SIA200: Cyber Security Defenses: What works today

This is one of those sessions that you sit back and just don’t know what to say at the end, it’s so good and so profound. The message is: if your company hasn’t yet been compromised, it will be. Once a workstation is compromised, it takes on average only 24-48 hours before the attacker escalates to domain admin and literally owns your entire network. Pass the hash attacks can be done in as little as 6 minutes, or less, and are used in nearly every attack today. Even a single privileged account used on the wrong computer can lead to the compromise of an entire domain. It is extremely critical that you understand these attacks, and the measures required to mitigate them.

They gave one example of Wells Fargo. They are the poster child for securing their environment in such a way that they have no permanently active domain admins, server admins, or workstation admin accounts. Yet they can effectively operate in a highly secure manner. Doing the pass the hash attack against Wells Fargo would be extremely difficult. Yes, you can remove permanent administrator rights from everyone, including all of IT, and still efficiently function. In fact, if you want to mitigate a major attack vector, you MUST do this. Deploy all the IDSes, firewalls and sniffers you want, but they can’t hold a candle to properly locking down privileged user accounts and completely rethinking how you use them. This is NOT an option.

This session was so jam packed with information that I didn’t get more than 75% of the highlights captured below. If you attended TechEd this is a must watch video for everyone. Hopefully it will be posted on Channel 9 so everyone can watch it. It’s just that good (and scary).

  • Determined Adversaries and Targeted Attacks (DA/TA)
    • Think “organizations stealing data with full-time employees (FTEs)” not casual hackers or viruses
    • If you are targeted, they want (and may already have) your IP
    • Even if you don’t think you could be targeted, you probably are a target. They may not want the secrets to your widgets, but maybe they want something else you have like banking contract details for a business partner. Or maybe they really DO want the secret to your widgets.
  • DA/TA Common Technical Tactics
    • Gain control of your identity store – Find out who is who, who works for who, what groups people are in, etc. Capturing credentials is secondary, since they already own your network. Knowing who is who in your org is key for the adversary.
    • Public Data – Admin rights, interesting projects/groups. Even without domain admin rights, AD provides a lot of data to authenticated users with the right tools.
    • Secrets – passwords/hashes for users
    • Download terabytes of your data
      • Large initial exfiltrations typically
      • Then target specific data
    • Hide custom malware on multiple hosts. Some only call back every few weeks or months. Very, very hard to detect.
  • Cyber Attack Techniques
    • Targeting, phishing, pass the hash, custom malware, application exploit.
      • Note: Pass the hash is extremely worrisome. Pentesters can get domain admin in 6 minutes, and the average APT can get domain admin in 24-48 hours.
      • Only ONE instance the MS team is aware of where the attacker did NOT use pass the hash. Everyone knows it and uses pass the hash.
      • SQL injection is HUGE and extremely scary.
    • Pass the Hash – Here’s how it works
      • Bad guy targets workstations en masse
      • Users running as local admin compromised, bad guy harvests credentials
      • Bad guy starts ‘credential crabwalk’
      • Bad guy finds a host with domain privileged credentials, steals them, and elevates privileges
      • Bad guy owns the network and can harvest whatever they want
      • Bad guys can create workstation problems so the helpdesk has to login and fix it, thus capturing credentials
      • *Windows Credential Editor* (security researcher tool) Demo
        • wce -e (sits and waits to grab credentials)
        • wce -s (used to inject hash and access resource like fileshare)
        • wce -w (pulls plaintext password out of memory)
      • Windows stores passwords with reversible encryption in memory, regardless of password length or whether you disable the “reversible encryption” GPO option
  • What can be done?
    • Know what matters
    • Effective workstation and server defenses
    • Protect Key identities and roles
  • Protecting the Crown Jewels
    • Do not try to protect all assets equally – you can’t
    • Identify and protect intellectual property that is valuable to the org and to potential attackers
      • Foreign and domestic competitors
      • Would-be competitors
      • Governments, etc.
    • Multi-factor authentication (smart cards, etc.)
    • Strict security requirements
    • Hardened systems
    • Asset isolation
    • Concentric rings of security
  • Protect your Hosts
    • Move users out of local admins groups
    • Get current / stay current
    • Implement exploit mitigation
    • Patching, compliance, and configuration management
    • End-user education
  • Get Current/Stay Current
    • All applications must be updated
    • #1 patch, patch, patch. Don’t take months to update software.
    • Not just OS patches – OS only attacked 15% of the time, 85% are app attacks
    • Firmware attacks are now a concern – HP printers need a firmware update for a remote firmware exploit
    • Make sure the devices and appliances that protect your network
    • Windows 8 secure boot protects against firmware attacks
    • Printers are a huge problem…update firmware!!!!!
  • Microsoft EMET (Enhanced Mitigation Experience Toolkit)
    • No application re-compile required
    • Mitigations apply to opted-in application and its plug-ins
    • Strongly recommended
    • With Windows XP and using EMET, the number of exploitable attacks went from 120 to 7
  • Effective End-User Education
    • Do your end-users know that the most likely way they can be exploited is by visiting a website you go to all the time and trust?
    • Do your end users know what their anti-malware warning looks like? Include screenshot of virus warnings in your user training materials.
  • Asset Isolation
    • Firewalls are old news
    • Do traffic analysis, who needs to talk to what?
    • Should server A speak to server B?
    • Should workstation A be able to connect to all servers?
    • If not, isolate!
    • Do detailed traffic flow analysis for internal traffic. Bing netflow analysis.
  • Creative Destruction
    • Gartner term for a method of decommissioning legacy applications and systems
    • Catalogue the entire environment (most customers do not have, and what they do)
    • Identify redundancies (FedEx did this)
    • Create new specs for what their applications need to do, then identify a cloud provider and do a wholesale migration effort
  • Protect your AD and key identities
    • Practice credential hygiene
    • Implement multi-factor authentication
    • Reduce broad and deep privileges
  • Credential Hygiene
    • Privileged accounts log onto sufficiently secured hosts
    • Domain admin logs on to Internet connected workstation = Security of entire domain entrusted to that workstation
    • ***Separate the risk from privileged credentials
    • Can require detailed design/re-design of privileges, host security, and logon rights GPOs
    • Rule of thumb: Protect admin workstations at the same level as the servers/apps administered by the accounts using them
  • Compartmentalization
    • Production domain admins – Very infrequently used
    • High Business Impact server admins (HBI)
    • Server Admins
      • SQL admins
      • Exchange Admins
      • SharePoint Admins
      • Server Admins
    • Workstation admins
  • Multi-factor authentication
    • What you know (password, PIN, etc.)
    • What you have (smart card, token, cell phone, etc.)
    • Biometric measurement (fingerprint, retina, etc.)
    • Ensure remote attackers can’t use identity over internet
      • Smart cards can be remotely duplicated
  • Privilege Reduction
    • Why? Because it only takes one privileged account to:
      • Modify GPOs
      • Place malware on DCs
      • SID history manipulation
      • Migration APIs
      • Debugger attacks
      • Disk editors
      • A lot of other bad stuff
    • Eliminate accounts that have both broad and deep privilege
    • Have NO permanent enterprise admins, domain admins, administrators. You SHOULD have to check out the password every time you need to use it.
    • Wells Fargo is a case study for an admin free active directory. If someone gets added, lots of people are paged. Company can function normally!!
  • Role-Based Access Controls (RBAC) for IT
    • Least privilege model for IT operations
  • Use jump servers
    • Domain admins cannot log on to any server or workstation
    • Give each admin their own personal jump box VM and power it down after it is used so cached credentials are not kept.
  • Privileged Identity Management
    • Time-bound, workflow generated, monitored and reported
  • Mechanics of RBAC (IT) and PIM
    • Powerful proxy accounts are NOT preferable
    • Push back on vendors that require “domain admin” or other powerful service accounts. Customers have the power to change vendors’ behavior, not Microsoft.
  • Sample Approaches to secure built-in Administrator Accounts
    • Set administrator account flags
      • Account is disabled
      • Smart card is required for interactive logon (even if you don’t use smartcards)
      • Account is sensitive and cannot be delegated
      • Audit and alert on any changes to account
      • Create/modify domain-level GPO and deny computer access
  • Microsoft offers a whole host of security based services to help implement best practices and help organizations recover from compromises, and help harden against them.
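One way to check the built-in Administrator account against the flags listed above and to look for changes to it, as an added PowerShell example (not from the session or from Microsoft; it assumes the RSAT ActiveDirectory module and rights to read the Security log on the domain controllers):

```powershell
# Added example, not from the session. Assumes the RSAT ActiveDirectory module and
# permission to read the Security event log on every domain controller.
Import-Module ActiveDirectory

function Get-BuiltinAdminAccount {
    # The built-in account is always <domain SID>-500, whatever it has been renamed to,
    # so look it up by SID instead of trusting the name "Administrator".
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Enabled, SmartcardLogonRequired,
        AccountNotDelegated, PasswordLastSet, LastLogonDate
}

function Get-BuiltinAdminPosture {
    # One finding per flag from "Set administrator account flags" above.
    $acct = Get-BuiltinAdminAccount
    $findings = [ordered]@{
        'Account is disabled'                 = -not $acct.Enabled
        'Smart card required for logon'       = [bool]$acct.SmartcardLogonRequired
        'Account is sensitive, not delegated' = [bool]$acct.AccountNotDelegated
    }
    [pscustomobject]@{
        SamAccountName  = $acct.SamAccountName
        LastLogonDate   = $acct.LastLogonDate
        PasswordLastSet = $acct.PasswordLastSet
        Compliant       = -not (@($findings.Values) -contains $false)
        Missing         = @($findings.Keys | Where-Object { -not $findings[$_] })
    }
}

function Set-BuiltinAdminFlags {
    # Applies the three flags; supports -WhatIf so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $acct = Get-BuiltinAdminAccount
    if ($PSCmdlet.ShouldProcess($acct.DistinguishedName, 'Disable, require smart card, mark not delegatable')) {
        Set-ADUser -Identity $acct -Enabled $false -SmartcardLogonRequired $true -AccountNotDelegated $true
    }
}

function Get-EventField {
    # Pulls one named EventData field out of a Security event's XML.
    param($Event, [string]$Name)
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-BuiltinAdminChanges {
    # "Audit and alert on any changes": account-management events are written on the DC
    # that processed the change, so every DC is queried. Needs the "User Account Management"
    # audit subcategory enabled (check with: auditpol /get /subcategory:"User Account Management").
    param([int]$Hours = 24)
    $targetSid = (Get-BuiltinAdminAccount).SID.Value
    $filter = @{
        LogName   = 'Security'
        Id        = 4722, 4724, 4725, 4738   # enabled, password reset, disabled, changed
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            # Match on the event's TargetSid field rather than on a display name.
            Where-Object { (Get-EventField $_ 'TargetSid') -eq $targetSid } |
            Select-Object TimeCreated, Id, MachineName,
                @{ n = 'Actor'; e = { Get-EventField $_ 'SubjectUserName' } }
    }
}

Get-BuiltinAdminPosture | Format-List
Get-BuiltinAdminChanges -Hours 24 | Format-Table -AutoSize
```

Run `Set-BuiltinAdminFlags -WhatIf` first to see what would change; the "deny computer access" GPO step in the notes is not covered here and still has to be done in Group Policy.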

WCL286: Windows 8 Malware Resistance

This was a REALLY great session on the significant advances Microsoft has made in Windows 8 to increase its security posture. They claim whole classes of attacks have been mitigated by a combination of Windows 8 and hardware features such as UEFI and TPM. There are other security features that don’t rely on the very latest hardware, such as much stronger ASLR and DEP for OS components. Although not specifically mentioned in this session, Windows Server 2012 is built on the same code base so many of the features mentioned below apply to WS 2012 too.

Note, if you are thinking of virtualizing Windows 8 for VDI, there is no hypervisor that can virtualize a TPM module. So you will not get a lot of the benefits of trusted boot, measured boot, and remote attestation that you get with physical Windows 8 instances on appropriate hardware. So if you will be using Windows 8 for VDI, make sure you understand what security features you cannot take advantage of and how the loss of those features will affect your security posture.

One cool scenario that is possible with a physical Windows 8 instance, UEFI, TPM and a Windows Server 2012 file server is the ability of the file server to validate the health claim of the Win8 client before it allows access to the file share. The validation utilizes secure boot, measured boot, and other features to ensure an extremely high degree of confidence that the OS has not been tampered with and is trusted. But this remote attestation is only available on physical Windows 8 clients with UEFI and a TPM. So VDI implementations will not be able to use this powerful security feature.

The speakers had a lot of jam packed slides, so I didn’t get all of the information written down. If you have access to the recorded session on Channel 9 or MyTechNet, I strongly urge you to listen as it will be a well spent 75 minutes, if you value security in the enterprise.

Session Summary:

  • Windows 8 Investments in client security
    • Protect and Manage threats
    • Protect Sensitive data
    • Protect Access to Resources
    • Microsoft spent more on security in Windows 8 than any previous OS
    • “Groundbreaking” malware resistance
    • Pervasive device encryption
    • Modernized Access Control – Virtualized smart cards (no longer need a physical card); Dynamic access control
  • Challenges that we can face in combating malware
    • Vulnerabilities can be minimized but not completely eliminated
    • Malware can compromise a PC before it starts
    • Malware can compromise anti-malware by tampering with it or starting before it
    • Malware can hide from anti-malware software
    • Anti-virus is always playing catch-up with latest malware
  • Secure Hardware
    • Why UEFI?
      • What is UEFI? An interface that is built on top of and replaces the legacy BIOS
      • Key benefits: Architecture-independent
      • Key security features: Secure boot, encrypted drive support for Bitlocker, Network unlock support for Bitlocker
      • Windows certification requirement on Windows 8 certified devices
    • Trusted Platform Module 2.0
      • TPM value proposition – Enables commercial-grade security via physical and virtual key isolation
      • TCG standard evolution: TPM 2.0
        • Algorithm extensible allows deployment in additional countries (China, Russia)
      • Windows 8 TPM support enables implementation choice
        • Discrete TPM
        • Firmware-based (Intel’s Platform Trust Technology)
    • Feature Usage of TPM in Windows 8
      • Bitlocker: volume encryption
      • Bitlocker: Volume network unlock
      • Measured boot
      • Virtual smart cards
      • …More
  • Securing the Code and Core
    • Preventing vulnerabilities – Software Development Lifecycle
    • Tools: Threat modeling, Static Code Analysis, Fuzzers
    • Reduce the ability to exploit vulnerabilities
      • Analyzed telemetry to determine requirements
      • Add mitigations to reduce the impact of exploits
      • ASLR, DEP, Windows Heap, process integrity levels. ASLR has been VASTLY improved in Windows 8 (higher entropy), applied to a broader memory space and to critical OS. DEP has been greatly increased as well, and now OS has much broader DEP protection.
      • MS says the IQ of an attacker will need to be much higher to combat these new security enhancements. Quite different from what’s in Windows 7.
  • Securing the Boot
    • Legacy boot: BIOS, OS Loader (Malware), OS Start
    • UEFI Secure Boot: Native UEFI, Verified OS Loader Only, OS Start
      • The firmware enforces policy, only starts signed OS loaders
      • OS loader enforces signature verification of Windows components.
    • Securing and Maintaining UEFI
      • UEFI is secure by design
        • UEFI firmware, drivers, applications and loaders must be signed
        • UEFI database lists trusted and untrusted keys, CAs and image hashes
        • Secured rollback feature prevents rollback to insecure version
        • Untrusted option ROMs can not run
      • Maintaining UEFI with Windows Update
        • Updates to UEFI firmware, drivers, applications and loaders
        • Revocation process for signatures and image hashes
      • UEFI remediation
        • UEFI able to execute UEFI firmware integrity check and self-remediate
        • UEFI able to recover Windows boot manager if integrity checks fail
    • Trusted and Measured Boot
      • Trusted Boot
        • End to end boot process protection
          • Windows operating system loader
          • Windows system files and drivers
          • Anti-malware software
        • Ensures and prevents
          • A compromised OS from starting
          • Software from starting before Windows
          • 3rd party software starting before anti-malware
        • Automatic remediation/self healing if compromised
      • Measured Boot
        • Creates a comprehensive set of measurements based on trusted boot execution
        • Can offer measurements to a remote attestation service for analysis
      • Trusted Boot: Early Load anti-malware
        • Windows 7 Legacy Bios -> OS Loader (malware) -> 3rd party drivers (malware) -> Anti-malware start -> Windows logon
        • Windows 8: Native UEFI -> Windows 8 OS Loader (signed) -> Anti-malware start (signed) -> 3rd party drivers -> Windows Logon
        • Secure boot loads anti-malware early in the boot process
        • Runs WinRE in the background and does extensive remediation checks and pulls trusted binaries out of the trusted store. No prompts, no user interaction used. Completely automated.
      • Measured Boot
        • Windows 7: Bios (measured)-> MBR & Boot sector (measured)-> OS Loader (measured) -> Kernel initialization -> 3rd party drivers -> anti-malware software start
          • Measurements of some boot components evaluated as part of boot
          • Only enabled when bitlocker has been provisioned
        • Windows 8: UEFI (measured) -> Windows 8 OS Loader (measured)-> Windows Kernel & Drivers (measured) -> Anti-malware software (measured) -> 3rd party drivers -> Remote attestation
          • Measures all boot components
          • Measurements are stored in a TPM
          • Remote attestation is now available
        • Remote attestation allows a file server (for example) to validate that only trusted computers with a health claim can gain access.
    • Securing After the Boot
      • Protecting the system from known and unknown threats
        • Windows Defender is now a full fledged product
        • Protects against full range of malware, not just adware or malware
        • Real-time active protection
        • High performance
        • Optimized for the user experience
      • System Center Endpoint Protection (SCEP) adds manageability
        • Shares same anti-malware engine with Windows defender
    • Securing the System Post Boot – Metro Apps
      • Windows store contains Trustworthy Apps
        • ISV onboarding and app screening process
        • Community based ratings and reviews
      • Installation
        • Handled completely by the OS
        • Discrete and private location for each app
      • Application capabilities
        • Run with low privilege
        • Access to Resources
        • Contracts – Apps can advertise their service to other apps or OS
    • Internet Explorer 10 – Smart Screen
      • Application reputation has been moved into core
      • Protects users regardless of browser, mail, IE, etc. client
    • Internet Explorer 10 – Enhanced protected Mode
      • Difficult to exploit due to ASLR
      • Tabs and Process Isolation
      • Requires user interaction to gain access to user data
      • Do Not Track (DNT) capability
  • Windows Editions and Device Considerations
    • All Windows editions contain basic new security features (trusted boot, smartscreen, etc.) but other features like Bitlocker are only on Professional and higher
    • Windows RT always uses device encryption powered by Bitlocker
    • Windows 8 certified devices will have UEFI, and need TPM 2.3.1 for secure boot
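A quick way to see which of the boot protections above a given Windows 8 machine can actually use (and whether it is a VDI guest that loses the TPM-based ones), as an added PowerShell example that is not from the session. It assumes the SecureBoot, TrustedPlatformModule and BitLocker modules that ship with Windows 8 / Server 2012, must run elevated, and detects virtual machines by the SMBIOS model string, which is a heuristic of mine rather than a Windows API:

```powershell
# Added example, not from the session. Run elevated on the machine being checked.
# Assumes the Windows 8 / Server 2012 SecureBoot, TrustedPlatformModule and BitLocker
# modules. VM detection by manufacturer/model string is an assumed heuristic, not an API.

function Test-VirtualMachine {
    # Hypervisors identify themselves in the SMBIOS system information.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $text = "$($cs.Manufacturer) $($cs.Model)"
    [bool]($text -match 'Virtual Machine|VMware|VirtualBox|KVM|QEMU|Xen|HVM domU')
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; report that as 'LegacyBIOS'.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        'LegacyBIOS'
    }
}

function Get-TpmState {
    # 'Ready' means present, owned and usable for BitLocker, virtual smart cards and measured boot.
    try {
        $tpm = Get-Tpm
        if (-not $tpm.TpmPresent) { 'Absent' }
        elseif ($tpm.TpmReady)    { 'Ready' }
        else                      { 'PresentNotReady' }
    } catch {
        'Unavailable'   # TPM module not loaded or no TPM driver
    }
}

function Get-BootProtectionPosture {
    $isVm = Test-VirtualMachine
    $sb   = Get-SecureBootState
    $tpm  = Get-TpmState
    $vol  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bl   = 'NotAvailable'
    if ($vol) { $bl = $vol.ProtectionStatus.ToString() }
    [pscustomobject]@{
        IsVirtualMachine         = $isVm
        SecureBoot               = $sb
        Tpm                      = $tpm
        OsDriveBitLocker         = $bl
        # The file-server health-claim scenario needs physical hardware, UEFI secure boot
        # and a ready TPM; a VDI guest fails this even when the OS image is identical.
        RemoteAttestationCapable = (-not $isVm) -and ($sb -eq 'Enabled') -and ($tpm -eq 'Ready')
    }
}

Get-BootProtectionPosture | Format-List
```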

DBI328: Building the Fastest SQL Servers

Brent Ozar, Microsoft Certified Solutions Master (MCSM), www.brentozar.com

This was a REALLY great session that was both practical and filled with great technical details and good take away information. #1 takeaway is “TempDB is like a public toilet: You never know what’s in there.” LOL Clearly Brent Ozar knows his stuff, and has a ton of resources on his web site. This session was focused on building the fastest SQL server possible, and making it easy. If you are a DBA or run SQL in your environment (and who doesn’t if you are a MS shop), even if you don’t need blazing speed, this session had a lot of good sizing and performance tips. Below are several links to additional resources on his site:

SQL Server Setup Checklist
SQL Perfmon Counters
SQL Virtualization Best Practices
SQL IO Performance Testing
SQL 2012 Data warehouse reference design

He was flying through the slides and they were packed with content, so I didn’t get everything down. If his session is posted on Channel 9, check it out. His slides weren’t posted when I wrote this, so I can’t fill in the missing details. Even if you aren’t using the reference hardware in some of the links below (like HP and Dell) it still gives you great sizing and performance data you can translate to your own hardware.

  • How Microsoft Designs SQL Server Appliances
    • Systematically review thousands of SQL servers
    • Distill use cases down to a few common patterns
    • Choose HW components that are very likely to work great for those patterns
    • Publish an incredibly detailed test checklist to make sure the hardware is working as designed
  • Session Agenda
    • Define common SQL server use patterns
    • Understand the right hardware for a pattern
    • Recognize the server designs we can reuse
    • Learn how to test our own hardware
  • Define common SQL server use patterns
    • OLTP: Transactional Processing
      • How it’s accessed: Inserts
    • Data warehousing
      • Loaded in short windows overnight, then read-only with big reads through the day for reports
      • Just a few tables, but many historical records in each table, and often over 1TB of data
      • 10 years of sales history, stock prices, patient history, etc.
    • The real difference: OLTP (batch user requests per second) wants it to finish instantly, data warehouse can wait a bit longer (say 30 seconds)
  • The Right Hardware for Pattern OLTP
    • Hardware at its simplest: Memory 64GB, Drives 100GB, CPU
    • OLTP scenario: 50GB table
    • Right hardware for the fastest OLTP
      • Instant queries = cache all data in memory
      • Minimize data size (drop extra indexes)
      • Wide stripe data across all drives in the array (even log files)
    • Instant transactions = blazing fast log file
      • SSD RAID10 for multiple databases
      • Can get away with dedicated RAID10 magnetic for single DB
    • Avoid locking issues = blazing fast TempDB with RCSI
      • Read committed snapshot isolation
      • Bing: TempDB files SGAM contention – Multiple files for TempDB (1/8 to 1/4 the number of cores = 1 TempDB files); E.g. 16 cores = 4-8 data files
      • DO count hyperthreads as cores for this calculation
    • I didn’t say blazing fast data drives
      • Once the data is in cache, data drive speed rarely matters
        • SQL server restarts will mean slow performance
        • Aggressively monitor data size, memory size
        • When you run out, things get ugly fast
      • Bottom line: Cache the whole DB in memory and not much else matters
  • The Right Hardware for Pattern Data warehouse
    • Hardware at its simplest: 256GB memory, 1TB drives, CPU
    • Instant queries = Maximize memory size
    • Minimize data size (drop extra indexes, right-size fields)
    • See data warehouse links at the beginning of this article
    • Maximum CPU core consumption Rate (MCR) 200MB/Sec good rule of thumb
  • Reference Material
  • Test Storage Quickly with CrystalDiskMark
    • Pick 5 tests, 4000MB test file, drive letter
    • Only look at the sequential and 4K QD32 (queue depth) results
    • Sequential: Roughly akin to backups, large table scans
    • 4K QD32: Vaguely similar to active OLTP server or TempDB
    • MCR is most similar to Sequential read metric
  • Test Storage Slowly with SQLIO
    • See link at start of article for SQLIO tips from Brent
    • Lots of possible options; collect the whole set
    • Use a test file larger than your SAN’s cache (say 20GB)
    • Don’t run on a live server
    • Only look at these numbers from the output: IOs/Sec and MBs/sec (MCR)
    • Test drives of different sizes, but you don’t need to test all drives
  • Your Goals
    • Test with CrystalDiskMark to get a quick idea
    • Try two simultaneous CrystalDiskMark tests against two different drive letters to see if your multipathing works
    • When that works, amp up to SQLIO and really push it
  • How to Reduce Storage Throughput Needs
    • Keep memory free for SQL server data caching
    • Merry-go-round scans with SQL server enterprise edition make a huge difference in storage performance and throughput
    • Give OS 10% of the total server memory, or 4GB, whichever is GREATER
  • Defined common SQL server use patterns
    • OLTP: I want the query to finish instantly
    • DW: I want the query to finish in 30 seconds
  • Very important to perform SQLIO performance baseline…EXTREMELY IMPORTANT
  • If you virtualize, only use one instance per VM.

WCL290: App-V 5.0 What’s New

This was a great session on the new enhancements in App-V 5.0. The App-V 5.0 beta is now out, so you can give it a spin around the virtual block. Immediately you will see that both the admin console (which is now a web page) and the client feature the Metro UI. Under the covers there are a lot of changes, and they will really help you if you are using App-V with VDI. One of the biggest changes is that no longer does App-V use the Q drive, or any drive, for that matter! Also gone is the 4GB package size limit, and there is now full PowerShell support. If you are using App-V 4.6 or looking at virtualizing applications, you must check out the beta.

Full Session notes:

  • Session Agenda
    • Managing App-V 5.0
    • Virtual Application Connection
    • Virtual Application Execution
    • Shared Content Store
  • Server App-V just released (see MMS 2012 presentation for more details)
  • App-V 5.0 beta is now out so go check it out
  • App-V 5.0 Pillars
    • Integrated Platform
      • Virtual applications work like installed applications – Virus scans now work
      • Virtual applications use Windows standards
      • No dedicated letter required
    • Flexible Virtualization
      • Multiple App-V applications can share the same environment
      • Designed to support highly integrated applications
      • Preserve existing investment in App-V
    • Powerful Management
      • New web-based management interface
      • Optimized for VDI with one workflow for updating the shared content cache
      • Rich PowerShell scripting allows automation and customization
  • Key Changes between 4.6 and 5.0
    • 4.6: Uses dedicated drive letter (Q drive), 5.0: no more dedicated drive
    • 4.6: 4GB package limit, 5.0: no more 4GB limit
    • 4.6: Isolated from local applications, 5.0: Virtual application extension (OS talks to native apps)
    • 4.6: Share middleware with dynamic suite composition, 5.0: Share peer applications with virtual application connection
    • 4.6: Read-only shared cache supports VDI, 5.0: Shared content cache can be updated with normal workflow (no more hoops to jump through)
    • 4.6: limited command-line scripting, 5.0: Rich PowerShell scripting for sequencer, client and server
    • 4.6: installed management console, 5.0: web based console (built on Silverlight)
  • App-V 5.0 Packaging
    • New package format
    • Similar UI to 4.6 SP1 but very different under the covers
    • Easily convert 4.5+ packages to the new format (done through PowerShell)
    • New file extension (.appv)
  • App-V 5.0 Dynamic Configuration
    • Modifies a Package’s Virtual environment
      • Virtual subsystem overrides
      • Disable virtual subsystems
      • Script support
    • Dynamic Configuration Types
      • Dynamic deployment configuration
      • Dynamic User configuration
      • Can combine
    • No package update is needed
      • Modify existing package content
      • Add to an existing package
  • Deployment and User Configuration
    • Deployment configuration – File you apply to the package and it applies to all of the users.
    • User Configuration – Affects the user on the machine, per user per package. Uses the same package file, but a different configuration file.
  • Virtual Application Connection
    • Creates virtual bubbles that applications can share, such as apps with complicated dependencies
    • Examples include Word and Visio. Now you can edit a Visio diagram in Word.
    • Easily create application connections within the management GUI. No package changes are needed.
    • A package can be in multiple package groups (e.g. Java)
    • Configuration is separate from the packages (XML file)
    • System Center 2012 SP1 will fully support App-V 5.0
    • Fully manageable with PowerShell
  • Virtual Application Extension
    • Extension point is registered natively with Windows
    • Global visibility – native to virtual, virtual to virtual
    • Supported Subsystems:
      • Shortcuts
      • File Type Association
      • AppPath
      • URL protocols
      • Software clients
      • COM local servers
    • No configuration needed to get this to work (e.g. click on a link in IE to automatically open Outlook using the URL mail protocol hook)
    • Best Practices
      • Is the interaction well defined? Does the OS or a native application need to interact with the Virtual Application?
      • Application connection – Use for virtual-to-virtual
  • Shared Content Store
    • Store applications centrally
    • Save disk space in VDI/RDS
    • Applications are excluded from the shared store
    • Applications can be updated per the usual process

DBI317: Optimizing SQL in a Virtual Environment

Denny Cherry, Independent Consultant (www.mrdenny.com @mrdenny)
vExpert 2012, Microsoft Certified Master, MVP

This session covered some helpful tips for virtualizing SQL server, be it on Hyper-V or VMware. Yes you can virtualize SQL and still get excellent performance. But there are some special considerations that you need to be aware of. Most of the tips apply to many applications, but some are SQL specific. The speaker’s slides and commentary were pretty high level, so this wasn’t quite as technical as I was expecting.

Session summary:

  • High level Topics
    • Diagnosing Performance Problems
    • Balloon Memory Drivers
    • Memory deduplication options
    • Storage Configuration options
  • Diagnosing Performance Problems
    • Check host and Guest CPU numbers
    • Check host for CPU thrashing
    • Check host and guest for disk IO latency
    • On VMware check % Used and % Rdy time
  • Balloon Memory Drivers
    • Only does something when the host is out of memory. Under normal conditions it does nothing.
    • Prevents host from paging physical memory to the host’s swap file
    • Should be enabled
    • Lock pages in memory within the SQL server config should be disabled unless enabled for a specific reason
  • Memory reservations
    • Recommended that it be set to a portion of the allocated memory (SQL server + some for OS)
  • Memory deduplication Options
    • Great for OS memory
    • Doesn’t work at all for SQL server
    • Doesn’t hurt performance, but don’t count on it to conserve host memory
  • Storage Configuration Options
    • IO is the same if the disks are physical or virtual
    • Use automatic tier adjusting technology if possible except for SQL logs (use RAID 10)
    • Keep OS, data, logs, tempdb on separate disks
    • Use 64K NTFS allocation size
    • Make sure partitions are aligned (default in Server 2008 and later)

TechEd 2012 Content on Channel 9

For those of you that didn’t attend TechEd 2012, some of the content is available on Microsoft Channel 9. You can check it out here. Some killer content this year, so be sure to check out the sessions of interest to you and tune in!

MGT312: Deep Application Management with MS SC Configuration Manager 2012

This was a good session about Configuration Manager 2012, and the new (more modern) way to deploy applications to the enterprise. Gone is the ‘package’ model (well not gone, you can still use it) but in is the new Application model. It’s built for the 21st century and how users are consuming IT services. Some goodies about what’s coming in Configuration Manager 2012 SP1 were also leaked. Such as (drum roll)…support for Mac OS X application deployment, and deploying Metro 8 style apps directly from the Microsoft Store without repackaging! Support for App-V 5.0 will also be included as well. Yipppeee!

      Session summary:

      • Need for a new application model
        • End users are changing the way they do work – Ultra mobility, lots of devices, new generation with new expectations
        • Apps are changing – AppV, SaaS, Datacenter hosted (VDI, remote apps), mobile apps
        • SC 2012 re-wrote the definition of an app
      • User-Centric Application Delivery
        • General Info: Administrator Properties, end user metadata
        • Deployment Type: Detection method, install command, requirement rules, dependencies, supersedence
        • Application package: App-V, Windows Script, Windows Installer, CAB
      • User-targeting – Much smarter targeting (only primary devices, not kiosk, not a conference room computer, etc.)
      • State-based application management
        • Detection method should determine if any action should take place
        • Install/Uninstall
        • Regular evaluation to check for and enforce compliance
        • Rules determine applicability of software
          • Rules are per-deployment type
          • Evaluated in real time on the client
        • If present or not applicable, don’t download content
        • Detection method is a new concept in CM 2012
      • Requirement Rules
        • Properties of users or devices (e.g. memory, disk space, OS type, etc.)
        • Evaluated in real time on the client
        • Evaluated before content is downloaded
      • Global Conditions
        • Foundation of requirements rules
        • Properties of users and/or devices that make delivering software appropriate
        • Global conditions are system artifacts (e.g. don’t install on personal devices, or not on tablets)
        • Global expressions (mix and match with and/or rules to build complex requirement rule)
      • Rich Application Relationships
        • Dependencies and supersedence
        • 1 to n dependencies
        • And/Or expressions as well
      • Content Distribution
        • Distribution Point Groups – Automatic distribution of content to DPs
        • Distribute Content Wizard – Multiple packages to multiple DPs at once
        • Content Library
        • Bandwidth control
      • Content Monitoring
        • Progress of distribution
        • Ability to validate content on a distribution point
        • Updates package compliance in the monitoring node
      • Application Deployment
        • Replaces “Advertisement” from 2007 and earlier
        • Two deployment purposes (required or available)
        • Two actions: Install or uninstall
      • User Device Affinity
        • User can set affinity, IT can set affinity, multiple devices can be primary
        • Import from CSV file, can set at OS deployment time, during mobile device enrollment, or manually by administrator
      • On Demand installation – Real time installation, don’t have to wait for advertisement or a timer
      • Built-in Deployment types
        • MSI
        • Script
        • App-V
        • Windows Mobile 6.x
        • Nokia
        • Citrix XenApp connector under development
      • App-V Configmgr 2012:
        • Requires App-V 4.6
      • Coming CM 2012 SP 1
        • Windows 8 Metro Apps
        • Deep Links – Reference from CM into Microsoft Store. Admins do not need to repackage
        • Mac OS X Applications- DMG, MPKG, PKG, .APP
        • App-V 4.6 SP2 Support – Windows 8
        • App-V 5.0 support
          • Connection groups (Lync and Office, Word and Visio, etc.). Allows the applications to communicate with each other in the virtual sandbox
          • Create within CM console
        • PowerShell Provider

      WSV307: Windows Server 2012 IP Address Management

      This was a great session on the all new IPAM (IP Address Management) feature that comes free with Windows Server 2012. Gone are the days of managing your IP address space with Excel spreadsheets. Say hello to automatic DNS, DHCP, and AD server discovery so you can centrally track and manage your IP addresses, DHCP scopes, DHCP options, DHCP reservations, and static IPs, and tag entries with your own metadata. Tag your CEO’s iPAD (err.. Windows 8 RT tablet) in IPAM, for example, then sync that data into MS Service Manager. Or track the history of an IP address through DHCP renewals and user logons.

      For a version 1.0 product this has a lot of features that will immediately make it useful for organizations. I hope in a future service pack or R2 release that they will automate the integration with SCOM, VMM, Service Manager, and AD sites/services for a truly comprehensive IP address management solution. The service is super easy to install and does not require a SQL server. The PowerShell interface lets you easily import/export data so you can script integration with the aforementioned products (SCOM, VMM, SM, ADDS).

      Session highlights include:

        • What is IPAM? IP Address Management (IPAM) complements the MS DHCP and DNS offerings.
        • Comes as a feature in the box with Server 2012, with no additional cost
        • Understanding IPAM
          • Examples of problems IPAM helps with: tracking an organization’s IP addresses, finding free IP addresses, a DHCP scope that is full, etc.
          • IPAM Options – 1) Spreadsheets 2) In-House tools 3) Commercial appliances 4) WS 2012 IPAM
        • WS 2012 IPAM Overview
          • Address space management (ASM)
          • Network Discovery (DNS, DHCP, DCs)
          • Multi-server management – Centralized console
          • Visibility and audit – Track and audit changes for compliance
          • Components and Interactions
            • IPAM Server – Uses the built-in Windows Internal Database (WID), a SQL-like database
            • IPAM client – Win8 w/ RSAT or WS 2012
            • Agentless for DHCP, DNS, DC, NPS server
            • 5 roles for access control (IPAM Administrators, IPAM Address manager administrators, MSM Administrators, users, audit administrators)
            • Supports distributed deployment and windows backup/restore
            • Can import data from an external source/system
            • IPAM external data integration
              • Import CSV via GUI with any number of fields
              • PowerShell to pull data and export data
            • Configurable utilization warning thresholds
              • Find and Allocate an IP address – Tries to ping the IP address, then looks at DNS to see if the address is in use.
            • Address Space Management (ASM) Features
              • Can set an expiration date for an IP address if you wish
              • Can create and delete DNS host records from the console
              • Correlates DHCP renewals, user logons
              • Can create DHCP reservations directly from the console
              • Plan, allocate, monitor, track IP addresses
              • Multi-server management (MSM) Features
                • Launch MMC directly from the IPAM console to manage features not in the IPAM GUI
                • Monitor server availability and health
                • Multi-select scopes and reconfigure an item (say DNS server) across multiple servers
                • DNS zone monitoring through IPAM
                • Find and replace feature for DHCP scopes (e.g. find a DNS server IP and replace it with a new IP across all scopes)
                • Monitor DHCP scope utilization
                • Track DHCP configuration changes
                • External Data Integration from AD Directory Services
                  • Import/export from GUI
                  • Import/Export from PowerShell
                • IPAM SC VMM Integration
                  • SC 2012 SP1 VMM can send data to IPAM (one-way)
                • Supports IPv4 and IPv6
                • Audit who, what and when
                • Audit IP address/user/machine activity
                • Real-time allocation and usage trends
                • Agentless architecture
                • Custom meta-data
                • Powerful filter/search
                • PowerShell support is somewhat limited (mostly import/export)
                • Scales up to several 100,000 addresses
                • Export IPAM information into Service Manager so you know which device is which (e.g. tag a device in IPAM as the CEO’s iPAD)
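The "find and allocate" check above (ping, then DNS) is easy to reproduce, and seeing it as a script makes its blind spot obvious. This is an added example, not the IPAM feature's own code: it runs the same two checks over a candidate range and adds a third, a DHCP lease lookup, so a host that simply drops ICMP is not handed out as free. The DHCP server name, scope ID and address range are assumptions.

```powershell
# Added example (not from the session or from IPAM itself). Mirrors the IPAM
# "find and allocate" logic (ping, then DNS) and extends it with a DHCP lease
# check. $dhcpServer, $scopeId and the 10.20.30.x range are assumed values.

$dhcpServer = "dhcp01.corp.example"     # assumed DHCP server
$scopeId    = "10.20.30.0"              # assumed DHCP scope
$firstHost  = 10; $lastHost = 40        # assumed candidate range 10.20.30.10-40

# Active leases and reservations for the scope (WS 2012 DhcpServer module),
# keyed by address string so lookups below are O(1).
$leased = @{}
Get-DhcpServerv4Lease -ComputerName $dhcpServer -ScopeId $scopeId |
    ForEach-Object { $leased[$_.IPAddress.IPAddressToString] = $_ }

function Test-AddressInUse {
    param([string]$Ip)
    # 1) Ping, exactly as the session describes IPAM doing.
    if (Test-Connection -ComputerName $Ip -Count 1 -Quiet) { return "ping reply" }
    # 2) Reverse DNS: a PTR record means the address was registered to a host.
    $ptr = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction SilentlyContinue
    if ($ptr) { return "PTR $($ptr.NameHost)" }
    # 3) Extra check beyond IPAM's two: a lease or reservation means the address
    #    is spoken for even if the client is off or silently drops ICMP.
    if ($leased.ContainsKey($Ip)) { return "DHCP lease ($($leased[$Ip].AddressState))" }
    return $null
}

$results = foreach ($n in $firstHost..$lastHost) {
    $ip  = "10.20.30.$n"
    $why = Test-AddressInUse -Ip $ip
    [pscustomobject]@{ Address = $ip; InUse = [bool]$why; Evidence = $why }
}
$results | Format-Table -AutoSize

# Absence of evidence is not proof of a free address: a statically addressed
# host behind a firewall that drops ICMP, with no PTR record, still passes all
# three checks. That is why the "correlates DHCP renewals, user logons" audit
# trail the session mentions is worth consulting before allocating.
$free = ($results | Where-Object { -not $_.InUse } | Select-Object -First 1).Address
"First apparently free address: $free"
```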

            WCL306: Enhancing User State Virtualization through MDOP

            Anthony Smith, Senior Product Marketing Manager, Microsoft
            Briton Zurcher, Senior Program Manager Lead, Microsoft

            Microsoft has had roaming profiles for over a decade, but in today’s world they are no longer adequate and come with a lot of headaches. Microsoft UE-V (User Environment Virtualization) transforms the roaming profile into a sleek user virtualization solution that allows IT to selectively roam specific settings between machines and operating systems, in real time. No longer do you need to log off a computer to synchronize profile settings back to a server. No longer are you limited to only roaming between the same flavor of OS. No longer do logons download 100MB of profile junk.

            UE-V operates on demand and at application runtime, and supports Windows 7, Windows 8, Server 2008 R2, and Server 2012. Think of it as a very lite AppSense, similar in nature but included free in the Microsoft MDOP package. No server side infrastructure such as a database is required, only a simple file share like a user’s existing home directory. Release date was not disclosed, but I suspect it will be later this year as beta 1 is now out, and beta 2 is due by the end of June 2012. Although it is fairly bare bones, it looks like a good free solution to help lessen the pain of roaming profiles. If you need an industrial strength solution, then third-party solutions like AppSense could be an option as well.

            Session summary:

            • UE-V (User Environment Virtualization) Beta 2 will be available by the end of June 2012
            • Why? Unique workstyles, desktop virtualization, more mobile, multiple devices
            • Roaming for flexible workstyles – Do not need to logon/logoff to roam settings between machines
            • UEV benefits: Roam app experience regardless of deployment method, and just target the apps you want to roam. OS experience roams between versions (Win7, Win8, Server 2012, etc.), very little infrastructure required, integrates with desktop virtualization products (App-V, etc.)
            • Change the device but keep the experience, enable a personal experience across many devices
            • UE-V Capabilities
              • No longer reconfigure the OS and applications on each device
              • Works across physical and virtual deployment methods
              • Roam settings between Windows 7 and Windows 8 in beta 2, and Server 2008 R2 and WS 2012 remote app servers
              • Operates in offline mode when disconnected
              • This does NOT roam the user data – Use folder redirection for that
              • Smart policies determine experience synchronization
                • Only loads desktop experience at logon
                • Application experience loads on demand at app open time
                • When you close out the app, it synchronizes back to the central server
                • Settings that affect login times are not enabled by default (typically subsecond delay) but you can easily enable this feature
                • Last writer wins in case of collisions, but happens at the OS or application level, not all at once like existing roaming profiles
              • Works with traditional applications, App-V and remote app
            • Simple and Versatile: Choice in what to roam
              • Settings are captured on a per-application basis using settings location templates
              • Templates are XML-formatted
              • How to obtain them: default provided, IT created, community shared
              • Beta 1: In-box templates: Office 2010, IE9, IE10, Windows accessories, themes, ease of access settings
              • Beta 2: IE8, desktop settings (start menu), taskbar, folder options, region/language
              • Some browser settings roam between settings (bookmarks, home page)
              • IT can choose to span roaming settings between app versions if the app supports it
              • Can roam between 32-bit and 64-bit, if they are compatible
              • Office settings will not roam between 32-bit and 64-bit Office installs (separate settings for each flavor)
              • UE-V Generator will autodetect settings that it assumes should roam
              • Only roams settings in HKCU and setting/configuration files
              • Can specify specific files to roam or use wildcards as well
              • Group policy will override UE-V settings if there is a conflict
            • Community shared templates
            • Generator automatically detects registry keys and file locations and you can add/remove others as needed
            • ADMX template for GPO control will be available in Beta 2
            • End point must have access to the XML files to update their template stores. A scheduled task is configured and can be pointed to a file share or local directory
            • PowerShell cmdlets to reload and list available templates (get-uvtemplate). No GUI to re-load templates.
            • Advanced Template Functions – Manually change XML template for now
              • Registry and file Exclusions
              • Suited Application/Common settings support
              • Multiple processes
              • Spanning versions (up to 4)
              • Architecture separation (32-bit or 64-bit)
              • ShellProcess Designation
              • File and registry paths based on known folders, registry values
            • Rollback Settings
              • Per application per machine IT can get the user experience back to when UE-V first saw that application.
              • No snapshot or history preserved, except the state of the very first application launch
              • Could possibly leverage VSS snapshots or backup software to restore interim states. Not officially supported, but should work as the data is simply compressed binary files.
            • Integrated and scalable architecture that requires almost no server infrastructure beyond a file share
            • Agent will store settings in a user’s home directory, hide it and set appropriate permissions
            • May support ThinApp, they are doing validation checks

            WSV329: Architecting Cloud Infrastructure Using Windows Server 2012

            Yigel Edery, Principal Program Manager, Microsoft
            Joshua Adams, Senior Program Manager, Microsoft

            This was a high level overview of various Hyper-V enhancements that, according to Microsoft, make Windows Server 2012 cloud ready. It walked the audience through some architectural considerations to weigh when deciding which technologies you should look at.

            • Windows Server 2012 is Cloud Optimized: Multi-tenant clouds, high scale and low cost datacenters, manageable and extensible
            • Summary
              • Dynamic and multi-tenant: Network virtualization, QoS, performance metrics, Live and Storage migrations
              • High scale and low cost compute: Larger hosts, large VMs, large clusters
              • High scale and low cost network: DCB, SR-IOV, RDMA, NIC teaming
              • High scale and low cost storage: Hyper-V over SMB, ODX, storage spaces, thin provisioning, synthetic fibre channel
              • Manageable and extensible: PowerShell, Hyper-V extensible switch
            • Datacenter Reference Architecture
            • Primary considerations: Workloads, Networking, Storage, Resiliency
            • Understanding Workloads
              • Cloud-aware stateless apps or legacy/stateful apps?
              • Workload performance requirements – 2 socket servers usually offer best ROI, apps networking patterns and the need for SR-IOV, mixing different servers to serve different workloads
              • Are workloads trusted? Level of isolation between workloads, QoS policies
            • Networking
              • Primary considerations: Isolation of traffic flows at physical and virtual level, type of infrastructure, NIC offloads
              • Typical Hyper-V server traffic flows
                • VM traffic
                • Cluster traffic
                • Storage traffic/CSV
                • Live Migrations
                • Management
              • How many NICs do I really need on each server?
                • WS2012: Run everything through the virtual switch, one physical network
                • Use Port ACLs, QoS, DCB and VM QoS to enforce isolation and performance guarantees
              • InfiniBand vs. 10GbE vs. 1GbE
                • 1Gb Ethernet: Adequate performance for many workloads
                • InfiniBand (32Gb and 56 Gb): Very high performance, low latency, RDMA included (SMB 3.0). Needed only when you want extreme bandwidth
                • 10Gb Ethernet: Great performance, RDMA optional, QoS (DCB), new offloads
              • Hardware Offloads for Scalability & Performance
                • HW QoS via DCB
                • RDMA – For SMB storage stack only and optimized for performance
                • Receive Segment Coalescing (RSC)
                • Receive side scaling (RSS)
                • Virtual Machine Queue (VMQ)
                • Guest IPsec Task Offload (IPsecTO)
                • SR-IOV – For raw performance
            • Storage
              • Considerations: Cost/performance, block vs. file, Manageability, vendor preference, existing investments, approach to scaling
              • Storage scaling approaches: Compute and storage scale together (local SAS with storage spaces); Compute & Storage scale independently (iSCSI, FC, RDMA)
            • Resiliency
              • Infrastructure resiliency – VM is not designed to handle failures, so double up all infrastructure. Most common for the enterprise.
              • App-Level Resiliency – VMs designed to handle failures (e.g. guest clustering), or downtime acceptable. Lower end industry standard server, single infrastructure. Most common in cloud providers like Azure and Amazon.
            • Configuration 1: Non-converged Configuration (Traditional Enterprise)
              • Dedicated HBA, Fibre Channel block storage, separate NICs for VM traffic
            • Configuration 2: Converged Datacenter network + File Server Storage
              • 10GbE networks, file server for VM storage
            • Configuration 3: Converged Network and Storage
              • Local SAS storage, but use the extensible network switch over 10GbE
              • Define multiple VLANs
              • Weighted vNIC option is only through PowerShell, not GUI
            • Configuration 4: DAS, Non-clustered Configuration
              • Relies on application for HA
              • Still able to live migrate to another node
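The "run everything through the virtual switch" design only stays safe if the isolation the session lists (VLANs, Port ACLs, QoS) is actually configured, and the weighted vNIC part has no GUI. This is an added example, not Microsoft's or the session's code: it builds the Configuration 3 style converged host network with the in-box Windows Server 2012 Hyper-V cmdlets and fences one tenant VM with Port ACLs. Switch, team, VM and flow names, VLAN IDs, weights and the tenant subnet are assumptions.

```powershell
# Added example (not from the session). Converged Hyper-V network on Windows
# Server 2012: one extensible switch over a 10GbE team, one host vNIC per
# traffic flow with its own VLAN and bandwidth weight, plus port ACLs on a
# tenant VM. All names, VLAN IDs, weights and addresses are assumed values.
Import-Module Hyper-V

$switchName = "ConvergedSwitch"   # assumed switch name
$teamNic    = "Team10GbE"         # assumed NIC team (see NIC teaming above)

# Weight mode shares bandwidth by relative weight instead of fixed caps.
# No default management adapter: each flow gets its own vNIC below.
New-VMSwitch -Name $switchName -NetAdapterName $teamNic `
    -MinimumBandwidthMode Weight -AllowManagementOS $false

# One host vNIC per flow the session lists, each on its own VLAN.
# Weights are relative (they need not sum to 100; here they do for clarity).
$flows = @(
    @{ Name = "Management";    VlanId = 10; Weight = 10 },
    @{ Name = "Cluster";       VlanId = 20; Weight = 20 },
    @{ Name = "LiveMigration"; VlanId = 30; Weight = 20 },
    @{ Name = "Storage";       VlanId = 40; Weight = 50 }
)
foreach ($f in $flows) {
    Add-VMNetworkAdapter -ManagementOS -Name $f.Name -SwitchName $switchName
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $f.Name `
        -Access -VlanId $f.VlanId
    # Weighted vNIC bandwidth: PowerShell only, no GUI (as the session notes)
    Set-VMNetworkAdapter -ManagementOS -Name $f.Name -MinimumBandwidthWeight $f.Weight
}

# Port ACLs on one tenant VM: allow its own subnet, deny everything else so the
# VM cannot reach the management, cluster or storage networks. WS 2012 port ACLs
# are stateless and the most specific (longest prefix) rule wins, so the /24
# allow takes precedence over the catch-all denies. Deny both address families.
$vmName       = "Tenant1-Web01"   # assumed VM name
$tenantSubnet = "10.10.1.0/24"    # assumed tenant address space
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress $tenantSubnet -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress "0.0.0.0/0" -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress "::/0"      -Direction Both -Action Deny
# Layer-2 isolation backs the layer-3 ACL: the tenant VM gets its own VLAN.
Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId 100

# Verify what was applied before trusting it.
Get-VMNetworkAdapter -ManagementOS | Format-Table Name, SwitchName, BandwidthPercentage
Get-VMNetworkAdapterAcl -VMName $vmName
```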