Weblog.BassQ.nl

Tag: Windows XP

Announcing App-V 4.6 RC and integration with Office 2010 Beta!

by BassQ on Dec.28, 2009, under Exchange, Microsoft, Office, SharePoint, Windows 7, Windows Server, Windows XP, XenApp, XenDesktop

Source: http://blogs.technet.com/softgrid/archive/2009/11/19/announcing-app-v-4-6-rc-and-integration-with-office-2010-beta.aspx

First of all, we are excited to announce the availability of App-V 4.6 RC! In August we announced the App-V 4.6 Beta. Since then we have taken in lots of customer feedback and continue to refine the App-V 4.6 release so that we can deliver a great product!  We invite you to check out the RC release by registering and downloading the App-V 4.6 RC release via Microsoft Connect, where you can also submit feedback directly to the team.

We’re not done, though: we’d also like to share some great news and announce our integration with Office 2010 Beta:

Microsoft Office 2010 Beta, Ready to be Sequenced With the Microsoft Office 2010 Beta Deployment Kit for App-V

As you know the Office team just completed a major milestone Microsoft Office 2010 Beta, congrats to the team!  Throughout the process of building Office 2010 the App-V and Office teams have been working very closely to make sequencing Office 2010 Beta possible with App-V 4.6 RC!  We have taken the feedback and requests from post-Office 2007 and App-V 4.5 releases, and have been hard at work implementing a solid integration experience for Office when App-V 4.6 releases in H1 2010.

So what’s different when using Microsoft Office 2010 Beta and App-V 4.6 RC together?

Office 2010 has introduced a new piracy protection initiative, the Software Protection Platform (SPP) service.  This service uses a machine’s hardware characteristics and product key to activate the installation, which is performed during the first Office application launch.

Since the Office 2010 product activation is linked to the hardware on which Office is originally installed, customers who wish to deploy Office 2010 using App-V must physically install the SPP service on the sequencer machine before beginning the sequencing process – and on any client machines that will stream and run Office 2010.

Our engineering teams have collaborated to address the top customer issues that people were running into when virtualizing past versions of Office. As a result, Office 2010 has a much more integrated user experience. The Office 2010 integration delivers key productivity enhancements and a seamless user experience by enabling the following:

· Microsoft SharePoint Integration – You can open, edit, and save Microsoft Office documents using Microsoft SharePoint.

· Microsoft Outlook Fast Search – You can use Microsoft Windows Desktop Search to find specific messages in your inbox.

· MAPI Proxy – You can connect to your inbox using Microsoft Outlook Send To functionality.

· Microsoft Office Document Indexing – You can index your documents so that you can use Microsoft Windows Search to locate files.

· Virtual Mail Control Panel icon – You can use the Email icon in Control Panel to perform advanced mail configuration.

· URL protocol handler – You can configure links in the browser and specify the appropriate associated Microsoft Office application.

· Send to Microsoft OneNote Printer driver – You can print documents to Microsoft OneNote.

To help customers facilitate this process, we have created the Microsoft Office 2010 Deployment Kit for App-V (Beta). The Deployment Kit contains both the required SPP licensing component and Office 2010 integration features.

And what’s even more exciting, you can get your hands on it now.

How Do I Sequence Microsoft Office 2010 Beta for App-V 4.6 RC?

1. Download Office 2010 Beta here

2. Download the Microsoft Office 2010 Deployment Kit for App-V (Beta)

3. Download App-V 4.6 RC on Microsoft Connect

4. Read the App-V recipe for sequencing Office 2010 Beta on Microsoft Connect.

For detailed information on whether your environment meets the requirements of Office 2010 and App-V 4.6 RC, please refer to the App-V recipe.

Please note: We are providing a recipe to support the sequencing and testing of these pre-release products on Microsoft Connect.  Please provide feedback via Microsoft Connect, by choosing FEEDBACK once logged into the App-V 4.6 Program.

We look forward to hearing about your App-V 4.6 RC and Office 2010 experience!


Offline Virtual Machine Servicing Tool v2.1 (VHD)

by BassQ on Dec.22, 2009, under Windows 7, Windows Server, Windows XP

Source: http://blogs.technet.com/virtualization/archive/2009/12/10/Offline-Virtual-Machine-Servicing-Tool-v2.1-.aspx

Virtualization affects how we plan, build, deploy, operate, and service workloads. Customers are creating large libraries of virtual machines containing various configurations. The patch state of these virtual machines is not always known. Ensuring that offline virtual machines are properly patched and won’t become vulnerable the instant they come online is critical.

I am therefore very pleased to state that the Offline Virtual Machine Servicing Tool v2.1 has now been released!

Congratulations to the Solution Accelerator team for this release!

The Offline Virtual Machine Servicing Tool 2.1 has free, tested guidance and automated tools to help customers keep their virtualized machines updated, without introducing vulnerabilities into their IT infrastructure.

The tool combines the Windows Workflow programming model with the Windows PowerShell interface to automatically bring groups of virtual machines online, service them with the latest security updates, and return them to an offline state.

What’s New?

Release 2.1 is a direct response to customer and Microsoft field requests to support the R2 wave. Offline Virtual Machine Servicing Tool 2.1 now supports the following products:
· Hyper-V R2
· VMM 2008 R2
· SCCM 2007 SP2
· WSUS 3.0 SP2
OVMST 2.1 also supports updates to Windows 7 and Windows Server 2008 R2 virtual machines.

Download here: Offline Virtual Machine Servicing Tool 2.1
More info: http://technet.microsoft.com/en-us/library/cc501231.aspx


PowerShell 2.0 Is Available For Download (XP and Windows 2003 Also!)

by BassQ on Nov.09, 2009, under Microsoft, Windows 7, Windows Server, Windows XP

Following quickly on the heels of the Windows 7 and Windows Server 2008 R2 launches (they have PowerShell 2.0 built in), Microsoft has released version 2.0 for all flavors of Windows since XP:

Windows Management Framework, which includes Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0, was officially released to the world this morning. By providing a consistent management interface across the various flavors of Windows, we are making our platform that much more attractive to deploy. IT Professionals can now easily manage their Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 machines through PowerShell remoting – that’s a huge win!

PowerShell v2 has finally been released for ‘legacy’ OSes (Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008)! I’m saying legacy OSes because the latest OSes are Windows 7 and Windows Server 2008 R2. You could also say the out-of-band releases have been released. This happened around the end of October 2009.

If you are having a hard time finding those, that’s because it is included in the Windows Management Framework.

The Windows Management Framework includes:

  • Windows Remote Management (WinRM) v2.0
  • Windows PowerShell v2.0
  • Background Intelligent Transfer Service (BITS) v4.0
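The post’s point is that WinRM 2.0 plus PowerShell 2.0 give one remoting interface across every Windows version from XP onward. As an added example (not code from the original post or from Microsoft), the script below checks the local PowerShell version, confirms each target’s WinRM listener answers with Test-WSMan, and then uses Invoke-Command to pull a small patch-state inventory from each machine. The host names in $targets are constructed placeholders, and it assumes Enable-PSRemoting has already been run on the targets.

```powershell
# Added example, not from the original post. Requires PowerShell 2.0 / WinRM 2.0
# on both ends and remoting enabled on the targets (Enable-PSRemoting).
$targets = @('server01', 'server02')   # constructed sample host names; replace

# Remoting needs PowerShell 2.0 or later locally ($PSVersionTable is absent on v1).
if ($PSVersionTable -eq $null -or $PSVersionTable.PSVersion.Major -lt 2) {
    throw 'PowerShell 2.0 (Windows Management Framework) is required for remoting.'
}

function Get-RemotePatchState {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        # Test-WSMan confirms the WinRM listener answers before opening a session.
        try {
            $null = Test-WSMan -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning ("{0}: WinRM not reachable ({1})" -f $computer, $_.Exception.Message)
            continue
        }

        # Gather OS version, remote PowerShell version and the most recently
        # installed hotfix; Get-HotFix reports what Windows Update has applied.
        Invoke-Command -ComputerName $computer -ScriptBlock {
            $os       = Get-WmiObject -Class Win32_OperatingSystem
            $hotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn } |
                          Sort-Object -Property InstalledOn -Descending)
            New-Object PSObject -Property @{
                Computer     = $env:COMPUTERNAME
                OSCaption    = $os.Caption
                OSVersion    = $os.Version
                PSVersion    = $PSVersionTable.PSVersion.ToString()
                LastHotFix   = if ($hotfixes.Count -gt 0) { $hotfixes[0].HotFixID } else { 'none' }
                LastHotFixOn = if ($hotfixes.Count -gt 0) { $hotfixes[0].InstalledOn } else { $null }
            }
        }
    }
}

Get-RemotePatchState -ComputerName $targets |
    Format-Table Computer, OSCaption, OSVersion, PSVersion, LastHotFix, LastHotFixOn -AutoSize
```

Hosts that fail the Test-WSMan probe are reported with a warning and skipped rather than aborting the whole run, so one unreachable XP box does not hide the results for the rest.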

Read more about it here.

Windows Management Framework Core (WinRM 2.0 and Windows PowerShell 2.0)

Windows Management Framework BITS (BITS 4.0)


Microsoft Baseline Security Analyzer 2.1.1

by BassQ on Oct.25, 2009, under Windows 7, Windows Server, Windows XP

The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.1.1 is a minor upgrade to add support for Windows 7 and Windows Server 2008 R2.

To easily assess the security state of machines in an environment, Microsoft offers the free Microsoft Baseline Security Analyzer (MBSA) scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.

MBSA 2.1.1 builds on previous versions by adding support for Windows 7 and Windows Server 2008 R2. As with the previous MBSA 2.1 release, MBSA includes 64-bit installation, security update and vulnerability assessment (VA) checks, improved SQL Server 2005 checks, and support for the latest Windows Update Agent (WUA) and Microsoft Update technologies. More information on the capabilities of MBSA 2.1 and 2.1.1 is available on the MBSA Web site.

MBSA 2.1.1 runs on Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP and Windows 2000 systems and will scan for missing security updates, rollups and service packs using Microsoft Update technologies. MBSA will also scan for common security misconfigurations (also called Vulnerability Assessment checks) using a known list of less secure settings and configurations for all versions of Windows, Internet Information Server (IIS) 5.0, 6.0 and 6.1, SQL Server 2000 and 2005, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003 only.

To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.
Choose the appropriate download below for English (EN), German (DE), French (FR) and Japanese (JA) for x86 (32-bit) or x64 (64-bit) platforms.

Download details Microsoft Baseline Security Analyzer 2.1.1 (for IT Professionals)
Source: http://bink.nu/news/microsoft-baseline-security-analyzer-2-1-1.aspx


New tool Sysinternals, disk2vhd!

by BassQ on Oct.19, 2009, under Microsoft, Windows 7, Windows Server, Windows XP

I am a big fan of Sysinternals tools and I use these tools quite often to debug OS-related issues. These tools are quite useful when you want to understand the internals of the OS. Mark and his team have been doing a great job in keeping these tools up to date and adding new features once in a while. One such new tool that got released yesterday is Disk2VHD. You can download it here. Here is how the TechNet page describes this new tool.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different from the ones being converted).

[Screenshot: disk2vhd]

I downloaded this tool in the morning and experimented a bit on my Windows 7 system. Usage of this tool is straightforward. You see a dialog with all disk partitions as listed in the screenshot here. All you need to do is select all the partitions you want to export to a VHD and click “Create”. The VHD export will take some time based on the overall disk size you selected. For my experiments, I just selected the first two partitions. This is because I have all the BCD information on partition 1 and without that my new VHD will be meaningless. You may see a lot of CPU/memory utilization while the export is in progress. On my system, it looked something like this.

Once the export is complete, I rebooted my system into Windows Server 2008 R2, created a virtual machine and attached the exported VHD. That is it. My virtual machine is ready with the installed OS and all the applications I was running on the physical Windows 7 system.

As I powered on the VM, the first screen showed me the boot menu I usually see on my physical machine. This is because I never removed the additional multi-boot entries I had in the BCD stored on the first partition. These entries, if selected, won’t work because I did not export the partitions containing those OS images to the VHD.

[Screenshot: resmon]

At this point, I continued by selecting the Windows 7 entry and started booting the OS. Within a few seconds, I could see the user selection screen and after I logged in using my regular user account, I could see all the applications working as usual. I also have Windows Virtual PC with WinXP mode in the VHD image. But, as I expected, that did not work as it requires hardware-assisted virtualization, which is something that will not be available inside a virtual machine.

[Screenshot: vmbootmenu]


Windows Server Update Services 3.0 SP2 released!

by BassQ on Aug.28, 2009, under Microsoft, Windows 7, Windows Server, Windows XP

Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) delivers updates to corporate environments from Microsoft Update. This release adds new features and fixes issues found since the release of the product.

WSUS 3.0 SP2 delivers important customer-requested management, stability, and performance improvements. Some of the features and improvements include the following:

  • Integration with Windows Server 2008 R2.
  • Support for the BranchCache feature in Windows Server 2008 R2.
  • Support for Windows 7 and Windows Server 2008 R2 clients.
  • Compliance Report
  • Windows Update Agent (WUA) offers a collection of performance enhancements, user experience improvements, and bug fixes.

WSUS 3.0 SP2 can be installed alone, or as an upgrade of WSUS 3.0 SP1.
This package installs the WSUS 3.0 SP2 Server, the WSUS 3.0 SP2 Administration Console components and the WUA client for down-level operating systems. You must install the server components on a computer that is running Windows Server 2003 SP2 or a later version. You may install the Administration Console on a remote computer that is running one of the supported operating systems; see the Supported Operating Systems section below.
WSUS 3.0 SP2 Server Installation on Windows Small Business Server 2003
If you are installing the WSUS 3.0 SP2 product on Windows Small Business Server 2003, follow the instructions in Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003.

Download Here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a206ae20-2695-436c-9578-3403a7d46e40#tm


Great Microsoft Virtualization Free E-Book

by BassQ on Aug.21, 2009, under Microsoft, Windows 7, Windows Server, Windows XP

Today I have another great ebook to share with you. If you are interested in Microsoft virtualization solutions, then the book “Understanding Microsoft Virtualization Solutions” will be a great resource for you. It is available as a free PDF download, and it covers Windows Server 2008 Hyper-V, System Center Virtual Machine Manager 2008, Microsoft Application Virtualization 4.5, Microsoft Enterprise Desktop Virtualization, and Microsoft Virtual Desktop Infrastructure. It was written by Mitch Tulloch with the Microsoft Virtualization team and published by Microsoft Press; it has 431 pages and is available as a FREE DOWNLOAD.

Download “Understanding Microsoft Virtualization solutions – from the Desktop to the Datacenter” free pdf ebook

Original article: Microsoft Press – Microsoft Virtualization Solutions Free E-Book by Brian Johnson


Microsoft will soon unveil free virus software

by BassQ on Jun.14, 2009, under Microsoft

* Microsoft getting ready to unveil free anti-virus service

* Software maker says will soon put beta version on website

* Company employees testing it internally

Microsoft Corp is getting ready to unveil a long-anticipated free anti-virus service for PCs that will compete with products sold by Symantec Corp and McAfee Inc.

A Microsoft spokesman said on Wednesday that the world’s biggest software maker is now testing an early version of the product with its own employees and that it will “soon” make a trial version available via its website.

Microsoft has said that it will only include basic features for fighting viruses, which would likely make it comparable to the least-expensive products sold by Symantec and McAfee.

More at Paul Thurrott’s Super Site

http://community.winsupersite.com/blogs/paul/archive/2009/06/10/microsoft-will-soon-unveil-free-virus-software.aspx


Windows XP Mode within Windows 7

by BassQ on Jun.12, 2009, under Microsoft, Windows 7, Windows XP

Windows 7’s new XP Mode lets you seamlessly run virtualized applications alongside your regular Windows 7 applications, so your outdated software will continue to work. Before we begin, you’ll want to make sure your system meets the requirements:

  • Processor: Processor capable of hardware virtualization, with AMD-V™ or Intel® VT turned on in the BIOS.
  • Memory: 2GB of memory recommended.
  • Hard disk requirement: 20MB of hard disk space for installing Windows Virtual PC. An additional 15GB of hard disk space per virtual Windows environment is recommended.

Make sure that your processor supports hardware virtualization, and double-check that the hardware virtualization setting is enabled in your BIOS (the setting is often not enabled even though your processor supports it). You can use the official Intel Processor Identification Utility if you are running Intel, or you can use the previously mentioned SecurAble to determine whether or not your AMD or Intel processor will support XP Mode.

Next, you’ll need to install two software packages on your PC:

  1. Download and install the Windows Virtual PC Beta, which is the virtualization software that powers "XP Mode".
  2. Download and install the Windows XP Mode Beta, which is a specially crafted XP virtual machine.

Once you’ve completed those steps and restarted your computer, run the Virtual Windows XP item in the start menu, add in a password and make sure to choose to remember the credentials if you want the integration features to work smoothly.

Once the wizard is complete, hopefully you will see a dialog that sets up XP for use, which will take quite a while. If you receive a message that hardware virtualization is not enabled, reboot your computer and check that the BIOS option is enabled, usually found under the advanced settings page.

If all goes well, you’ll see a Virtual Windows XP window, complete with a notification to install antivirus software. Since XP Mode is nothing more than Windows XP in a virtual machine, you should take the advice and install your favorite antivirus application, especially if you’ll be downloading files in the VM.

At this point you will need to install your applications in Windows XP, and make sure to choose "All Users" anytime you are asked who to install the software for; the integration features won’t work with software that installs just for your user account. If you can’t install for everybody, you can simply choose "Open All Users" on the start menu, and copy a shortcut to the application into the start menu’s programs folder.

Once your applications are installed and shortcuts are in the All Users start menu, they will magically show up in the Windows 7 start menu under the Windows Virtual PC -> Virtual Windows XP Applications folder.

Depending on the state of the virtual machine, you will be prompted to close it in order to switch into "virtual application" mode. If the virtual machine was hibernated, you will see a slightly different prompt, but the general idea is that it can’t be running while you are in application mode.

And now, success! The Chrome window in the front is an XP-mode window. You’ll notice that windows running in XP mode don’t seem to take advantage of the slick Windows 7 drop-shadows, and you won’t see a thumbnail preview in the taskbar or Alt-Tab.


Pushing the Limits of Windows: Paged and Nonpaged Pool

by BassQ on Mar.31, 2009, under Microsoft, Weblog, Windows Server

In previous Pushing the Limits posts, I described the two most basic system resources, physical memory and virtual memory. This time I’m going to describe two fundamental kernel resources, paged pool and nonpaged pool, that are based on those, and that are directly responsible for many other system resource limits including the maximum number of processes, synchronization objects, and handles.

Paged and nonpaged pools serve as the memory resources that the operating system and device drivers use to store their data structures. The pool manager operates in kernel mode, using regions of the system’s virtual address space (described in the Pushing the Limits post on virtual memory) for the memory it sub-allocates. The kernel’s pool manager operates similarly to the C-runtime and Windows heap managers that execute within user-mode processes. Because the minimum virtual memory allocation size is a multiple of the system page size (4KB on x86 and x64), these subsidiary memory managers carve up larger allocations into smaller ones so that memory isn’t wasted.

For example, if an application wants a 512-byte buffer to store some data, a heap manager takes one of the regions it has allocated and notes that the first 512-bytes are in use, returning a pointer to that memory and putting the remaining memory on a list it uses to track free heap regions. The heap manager satisfies subsequent allocations using memory from the free region, which begins just past the 512-byte region that is allocated.

Nonpaged Pool

The kernel and device drivers use nonpaged pool to store data that might be accessed when the system can’t handle page faults. The kernel enters such a state when it executes interrupt service routines (ISRs) and deferred procedure calls (DPCs), which are functions related to hardware interrupts. Page faults are also illegal when the kernel or a device driver acquires a spin lock, which, because spin locks are the only type of lock that can be used within ISRs and DPCs, must be used to protect data structures that are accessed from within ISRs or DPCs and either other ISRs or DPCs or code executing on kernel threads. Failure by a driver to honor these rules results in the most common crash code, IRQL_NOT_LESS_OR_EQUAL.

Nonpaged pool is therefore always kept present in physical memory and nonpaged pool virtual memory is assigned physical memory. Common system data structures stored in nonpaged pool include the kernel and objects that represent processes and threads, synchronization objects like mutexes, semaphores and events, references to files, which are represented as file objects, and I/O request packets (IRPs), which represent I/O operations.

Paged Pool

Paged pool, on the other hand, gets its name from the fact that Windows can write the data it stores to the paging file, allowing the physical memory it occupies to be repurposed. Just as for user-mode virtual memory, when a driver or the system references paged pool memory that’s in the paging file, an operation called a page fault occurs, and the memory manager reads the data back into physical memory. The largest consumer of paged pool, at least on Windows Vista and later, is typically the Registry, since references to registry keys and other registry data structures are stored in paged pool. The data structures that represent memory mapped files, called sections internally, are also stored in paged pool.

Device drivers use the ExAllocatePoolWithTag API to allocate nonpaged and paged pool, specifying the type of pool desired as one of the parameters. Another parameter is a 4-byte Tag, which drivers are supposed to use to uniquely identify the memory they allocate, and that can be a useful key for tracking down drivers that leak pool, as I’ll show later.
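Because both pools are finite and sized from the system’s virtual address space, the practical check for the leak problem this section raises is whether pool usage keeps growing. As an added example (not code from the original post or from Sysinternals), the script below samples the Memory\Pool Nonpaged Bytes and Memory\Pool Paged Bytes performance counters with Get-Counter over a short window, alongside the system-wide handle count as a rough proxy for the pool-backed objects (file objects, events, mutexes) the text lists, and reports the net change. The sample count and interval are assumed defaults; attributing growth to a specific allocation tag is a separate step that the post defers.

```powershell
# Added example, not from the original post. Requires PowerShell 2.0 for
# Get-Counter; run on the machine whose pool usage you want to watch.
$counters = @('\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes')
$samples  = 6     # assumed: six samples ...
$interval = 10    # assumed: ... ten seconds apart (60 s window)

function Get-PoolSample {
    # One snapshot of both pool counters; match by path rather than position.
    $set = Get-Counter -Counter $counters
    $np  = $set.CounterSamples | Where-Object { $_.Path -like '*pool nonpaged bytes' }
    $pp  = $set.CounterSamples | Where-Object { $_.Path -like '*pool paged bytes' }
    New-Object PSObject -Property @{
        Time       = $set.Timestamp
        NonpagedMB = [math]::Round($np.CookedValue / 1MB, 1)
        PagedMB    = [math]::Round($pp.CookedValue / 1MB, 1)
        # Every open handle refers to a kernel object that lives in pool, so the
        # total handle count rises with the objects the post describes.
        Handles    = (Get-Process | Measure-Object -Property Handles -Sum).Sum
    }
}

$history = @()
for ($i = 0; $i -lt $samples; $i++) {
    $history += Get-PoolSample
    if ($i -lt $samples - 1) { Start-Sleep -Seconds $interval }
}

$history | Format-Table Time, NonpagedMB, PagedMB, Handles -AutoSize

# Net change across the window. Nonpaged pool cannot be paged out, so a figure
# that only ever climbs there is the more urgent sign of a leaking driver.
$first = $history[0]
$last  = $history[-1]
"Nonpaged change: {0} MB; Paged change: {1} MB; Handle change: {2}" -f `
    ($last.NonpagedMB - $first.NonpagedMB),
    ($last.PagedMB   - $first.PagedMB),
    ($last.Handles   - $first.Handles)
```

A one-minute window only catches fast leaks; for a slow leak, lengthen $interval and $samples or schedule the script and keep the per-sample rows, since the trend over hours is what distinguishes a leak from normal fluctuation.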

(continue reading…)


Windows 7 Public Beta Available for Download!

by BassQ on Jan.08, 2009, under Weblog

TechNet, MSDN and Techbeta customers can download it now.


Consumers who want to test-drive the beta will be able to download it beginning Jan. 9 at http://www.microsoft.com/windows7.

Here is the full press release:

Microsoft’s Ballmer Announces Availability of Windows 7 Beta and Windows Live

For TechNet, MSDN and Techbeta customers it is already available here:

Windows 7 Beta 64-bit (Download also this MP3 Fix!)
Windows 7 Beta 32-bit (Download also this MP3 Fix!)

Release notes Windows 7


This Post lists the best practices for securing Terminal Server or Windows XP (for use with VDI)

by BassQ on Dec.25, 2008, under Weblog

How can I protect my terminal servers from Spyware, Malware, Trojans, Worms, Viruses and unauthorized software?

  1. Start with a secure installation of the Operating System. Windows Server 2003 installs by default with users being able to create files and folders in the root of the system drive, and Windows 2000 Server installs by default with the Everyone group having Full Control NTFS Permissions to the entire System Drive. To lock down the System Drive on Windows 2000 Server, start with the following settings:

    1. Root of System Drive – Authenticated Users = "Read and Execute"

    2. Root of System Drive – Administrators = "Full Control"

    3. Root of System Drive – System = "Full Control"

    4. Program Files Directory – Authenticated Users = "Read and Execute"

    5. Program Files Directory – Administrators = "Full Control"

    6. Program Files Directory – System = "Full Control"

  2. NEVER allow anyone to logon as an administrator or power user, unless they are a member of the IT Staff / IT Consulting Firm that is responsible for the server, and they are logging on to perform administrative functions, i.e. installing software, performing a backup…

  3. Force "Empty Temporary Internet Files when browser closed" via Group Policy. This will delete most bad files from the Temp IE location of the user’s profile, and leave only the cookie files.

  4. Implement Roaming Terminal Server Profiles, Mandatory Terminal Server Profiles or Flex Terminal Server Profiles.

  5. Enable DeleteRoamingCache in the registry, or via "Delete Cached Copies of Roaming Profiles" in Group Policy. Since the Roaming Profile does not propagate the user’s Temp Directory, enabling this policy will usually delete anything the user downloaded unintentionally. This policy deletes the user’s local profile at logoff once it’s been successfully unloaded and copied to the roaming location.

  6. Install the User Profile Hive Cleanup Service, which helps to ensure user sessions are completely terminated when a user logs off. Without this service, user profiles are often not unloaded successfully, which causes the copy to the roaming profile location and the DeleteRoamingCache setting to fail.

  7. Install a Terminal Server compatible anti-virus scanner on each terminal server, a VSAPI anti-virus scanner on each SMTP Server, and an anti-virus scanner at the Internet Gateway.

  8. Set the Terminal Services Configuration Permission Compatibility to "Full Security" (Windows Server 2003), or to "Windows 2000 Users" (Windows 2000 Server). If you use "Permissions compatible with Terminal Server 4.0 Users" (Windows 2000 Server) or "Relaxed Security" (Windows Server 2003), each user logging on is added to the TSUser Security Group, which has the permissions and rights of the Power Users Group.

  9. Enable Software Restriction Policies in Group Policy, to define which files can be executed by users.

  10. If users need only one application, specify this program to start when they log on. This can be done for everyone via Group Policy or Terminal Services Configuration, or for specific users via Active Directory or a Local User Account.

  11. Consider locking down the user environment with a FREE program like BrsSuite, designed by Terminal Server Security Expert "Fabrice Cornet", of FC Consult, Belgium.

  12. Restrict access to applications normal users shouldn’t ever use, or that do not follow the policy restrictions in place, such as winfile and command.com.
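Items 1 and 5 above are the ones that can be verified mechanically. As an added example (not code from the original post), the script below reads the NTFS ACL on the root of the system drive and on Program Files with Get-Acl and reports every entry that grants more than the baseline listed in item 1 (Authenticated Users = Read and Execute, Administrators and SYSTEM = Full Control), then checks whether DeleteRoamingCache is set. It is read-only. The two registry locations used for DeleteRoamingCache (the Group Policy key and the Winlogon key) are assumptions to verify against your own documentation; the post names the value but not its location.

```powershell
# Added example, not from the original post. Read-only NTFS and registry audit
# of items 1 and 5 in the list above. Run with administrative rights.
Add-Type -AssemblyName System.Security   # FileSystemRights, PropagationFlags enums

$systemRoot   = $env:SystemDrive + '\'
$programFiles = $env:ProgramFiles

# Baseline from item 1, keyed by the account name as Get-Acl reports it.
$baseline = @{
    'NT AUTHORITY\Authenticated Users' = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'BUILTIN\Administrators'           = [System.Security.AccessControl.FileSystemRights]::FullControl
    'NT AUTHORITY\SYSTEM'              = [System.Security.AccessControl.FileSystemRights]::FullControl
}

function Test-FolderBaseline {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Inherit-only entries apply to children, not to this folder; skip them
        # so that Windows' generic "subfolders and files only" rules don't show as faults.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $who    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights

        if ($baseline.ContainsKey($who)) {
            # Bits granted beyond the baseline, e.g. AppendData (create folders) on the root.
            $extra = $rights -band (-bnot [int]$baseline[$who])
            if ($extra -ne 0) {
                New-Object PSObject -Property @{
                    Path = $Path; Identity = $who
                    Finding = 'Rights beyond baseline'
                    Rights  = [System.Security.AccessControl.FileSystemRights]$extra
                }
            }
        } else {
            # Any grant to an identity the baseline doesn't list (Everyone, Users, ...) needs review.
            New-Object PSObject -Property @{
                Path = $Path; Identity = $who
                Finding = 'Identity not in baseline'
                Rights  = $ace.FileSystemRights
            }
        }
    }
}

$findings = @(Test-FolderBaseline -Path $systemRoot) + @(Test-FolderBaseline -Path $programFiles)
if ($findings.Count -eq 0) { 'NTFS: no deviations from the baseline.' }
else { $findings | Format-Table Path, Identity, Finding, Rights -AutoSize }

# Item 5: DeleteRoamingCache. Both paths are assumed locations (policy key first,
# then the Winlogon key used when set directly in the registry).
$drcPaths = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
              'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
$drc = $drcPaths | ForEach-Object {
    Get-ItemProperty -Path $_ -Name DeleteRoamingCache -ErrorAction SilentlyContinue
} | Where-Object { $_ -ne $null } | Select-Object -First 1

if ($drc -and $drc.DeleteRoamingCache -eq 1) { 'DeleteRoamingCache: enabled' }
else { 'DeleteRoamingCache: NOT set (cached profiles stay on the server after logoff)' }
```

Entries reported as "Identity not in baseline" are prompts for review rather than definite faults: a default install also grants BUILTIN\Users read access on the root, and the post’s list deliberately names only the three principals that must remain.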

How can I provide the most secure access to terminal servers from the Public Internet? The RDP Protocol is secure and uses RSA Security’s RC4 cipher, at either 56 or 128 bits; however, the following should be considered when providing access to terminal servers over the Public Internet:


  1. Set the RDP-Tcp Encryption Level to "High" (Windows 2000 Server or Windows Server 2003).

  2. Define and enforce a strong password policy.

  3. If you require password authentication to access a Remote Desktop Web Connection (RDWC, aka TSAC or TSWeb), do so over an SSL Connection. Since you have to log on to the Terminal Server anyway, there really is no advantage to requiring authentication to access a RDWC.

  4. Do NOT use traditional client-to-server VPN to provide secure access to Terminal Servers. This may sound strange, but traditional client-to-server VPNs require connectivity over non-standard ports and client software on the remote computer. These often prevent remote users from being able to connect. In addition to the connectivity problems traditional VPN can cause, traditional client-to-server VPNs can open the corporate network to viruses, trojans or worms, because they extend the corporate network to the remote client.

  5. Do consider providing secure access to terminal servers via SSL VPN or a Terminal Server Secure Gateway, as these can provide access over standard ports like 443 or 80, which makes connectivity easy for remote users. These devices or software applications also provide access to a specific computer, or set of computers, instead of opening a secure tunnel to the entire corporate network.
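Item 1 is stored per listener and is easy to drift back to "Client Compatible" when a server is rebuilt. As an added example (not code from the original post), the script below reads the RDP-Tcp listener’s MinEncryptionLevel from the registry, names the level, and raises it to High when it is lower. The registry path and the meaning of the values (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant) are those used by Terminal Services Configuration; run it from an elevated prompt on the terminal server.

```powershell
# Added example, not from the original post. Audits and enforces the RDP-Tcp
# minimum encryption level (item 1 above). Requires an elevated prompt.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Meaning of MinEncryptionLevel as set by Terminal Services Configuration.
$levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpEncryptionLevel {
    $value = (Get-ItemProperty -Path $rdpKey -Name MinEncryptionLevel).MinEncryptionLevel
    New-Object PSObject -Property @{
        Level = [int]$value
        Name  = $levels[[int]$value]
        # High (3) and FIPS (4) both satisfy the post's recommendation.
        Compliant = ([int]$value -ge 3)
    }
}

function Set-RdpEncryptionLevelHigh {
    $current = Get-RdpEncryptionLevel
    if ($current.Compliant) {
        return ("RDP-Tcp encryption level is already {0} ({1}); no change." -f $current.Level, $current.Name)
    }
    Set-ItemProperty -Path $rdpKey -Name MinEncryptionLevel -Value 3 -Type DWord
    # Sessions already connected keep their negotiated level; new ones use High.
    return ("RDP-Tcp encryption level raised from {0} ({1}) to 3 (High); applies to new sessions." -f $current.Level, $current.Name)
}

Get-RdpEncryptionLevel | Format-List Level, Name, Compliant
Set-RdpEncryptionLevelHigh
```

Because the listener setting only governs the minimum the server will accept, clients that cannot negotiate High are refused after this change, which is the intended effect when the server is reachable from the Internet.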


Terminal Server & Citrix CMD Line Utilities

by BassQ on Dec.25, 2008, under Weblog

Terminal Services CMD Line Utilities:

Command            Function
change logon       Temporarily disables logons to a terminal server.
change port        Changes COM port mappings for MS-DOS program compatibility.
change user        Changes the .ini file mapping for the current user.
cprofile           Removes user-specific file associations from a user’s profile.
flattemp           Enables or disables flat temporary directories.
logoff             Ends a client’s session.
msg                Sends a message to one or more clients.
mstsc              Runs Remote Desktop Connection.
query process      Displays information about processes.
query session      Displays information about Terminal Services sessions.
query termserver   Lists Terminal Services servers on the network.
query user         Displays information about users logged on to the system.
register           Registers a program so that it has special execution characteristics.
reset session      Allows you to reset (delete) a session from the terminal server.
shadow             Allows you to monitor or remotely control an active session of another user.
tscon              Connects to another existing Terminal Services session.
tsdiscon           Disconnects a client from a Terminal Services session.
tskill             Terminates a process.
tsprof             Copies user configuration and changes the profile path.
tsshutdn           Shuts down a Terminal Services server.

Citrix CMD Line Utilities:

Command        Function
acrcfg         Configures auto-reconnect settings.
altaddr        Specifies the server's alternate IP address.
app            Runs the application execution shell.
apputil        Adds servers to the Configured Servers list for published applications (Feature Release 3 only).
auditlog       Generates server logon/logoff reports.
change client  Changes ICA Client device mapping.
chfarm         Changes the server farm membership of the server.
clicense       Maintains MetaFrame XP licenses.
cltprint       Sets the number of ICA Client printer pipes.
ctxxmlss       Changes the XML Service port number.
driveremap     Remaps the server's drive letters.
dscheck        Validates the integrity of the server farm's data store.
dsmaint        Configures the server farm's data store.
icaport        Configures the ICA TCP/IP port number.
imaport        Changes the IMA ports.
migratetomsde  Migrates the server farm's data store from a Microsoft Access database to an MSDE database (Feature Release 3).
mlicense       Adds multiple MetaFrame licenses to the server farm's data store.
query          Views information about server farms, processes, servers, ICA sessions and users.
tskill         Ends a process.
twconfig       Configures ICA display settings.
querydc        Determines the data collector for a given zone.
queryds        Queries the current information on the local zone data collector.
queryhr        Displays information about member servers in the farm.
qprinter
msghook        Run only when Citrix Technical Support asks for the information it produces.

Microsoft released an emergency security patch! Big Risk!

by BassQ on Oct.24, 2008, under Weblog

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

Microsoft advises every Windows user and administrator to update their machines.

Every currently supported Windows version is affected:

- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Service Pack 3
- Windows XP Professional x64 Edition and x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1 and Service Pack 2
- Windows Server 2003 x64 Edition and x64 Edition Service Pack 2
- Windows Server 2003 with SP1 and with SP2 for Itanium-based Systems
- Windows Vista and Windows Vista Service Pack 1
- Windows Vista x64 Edition and x64 Edition Service Pack 1
- Windows Server 2008 for 32-bit Systems (Server Core installations affected)
- Windows Server 2008 for x64-based Systems (Server Core installations affected)
- Windows Server 2008 for Itanium-based Systems

- Impact: Remote Code Execution
- Version Number: 1.0

For those looking for more details, Microsoft hosts a webcast today at 1:00 PM Pacific Time (US & Canada) to address customer questions on this out-of-band security bulletin (listed as October 23, 2008). Register for the out-of-band Security Bulletin Webcast at http://www.microsoft.com/technet/security/bulletin/summary.mspx .

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Everyone should be on the lookout for an emergency security update from Microsoft today. It is a Critical update for most Windows operating systems, but is only rated Important for Windows Vista.

http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

Even though it is only rated Important on Windows Vista, the fact that Microsoft is issuing this patch out of band must mean there are active exploits, so patch as soon as possible.
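
An added example, not code from the original post or the bulletin: a PowerShell audit that reports, for a list of hosts, whether the MS08-067 fix is installed and whether the vulnerable Server service is running. KB958644 is the knowledge base number Microsoft assigned to this bulletin; the host names are placeholders for your own inventory. The script needs WMI (RPC) access to each host, which is exactly the traffic that perimeter firewall best practice blocks, so run it from inside the network.

```powershell
# Added example, not from the original post: report which hosts still lack the
# MS08-067 fix. KB958644 is the knowledge base number Microsoft assigned to the
# bulletin; the host names are placeholders for your own inventory.
$computers = @('dc01', 'file01', 'ts01')
$kb        = 'KB958644'

$results = foreach ($c in $computers) {
    try {
        $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $fix = Get-WmiObject Win32_QuickFixEngineering -ComputerName $c `
                   -Filter "HotFixID='$kb'" -ErrorAction Stop
        # The flaw is in the Server service (lanmanserver). The bulletin's
        # workaround until the patch is on is to stop it (and Computer Browser)
        # and block TCP 139 and 445 at the firewall.
        $srv = Get-WmiObject Win32_Service -ComputerName $c `
                   -Filter "Name='lanmanserver'" -ErrorAction Stop
        New-Object PSObject -Property @{
            Computer      = $c
            OS            = ($os.Caption + ' ' + $os.CSDVersion).Trim()
            Patched       = [bool]$fix
            ServerService = $srv.State
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped; an
        # unreachable host is not a patched host.
        New-Object PSObject -Property @{
            Computer      = $c
            OS            = '(unreachable: ' + $_.Exception.Message + ')'
            Patched       = $null
            ServerService = $null
        }
    }
}

# Unpatched hosts with the Server service running come first in the report.
$results |
    Sort-Object Patched, ServerService |
    Format-Table Computer, OS, Patched, ServerService -AutoSize
```

Win32_QuickFixEngineering is used instead of Get-HotFix so the check also works from a PowerShell 1.0 console against Windows 2000 and XP targets, which have no PowerShell of their own.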


How to Filter MAC Address with the Windows Server 2003/2008 DHCP Server Callout DLL

by BassQ on Aug.13, 2008, under Weblog

As we all know, DHCP servers assign IP addresses and other configuration information to client computers running almost any operating system, from regular desktops and laptops to thin clients and mobile devices. All of these need a DHCP server to obtain their TCP/IP settings (unless you configure them manually). One of the major headaches with DHCP has always been that the moment a computer is connected to your network it asks for, and receives, an IP address from any available DHCP server. This happens for trusted and untrusted computers alike, which is a potential security risk for us administrators.

Didn't you ever wish you could use your Windows-based DHCP server to filter out unwanted MAC addresses? Until now the only options were to labor through configuring manual reservations for every known DHCP client, or to use third-party filtering hardware.

Well, now you can!

A while ago Raunak Pandya of the DHCP Server Team published a DLL that you can install on Windows Server 2003 and Windows Server 2008 DHCP servers to filter the DHCP requests the server accepts by MAC address. This DLL is called the "DHCP Server Callout DLL".

Note: A MAC address (Media Access Control address) is the hardware identifier of a network interface card (NIC), intended to be unique per card, and has the form 02-00-54-55-4E-01.

How does it work?

When a device or computer connects to the network, it first tries to obtain an IP address from any available DHCP server. With the Callout DLL installed, the DHCP server checks whether the requesting device's MAC address is present in the list configured by the administrator. Depending on the action the administrator configured, a match means the request is served (allow list) or ignored (deny list); a device that is ignored never receives a lease from this server.

MAC address based filtering lets the network administrator ensure that only a known set of devices obtains an IP address from the DHCP server, which adds a useful layer of hygiene to the network. Keep in mind what it does not do: a MAC address is trivially changed in the adapter settings, and a device that is refused a lease can simply configure a static IP address on the same segment, so this is not access control in the way that port-based authentication (802.1X) is.

Issues solved by using the DHCP Server Callout DLL

The DHCP Server Callout DLL helps network administrators solve one of the following problems:

  • Allow only a specific set of known MAC addresses to obtain an IP address from the DHCP server. This list is easily compiled from your server/client documentation, from good monitoring software such as SMS 2003, or with WMI-based scripts.
  • Deny machines with a specific set of MAC addresses an IP address from the DHCP server.

Unfortunately, DHCP Server Callout DLL can currently only perform one action. Either allow, or deny, specific MAC Addresses. It cannot do both.

The DHCP Server Callout DLL works on both Windows Server 2003 and Windows Server 2008 DHCP servers.

When installing, both the dll (MacFilterCallout.dll) and the Setup document (SetupDHCPMacFilter.rtf) are copied to the %SystemRoot%\system32 folder. On 64-bit operating systems, the location for installation is %SystemRoot%\SysWOW64.

Make sure you read the documentation before using the tool. As noted above, the documentation’s filename is SetupDHCPMacFilter.rtf, and you can find it in the %SystemRoot%\system32 folder.
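
As an added example, not code from the original post or from the DHCP Server Team, the following PowerShell script builds the allow list with a WMI query over the machines you already know (taken here from Active Directory; substitute your own inventory) and then registers the callout with the DHCP service. Two things are assumptions: the list file name (MACList.txt in %SystemRoot%\system32) and its MAC_ACTION header line are what I recall from SetupDHCPMacFilter.rtf, so verify them against the document before relying on them. The CalloutDlls (REG_MULTI_SZ) and CalloutEnabled (REG_DWORD) values under the DHCPServer\Parameters key are Microsoft's documented mechanism for loading any DHCP server callout DLL.

```powershell
# Added example, not code from the original post: build the MAC allow list for
# the DHCP Server Callout DLL from known machines, then register the DLL.
# Assumptions: known computers come from Active Directory (swap in your own
# inventory); the list file name and its MAC_ACTION header are as recalled
# from SetupDHCPMacFilter.rtf - check that document before relying on them.
# Run on the DHCP server as an administrator.

# Every computer object's DNS host name, skipping objects without one.
$known = ([adsisearcher]'(objectCategory=computer)').FindAll() |
             ForEach-Object { $_.Properties['dnshostname'] | Select-Object -First 1 } |
             Where-Object { $_ }

# WMI reports 02:00:54:55:4E:01; the filter list uses dashes, as in the note
# above. Only adapters with an IP configuration are of interest for DHCP.
$macs = foreach ($computer in $known) {
    try {
        Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $computer `
            -Filter 'IPEnabled=True' -ErrorAction Stop |
            Where-Object { $_.MACAddress } |
            ForEach-Object { $_.MACAddress -replace ':', '-' }
    } catch {
        Write-Warning "$computer unreachable, not added: $($_.Exception.Message)"
    }
}
$macs = @($macs | Sort-Object -Unique)

# One MAC per line after the action header. ALLOW means only these MACs are
# served; the DLL does one action or the other, never both.
$listPath = Join-Path $env:SystemRoot 'system32\MACList.txt'
@('MAC_ACTION={ALLOW}') + $macs | Set-Content -Path $listPath -Encoding ASCII

# Register the callout with the DHCP server and restart it to load the DLL.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
Set-ItemProperty -Path $params -Name CalloutDlls `
    -Value @("$env:SystemRoot\system32\MacFilterCallout.dll") -Type MultiString
Set-ItemProperty -Path $params -Name CalloutEnabled -Value 1 -Type DWord
Restart-Service DHCPServer

"{0} MAC addresses written to {1}" -f $macs.Count, $listPath
```

Hosts that were unreachable when the list was built are the ones that will call the help desk on Monday, which is why the script warns about them instead of skipping them silently; rerun it (or append by hand) before enabling the callout in a large environment.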

You can download the MacFilterCallout application from MacFilterCallout.zip.

For another article on this topic, you can take a look at Microsoft Windows DHCP Team Blog : DHCP Server Callout DLL for MAC Address based filtering.

