Archives for June 2012

New HP Service Pack for ProLiant (2012.06.0 (B))

Yes, it’s that time of year for HP to release their updated HP Service Pack for ProLiant, which is now up to version 2012.06.0 (B). You can find the 514 page release notes (yes that is not a typo, 514 pages) here. This update includes a number of fixes to SUM (now up to version 5.1), firmware for a slew of Gen8 servers, firmware updates for other servers, and driver updates for Windows/Linux. As always these support packs have 12 months of support. To download the HP SPP click here. You can find a good documentation matrix here for this and previous versions.

New HP ESXi 4.1 U2 and 5.0 U1 Custom ISO Media

UPDATE 10/26/12: A new blog post with updated links is here.

HP just released their June 2012 VMware ESXi 4.1 U2 and ESXi 5.0 U1 ISO installation media. Nearly every driver in this custom ISO has been updated from the previous release. You can find the entire driver set versions here. HP did NOT roll in the latest security updates, so they are still just shipping ESXi 5.0 build 623860. As of the date of this writing the latest build is 721882, which addresses a number of security issues.

You can download the ESXi 5.0 custom image here and the ESXi 4.1 custom image here. As always, these updates are free to download but you do need to register. If you wish to build your own HP custom ISO with the security patches rolled in, check out my article here. However, use the latest drivers listed in the HP media release notes, not the older versions referenced in my previous blog article.

Given the plethora of driver updates, I would recommend you download the updated drivers from the driver set page here and push them out via VUM to your production servers, after adequate testing.

HP Virtual Connect Firmware Update v3.60

For all of you HP BladeSystem customers, here’s a heads up that HP released v3.60 of their Virtual Connect firmware package. You can download the full Release Notes here. Take note that this release fixes a couple of security issues, so even if the bug fixes don’t apply to you, consider updating to resolve the known security issues. Also, in the list of known issues there is an outstanding unresolved security issue for CVE-2010-4180 that you should be aware of, which is a cipher suite downgrade attack against OpenSSL. This was disclosed in 2010, so it’s a bit disappointing that HP can’t fix it in a more timely fashion.

The following issues have been resolved in the VC 3.60 release:

• Resolved an issue where the restore domain operation would fail if any of the storage blades were in a power-on state.

• Resolved an issue with concurrent server hot-plug that could leave a server disconnected from assigned networks. Applied to servers with Flex-10 or Flex-Fabric ports with assigned profiles.

• Resolved an issue observed on multi-blade servers with a multi-port mezzanine card where HP-UX had an extended boot time and the EFI driver did not attach to the multi-port mezzanine card. This happened when a multi-port mezzanine card had only a single Ethernet connection assigned to a port and the other ports did not have connections assigned.

• Resolved an issue with the HP VC 1/10Gb-F module when using mixed media types (RJ45 and SFP) in an LACP channel, where when the VC module was reset, the channels using SFP did not rejoin either channel.

• Previously, to enable SMIS you also had to enable SNMP. Now SNMP and SMIS can be independently enabled.

• Resolved an issue where the downlinks from some HP servers were shut down by SmartLink during a firmware upgrade.

• Resolved an issue where the CLI did not block restoring a configuration when any of the servers were still powered on.

• Resolved an issue where the VCM GUI did not allow ‘@’ and ‘#’ as part of a VCM user password, but the VCM CLI did not have these restrictions.

• Resolved an issue where VC or VCEM changed the boot order with the FC HBA boot parameters being configured, and the end result was not what was expected.

• Resolved an issue where VCM enabled server ports with no network connections. For example, if a simple server profile had only one Ethernet connection, which mapped to LOM1, then only LOM1 should be enabled. However both LOM1 and LOM2 were enabled.

• Resolved an issue where if a pair of FCoE connections were added or removed from a profile with sufficient Ethernet network connections to be using subport2, unexpected behavior may have occurred for the subport2.

• Resolved an issue where using the HP BLc Virtual Connect 1Gb RJ-45 Small Form Factor Pluggable Option Kit (Part Number 453154-B21) or HP BLc VC 1Gb SX SFP (Part Number 453151-B21) on a HP VC Flex-10 10Gb Ethernet Module for c-Class BladeSystem caused Cyclic Redundancy Check (CRC) errors during normal operation after a period of time, and then the link might go down. This issue only occurred with the HP VC Flex-10 10Gb Ethernet Module. When the link went down, Virtual Connect reported the link as down; however, the link to the external switch was still maintained. This fix resolved the Engineering Advisory c03208179.

• Resolved an issue where OpenSSH used by VC was vulnerable to NIST alerts CVE-2008-5161 and CVE-2008-1483.

• Resolved an issue where the Apache HTTP Server used by VC was vulnerable to the NIST alert for Denial Of Service Vulnerability CVE-2011-3192.

VMware Security Patches Released for Several Products

VMware released a security advisory on June 14, 2012 and patch for a variety of virtualization products. Details of the affected products and the vulnerabilities are below. You can download the ESX(i) patches from here.

VMware Product   Product Version   Running on   Replace with / Apply Patch
==============   ===============   ==========   ==========================
vCenter          any               Windows      not affected
Workstation      8.x               any          8.0.4 or later
Workstation      7.x               any          7.1.6 or later
Player           4.x               any          4.0.4 or later
Player           3.x               any          3.1.6 or later
Fusion           4.x               Mac OS/X     4.1.3 or later
ESXi             5.0               ESXi         ESXi500-201206401-SG
ESXi             4.1               ESXi         ESXi410-201206401-SG
ESXi             4.0               ESXi         ESXi400-201206401-SG
ESXi             3.5               ESXi         ESXe350-201206401-I-SG
ESX              4.1               ESX          ESX410-201206401-SG
ESX              4.0               ESX          ESX400-201206401-SG
ESX              3.5               ESX          ESX350-201206401-SG

VMware Host Checkpoint File Memory Corruption
Certain input data is not properly validated when loading checkpoint files. This might allow an attacker with the ability to load a specially crafted checkpoint file to execute arbitrary code on the host.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3288 to this issue.

The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: None identified.
Mitigation: Do not import virtual machines from untrusted sources.

VMware Virtual Machine Remote Device Denial of Service
A device (for example CD-ROM or keyboard) that is available to a virtual machine while physically connected to a system that does not run the virtual machine is referred to as a remote device. Traffic coming from remote virtual devices is incorrectly handled. This might allow an attacker who is capable of manipulating the traffic from a remote virtual device to crash the virtual machine.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3289 to this issue.

The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.
Workaround: None identified.

Mitigation:

  • Users need administrative privileges on the virtual machine in order to attach remote devices.
  • Do not attach untrusted remote devices to a virtual machine.
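The build numbers in the HP ESXi ISO post above (the June media ships ESXi 5.0 build 623860, while the patched build is 721882) and the patch table in this advisory are exactly the kind of thing that drifts in a large inventory. The following PowerCLI snippet is an added example of mine, not code from the original post or from VMware: it flags hosts whose build is below the minimum for their version. The only threshold taken from the post is 721882 for ESXi 5.0; any other version is reported as unknown rather than silently passed, and the entries you add for 4.x (from the advisory's KB articles) are your own assumption to verify. The sample inventory at the bottom is constructed for offline demonstration.

```powershell
# Added example (not from the original post or VMware): report ESXi hosts still
# running a build older than the one carrying the June 2012 security patches.
# Requires VMware PowerCLI for live use; the offline demo at the bottom does not.

# Minimum acceptable build per Version string as Get-VMHost reports it ("5.0.0").
# 721882 comes from the post; add 4.x entries from the advisory's KB articles yourself.
$MinimumBuild = @{
    '5.0.0' = 721882
}

function Get-UnpatchedHost {
    # Accepts objects shaped like Get-VMHost output (Name, Version, Build) and
    # returns those below the required build, plus any whose version has no
    # threshold, so an unknown version is never treated as "fine".
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $VMHost,
        [hashtable] $Minimum = $MinimumBuild
    )
    process {
        foreach ($h in $VMHost) {
            $required = $Minimum[[string]$h.Version]
            $status = if ($null -eq $required) { 'UnknownVersion' }
                      elseif ([int]$h.Build -lt $required) { 'NeedsPatch' }
                      else { 'OK' }
            if ($status -ne 'OK') {
                [pscustomobject]@{
                    Name          = $h.Name
                    Version       = $h.Version
                    Build         = $h.Build
                    RequiredBuild = $required
                    Status        = $status
                }
            }
        }
    }
}

# Live use against vCenter (PowerCLI cmdlets):
#   Connect-VIServer vcenter.example.local      # hostname is a placeholder
#   Get-VMHost | Get-UnpatchedHost | Format-Table -AutoSize

# Offline demonstration with constructed host records (not a real inventory):
$sample = @(
    [pscustomobject]@{ Name = 'esx01'; Version = '5.0.0'; Build = '623860' }   # HP June ISO build -> NeedsPatch
    [pscustomobject]@{ Name = 'esx02'; Version = '5.0.0'; Build = '721882' }   # patched -> not listed
    [pscustomobject]@{ Name = 'esx03'; Version = '4.1.0'; Build = '582267' }   # no threshold -> UnknownVersion
)
$sample | Get-UnpatchedHost | Format-Table -AutoSize
```

Build comparison is a coarse check: a host can be on the right build and still be missing a later individual bulletin, so treat this as a first pass before a proper VUM compliance scan, not a replacement for one.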

SIA200: Cyber Security Defenses: What works today

This is one of those sessions that you sit back and just don’t know what to say at the end, it’s so good and so profound. The message is that if your company hasn’t yet been compromised, it will be. Once a workstation is compromised, it takes on average only 24-48 hours before the attacker escalates to domain admin and literally owns your entire network. Pass the hash attacks can be done in as little as 6 minutes and are used in nearly every attack today. Even a single privileged account used on the wrong computer can lead to the compromise of an entire domain. It is extremely critical that you understand these attacks, and the measures required to mitigate them.

They gave one example of Wells Fargo. They are the poster child for securing their environment in such a way that they have no permanently active domain admin, server admin, or workstation admin accounts, yet they can operate effectively and in a highly secure manner. A pass the hash attack against Wells Fargo would be extremely difficult. Yes, you can remove permanent administrator rights from everyone, including all of IT, and still function efficiently. In fact, if you want to mitigate a major attack vector, you MUST do this. Deploy all the IDSes, firewalls and sniffers you want, but they can’t hold a candle to properly locking down privileged accounts and completely rethinking how you use them. This is NOT optional.

This session was so jam packed with information that I didn’t get more than 75% of the highlights captured below. If you attended TechEd this is a must watch video for everyone. Hopefully it will be posted on Channel 9 so everyone can watch it. It’s just that good (and scary).

  • Determined Adversaries and Targeted Attacks (DA/TA)
    • Think “organizations stealing data with full-time employees (FTEs)” not casual hackers or viruses
    • If you are targeted, they want (and may already have) your IP
    • Even if you don’t think you could be targeted, you probably are a target. They may not want the secrets to your widgets, but maybe they want something else you have like banking contract details for a business partner. Or maybe they really DO want the secret to your widgets.
  • DA/TA Common Technical Tactics
    • Gain control of your identity store – Find out who is who, who works for whom, what groups people are in, etc. Capturing credentials is secondary, since they already own your network. Knowing who is who in your org is key for the adversary.
    • Public Data – Admin rights, interesting projects/groups. Even without domain admin rights, AD provides a lot of data to authenticated users with the right tools.
    • Secrets – passwords/hashes for users
    • Download terabytes of your data
      • Large initial exfiltrations typically
      • Then target specific data
    • Hide custom malware on multiple hosts. Some only call back every few weeks or months. Very, very hard to detect.
  • Cyber Attack Techniques
    • Targeting, phishing, pass the hash, custom malware, application exploit.
      • Note: Pass the hash is extremely worrisome. Pentesters can get domain admin in 6 minutes, and the average APT can get domain admin in 24-48 hours.
      • Only ONE instance the MS team is aware of that the attacker did NOT use pass the hash. Everyone knows it and uses pass the hash.
      • SQL injection is HUGE and extremely scary.
    • Pass the Hash – Here’s how it works
      • Bad guy targets workstations en masse
      • Users running as local admin compromised, bad guy harvests credentials
      • Bad guy starts ‘credential crabwalk’
      • Bad guy finds a host with domain privileged credentials, steals them, and elevates privileges
      • Bad guy owns the network and can harvest whatever they want
      • Bad guys can create workstation problems so the helpdesk has to login and fix it, thus capturing credentials
      • *Windows Credential Editor* (security researcher tool) Demo
        • wce -e (sits and waits to grab credentials)
        • wce -s (used to inject hash and access resource like fileshare)
        • wce -w (pulls plaintext password out of memory)
      • Windows keeps credentials in a recoverable form in LSASS memory (which is what wce -w reads), regardless of password length and regardless of the AD “store passwords using reversible encryption” GPO option, which governs the directory database, not what LSASS holds in memory
  • What can be done?
    • Know what matters
    • Effective workstation and server defenses
    • Protect Key identities and roles
  • Protecting the Crown Jewels
    • Do not try to protect all assets equally – you can’t
    • Identify and protect intellectual property that is valuable to the org and to potential attackers
      • Foreign and domestic competitors
      • Would-be competitors
      • Governments, etc.
    • Multi-factor authentication (smart cards, etc.)
    • Strict security requirements
    • Hardened systems
    • Asset isolation
    • Concentric rings of security
  • Protect your Hosts
    • Move users out of local admins groups
    • Get current / stay current
    • Implement exploit mitigation
    • Patching, compliance, and configuration management
    • End-user education
  • Get Current/Stay Current
    • All applications must be updated
    • #1 patch, patch, patch. Don’t take months to update software.
    • Not just OS patches – OS only attacked 15% of the time, 85% are app attacks
    • Firmware attacks are now a concern – HP printers need a firmware update for a remote firmware exploit
    • Make sure the devices and appliances that protect your network
    • Windows 8 secure boot protects against firmware attacks
    • Printers are a huge problem…update firmware!!!!!
  • Microsoft EMET (Enhanced Mitigation Experience Toolkit)
    • No application re-compile required
    • Mitigations apply to opted-in application and its plug-ins
    • Strongly recommended
    • With Windows XP and using EMET, the number of exploitable attacks went from 120 to 7
  • Effective End-User Education
    • Do your end-users know that the most likely way they can be exploited is by visiting a website you go to all the time and trust?
    • Do your end users know what their anti-malware warning looks like? Include screenshot of virus warnings in your user training materials.
  • Asset Isolation
    • Firewalls are old news
    • Do traffic analysis, who needs to talk to what?
    • Should server A speak to server B?
    • Should workstation A be able to connect to all servers?
    • If not, isolate!
    • Do detailed traffic flow analysis for internal traffic. Bing netflow analysis.
  • Creative Destruction
    • Gartner term for a method of decommissioning legacy applications and systems
    • Catalogue the entire environment and what each system does (most customers do not have this)
    • Identify redundancies (FedEx did this)
    • Create new specs for what their applications need to do, then identify a cloud provider and do a wholesale migration effort
  • Protect your AD and key identities
    • Practice credential hygiene
    • Implement multi-factor authentication
    • Reduce broad and deep privileges
  • Credential Hygiene
    • Privileged accounts log onto sufficiently secured hosts
    • Domain admin logs on to an Internet connected workstation = the security of the entire domain is entrusted to that workstation
    • ***Separate the risk from privileged credentials
    • Can require detailed design/re-design of privileges, host security, and logon rights GPOs
    • Rule of thumb: Protect admin workstations at the same level of the servers/apps administered by accounts using them
  • Compartmentalization
    • Production domain admins – Very infrequently used
    • High Business Impact server admins (HBI)
    • Server Admins
      • SQL admins
      • Exchange Admins
      • SharePoint Admins
      • Server Admins
    • Workstation admins
  • Multi-factor authentication
    • What you know (password, PIN, etc.)
    • What you have (smart card, token, cell phone, etc.)
    • Biometric measurement (fingerprint, retina, etc.)
    • Ensure remote attackers can’t use identity over internet
      • Smart cards can be remotely duplicated
  • Privilege Reduction
    • Why? Because it only takes one privileged account to:
      • Modify GPOs
      • Place malware on DCs
      • SID history manipulation
      • Migration APIs
      • Debugger attacks
      • Disk editors
      • A lot of other bad stuff
    • Eliminate accounts that have both broad and deep privilege
    • Have NO permanent enterprise admins, domain admins, administrators. You SHOULD have to check out the password every time you need to use it.
    • Wells Fargo is a case study for an admin free active directory. If someone gets added, lots of people are paged. Company can function normally!!
  • Role-Based Access Controls (RBAC) for IT
    • Least privilege model for IT operations
  • Use jump servers
    • Domain admins cannot log on to any server or workstation directly
    • Give each admin their own personal jump box VM and power it down after it is used so cached credentials are not kept.
  • Privileged Identity Management
    • Time-bound, workflow generated, monitored and reported
  • Mechanics of RBAC (IT) and PIM
    • Powerful proxy accounts are NOT preferable
    • Push back on vendors that require “domain admin” or other powerful service accounts. Customers have the power to change vendor’s behavior, not Microsoft.
  • Sample Approaches to secure built-in Administrator Accounts
    • Set administrator account flags
      • Account is disabled
      • Smart card is required for interactive logon (even if you don’t use smart cards)
      • Account is sensitive and cannot be delegated
      • Audit and alert on any changes to the account
      • Create/modify a domain-level GPO that denies the account logon rights on computers
  • Microsoft offers a whole host of security based services to help implement best practices and help organizations recover from compromises, and help harden against them.
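The built-in Administrator flags listed under “Sample Approaches” above map directly onto ActiveDirectory module cmdlets. The script below is an added example of mine, not code from the session or from Microsoft. It locates the account by its well-known RID (500) rather than by name, so it still works after the account has been renamed, applies the three account flags, reports compliance as objects a monitoring system can consume, and pulls the Security event (4738, “A user account was changed”) that backs the “audit and alert” item. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that the “Audit User Account Management” subcategory is enabled on the domain controllers. The logon-right denial is a Group Policy user rights assignment, so it is only described in a comment.

```powershell
# Added example (not from the session or Microsoft): harden and verify the
# built-in domain Administrator account per the flags listed in the session.
Import-Module ActiveDirectory

function Get-BuiltinAdministrator {
    # The built-in Administrator is always <DomainSID>-500, whatever it is named.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" `
        -Properties Enabled, SmartcardLogonRequired, AccountNotDelegated, LastLogonDate
}

function Protect-BuiltinAdministrator {
    # Applies: disabled, smart card required, sensitive/cannot be delegated.
    # Keep the account's password in your break-glass vault before disabling it.
    param([switch] $WhatIf)
    $admin = Get-BuiltinAdministrator
    Set-ADUser -Identity $admin -SmartcardLogonRequired $true -AccountNotDelegated $true -WhatIf:$WhatIf
    Disable-ADAccount -Identity $admin -WhatIf:$WhatIf
    # The "deny logon" item is a GPO, not an AD attribute. In a domain-level GPO under
    # Computer Configuration > Windows Settings > Security Settings > Local Policies >
    # User Rights Assignment, add the account to: Deny log on locally, Deny log on
    # through Remote Desktop Services, Deny access to this computer from the network,
    # Deny log on as a batch job, Deny log on as a service.
}

function Test-BuiltinAdministrator {
    # One object per expected flag; Compliant=$false is what you alert on.
    $admin = Get-BuiltinAdministrator
    $checks = [ordered]@{
        'Account disabled'    = (-not $admin.Enabled)
        'Smart card required' = [bool]$admin.SmartcardLogonRequired
        'Cannot be delegated' = [bool]$admin.AccountNotDelegated
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Account   = $admin.SamAccountName
            Check     = $name
            Compliant = $checks[$name]
        }
    }
}

function Get-AdministratorChangeEvents {
    # Event 4738 is written on whichever DC processed the change; the PDC emulator
    # is only a convenient default, query every DC for real coverage.
    param(
        [int] $Hours = 24,
        [string] $DomainController = (Get-ADDomain).PDCEmulator
    )
    $sid = (Get-BuiltinAdministrator).SID.Value
    $ms  = $Hours * 3600000
    $xpath = "*[System[EventID=4738 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TargetSid']='$sid']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
}

# Dry run first, then apply, then verify:
#   Protect-BuiltinAdministrator -WhatIf
#   Protect-BuiltinAdministrator
#   Test-BuiltinAdministrator | Format-Table -AutoSize
#   Get-AdministratorChangeEvents -Hours 72 | Select-Object TimeCreated, Id, MachineName
```

Note that disabling the built-in Administrator does not block its use in Directory Services Restore Mode or safe mode, which is why the smart card and delegation flags and the deny-logon GPO are applied in addition, not instead.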

WCL286: Windows 8 Malware Resistance

This was a REALLY great session on the significant advances Microsoft has made in Windows 8 to increase its security posture. They claim whole classes of attacks have been mitigated by a combination of Windows 8 and hardware features such as UEFI and TPM. There are other security features that don’t rely on the very latest hardware, such as much stronger ASLR and DEP for OS components. Although not specifically mentioned in this session, Windows Server 2012 is built on the same code base so many of the features mentioned below apply to WS 2012 too.

Note, if you are thinking of virtualizing Windows 8 for VDI, at the time of writing there is no hypervisor that can virtualize a TPM. So you will not get a lot of the benefits of trusted boot, measured boot, and remote attestation that you get with physical Windows 8 instances on appropriate hardware. If you will be using Windows 8 for VDI, make sure you understand what security features you cannot take advantage of and how the loss of those features will affect your security posture.

One cool scenario that is possible with a physical Windows 8 instance, UEFI, a TPM and a Windows Server 2012 file server is the ability of the file server to validate the health claim of the Windows 8 client before it allows access to the file share. The validation builds on Secure Boot, Measured Boot and the measurements stored in the TPM to give a very high degree of confidence that the OS has not been tampered with and can be trusted. But this remote attestation is only available on physical Windows 8 clients with UEFI and a TPM, so VDI implementations will not be able to use this powerful security feature.
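Before assuming a client can take part in the health-claim scenario above, it is worth checking what it actually has. The following script is an added example of mine, not from the session or from Microsoft: run elevated on a Windows 8 client, it reports whether the machine boots via UEFI with Secure Boot on, whether a TPM is present and which spec version it implements, and whether Measured Boot has been writing its logs. It uses the Confirm-SecureBootUEFI cmdlet (SecureBoot module, Windows 8 and later) and the Win32_Tpm WMI class; the “looks virtual” heuristic based on the model string is my own assumption and is informational only.

```powershell
# Added example (not from the session or Microsoft): summarise the hardware
# prerequisites for Secure Boot, Measured Boot and remote attestation on a client.
# Run from an elevated PowerShell 3.0+ prompt on Windows 8 or later.

function Get-BootSecurityPosture {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Assumption: model strings used by common hypervisors; informational only.
    $looksVirtual = $cs.Model -match 'Virtual|VMware|VirtualBox|HVM'

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on
    # legacy BIOS, so an exception is read as "not booted via UEFI".
    $uefi = $true
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $uefi = $false }

    # Win32_Tpm is only instantiated when a TPM is present and enabled.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Measured Boot writes one TCG log per boot here when measurements are taken.
    $logs = @(Get-ChildItem -Path "$env:SystemRoot\Logs\MeasuredBoot" -Filter *.log -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer           = $cs.Name
        Manufacturer       = $cs.Manufacturer
        Model              = $cs.Model
        LooksVirtual       = [bool]$looksVirtual
        UEFI               = $uefi
        SecureBoot         = $secureBoot
        TpmPresent         = [bool]$tpm
        TpmSpecVersion     = if ($tpm) { $tpm.SpecVersion } else { $null }
        MeasuredBootLogs   = $logs.Count
        # The file-server health claim needs all three: UEFI, Secure Boot on, a TPM.
        AttestationCapable = ($uefi -and ($secureBoot -eq $true) -and [bool]$tpm)
    }
}

Get-BootSecurityPosture | Format-List
```

On a VDI guest of the kind discussed above you should expect UEFI to be true or false depending on the virtual firmware, TpmPresent to be false, MeasuredBootLogs to be 0, and therefore AttestationCapable to be false; that is the concrete form of the caveat in the paragraph above.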

The speakers had a lot of jam packed slides, so I didn’t get all of the information written down. If you have access to the recorded session on Channel 9 or MyTechNet, I strongly urge you to listen as it will be a well spent 75 minutes, if you value security in the enterprise.

Session Summary:

  • Windows 8 Investments in client security
    • Protect and Manage threats
    • Protect Sensitive data
    • Protect Access to Resources
    • Microsoft spent more on security in Windows 8 than any previous OS
    • “Groundbreaking” malware resistance
    • Pervasive device encryption
    • Modernized Access Control – Virtualized smart cards (no longer need a physical card); Dynamic access control
  • Challenges that we can face in combating malware
    • Vulnerabilities can be minimized but not completely eliminated
    • Malware can compromise a PC before it starts
    • Malware can compromise anti-malware by tampering with it or by starting before it
    • Malware can hide from anti-malware software
    • Anti-virus is always playing catch-up with latest malware
  • Secure Hardware
    • Why UEFI?
      • What is UEFI? An interface that is built on top of and replaces the legacy BIOS
      • Key benefits: Architecture-independent
      • Key security features: Secure boot, encrypted drive support for Bitlocker, Network unlock support for Bitlocker
      • Windows certification requirement on Windows 8 certified devices
    • Trusted Platform Module 2.0
      • TPM value proposition – Enables commercial-grade security via physical and virtual key isolation
      • TCG standard evolution: TPM 2.0
        • Algorithm extensibility allows deployment in additional countries (China, Russia)
      • Windows 8 TPM support enables implementation choice
        • Discrete TPM
        • Firmware-based (Intel’s Platform Trust Technology)
    • Feature Usage of TPM in Windows 8
      • Bitlocker: volume encryption
      • Bitlocker: Volume network unlock
      • Measured boot
      • Virtual smart cards
      • …More
  • Securing the Code and Core
    • Preventing vulnerabilities – Software Development Lifecycle
    • Tools: Threat modeling, Static Code Analysis, Fuzzers
    • Reduce the ability to exploit vulnerabilities
      • Analyzed telemetry to determine requirements
      • Add mitigations to reduce the impact of exploits
      • ASLR, DEP, Windows Heap, process integrity levels. ASLR has been VASTLY improved in Windows 8 (higher entropy), applied to a broader memory space and to critical OS components. DEP has been greatly expanded as well, and the OS now has much broader DEP coverage.
      • MS says the IQ of an attacker will need to be much higher to combat these new security enhancements. Quite different from what’s in Windows 7.
  • Securing the Boot
    • Legacy boot: BIOS, OS Loader (Malware), OS Start
    • UEFI Secure Boot: Native UEFI, Verified OS Loader Only, OS Start
      • The firmware enforces policy, only starts signed OS loaders
      • OS loader enforces signature verification of Windows components.
    • Securing and Maintaining UEFI
      • UEFI is secure by design
        • UEFI firmware, drivers, applications and loaders must be signed
        • UEFI database lists trusted and untrusted keys, CAs and image hashes
        • Secured rollback feature prevents rollback to insecure version
        • Untrusted option ROMs can not run
      • Maintaining UEFI with Windows Update
        • Updates to UEFI firmware, drivers, applications and loaders
        • Revocation process for signatures and image hashes
      • UEFI remediation
        • UEFI able to execute UEFI firmware integrity check and self-remediate
        • UEFI able to recover Windows boot manager if integrity checks fail
    • Trusted and Measured Boot
      • Trusted Boot
        • End to end boot process protection
          • Windows operating system loader
          • Windows system files and drivers
          • Anti-malware software
        • Ensures and prevents
          • A compromised OS from starting
          • Software from starting before Windows
          • 3rd party software starting before anti-malware
        • Automatic remediation/self healing if compromised
      • Measured Boot
        • Creates a comprehensive set of measurements based on trusted boot execution
        • Can offer measurements to a remote attestation service for analysis
      • Trusted Boot: Early Load anti-malware
        • Windows 7 Legacy Bios -> OS Loader (malware) -> 3rd party drivers (malware) -> Anti-malware start -> Windows logon
        • Windows 8: Native UEFI -> Windows 8 OS Loader (signed) -> Anti-malware start (signed) -> 3rd party drivers -> Windows Logon
        • Secure boot loads anti-malware early in the boot process
        • Runs WinRE in the background and does extensive remediation checks and pulls trusted binaries out of the trusted store. No prompts, no user interaction used. Completely automated.
      • Measured Boot
        • Windows 7: Bios (measured)-> MBR & Boot sector (measured)-> OS Loader (measured) -> Kernel initialization -> 3rd party drivers -> anti-malware software start
          • Measurements of some boot components evaluated as part of boot
          • Only enabled when bitlocker has been provisioned
        • Windows 8: UEFI (measured) -> Windows 8 OS Loader (measured)-> Windows Kernel & Drivers (measured) -> Anti-malware software (measured) -> 3rd party drivers -> Remote attestation
          • Measures all boot components
          • Measurements are stored in a TPM
          • Remote attestation is now available
        • Remote attestation allows a file server (for example) to grant access only to trusted computers that present a valid health claim.
    • Securing After the Boot
      • Protecting the system from known and unknown threats
        • Windows Defender is now a full fledged product
        • Protects against the full range of malware, not just spyware and adware
        • Real-time active protection
        • High performance
        • Optimized for the user experience
      • System Center Endpoint Protection (SCEP) adds manageability
        • Shares same anti-malware engine with Windows defender
    • Securing the System Post Boot – Metro Apps
      • Windows store contains Trustworthy Apps
        • ISV onboarding and app screening process
        • Community based ratings and reviews
      • Installation
        • Handled completely by the OS
        • Discrete and private location for each app
      • Application capabilities
        • Run with low privilege
        • Access to Resources
        • Contracts – Apps can advertise their service to other apps or OS
    • Internet Explorer 10 – Smart Screen
      • Application reputation has been moved into core
      • Protects users regardless of which client (browser, mail, IE, etc.) delivered the file
    • Internet Explorer 10 – Enhanced protected Mode
      • Difficult to exploit due to ASLR
      • Tabs and Process Isolation
      • Requires user interaction to gain access to user data
      • Do Not Track (DNT) capability
  • Windows Editions and Device Considerations
    • All Windows editions contain the basic new security features (trusted boot, SmartScreen, etc.) but other features like BitLocker are only on Professional and higher
    • Windows RT always uses device encryption powered by Bitlocker
    • Windows 8 certified devices will have UEFI (version 2.3.1 or later, the spec revision that introduced Secure Boot)

DBI328: Building the Fastest SQL Servers

Brent Ozar, Microsoft Certified Solutions Master (MCSM), www.brentozar.com

This was a REALLY great session that was both practical and filled with great technical details and good take away information. #1 takeaway is “TempDB is like a public toilet: You never know what’s in there.” LOL Clearly Brent Ozar knows his stuff, and has a ton of resources on his web site. This session was focused on building the fastest SQL server possible, and making it easy. If you are a DBA or run SQL in your environment (and who doesn’t if you are a MS shop), even if you don’t need blazing speed, this session had a lot of good sizing and performance tips. Below are several links to additional resources on his site:

SQL Server Setup Checklist
SQL Perfmon Counters
SQL Virtualization Best Practices
SQL IO Performance Testing
SQL 2012 Data warehouse reference design

He was flying through the slides and they were packed with content, so I didn’t get everything down. If his session is posted on Channel 9, check it out. His slides weren’t posted when I wrote this, so I can’t fill in the missing details. Even if you aren’t using the reference hardware in some of the links below (like HP and Dell) it still gives you great sizing and performance data you can translate to your own hardware.

  • How Microsoft Designs SQL Server Appliances
    • Systematically review thousands of SQL servers
    • Distill use cases down to a few common patterns
    • Choose HW components that are very likely to work great for those patterns
    • Publish an incredibly detailed test checklist to make sure the hardware is working as designed
  • Session Agenda
    • Define common SQL server use patterns
    • Understand the right hardware for a pattern
    • Recognize the server designs we can reuse
    • Learn how to test our own hardware
  • Define common SQL server use patterns
    • OLTP: Transactional Processing
      • How it’s accessed: Inserts
    • Data warehousing
      • Loaded in short windows overnight, then read-only with big reads through the day for reports
      • Just a few tables, but many historical records in each table, and often over 1TB of data
      • 10 years of sales history, stock prices, patient history, etc.
    • The real difference: OLTP (batches of user requests per second) wants queries to finish instantly, data warehouse can wait a bit longer (say 30 seconds)
  • The Right Hardware for Pattern OLTP
    • Hardware at its simplest: Memory 64GB, Drives 100GB, CPU
    • OLTP scenario: 50GB table
    • Right hardware for the fastest OLTP
      • Instant queries = cache all data in memory
      • Minimize data size (drop extra indexes)
      • Wide stripe data across all drives in the array (even log files)
    • Instant transactions = blazing fast log file
      • SSD RAID10 for multiple databases
      • Can get away with dedicated RAID10 magnetic for single DB
    • Avoid locking issues = blazing fast TempDB with RCSI
      • Read committed snapshot isolation
      • Bing: TempDB files SGAM contention – Use multiple data files for TempDB, roughly 1/8 to 1/4 as many files as cores (e.g. 16 cores = 4-8 data files)
      • DO count hyperthreads as cores for this calculation
    • I didn’t say blazing fast data drives
      • Once the data is in cache, data drive speed rarely matters
        • SQL server restarts will mean slow performance until the cache is warm again
        • Aggressively monitor data size and memory size
        • When you run out, things get ugly fast
      • Bottom line: Cache the whole DB in memory and not much else matters
  • The Right Hardware for Pattern Data warehouse
    • Hardware at its simplest: 256GB memory, 1TB drives, CPU
    • Instant queries = Maximize memory size
    • Minimize data size (drop extra indexes, right-size fields)
    • See data warehouse links at the beginning of this article
    • Maximum CPU core Consumption Rate (MCR): about 200MB/sec per core is a good rule of thumb
  • Reference Material
  • Test Storage Quickly with CrystalDiskMark
    • Pick 5 tests, 4000MB test file, drive letter
    • Only look at the sequential and 4K QD32 (queue depth) results
    • Sequential: Roughly akin to backups, large table scans
    • 4K QD32: Vaguely similar to active OLTP server or TempDB
    • MCR is most similar to Sequential read metric
  • Test Storage Slowly with SQLIO
    • See link at start of article for SQLIO tips from Brent
    • Lots of possible options; collect the whole set
    • Use a test file larger than your SAN’s cache (say 20GB)
    • Don’t run on a live server
    • Only look at these numbers from the output: IOs/Sec and MBs/sec (MCR)
    • Test drives of different sizes, but you don’t need to test every drive
  • Your Goals
    • Test with CrystalDiskMark to get a quick idea
    • Try two simultaneous CrystalDiskMark tests against two different drive letters to see if your multipathing works
    • When that works, amp up to SQLIO and really push it
  • How to Reduce Storage Throughput Needs
    • Keep memory free for SQL server data caching
    • Merry-go-round scans with SQL server enterprise edition make a huge difference in storage performance and throughput
    • Give OS 10% of the total server memory, or 4GB, whichever is GREATER
  • Defined common SQL server use patterns
    • OLTP: I want the query to finish instantly
    • DW: I want the query to finish in 30 seconds
  • Very important to perform SQLIO performance baseline…EXTREMELY IMPORTANT
  • If you virtualize, only use one instance per VM.
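    The SQLIO procedure above (test file larger than the SAN cache, a full set of options, only IOs/sec and MBs/sec out of the result) as an added PowerShell wrapper; this is not code from the session or from Brent’s SQLIO article. It assumes sqlio.exe is on the PATH, that the test file path points at the drive under test, and that sqlio’s summary lines are named “IOs/sec:” and “MBs/sec:”.

```powershell
# Added example: drive sqlio.exe through a small test matrix and keep only the two
# numbers the notes say to look at. Test file path and 20480 MB size are assumptions
# (the size follows the "larger than your SAN's cache" advice); run it off-hours, not
# on a live server.
param(
    [string]$TestFile  = 'T:\sqlio_test.dat',
    [int]   $SizeMB    = 20480,
    [int]   $Seconds   = 120,
    [string]$ParamFile = "$env:TEMP\sqlio_param.txt"
)

# sqlio -F parameter file, one line per file: <path> <threads> <mask> <size in MB>
"$TestFile 2 0x0 $SizeMB" | Set-Content -Path $ParamFile -Encoding ASCII

# 64K sequential reads approximate scans/backups (the figure to compare with MCR);
# 8K random I/O with deep queues approximates OLTP and TempDB traffic.
$tests = @(
    @{ Name = 'SeqRead64K';  Args = @('-kR', '-fsequential', '-b64', '-o8')  },
    @{ Name = 'SeqWrite64K'; Args = @('-kW', '-fsequential', '-b64', '-o8')  },
    @{ Name = 'RndRead8K';   Args = @('-kR', '-frandom',     '-b8',  '-o32') },
    @{ Name = 'RndWrite8K';  Args = @('-kW', '-frandom',     '-b8',  '-o32') }
)

$results = foreach ($t in $tests) {
    # -BH: use the hardware disk cache but bypass the Windows file cache; -LS: latency stats
    $argList = $t.Args + @("-s$Seconds", '-BH', '-LS', "-F$ParamFile")
    $out = & sqlio.exe $argList 2>&1

    $ios = ($out | Select-String -Pattern '^IOs/sec:\s*([\d\.]+)').Matches[0].Groups[1].Value
    $mbs = ($out | Select-String -Pattern '^MBs/sec:\s*([\d\.]+)').Matches[0].Groups[1].Value

    [pscustomobject]@{
        Test   = $t.Name
        IOsSec = [double]$ios
        MBsSec = [double]$mbs
    }
}

# Keep the table with the server's build record so later changes can be compared to it.
$results | Format-Table -AutoSize
```

    Run the same script against two drive letters at once to confirm multipathing spreads the load, which is the quick check the notes suggest doing with CrystalDiskMark first.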

    WCL290: App-V 5.0 What’s New

    This was a great session on the new enhancements in App-V 5.0. The App-V 5.0 beta is now out, so you can give it a spin around the virtual block. Immediately you will see that both the admin console (which is now a web page) and the client feature the Metro UI. Under the covers there are a lot of changes, which will really help you if you are using App-V with VDI. One of the biggest changes is that App-V no longer uses the Q drive, or any drive, for that matter! Also gone is the 4GB package size limit, and there is now full PowerShell support. If you are using App-V 4.6 or looking at virtualizing applications, you must check out the beta.

    Full Session notes:

    • Session Agenda
      • Managing App-V 5.0
      • Virtual Application Connection
      • Virtual Application Execution
      • Shared Content Store
    • Server App-V just released (see MMS 2012 presentation for more details)
    • App-V 5.0 beta is now out so go check it out
    • App-V 5.0 Pillars
      • Integrated Platform
        • Virtual applications work like installed applications – Virus scans now work
        • Virtual applications use Windows standards
        • No dedicated letter required
      • Flexible Virtualization
        • Multiple App-V applications can share the same environment
        • Designed to support highly integrated applications
        • Preserve existing investment in App-V
      • Powerful Management
        • New web-based management interface
        • Optimized for VDI with one work flow for updating the shared content cache
        • Rich PowerShell scripting allows automation and customization
    • Key Changes between 4.6 and 5.0
      • 4.6: Uses dedicated drive letter (Q drive), 5.0: no more dedicated drive
      • 4.6: 4GB package limit, 5.0: no more 4GB limit
      • 4.6: Isolated from local applications, 5.0: Virtual application extension (OS talks to native apps)
      • 4.6: Share middleware with dynamic suite composition, 5.0: Share peer applications with virtual application connection
      • 4.6: Read-only shared cache supports VDI, 5.0: Shared content cache can be updated with normal workflow (no more hoops to jump through)
      • 4.6: limited command-line scripting, 5.0: Rich PowerShell scripting for sequencer, client and server
      • 4.6: installed management console, 5.0: web based console (built on Silverlight)
    • App-V 5.0 Packaging
      • New package format
      • Similar UI to 4.6 SP1 but very different under the covers
      • Easily convert 4.5+ packages to the new format (done through PowerShell)
      • New file extension (.appv)
    • App-V 5.0 Dynamic Configuration
      • Modifies a Package’s Virtual environment
        • Virtual subsystem overrides
        • Disable virtual subsystems
        • Script support
      • Dynamic Configuration Types
        • Dynamic deployment configuration
        • Dynamic User configuration
        • Can combine
      • No package update is needed
        • Modify existing package content
        • Add to an existing package
    • Deployment and User Configuration
      • Deployment configuration – File you apply to the package and it applies to all of the users.
      • User Configuration – Affect the user on the machine, per user per package. Uses the same package file, but different configuration file.
    • Virtual Application Connection
      • Creates virtual bubbles that applications can share, such as apps with complicated dependencies
      • Examples include Word and Visio. Now you can edit a Visio diagram in Word.
      • Easily create application connections within the management GUI. No package changes are needed.
      • A package can be in multiple package groups (e.g. Java)
      • Configuration is separate from the packages (XML file)
      • System Center 2012 SP1 will fully support App-V 5.0
      • Fully manageable with PowerShell
    • Virtual Application Extension
      • Extension point is registered natively with Windows
      • Global visibility – native to virtual, virtual to virtual
      • Supported Subsystems:
        • Shortcuts
        • File Type Association
        • AppPath
        • URL protocols
        • Software clients
        • COM local servers
      • No configuration to get this to work (e.g. click on a link in IE to automatically open Outlook using the URL mail protocol hook)
      • Best Practices
        • Is the interaction well defined? Does the OS or a native application need to interact with the virtual application?
        • Application connection – Use for virtual-to-virtual
    • Shared Content Store
      • Store applications centrally
      • Save disk space in VDI/RDS
      • Applications are excluded from the shared store
      • Applications can be updated per the usual process

    DBI317: Optimizing SQL in a Virtual Environment

    Denny Cherry, Independent Consultant (www.mrdenny.com @mrdenny)
    vExpert 2012, Microsoft Certified Master, MVP

    This session covered some helpful tips for virtualizing SQL server, be it on Hyper-V or VMware. Yes, you can virtualize SQL and still get excellent performance, but there are some special considerations that you need to be aware of. Most of the tips apply to many applications, but some are SQL specific. The speaker’s slides and commentary were pretty high level, so this wasn’t quite as technical as I was expecting.

    Session summary:

    • High level Topics
      • Diagnosing Performance Problems
      • Balloon Memory Drivers
      • Memory deduplication options
      • Storage Configuration options
    • Diagnosing Performance Problems
      • Check host and Guest CPU numbers
      • Check host for CPU thrashing
      • Check host and guest for disk IO latency
      • On VMware check %Used and %Rdy (CPU ready) time
    • Balloon Memory Drivers
      • Only does something when the host is out of memory. Under normal conditions it does nothing.
      • Prevents host from paging physical memory to the host’s swap file
      • Should be enabled
      • Lock pages in memory within the SQL server config should be disabled unless enabled for a specific reason
    • Memory reservations
      • Recommended that it be set to a portion of the allocated memory (SQL server + some for OS)
    • Memory deduplication Options
      • Great for OS memory
      • Doesn’t work at all for SQL server
      • Doesn’t hurt performance, but don’t count on it to conserve host memory
    • Storage Configuration Options
      • IO is the same if the disks are physical or virtual
      • Use automatic tier adjusting technology if possible except for SQL logs (use RAID 10)
      • Keep OS, data, logs, tempdb on separate disks
      • Use 64K NTFS allocation size
      • Make sure partitions are aligned (default in Server 2008 and later)
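    The two guest-side storage settings from the list above (64K NTFS allocation unit, aligned partitions) as an added PowerShell audit script; this is not code from the session. It assumes it runs inside the SQL Server VM with rights to query WMI, that the SQL volume letters passed in are the data/log/TempDB drives (the defaults are made up), and that 1 MB is the alignment boundary to check against, which is the Server 2008 default the notes mention.

```powershell
# Added example: report NTFS allocation unit size and partition alignment for a SQL VM.
# Volume letters below are constructed defaults; pass your own data/log/TempDB letters.
param([string[]]$SqlVolumes = @('E:', 'L:', 'T:'))

$AllocationUnit = 64KB   # recommended NTFS cluster size for SQL data, log and TempDB
$AlignmentUnit  = 1MB    # partition start offset should be a multiple of this

# Win32_Volume.BlockSize is the NTFS cluster (allocation unit) size in bytes.
$volumes = Get-WmiObject -Class Win32_Volume -Filter "DriveType=3 AND FileSystem='NTFS'" |
    Where-Object { $SqlVolumes -contains $_.DriveLetter } |
    ForEach-Object {
        [pscustomobject]@{
            Volume    = $_.DriveLetter
            Label     = $_.Label
            BlockSize = $_.BlockSize
            Ok64K     = ($_.BlockSize -eq $AllocationUnit)
        }
    }

# Win32_DiskPartition.StartingOffset is the partition's byte offset on the disk. Old
# 63-sector (32256-byte) starts are not a multiple of 1 MB and cause split I/Os.
$partitions = Get-WmiObject -Class Win32_DiskPartition |
    ForEach-Object {
        [pscustomobject]@{
            Partition      = $_.Name
            StartingOffset = $_.StartingOffset
            Aligned        = (($_.StartingOffset % $AlignmentUnit) -eq 0)
        }
    }

"NTFS allocation unit on SQL volumes (expect $($AllocationUnit / 1KB)K):"
$volumes | Format-Table -AutoSize
"Partition alignment (expect StartingOffset divisible by $($AlignmentUnit / 1MB) MB):"
$partitions | Format-Table -AutoSize

# Exit code = number of failing volumes/partitions, so the check can gate a build checklist.
$failures = @($volumes | Where-Object { -not $_.Ok64K }) +
            @($partitions | Where-Object { -not $_.Aligned })
exit $failures.Count
```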

      TechEd 2012 Content on Channel 9

      For those of you that didn’t attend TechEd 2012, some of the content is available on Microsoft Channel 9. You can check it out here. Some killer content this year, so be sure to check out the sessions of interest to you and tune in!