As you know if you’ve been following my blog this week, Ignite 2015 took place in Chicago with hundreds of great sessions. In fact, this year all but one or two sessions were spot on. You can easily download all of the great Channel 9 recordings using the PowerShell script you can download here. The conference just ended today, so it might take a few days before Channel 9 gets all of the recordings up. Happy downloading!
Note: This was a great beginner-level session for those not familiar with encryption, certificates or PKI. If you are in that boat, I would urge you to find the session video and watch the whole presentation. If you are a security professional and already know about these topics, then the content is probably too basic. I didn’t capture all the content below, but just took down some highlights of what was covered.
Why am I here? Thanks to the NSA. Thanks to Edward Snowden. SharePoint, Lync, Exchange all need to be secure.
Showed screenshots of RDP SSL warnings and browser SSL warnings.
Are you still using passwords? Phishing and fraud, password fatigue, pass-the-hash attacks.
IoT (Internet of things) is adding new concerns of authentication (connected cars, medical, industrial sensors)
Non-repudiation – Ability to bind a human to a digital document
Privacy – Hot topic over the last 2 years due to NSA and Snowden. Challenges are not new.
Encryption – Encryption at rest, in transit, challenges: weak algorithms
Encryption at rest – Bitlocker, EFS, SQL TDE
Encryption in transit – SSL/TLS, IPsec, Office 365 message encryption
Azure RMS – AD RMS for On-Premises. Protect documents from Birth to end of life. Protection regardless of location.
Speaker goes over symmetric and asymmetric encryption, hardware security modules (HSMs), and algorithms such as AES, and shows how they work.
Use the tool IIS Crypto to disable/enable ciphers and change the order in which cipher suites are used. FREE.
Good ideas: Remove RC4, reorder suites, Update to 2012 R2, research ECC vs. RSA
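As an added example (not from the session and not IIS Crypto's own code), this PowerShell does through the registry what IIS Crypto does in its GUI: audits whether RC4 is still enabled in SCHANNEL, disables it, and writes an ECDHE-first cipher suite order. The suite names are assumed to be the Windows Server 2012 R2 spellings (2016 drops the _P256/_P384 suffix); run it elevated, and a reboot applies the change.

```powershell
# Added example: disable RC4 in SCHANNEL and set an ECDHE-first suite order. Run elevated.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys     = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'

function Get-Rc4Status {
    # One object per RC4 key; SCHANNEL treats a missing key or value as "enabled"
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    foreach ($name in $rc4Keys) {
        $sub   = $root.OpenSubKey($name)
        $value = if ($sub) { $sub.GetValue('Enabled') } else { $null }
        [pscustomobject]@{ Cipher = $name; Enabled = ($value -ne 0) }
    }
    $root.Close()
}

function Disable-Rc4 {
    # Use .NET directly: New-Item/Set-ItemProperty treat the '/' in 'RC4 128/128' as a path separator
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
    foreach ($name in $rc4Keys) {
        $sub = $root.CreateSubKey($name)
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
    $root.Close()
}

function Set-CipherSuiteOrder {
    # Same policy value the "SSL Cipher Suite Order" GPO writes: comma-separated REG_SZ, no RC4 suites
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $order  = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384',   # assumed 2012 R2 suite names
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256'
    ) -join ','
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'Functions' -Value $order -Type String
}

Get-Rc4Status | Format-Table -AutoSize   # audit before changing anything
Disable-Rc4
Set-CipherSuiteOrder
Get-Rc4Status | Format-Table -AutoSize   # all three keys now report Enabled = False; reboot to apply
```

Audit the output of the first Get-Rc4Status call against the clients you still need to support before disabling, since a client that only offers RC4 will fail to negotiate after the reboot.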
Talks about Certificate Authorities, certificates, and their basic properties. Also discusses path of trust, and where to find certificates in Windows.
CA Lifetime planning: End certs – 2 years, intermediate CA – 4 years, root CA – 8 years. Renew certificates when 50% of their life has expired.
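An added example (not from the session) that applies the "renew at 50% of lifetime" rule to a certificate store: it lists every certificate with the percentage of its validity period already elapsed and flags the ones due for renewal. The store path and renewal fraction are parameters you can point at a CA's store instead.

```powershell
# Added example: find certificates past the 50% renewal point in a Windows certificate store.
function Get-CertRenewalCandidates {
    param(
        [string]$StorePath      = 'Cert:\LocalMachine\My',   # assumed store; use a CA store for issuing CAs
        [double]$RenewAtFraction = 0.5,                       # the session's 50% guideline
        [datetime]$Now          = (Get-Date)
    )
    Get-ChildItem $StorePath | ForEach-Object {
        $totalDays   = ($_.NotAfter - $_.NotBefore).TotalDays
        $elapsedDays = ($Now - $_.NotBefore).TotalDays
        $fraction    = if ($totalDays -gt 0) { $elapsedDays / $totalDays } else { 1 }
        [pscustomobject]@{
            Subject        = $_.Subject
            Thumbprint     = $_.Thumbprint
            LifetimeYears  = [math]::Round($totalDays / 365.25, 1)
            PercentElapsed = [math]::Round(100 * $fraction)
            DaysRemaining  = [math]::Round(($_.NotAfter - $Now).TotalDays)
            # Expired certs are reported separately so they are not mistaken for renewable ones
            Action         = if ($fraction -ge 1) { 'EXPIRED' }
                             elseif ($fraction -ge $RenewAtFraction) { 'Renew' }
                             else { 'OK' }
        }
    } | Sort-Object PercentElapsed -Descending
}

# Show only what needs attention
Get-CertRenewalCandidates | Where-Object Action -ne 'OK' | Format-Table -AutoSize
```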
S/MIME – For Email encryption and digital signatures
- Shared secrets are easily breached
- Passwords are easily replayed and phished
- See previous “Microsoft Passport” session I blogged about for more info
- Security without convenience is dead in the water
- Keys are ideally generated in hardware TPM, software as last resort
- Single unlock gesture provides access to multiple credentials
- Browser support via JS/Webcrypto APIs to create and use Passport users
- Supports biometric authentication
- Convenient device logon and strong user authentication
- Enterprise level security and access to high impact data and resources via Microsoft passport
- Consistent inbox user enrollment
- Enrollment Steps – Face, iris, and fingerprint share the same design
- Usage – Authentication
- Recovery – User can delete enrollment data. Stored strictly on local device.
Enrollment – Find a face, discover landmarks, detect head orientation, build & secure vector based template
Recovery – After 5 failures it falls back to PIN or another auth method. After 32 failures the TPM is locked.
There’s an option to improve face recognition where it will take additional data points
It can also use fingerprints and will use between 21 and 40 points, all stored locally on the device
Only supports a single face mapped to a single account. No multiple faces for a single account.
Authentication vs. Identification
- Not every biometric modality is created equal
- False acceptance rate
- False rejection rate
- Liveness and anti-spoofing – Can detect dead fingers and high res photos
- Windows Hello demonstrates a false rejection rate of 1/100000
- Windows Hello False rejection rate is 2-4%
- Windows Hello requires liveness detection and anti-spoofing
- Microsoft has captured 13K faces for a representative sample
The Microsoft Hello camera can work without visible light; it operates on IR. The speaker demoed holding a photo and a phone up to the camera, and neither was accepted.
Microsoft's goal is to make biometrics non-susceptible to spoofing, offline attacks, etc.
Session: BRK3557: Baselining and Benchmarking AlwaysOn Availability Groups
In this session the speaker went through what SQL AlwaysOn availability groups are, and why the customer wanted to use them. Then he went through how he set up his testing and RAID levels, and listed the SQL performance stats that he monitored during the benchmarking. The speaker used a scripted run of SQLIO to perform his benchmark tests. He covered SQL IO sizes, number of threads, and how to scale up to simulate the customer’s environment.
He went into a long discussion about max threads, and how the type of query affects how many threads are spawned. SQL has a max number of worker threads, so understanding how many threads you are spawning when doing at-scale testing is important. He also tuned the cost threshold for parallelism to control the number of spawned threads.
In the end, he was successful in performing at-scale benchmarks and the customer’s system was implemented successfully. Be sure to check out the session recording for all of the gory details.
Note: This session had very densely packed slides and lots of demos. So I’ve changed things up and just included screenshots for this write up. If you want to run Nano I encourage you to check out the video recording to see all of the demos.
Voice of the customer: Reboots impact my business; Server images are too big; Infrastructure requires too many resources; Security impact
Demos that Server Manager GUI “just works” against Windows Server Nano 2016
Remotely Managing Nano Server:
Note: This session was jam packed with slides, text, and diagrams. The speaker was also flying through the material, so it was impossible to attempt to keep up. The session was very good, and quite technical. So if you deal with clustering in your daily job, check out the session recording for a boatload of good info.
- Stretch clusters can achieve low RPO and RTO
- Disaster avoidance is the new trend
- Considerations when stretching clusters: Networking, storage
Recommendations: Adjust intra-node heartbeat thresholds; understand
Cloud Witness in Windows Server 2016
- Leverages Azure as arbitration point
- Quorum configuration achieved without an extra site
- Writes a single blob per cluster
- Cost on Azure is extremely low, in terms of pennies
- Newly recommended quorum option
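As an added example (not from the session), the PowerShell below covers the two cluster settings discussed above: it shows and relaxes the cross-subnet heartbeat thresholds for a stretched cluster, then configures a Cloud Witness. The storage account name and key are placeholders, the heartbeat values are illustrative rather than vendor guidance, and a Windows Server 2016 cluster with the FailoverClusters module is assumed.

```powershell
# Added example: tune stretched-cluster heartbeats and add an Azure Cloud Witness.
Import-Module FailoverClusters

function Get-HeartbeatSettings {
    # Delay = ms between heartbeats; Threshold = consecutive misses before a node is declared down
    Get-Cluster | Select-Object Name, SameSubnetDelay, SameSubnetThreshold,
                                CrossSubnetDelay, CrossSubnetThreshold
}

function Set-StretchHeartbeat {
    # Cross-site links are slower and lossier than intra-site ones, so give them more slack.
    # Illustrative values: 2000 ms x 20 misses = 40 s of silence before cross-site failover.
    param([int]$CrossSubnetDelayMs = 2000, [int]$CrossSubnetThreshold = 20)
    $c = Get-Cluster
    $c.CrossSubnetDelay     = $CrossSubnetDelayMs
    $c.CrossSubnetThreshold = $CrossSubnetThreshold
}

function Set-CloudWitnessQuorum {
    # Placeholder storage account; every node needs outbound HTTPS (443) to Azure blob storage
    param([string]$AccountName = 'mystorageaccount', [string]$AccessKey = '<storage-account-key>')
    Set-ClusterQuorum -CloudWitness -AccountName $AccountName -AccessKey $AccessKey | Out-Null
    # Confirm: the witness resource should be Online and the quorum should reference it
    Get-ClusterResource | Where-Object ResourceType -eq 'Cloud Witness' |
        Select-Object Name, State, OwnerGroup
    Get-ClusterQuorum
}

Get-HeartbeatSettings          # record the current values before changing them
Set-StretchHeartbeat
Get-HeartbeatSettings
Set-CloudWitnessQuorum
```

Keep the access key out of scripts checked into source control; pass it in at run time or rotate it after configuration, since the cluster stores its own copy.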
- Storage replica is a brand new feature in WS2016
- Block-level, volume-based synchronous & async using SMB 3.1.1
- Any Windows volume, any fixed disk storage, any storage fabric
- Baked into Windows, no need for third-party storage
Hyper-V and General use file server are the main use cases for the tech preview. Not for SoFS.
Requirements & Recommendations
- Datacenter edition & Azure stack SKUs only
- Requires Active Directory (no schema updates, just Kerberos)
- >1Gb network between servers
- Disks: Must be GPT not MBR.
- Free space for logs on an NTFS/ReFS volume
- Disk physical sector sizes must be the same (e.g. can’t mix 512e & 4K)
- Network latency: 5ms round trip
- Reality: 30-50Km apart
- Network bandwidth is based on IO of the app and IOPS
- Log volumes recommended on Flash (SSD, NVMe, etc.)
- These are *strong* recommendations
- Supports running inside a VM
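An added example (not from the session or the Storage Replica feature itself) that checks the requirements listed above from the source server: GPT partition style, matching physical sector sizes with the partner, an NTFS/ReFS log volume with free space, and round-trip latency within 5 ms. It assumes Windows PowerShell 5.1 with remoting enabled to the partner; the destination name, drive letters and free-space target are placeholders.

```powershell
# Added example: pre-flight the Storage Replica prerequisites from the source server.
function Test-SRPrerequisites {
    param(
        [string]$Destination = 'SR-DEST',   # placeholder replica partner
        [string]$DataDrive   = 'D',         # data volume letter (same letter assumed on both nodes)
        [string]$LogDrive    = 'E',         # log volume letter
        [int]$MinLogFreeGB   = 8,           # assumed log-space target; size for your write rate
        [int]$MaxRttMs       = 5            # the session's 5 ms round-trip guideline
    )
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # Disks must be GPT, and physical sector size must match the partner (no 512e / 4K mix)
    $dataDisk = Get-Partition -DriveLetter $DataDrive | Get-Disk
    $logDisk  = Get-Partition -DriveLetter $LogDrive  | Get-Disk
    Add-Check 'Data disk is GPT' ($dataDisk.PartitionStyle -eq 'GPT') $dataDisk.PartitionStyle
    Add-Check 'Log disk is GPT'  ($logDisk.PartitionStyle  -eq 'GPT') $logDisk.PartitionStyle
    $remoteSector = Invoke-Command -ComputerName $Destination -ScriptBlock {
        (Get-Partition -DriveLetter $using:DataDrive | Get-Disk).PhysicalSectorSize
    }
    Add-Check 'Sector sizes match partner' ($dataDisk.PhysicalSectorSize -eq $remoteSector) `
        "$($dataDisk.PhysicalSectorSize) local vs $remoteSector remote"

    # Log volume: NTFS or ReFS with room for the replication log
    $logVol = Get-Volume -DriveLetter $LogDrive
    Add-Check 'Log volume is NTFS/ReFS' ($logVol.FileSystem -in 'NTFS','ReFS') $logVol.FileSystem
    $freeGB = [math]::Round($logVol.SizeRemaining / 1GB, 1)
    Add-Check "Log volume has >= $MinLogFreeGB GB free" ($freeGB -ge $MinLogFreeGB) "$freeGB GB free"

    # Network: average round trip to the partner within the recommended latency
    $rtt = (Test-Connection -ComputerName $Destination -Count 10 |
            Measure-Object -Property ResponseTime -Average).Average
    Add-Check "Round trip <= $MaxRttMs ms" ($rtt -le $MaxRttMs) ("{0:N1} ms average" -f $rtt)

    $checks
}

Test-SRPrerequisites | Format-Table -AutoSize
```

This only covers the bullets above; the Storage Replica module in Windows Server 2016 ships a Test-SRTopology cmdlet that additionally measures IOPS and sizes the log from observed write traffic.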
Note: This session was 50% about what’s new in VMM 2012 R2, with 15-20 minutes on what’s new in VMM 2016. My takeaway is that MS is trying to listen to customers and make the product easier to use. But don’t expect any radical changes in VMM (which I think are needed), just specific feature updates to keep up with the Hyper-V platform. They didn’t stay very long on the VMM 2016 slide, so I didn’t capture everything. See the session recording if you want the full scoop.
Update Rollup 6 was just released – New functionality added
VMM team is now shipping new features in URs, versus having to wait for an entire new release
Microsoft made a point of including user and automated feedback into the design of VMM, and bug fixes.
New Improvements in UR5/UR6:
- DHCP extension update
- New Linux OS versions added
- Maintenance mode behavior fixed
- Improved performance over WAN links
- Quicker VM deletion
- SQL 2014 support
- Integrate SAN remote replication with ASR
- New management of vSphere 5.5
- Added Azure & AWS connectivity & VM support
- ...many others on the list
Want to get early drops? http://aka.ms/joford
- Ease of use – workflow for host and storage cluster creation; simplified logical switch creation and deployment; flexible bare metal provisioning; improved diff disk management
- Security and Infrastructure – Deploy guarded hosts, manage guarded hosts, protect tenant secrets, improved state consistency
- Expanded fabric management – Storage replication automation using Azure site recovery; Scale-out file server with SAN storage automation; storage QoS policy management.
Note: The focus of this session is on what’s new in Hyper-V technical preview 2. It will NOT cover all the new features, or features in future server builds. The presenter also flipped through the slides very fast, so I didn’t get all of the details. I recommend you watch the video if this topic interests you.
Nano server is the recommended deployment model for Hyper-V
Virtual Machine Protection
- Trust is the biggest blocker to cloud adoption
- MS wants customers to know their data is secure
- Virtual TPM and secure boot with Linux (Ubuntu 14.04 or later and SUSE)
- Shielded Virtual Machines – Supports BitLocker inside of the VM, plus other features
- Storage QoS
- Can set a policy that caps the IOPS across multiple VMs and they share the policy
- Great for service providers
- Host resource protection: Dynamically identify VMs that are not playing well and reduce their resource allocation. Can help protect against malware taking over resources.
- Today, if you have a temporary network outage the Hyper-V cluster will panic and fall apart in a very bad way. If the storage outage goes above 60 seconds, I/Os will fail and the guest OS will likely crash.
- Virtual machine storage resiliency – VM is paused/suspended until storage access resumes
- Virtual machine cluster resiliency – 4 minute timeout for cluster services being stopped, with automatic healing. Another resiliency feature for flapping cluster services due to HW issues, and the host will be quarantined and VMs live migrated off after a certain period.
- Going to allow host based (agent free) backups with shared VHDXs
- Now you can back up cluster as easy as standalone servers
- Now allows online resizing of shared VHDXs
- New VHDX type: VHDS
Replica support for hot add of VHDX. When you add a new disk it is added to the non-replicated set.
Runtime resize of memory – For WS2016 and Windows 10, you can increase/decrease the runtime memory while the VM is running.
Hot add/remove of network adapters. Applicable to Generation 2 VMs only.
Rolling cluster upgrade
- You can now upgrade a 2012 R2 Hyper-V to WS Tech Preview 2 with no downtime, no new hardware, and ability to rollback.
- Production checkpoints – Uses VSS instead of saved state to create checkpoint. Fully supported in production. FINALLY!
PowerShell Direct to Guest OS
ReFS Accelerated VHDX Operations – Instant fixed disk creation and merging of checkpoints. “Instantly” create fixed disks in about 3 seconds of almost any size. Merging checkpoints happens without data being copied.
Changing how we handle VM servicing
- Integration components are now distributed via Windows update
Evolving Hyper-V Backup: New architecture plus change block tracking is now native
VM Configuration files: VMCX and VMRS. Now a binary format efficient at scale
Datacenter inflection points: Physical machines, machine virtualization; Infrastructure hosting – early cloud; services IaaS, PaaS, SaaS; Containers – DevOps
Container Ecosystem: Container run-time; Container image; Image Repository
Image Creation: When a container is created it is a sandboxed area in the host operating system. An app thinks it is running on regular Windows, with NO differences. You can then package up that container and put it into a library. The container contains the OS image and app. The packages are immutable.
Demo: Showed off spinning up a Windows OS container in ~5 seconds, running CMD commands, then exiting and the container was deleted.
Demo: Showed a Visual Studio app that prints a string when run in a container. Changes the app (breaks it) and shows that v2 is broken in a container. Shows running v1 seconds later, which still works. Images are immutable.
You can constrain a container to x amount of CPU or network resources.
Ideal for distributed compute, scale out, databases, tasks, and web servers.
V1 support for containers: Nano server (born in the cloud) and server core (Traditional apps, highly compatible).
Container runtimes: Windows Server container; Hyper-V container. You can select the runtime by a docker flag. It truly is a runtime selection. Uses the exact same packages.
Works with many development frameworks like PHP, Go, Python, Node, Perl, Ruby, etc.
Containers are a new way of deploying applications, and also developing them. There is no SDK for containers. You just write for Windows, and containers are only how it’s packaged and deployed.
Container apps won’t work if you need physical access to devices.
What’s next? Summer preview of Windows server will feature containers. Hyper-V container preview will come later this year.
Microsoft will build NAT into Containers.
Demo: shows opening a RDP session into a container.
Day 1 container support will likely be for SQL and IIS. MS program managers are working together to determine what other MS products will run in containers.
Docker hub will support Windows containers.
Note: This was a great session with the right balance of technical content. Demo gods were not with the speakers, so a couple of demos failed. Definitely worth viewing the video of though!
- Voice of the customer: Reboots impact my business, server images are too big, infrastructure requires too many resources, and security is a top concern.
- Windows Server Nano has been 10 years in the making
- Local admin GUIs on servers are poison
- Cloud Journey: (Azure does not have live migration). Patches and reboots interrupt service delivery.
- Microsoft realized they need a server OS optimized for the cloud
- A new headless, 64-bit-only deployment option. No RDP access.
- Zero footprint model – Server roles and operational features live outside of nano server. Standalone packages that install like apps.
- Full Windows server driver support (no special drivers)
- Roles: Hyper-V, scale out file server, and clustering. Core CLR, ASP.NET, and PaaS
- Anti-malware is built in
- Demos Hyper-V manager and failover clustering GUIs connecting to Nano server
- You can do offline domain join with nano server
- Eliminates the need to ever sit in front of a server
- Supports desired state configuration with SCCM. Supports core PowerShell and WMI
- Core PowerShell is available on Nano, not FULL PowerShell. Relies on CoreCLR, not full .NET which is not available on Nano server.
- Support for all cmdlet types: C#, Script and CIM. Not all PowerShell cmdlets are available. Approximately 600 commands available in tech preview 2.
- IntelliSense for PowerShell works on Nano
- Shows off bi-directional file transfer via PowerShell
- Remote server management tools: Web-based, includes replacements for local-only tools (task manager, registry editor, event viewer, device manager, etc.). GUI also manages Server Core and Server with a GUI.
- Nano server can be your cloud application platform
- Subset of Win-32
- Supports Windows server containers
- What runs on Nano? Chef, PHP, Nginx, Python 3.5, GO, Redis, MySQL, OpenSSL, Java, Ruby, SQLite
- Search Channel 9 for Nano videos
- Nano needs 1/10 the critical security patches that full server needs.
- Only 22 running services vs. 46 on full server
- 12 open ports vs. 31 open on full server
- Boot IO is 150MB vs. 255 for server core
- Setup time is 40 seconds, 5 minutes for server core
- Can PXE boot server Nano, deploy and customize in less than 3 minutes
- Disk footprint is 400MB vs. 5GB for core
- VHDX size is 400MB vs. 6.3GB for core
- No MSI support in Nano
- Focused on two scenarios: Cloud OS infrastructure, and born in the cloud apps
- Beginning of a HUGE refactoring process of the server OS. Only the components you need should be installed.