Kurt Shintaku's Blog

If you attended the “Heroes Happen Here” launch event for Microsoft Windows Server 2008, Visual Studio 2008, and SQL Server 2008, (and you stayed to retrieve your handout bag) you received a special DVD book/binder containing:

• Windows Server 2008 Enterprise Edition (both 32-bit & 64-bit edition discs)
• Visual Studio 2008 Standard Edition
• SQL Server 2008 Developer Edition Community Technology Preview 5.0 (November 2007)

What was also included in the front of the book, along with the licensing terms document was a voucher with a unique PIN on it for a complimentary copy of SQL Server 2008 Standard Edition when it releases.

• This valuable voucher expires EOD on June 2^nd, 2008.  (As in this coming Monday.)

ACTION:  Take the PIN printed on this voucher and go to http://www.sqlserverheroes.com to register it ASAP.  That voucher is useless after June 2nd!

The product will be PHYSICALLY shipped to you at the address you register with.  There is a frequently asked questions list available at:  http://www.sqlserverheroes.com/faq.aspx

The net-net of the article is that both security software such as  rootkit detection products and ESPECIALLY antivirus software really don’t protect users against rootkit installations.

ANTIVIRUS IS NOT ENOUGH
No antivirus program tested was able to detect all the rootkit vectors they were tested against, meaning that the world for the most part is vulnerable to some sort of rootkit, being that most people only have antivirus software installed on their machines as opposed to specialized anti-rootkit tools.

VISTA UAC SAVES THE DAY
Windows Vista User Account Control however was able to detect & block every rootkit installation attempt.  This provides users with at least a fighting chance to defend themselves from rootkit installations.

I’ve seen this a lot recently, implemented by folks that I would otherwise respect:  IT Departments setting users up with fingerprint-based
Windows domain authentication.

This is a bad idea. 

Recently, the topic came up again and was discussed internally amongst some of the techs here at Microsoft.

FINGERPRINTS ARE WEAK KEYS
Although many vendors attempt to refute this, fingerprints are generally weak keys used to protect stronger keys – the Kerberos token used by Active Directory.

The number of data points that are collected by fingerprint scanning devices represent a keyspace that is smaller with lower entropy than Microsoft’s own "strong password" restrictions.  In other words, in using a fingerprint for identification, you’d have a solution more vulnerable to brute force attacks than a typewritten password. It should be noted that brute force doesn’t necessarily imply "random password attempts" against the Active Directory:  Solutions like hash lookups on pre-cached tables stored on dual layer DVDs are known to rapidly accelerate attacks.

COPYING YOUR IDENTITY – STEALING YOUR FINGERPRINT
A coworker also pointed out that it’s relatively trivial to capture someone’s fingerprint then submit the capture to a fingerprint device as your own login.  The whole "CSI-picks-up-the-person’s-fingerprints-from-a-glass-of-water" trick very much works via the fairly well-publicized rubber cement technique:

• EXPLANATION: 
  http://www.schneier.com/crypto-gram-0205.html#5
  http://cryptome.org/gummy.htm
• VIDEO:  ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg

There aren’t really any known economical ways of preventing this as well.  While vendors have moved to a "swipe-and-scan" type of reader in most systems, this is ultimately equally vulnerable as well. 

FINGERPRINTS:  CONVENIENT FOR CONSUMERS, INSECURE FOR ENTERPRISES
There’s still very much a reason to look at fingerprint identification.  Securing things like your online mail account or the password to your blog might be good reasons to have fingerprint authentication for convenience to the consumer. 

For Enterprise customers however, there are so many other more secure solutions with relatively equal costs associated with them yet with much more flexible administration.  Here’s something to think about:

• Microsoft sells fingerprint identification hardware solutions, and yet…
• Microsoft uses smartcard authentication for every employee.

And by the way, what happens when someone’s been compromised?
…how does the Domain Administrator revoke your finger?

• For a more thorough discussion of the topic, read:
  It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct 
  http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx

Last month, one of my great dreams as a geek at Microsoft were fulfilled.  Today, a piece of technology that I’ve been yearning for for over 12 years finally became available to me.  Today, I got to experience something that has been on my hot list for a very long time.

Today… my Exchange Mailbox is "Unified Communications" enabled.

1. Hyperlinked Dialing
   Anytime a phone number is prefaced anywhere on my computer (within a Word document, in a Outlook email, in a Web page in Internet Explorer) with the prefix of "TEL:", I can with a single click dial the phone number.  My computer will automatically leverage Office Communicator and initiate a regular phone call through the speakers/microphone of my computer.  For example:

                 tel:3105551212

2. Roaming VOIP Phone
   Any person calling my office number not only rings the phone in my office but also rings my computer’s "soft phone" if I’m connected to the Internet.  This means that I can "pick up the call" on my computer and talk to the caller through the speakers/microphone on my computer, and if the call originates on Microsoft’s VOIP network, it’s received in full 64kbps high fidelity, i.e. CD quality audio.

   So I can be in Hawaii and if people call my office phone, I can pick up the call in the middle of a Starbucks using a Bluetooth headset… or just the speakers and microphone on my laptop if I’m in the privacy of my hotel room.

3. Converged Inbox & Voicemail
   Anytime a voicemail is left, it automatically appears in my Outlook 2007 inbox and appears as more than just an "attachment" which is the way most unified communication’s voicemail appear.

   Outlook examines the voicemail object and presents the voice mail as a SPECIAL object in Outlook which allows a person to not only listen to the voicemail but also rapidly type comments and notes into the same Outlook object.

   And y’know that ‘visual voicemail’ stuff that Apple has for the iPhone?  GOT IT.

4. Outlook Voice Access
   My Email, Calendar, & Contacts are all accessible over the phone from a central 800 phone number – the same phone number, I use to access my voicemail.

   When you call the phone, you can do all of the following using your voice or your keypad:

1. Read your email
2. Read back your calendar
3. Cancel meetings, request meeting rescheuling
4. Look up people’s contact info
5. …and more!

Advanced Group Policy Management v3.0 (part of the Microsoft Desktop Optimization Pack) is now available in beta through the connect site – but not as an open beta. 

It features support for 64bit, GP Pref, localization, customizable permissions and purging of history data. Through the customizable permission customers can enforce the use of AGPM. GA will be around end of Q3 CY08.

Details on new feature support:

• Full x64 support
  Both the client and server components fully support x64 architecture and operating systems. There is a 64 & 32 bit version of both the client and server. Wow64 is not be supported. This means that a 64-bit version of AGPM must be installed on a 64-bit version of the host Operating System and a 32-bit version of AGPM must be installed on a 32-bit version of AGPM. Communication between different bitness client and server is fully supported. This means that a 64-bit AGPM client can communicate with a 32-bit AGPM server and a 32-bit AGPM client can communicate with a 64-bit AGPM server.
  
• Windows Vista SP1 & Windows Server 2008
  Significant changes have been made to the GPMC in these OSs and AGPM depends on the GPMC interfaces extensively. Therefore this version of AGPM is only installable on Windows Vista SP1 with Remote Server Administration Toolkit (RSAT) or Windows Server 2008. Windows Vista SP1 does not have the GPMC integrated into the operating system. The GPMC needs to be installed on Windows Vista SP1 through an optional tool called RSAT prior to installing either the client or server.
  Note: Although version 2.5 will still be available for customers who do not plan to upgrade to these operating systems, version 3.0 client or service will not communicate with the version 2.5 client or service.
  
• Customizable permissions
  Version 3.0 allows the permissions deployed to a GPO to be customized. The default permissions are the same as version 2.5, however, custom permissions can be configured for each domain. The permissions configured on the “Production Delegation” tab will replace any permission already on a production GPO when it is controlled or deployed from the AGPM server. Applying the above permissions to the production GPO when taken into AGPM control will prevent changes to production GPOs from outside of AGPM as soon as a GPO is controlled.
  
• More robust change tracking
  The AGPM history has been changed to track more changes made to GPOs such as when/who made a request, when/who Approved/Rejected the request, when/who made changes to AGPM delegation, etc.
  
• Purge Historical data
  This version gives the AGPM administrator the ability to purge old data by specifying on the AGPM Server tab how many historical versions to retain. Purging old data deletes the data (GPO backup) from the archive so this data is no longer be accessible. The information about the historical action is, however, retained in the history and an entry is recorded in the history that data was purged. This means that if a checked in GPO from 6 months ago was purged, reports, etc. cannot be run against it but the history view still shows that a check-in was performed.
  
• Group Policy Preferences Support
  This version fully supports the new Group Policy Preferences (GPP) functionality added to Windows Server 2008.
  
• General UI improvements
  Changes have been made to field names and ordering to better describe the information contained in the field. Additionally the order in which the fields are displayed has been changed to make more pertinent information easier to find.
  
• Localization
  Localized in 13 additional languages which will be available 3 months after English version ships. (Beta is English only)

BETA REGISTRATION
If you are a customer of mine and are interested in participating, please contact me and I can help get you enrolled.

Check this out:  It’s a 39 Minute, 227MB Silverlight video showcasing 31 different demos of some of the latest and coolest innovations/developments from Microsoft Live Labs. (Be sure to check out the 9 Gigapixel photo zoom demo of Sea Dragon & Virtual Earch HDView.  We’ve had this for half a decade now but it’s only now possible for public consumption)

ENTIRE VIDEO:  http://gobeyond.net.nz/thirtydemos.htm

1. Microsoft Research Group Shot
2. Sea Dragon (TED Video)
3. Photosynth
4. Microsoft Research HD View (Auckland, Wellington)
5. Virtual Earth (Live Labs on the Map)
6. Bill Buxton’s Presentation from Expression around the Clock
7. Microsoft Surface
8. Silverlight 1.1 Alpha Surface Demonstration (Video Support)
9. French Silverlight 1.0 Application (Script#)
10. Tablet Features in WPF – Inking Over Video Sample, Ink Support Silverlight 1.0, Silverlight Ink SDK Sample
11. Silverlight 1.0 Inking Search Sample
12. Live Image Search (filters)
13. Tafiti Search Visualization
14. GPS location based interactive community (Where is Frank?)
15. Silverlight 1.1 Alpha Invaders – Code
16. Contoso Bicycle Club – Windows Live Quick Applications
17. Live Messenger Integration Demo – Details
18. http://backgroundmotion.com – Code/ Source Code
19. Microsoft Popfly
20. Windows Live Photo Gallery
21. Windows Home Server
22. LCI Intégrale
23. Livestation
24. WebGuide
25. hsn.tv
26. thirteen23 :: denounce
27. How About It?
28. the-hub.tv
29. Glenn Conner Interview – Amazon Demo Silverlight 1.1 Alpha
30. Building a 3D WPF Gesture Application – Code
31. Building a Video Player in 8 mins with Silverlight 1.0

On May 20th Microsoft announced with Citrix, the immediate availability of a new branch office appliance that optimizes application delivery to remote branch offices.

This appliance accelerates applications over the Wide Area Network and pre-positions application content closer to branch office users, called the Citrix Branch Repeater this appliance will be sold by Citrix as part of the Citrix Delivery Center™ product family, an end-to-end infrastructure designed to help customers transform static datacenters into dynamic delivery centers.

Just as digital television repeaters amplify and retransmit media signals to homes in a given neighborhood, Citrix Branch Repeater sits between corporate datacenters and branch offices, amplifying and retransmitting applications to branch office users. The Citrix Branch Repeater provides an ideal complement to application virtualization solutions, enhancing application delivery and performance while simultaneously delivering critical Windows Server infrastructure services in the branch.

News in the branch office market has been dominated in recent years by WAN optimization appliances. These appliances accelerate access to applications over the WAN and minimize bandwidth utilization. This compelling value prop allows customers to centralize their server infrastructure while mitigating challenges of performance degradation and reducing their monthly WAN costs. Over the last year we have seen these appliances, often built on Linux, move up the stack and offer services such as print, DNS, DHCP, authentication, and security. WAN optimization appliances with Windows Server present a tremendous opportunity for us to protect the Windows socket in the branch office to ensure that our customers remain committed to our core infrastructure services from the datacenter to the branch. We believe this socket will be a valuable platform on which to sell additional services such as management, security and unified communications offerings to the branch customer. As customers investigate WAN optimization alternatives, it is critical that we engage them early to help them understand the value of joint solutions like the Citrix Branch Repeater.

While the current version of the Citrix Branch Repeater is built on Windows Server 2003 and ISA Server 2006, Citrix has begun development and testing of the Branch Repeater on  Windows Server 2008 and will provide an update on availability of these versions of the Windows 2008 based product at a later date.  

The enclosed press release and FAQs contains more detailed information. We have also scheduled an Academy Live session on June 3rd titled – Branch Office Infrastructure: Partners Competitors, and Opportunities. This session will cover this announcement as well as branch office products from our partners Cisco and Packeteer.

Hyper-V RC1 was released to web and is now available for testing. Please note the linked details related to upgrading and testing.

In addition, the most current details can be located in Taylor Brown’s blog. This is also an excellent resource as you move forward with your solutions.

• http://blogs.technet.com/virtualization/archive/2008/05/20/hyper-v-rc1-release-available-on-microsoft-download-center.aspx

One key item to note is the inability of the VMM beta to be used with RC1. If you are also testing VMM please review the details located in Rakesh Malhorta’s VM Management TechNet blog:

• http://blogs.technet.com/rakeshm/

Windows Server 2008 x64 Hyper-V RC1 Update – KB950049
This is the Hyper-V RC1 package for Windows Server 2008 x64. This package must be installed on Hyper-V server’s (physical machines).  It includes the Hyper-V Server components for Full and Core installs, the Hyper-V Integration Components for Server 2008 x64 (see note below for RC1 improvements over RC0) and the Hyper-V Management Components for Full Windows installs.
Note This package is permanent.  Once installed, it cannot be uninstalled.  So you can’t go back to RC0 or Beta after installing RC1.

Windows Server 2008 x86 Hyper-V RC1 Update – KB950049
This is the Hyper-V RC1 package for Windows Server 2008 x86. This package includes only the Hyper-V Management Components for Full Windows installs and the Hyper-V Integration Components for Server 2008 x86 (see note below for RC1 improvements over RC0).  It does not contain the Hyper-V Server components, Hyper-V is x64 only!
Note This package is permanent.  Once installed, it cannot be uninstalled.  So you can’t go back to RC0 or Beta after installing RC1.

Hyper-V Management For Windows Vista SP1 -KB949587 
I highly recommend John Howard’s 5 part post on Hyper-V Remote Management.
Windows Vista SP1 – x86 Update
Windows Vista SP1 – x64 Update

Hyper-V RC0 to RC1 Upgrade Considerations

• Saved-state files are not supported between RC0 and RC1 releases of Hyper-V.  All virtual machine saved states should be discarded before upgrading to RC1, or prior to resuming virtual machines after upgrading to Hyper-V RC1. 
• Online snapshots contain virtual machine save-states and thus online snapshots taken with Hyper-V RC0 are not supported after updating to Hyper-V to RC1.  Either apply any online snapshots and shut down the VM or discard the virtual machine save state associated with the snapshot before or after the update to Hyper-V RC1.
• System Center Virtual Machine Manager 2008 Beta does not support Hyper-V RC1.
• New Integration Components (ICs) must be installed for your supported guest operating systems.  Integration Components are specific to the build of Hyper-V.  RC1 Integration Components for all supported Windows Operating Systems are provided using the ‘Action’ -> ‘Insert Integration Services Setup Disk’ action.

RC1 Integration Components for all supported Windows Operating Systems are now part of the IC Setup Disk.  This now includes Windows Server 2008!  Simply install the Hyper-V RC1 Integration Components for Windows Server 2008 the same way you do all other Windows ICs (‘Action’ -> ‘Insert Integration Services Setup Disk’). 
Note You need to close the found new hardware wizard before setup will begin on all Windows Operating Systems.

Improvements Over Hyper-V RC0
In addition to bug fixes and stability improvements we also made some additional changes largely based on feedback from customers.

• Integration Components For Windows Server 2008 guest’s included in Integration Services Setup Disk
• New Graphics for Hyper-V Manager and Virtual Machine Connection – including a “Now” icon in the snapshot pane
• IPv4 Address Migration – when creating a new Virtual Network bound to an adapter with a static IPv4 address the IPv4 settings are migrated to the new virtual adapter

Both TechNet & MSDN are now hosted completely on Hyper-V, Microsoft’s "Hypervisor" technology for Server Virtualization. 

These are two of Microsoft’s largest Internet properties:

• Technet receives 1 million hits daily
• MSDN receives 3 million hits daily

We believe this is a great demonstration of the scalability, performance and reliability of Hyper-V. 

Below is a link to a whitepaper on the migration implementation:
DOWNLOAD:  http://www.virtualization.info/2008/05/microsoft-migrates-msdn-and-technet-on.html

And in case you are interested in downloading the Hypervisor itself (for use with Windows Server 2008):
DOWNLOAD:  http://www.microsoft.com/downloads/details.aspx?FamilyID=7edaa89f-9f64-488d-93c0-858d2d8799df&DisplayLang=en

QUESTION:
What do all of these web sites have in common?

• Hawaiian Airlines
• Viacom
• Paul Mitchell
• Pfizer
• Microsoft
• Jabra
• Xbox
• Verizon Business
• Viacom
• LoJack Corporation
• Library of Congress
• Energizer Battery
• AMD Developer Central
• Thomson
• U.S. Marines
• Kroger
• Fiat
• Swatch
• Victorinox – Swiss Army
• AMD Developer Central
• Canon Technology Solutions
• Dell Financial Services
• SpeakTech
• ShareSquared

.
.
.

ANSWER: 
Every web site listed is running on an externally facing implementation of Microsoft Sharepoint Technologies.  Some "Windows Sharepoint Services"-based, most "Office Sharepoint Server 2007"-based.

• http://www.wssdemo.com/Pages/websites.aspx
• http://blogs.msdn.com/nay/pages/moss-based-internet-sites-live.aspx