite a few things to consider with this, so I recommend reading the whitepaper listed below. A couple quick key limitations are a) this functionality only works with WS08 DNS servers and b) it also doesn’t support dynamic updates.

DNS Client changes: For Vista clients or WS08 servers, the DNS client has a few good changes:
· Periodic check to make sure the client is authenticating with a local DC (configurable via group policy). Previously, a client would only fail back to the closer DC when forced.
· Locate the nearest domain controller using the defined Active Directory sitelink costs instead of searching randomly. This is disabled by default, but good to enable when you have clients across slow site-links.
· Use link-local multicast name resolution (LLMNR), also known as multicast DNS or mDNS, to resolve names on a local network segment when a DNS server is not available.

Get Started
Windows Server 2008 & Domain Name Service: What's New (WS08 Blog by Kurt Roggen)
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 (http) (doc version)
The Cable Guy DNS Enhancements in Windows Server 2008 (by Joseph Davies)
What's New in DNS in Windows Server 2008 (very short blurb on TechNet)
DNS Server GlobalNames Zone Deployment Whitepaper