May 13

Reap the rewards of the open-source community courtesy of Douglas Toombs from Windows IT Pro Magazine

Find your free tools:
LocatePC, OCS Inventory NG, PRTG, SIW, SyncBack, TrueCrypt, WinDirStat, Wink

BareTail, Ethereal, FileZilla, NeWT, Ngrep, OpenSSH, WinDump, WinPcap, Winfingerprint

CamStudio, CDBurnerXP, Comodo Firewall Pro, DriveImage XML, GParted LiveCD, JkDefrag, PageDefrag, TestDisk

25 Absolutely Cool, Totally Free Utilities

written by dcaddick

May 12

So I apologise in advance that this news was out about a month ago, but thought it worth reposting because of the security implications - there are a lot of traps for the unwary and if you are in any doubt you might want to head over to http://www.scambusters.org/ to check if it’s real or not?

Flash ads bearing malware plague popular sites

By Scott Dunn
A Flash-based advertisement that appeared last week on the USA Today site downloaded malicious code to users’ computers, generating erroneous warnings of a malware infestation and offering a phony solution.
The Flash vulnerability is so widespread that such "malvertisements" may be present on thousands of sites, but there are measures you can take to reduce your exposure.

Just opening the page puts you at risk

Visitors to USAToday.com last Thursday got more than they bargained for. A hacked Flash advertisement meant that merely viewing a page in your browser was capable of triggering a malware attack on your PC. According to an alert on the security site Websense, the ad can take control of the browser without any user interaction at all.

Two days after the ad appeared on the USA Today site, two prominent Utah-based news sites, DeseretNews.com and SLTrib.com, were found to have similarly dire banner ads. These ads directed users to various unexpected locations, including the site for AntiSpywareMaster. This destination has been called a "corrupt anti-spyware parasite" and a "fake program" by the RDV Group, a safe-computing organization.

News sites aren’t the only victims of what Sandi Hardmeier, who authors the blog Spyware Sucks, calls "malvertisements." The ads themselves may appear perfectly harmless, notes Hardmeier, who’s been recognized as an MVP (Most Valued Professional) by Microsoft. "The criminals behind such malvertisements . . . have no shame," she writes, "impersonating everything from WeightWatchers to Oxfam."

Advertisements are not the only source of the problem. The principal conveyors of this malicious code are Flash animations (or .swf files), which are commonly used to create intro screens, online video, and other Internet content in addition to Web ads.

Of particular concern are Flash files that are vulnerable to insertion of malicious code using a technique called cross-site scripting, or XSS.

This vulnerability was widely publicized earlier this year by Google researcher Rich Cannings and his co-authors in their book Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions. According to a report in the U.K.–based tech-news site The Register, a Web search revealed more than 500,000 vulnerable files on major Web sites.

A permanent fix is a long way off

Makers of Flash-building tools, including Adobe, Autodemo, TechSmith, and InfoSoft, quickly updated their development environments to patch the holes, according to a March story in The Register. But because many of the vulnerable files have to be regenerated from scratch, a titanic number of high-risk Flash files remain online.

Speaking at last month’s CanSecWest security conference in Vancouver, B.C., Cannings estimated that over 10,000 sites host the risky files, The Register reported.

But that estimate may be low. In his security blog, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, writes that "potentially hundreds of thousands" of Web sites could be at risk. "Reasonably workable fixes are going to be a long time coming," he adds.

Even diagnosing the problem can be a challenge, notes Spyware Sucks’s Hardmeier. She points out that advertising commonly appears on Web sites in one of two ways: either the Web site’s staff handles its own advertising and posts the ads directly, or the site is served ads from an advertising network, which typically manages the content.

Unfortunately, it isn’t always easy for sites or advertising networks to detect problem ads. "Malvertisements are coded to exclude particular IP addresses, cities, states, and even entire countries," Hardmeier explains. "It is standard operating procedure for a malvertisement to be coded so that it will not trigger a redirect if displayed on a computer within the IP range of the victim Web site or victim advertising network."

What you can do to protect yourself

Even though the long-term solution is for the providers of Flash-based content to create more-secure versions of their files, there are some measures users can take to protect themselves. These protections are not foolproof, but they at least reduce the risk of exposure to malware via compromised Flash files.

Some of these tips come from Andre Gironda, Secure SDLC Consultant and author of the ts/sci security blog, who posted his pointers in a comment to Grossman’s blog posting.

The no-Flash option

The most effective – albeit drastic – way to protect yourself from malware-bearing Flash files is to uninstall Flash entirely. Adobe provides a special tool for doing this; you can find instructions and a link for downloading this file in a Technote published on the Adobe site.

The part-time-Flash option

If going without Flash entirely is too extreme, you can limit the sites that use this and other risky plug-ins by installing free browser add-ons that let you manage active Web content more granularly:

For Internet Explorer, TurnFlash lets you toggle between blocking Flash files and allowing them to run. A tray icon lets you turn Flash on or off, but the setting takes effect only in any new IE windows that you launch, not in the existing browser window.

A similar utility called No! Flash also switches Flash on and off, but it also gives you the ability to turn off several other elements, such as Java applets and other scripts. As with TurnFlash, the changes take effect in the next IE window you open.

For Mozilla Firefox, a plug-in called Flashblock disables all Flash content on Web sites and replaces it with a round Flash logo. You can selectively enable Flash files by clicking their icons.

For more comprehensive security, the plug-in NoScript not only disables Flash but also turns off Java, Silverlight, and other active Web elements. A NoScript icon in the Firefox status bar provides a pop-up menu for adding a site you trust to the add-on’s "whitelist," which enables all scripts and animations on the site (but not necessarily those on the site’s pages that are served up by ad networks). You can also right-click a link in Firefox to set its NoScript options via the context menu.

The minimal option

At the very least, update the Flash Player software on your system to the latest version (9.0.124.0 or higher). In the last three months, Adobe has patched a number of security holes in this product. The update won’t protect you from all buggy Flash files on the Web, but it will make your browsing much safer.

You can download the latest Adobe Flash Player from the Adobe Web site.

After you install the update, run the free Secunia Software Inspector online malware scanner to find old versions of the Flash Player that may have been left behind on your system. Secunia’s on-screen report will show the path and filename of the old files you need to delete. You may have to run the inspector more than once to make sure all the old files are deleted. If you delete a needed file by mistake, simply run the newest Flash Player installer again to correct the problem.
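
A local check for leftover Flash Player binaries older than the 9.0.124.0 release mentioned above, as an added PowerShell example that is not part of the original article or of any Adobe or Secunia tool. The search folders and file-name patterns are assumptions about a typical Windows install, and the script only reports files; it deletes nothing.

```powershell
# Added example: report Flash Player binaries older than the version the
# article recommends (9.0.124.0). Read-only; nothing is deleted.
$MinimumVersion = [version]'9.0.124.0'

# Assumed locations of the IE ActiveX control and the Firefox plug-in.
$SearchRoots = @(
    (Join-Path $env:windir 'System32\Macromed\Flash'),
    (Join-Path $env:windir 'SysWOW64\Macromed\Flash'),
    (Join-Path $env:ProgramFiles 'Mozilla Firefox\plugins')
)
# Assumed file-name patterns: Flash*.ocx (ActiveX), NPSWF*.dll (plug-in).
$Patterns = @('Flash*.ocx', 'NPSWF*.dll')

function Get-BinaryVersion {
    param([Parameter(Mandatory = $true)][string]$Path)
    # The FileVersion string may be written with commas ("9,0,115,0"),
    # so build the version from its numeric parts instead of parsing text.
    # A file with no version resource comes back as 0.0.0.0 and is
    # therefore listed as outdated, which flags it for manual review.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Find-FlashBinary {
    param([string[]]$Roots = $SearchRoots, [string[]]$Include = $Patterns)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($pattern in $Include) {
            Get-ChildItem -Path $root -Filter $pattern -File -Recurse -ErrorAction SilentlyContinue
        }
    }
}

$report = foreach ($file in Find-FlashBinary) {
    $version = Get-BinaryVersion -Path $file.FullName
    [pscustomobject]@{
        Path     = $file.FullName
        Version  = $version
        Outdated = ($version -lt $MinimumVersion)
    }
}

$report | Sort-Object Path | Format-Table -AutoSize

$outdated = @($report | Where-Object { $_.Outdated })
if ($outdated.Count -gt 0) {
    Write-Warning ("{0} Flash file(s) older than {1} found; see the Outdated column." -f $outdated.Count, $MinimumVersion)
} else {
    Write-Output "No Flash binaries older than $MinimumVersion found in the searched folders."
}
```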

One danger posed by Flash bugs is the ability of hackers to get your login credentials for a given site. Andre Gironda recommends creating multiple Firefox profiles, each with its own NoScript (or, if you prefer, Flashblock) settings. He uses his Flash-enabled profile to browse sites such as YouTube, but he exits that browser and launches his Flash- and script-blocked copy of Firefox when he conducts online banking and visits other sites that require logins.

To set up a Firefox profile, do the following:

Step 1. Choose Start, Run. Type cmd.exe and press Enter.

Step 2. At the command prompt, type:

"C:\Program Files\Mozilla Firefox\firefox.exe" -profilemanager

Then press Enter. (Note that the quotation marks are required and that your path may differ.)

Step 3. If you want Firefox to prompt you for a profile each time you launch it, uncheck the option Don’t ask at startup in the Firefox — Choose User Profile dialog box.

Step 4. Click Create Profile and follow the steps in the wizard to name your new profile. Repeat the steps to create a second profile. For example, you might name one profile Flash-Yes and another Flash-No. When you’re done, click Exit.

Step 5. Rather than being prompted for a profile each time you open Firefox, create separate shortcuts to launch each profile. For example, if you have a shortcut to Firefox in your QuickLaunch toolbar or on the desktop, drag the shortcut with the right mouse button pressed, drop it, and choose Create Shortcuts Here.

Step 6. Right-click one of your Firefox shortcuts and choose Properties. Click the Shortcut tab and edit the command line so it ends with -p followed by a space and the name of one profile. For example, the entire command line might read:

"C:\Program Files\Mozilla Firefox\firefox.exe" -p Flash-Yes

Repeat these steps for a second shortcut to launch your other Firefox profile.

Step 7. You may need to download and install one of the plug-ins described above for these profiles and configure each profile’s browser differently. However, any changes you make should be saved with that profile, so they will be in effect the next time you launch it.
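
Steps 2 through 6 scripted in PowerShell, as an added example that is not from the original article. It assumes the install path shown above, the article's example profile names Flash-Yes and Flash-No, Firefox's -CreateProfile command-line option, and that profiles.ini sits under %APPDATA%\Mozilla\Firefox.

```powershell
# Added example: create the two profiles and one desktop shortcut per profile.
$Firefox      = 'C:\Program Files\Mozilla Firefox\firefox.exe'          # your path may differ
$ProfileNames = @('Flash-Yes', 'Flash-No')                              # names from the article's example
$ProfilesIni  = Join-Path $env:APPDATA 'Mozilla\Firefox\profiles.ini'   # assumed location

function Get-FirefoxProfileName {
    # Return the profile names already registered in profiles.ini.
    param([string]$IniPath = $ProfilesIni)
    if (-not (Test-Path -LiteralPath $IniPath)) { return }
    Get-Content -LiteralPath $IniPath | ForEach-Object {
        if ($_ -match '^Name=(.+)$') { $Matches[1].Trim() }
    }
}

function New-FirefoxProfile {
    # Names must not contain spaces, because they are passed unquoted.
    param([Parameter(Mandatory = $true)][string]$Name)
    if (@(Get-FirefoxProfileName) -contains $Name) {
        Write-Output "Profile '$Name' already exists; leaving it untouched."
        return
    }
    # -CreateProfile registers the profile and exits without opening a window.
    Start-Process -FilePath $Firefox -ArgumentList '-CreateProfile', $Name -Wait
    Write-Output "Created profile '$Name'."
}

function New-ProfileShortcut {
    param([Parameter(Mandatory = $true)][string]$Name)
    $desktop  = [Environment]::GetFolderPath('Desktop')
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut((Join-Path $desktop "Firefox $Name.lnk"))
    $shortcut.TargetPath  = $Firefox
    # Same command line as Step 6: firefox.exe -p <profile name>
    $shortcut.Arguments   = "-p $Name"
    $shortcut.Description = "Firefox with the $Name profile"
    $shortcut.Save()
    Write-Output "Shortcut written to $($shortcut.FullName)"
}

if (-not (Test-Path -LiteralPath $Firefox)) {
    throw "Firefox not found at $Firefox; edit `$Firefox to match your install."
}
# The profiles are meant to be used one at a time, so start from a closed browser.
if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
    throw 'Close all Firefox windows first, then run the script again.'
}

foreach ($name in $ProfileNames) {
    New-FirefoxProfile -Name $name
    New-ProfileShortcut -Name $name
}
```

Step 7 still applies afterwards: open each profile once and install and configure NoScript or Flashblock in it.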

A complete solution to high-risk Flash files may not come any time soon. Until the creators and managers of these files can ensure a high degree of safety, users have to be extra cautious to avoid the risks of Flash-borne malware.

For more on Flash security vulnerabilities, see Windows Secrets contributing editor Mark Edwards’s Apr. 10 PC Tune-Up column.

written by dcaddick

Apr 15

Just a word of warning…!!!

The lovely missus this afternoon called out that there was "some Virus Alert thingy on the computer screen" and did I want to sort it out? Being as bright as she is she knew that one thing you don’t do is to run any download that you didn’t initiate yourself?

Natalie had simply been trying to find a recipe on the Internet that she had just seen on a cooking show. It looks like as part of viewing that website the *purported* scanning process kicked in claiming that I was infected by 3 "high risk" viruses and offered to disinfect my Computer if I clicked on OK - not surprisingly it is not possible to actually cancel this installation - the only way to halt the install/scan at this point would appear to be to use Task Manager to kill IExplorer?

I must say that this looked pretty convincing, and it would not surprise me in the slightest that this would be getting a lot of success out in the wild with most average users.


Now just for those of you that think this is all a bit too much and this stuff doesn’t happen much at all, have a look at some of the details from Google’s Online Security Blog as noted by ITnews

"It has been 18 months since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. pages that attempt to exploit visitors by installing and running malware automatically," the Google blog stated yesterday.

"During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 sites automatically installing malware."

Google’s team also reported that around two per cent of malicious websites are delivering malware via advertising.

So even at 2% of sites that means that if you only browse to 7 sites a day then there is a good chance you have been infected that week? Scary thought?

AntispyDeluxe - Symantec.com

written by dcaddick

Apr 13

So news is in courtesy of Alessandro that it looks like it’s quite possible that folks will no longer be able to run ESX as a guest OS inside VMware Workstation. We all know it’s not a good idea - but sometimes it’s the easiest way of being able to demonstrate or troubleshoot issues when you don’t have handy access to an ESX Server.

VMware Workstation 6.5 doesn’t allow ESX as guest anymore

Friday, April 11, 2008

No matter how much VMware is extending its HCL, a large number of users are still looking for ways to install the company’s flagship hypervisor ESX (formerly ESX Server) inside Workstation virtual machines.

Being one of the most wanted features ever, hacks to achieve the goal proliferated, and our post about how to run ESX Server 3 inside a Workstation 6 virtual machine is one of the most-read articles ever.

That said, the community’s disappointment in discovering that the new Workstation 6.5 beta 1 prevents the hack mentioned above doesn’t come as a surprise.

One of the VMware employees who addressed the complaints is, however, mentioning (but not promising) the possibility of running ESX inside a VM again, since the Workstation 6.5 feature list is not finalized yet.

virtualization.info: VMware Workstation 6.5 doesn’t allow ESX as guest anymore

written by dcaddick

Apr 07

DISCLAIMER: If you decide to flash ANY device with something other than the Vendors correct firmware then you are on your own!!!

Moving on from a previous post the other day regarding "Supercharge Your Wireless Router With Open Firmware - Wired How-To Wiki" I was chatting to my brother and it turns out that he has recently been having troubles with his Billion device and as a consequence of it being out of warranty he decided to buy an ASUS WL-500G

And now I can see why, not only is it a Wireless Access Point with ADSL but it also has 2 x USB 2.0 ports as well so that this can effectively act as a mini NAS unit as well by hosting additional storage <see table below>

| Model | Ver. | Platform & Hz | Flash | RAM | Wireless NIC | Switch | USB | Status |
|---|---|---|---|---|---|---|---|---|
| WL-500g Deluxe | | Broadcom 5365 @ 200MHz | 4MB | 32MB | Broadcom (integrated) | in CPU | 2x v2.0 | Supported |
| WL-500g Premium | 1 | Broadcom 4704 @ 266MHz | 8MB | 32MB | Broadcom 4318 (mini-PCI) | BCM5325 | 2x v2.0 | Supported |
| WL-500g Premium | 2 | Broadcom 5354 @ 240MHz | 8MB | 32MB | Broadcom (integrated) | ? | 2x v2.0 (SMC USB2520) | WiP |
| WL-500W | | Broadcom 4704 @ 266MHz | 8MB | 32MB | Broadcom 4321 (mini-PCI) | BCM5325 | 2x v2.0 | WiP/Kamikaze |

But the real neat part is that with his help I was also able to discover that there is a complete OpenSource effort at OpenWrt

About OpenWrt

OpenWrt is an extensible Linux distribution that runs on Linksys WRT54G/GS routers, as well as some related hardware. Unlike many other distributions for these routers, OpenWrt is built from the ground up to be a full-featured, easily modifiable operating system for your router. In practice, this means that you can have all the features you need with none of the bloat, powered by a Linux kernel that’s more recent than most other distributions.

This is where I obtained the information in the table above (link - TableofHardware) - at the very least if you are considering purchasing some form of Wireless Access Point then you should really glance through this table and satisfy yourself that you have made the right choice on Hardware?

So back to OpenWrt, is it for you? well it is based on Linux so it is somewhat command line driven etc. and it’s more than likely that as much as this might provide a benefit to some, they will be put off by the install method and the possibility of bricking their device?

So if that is the case then simply move on to: X-Wrt, "OpenWrt for end users"

About Us:

X-Wrt was started because there was a need for end user extensions to OpenWrt, such as an enhanced web management console (webif). For a long time now it has been established that OpenWrt is the best firmware in its class. It far exceeds other firmwares in performance, stability, extensibility, robustness, and design. We at X-Wrt decided it was long past time for end users to get access to this superior firmware.

We are a separate project from OpenWrt due to the difference in focus and development ideals. We are considerably more pragmatic than OpenWrt and have the goal of providing solutions today, while OpenWrt has a more idealistic development philosophy and intends to perfect the firmware core, no matter how many rewrites and how much time it takes. This difference in development attitude creates a complementary atmosphere that benefits everyone.

So how easy is this to install? Follow the screen shots from here at Installation


written by dcaddick

Mar 27

Recently I have been looking into some issues relating to mixed Novell and AD Authentication at customer sites and there does not seem to be too much information that is readily available so I thought it might be useful if I post some of the details and links here as a helper to others? ;-)

One of the most interesting points is that it would appear that Novell really hasn’t done much to the Novell Client in quite a while, and even with the advent of Vista it has not so much revisited the classic 4.91 SP4 version but simply created a new one from scratch that has no backwards compatibility or any relationship to the 4.91 version….

Also something to be aware of is that quite some while back it would appear that Novell did try for a Catalogue of sorts that may or may not have been somewhat similar to AD’s implementation but it was dropped from NDS ver. 8.x and above - so if you are trying to get Contextless Login working the only other real alternative is to use a method of creating an Alias for all Users in one specific OU and then referencing all Logins to search that one specific OU at login.

Now if you are like me, this appears to be almost laziness on the part of the developers? Surely they could do better than this? And even if you do get Contextless Login working what it actually amounts to is that the user can use either the short User ID <davidca> or the UPN <david.caddick@novell.com> and when you either use:

  • Tab Key
  • Mouse to move to the Password box
  • Click on OK

you will then find that the Contextless Lookup is invoked and your user name is changed to match the Case of exactly what it is in the NDS.

Anyway, here are the documents that might prove useful if you are investigating similar issues?

One of the most useful documents would appear to be this one: 

Configure AutoAdminLogon for Novell Clients for Windows NT/2000/XP

AutoAdminLogon can be implemented in any of the 5 combinations listed below. For each version of the client, we will describe which combinations can be implemented and how to implement those combinations.

Auto login to NDS and NT
Auto login to NDS and manual login to NT
Auto login to NT and manual Login to NDS
Auto login to NT and disable login to NDS
Manual login to NDS and NT

There is also this document that is more specific to Terminal Server/Citrix Presentation Server XenApp Server environments:

LDAP Contextless Login in Terminal Services Environments

In all versions of the Novell Client for Windows 2000/XP/2003 prior to and including Novell Client 4.91 SP3, the LDAP Contextless Login support will only perform a contextless lookup if a user interactively changes the contents of the "Username:" field or the "Tree:" field of the Novell Client login dialog.

As such, the LDAP Contextless Login support was not able to benefit scenarios involving Windows Terminal Services environments where TSClientAutoAdminLogon was being used in conjunction with credentials pre-supplied in the terminal connection, and/or with TSClientAutoAdminLogon in Citrix Metaframe environments that were launching published applications.

The widely used workaround for this limitation was to move or alias eDirectory users into a single container, such that in absence of contextless login support the terminal service environment could successfully default to a single context for all eDirectory user logins.

If you do have issues relating to getting Contextless Login working correctly the most authoritative document I could find would appear to be this:

Setting Up LDAP Contextless Login and LDAP Treeless Login

Several large Novell customers have used LDAP Contextless Login to facilitate the merging of several trees in to one global tree. Before LDAP Contextless Login, users were often annoyed by being required to change their context information in the login screen when changes took place in the tree structure. This resulted in IT costs to manage and support the change. LDAP Contextless Login makes it easier for users to work in the new global tree because it makes it unnecessary for the users to manage or know about changes to their organization’s name or its placement in the hierarchy. Because users no longer need to enter their context to authenticate, the context can be changed on the back end as many times as necessary without the users needing to know and without the costs associated with managing and supporting these changes.

The Lightweight Directory Access Protocol (LDAP) is an Internet communications protocol that lets client applications access directory information. It is based on the X.500 Directory Access Protocol (DAP) but is less complex than a traditional client and can be used with any other directory service that follows the X.500 standard. Lightweight Directory Access Protocol (LDAP) Services for Novell eDirectory is a server application that lets LDAP clients access information stored in eDirectory.

If your network has LDAP Services for Novell eDirectory set up on your eDirectory tree and you are running Novell eDirectory 8.5 or later, users who are logging in to the network from Windows can log in to the network without having to enter their context in the Novell Login screen. To log in, users need to know only their username, password, and the name of the tree that is running LDAP Services. Optionally, you can also have users log in to the network without having to specify the eDirectory tree name.

User objects can be located in the tree by username or e-mail address. You can also enable wildcard searches. If wildcard searches bring up multiple usernames, the user is prompted to select his username.

written by dcaddick

Mar 22

It is something of a shame that Symantec is not making the best of this acquisition, especially when you consider the amount of change and hype in the Virtualization space over the last 14 months since Symantec announced the purchase?

I made the comment only a few weeks ago (Thinstall quick out of the blocks) that it was quite gratifying to see good technology not sitting by the sidelines waiting for the politics and marketing to settle before it can get back on with getting the work done - but in this case it looks like Symantec are still dragging the chain?

Symantec creates an Endpoint Virtualization Business Unit

Friday, March 21, 2008

After over one year since the acquisition, Symantec is finally operating the integration of Altiris in its corporate departments.

It’s not clear anyway if and in which way the security giant will pitch the successful Altiris application virtualization product: SVS.

The subsidiary in fact will disappear inside the Symantec Security and Compliance department, while a brand new Endpoint Virtualization department will be created, as reported by eWeek.

There are no details available yet but this reorganization may mean just two things:

  • the first option is that Symantec plans to use SVS only to deliver virtualized versions of its endpoint security agents (the anti-virus is probably the first in the list)
  • the second option is that Symantec will seriously enter the corporate desktop virtualization market, a space where VMware, Microsoft and a few others are already busy with VDI, application virtualization and virtual machines security wrappers

In the first case Altiris SVS would be clearly out of the application virtualization market. In the second case Symantec may soon need more than just SVS to compete with the other players.

virtualization.info: Symantec creates an Endpoint Virtualization Business Unit

written by dcaddick

Jan 08

Well I do find this amusing as last night we were just watching the Top Gear episode where Ranulph Clarkson and Ranulph May attempt to race Ranulph Hammond to the North Pole using a truck - as ever Jeremy Clarkson is forever the irreverent motor mouth and larrikin in a likeable way and we actually found ourselves cheering for Hammond to beat them with the Dog Sled.

So it’s no surprise to see Clarkson so spectacularly misjudge how easy it can be to have your Banking details abused? I guess he has learnt a little about how technology works? ;-) 

Clarkson’s ‘steal my ID’ stunt backfires

Top Gear chap shoots self in foot

Gobby TV presenter Jeremy Clarkson has been forced to reverse his position after he lost money after publishing his bank account details in a newspaper column.

The Top Gear presenter rather rashly published his account details in a column in The Sun to back up his claims that the child benefit data loss furore, which resulted in the loss of unencrypted CDs containing bank details of 25m people, was a lot of fuss about nothing.

Clarkson published his bank account number and sort code, along with clues to his address, insisting that the worst that could happen was that someone could pay money into his account.

Days later Clarkson was forced to admit he was wrong after an unidentified prankster set up a £500 direct debit from the presenter’s account in favour of charity Diabetes UK, the BBC reports.

“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” Clarkson said in a column published in the Sunday Times. “I was wrong and I have been punished for my mistake.”

Clarkson, never one to shy away from colourful or controversial commentary, is now hopping mad over the data loss. “Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy,” he said. ®

Clarkson’s ‘steal my ID’ stunt backfires | The Register

written by dcaddick

Nov 18

Judging by my limited experiences with Vista the "security" sounds like it might be a case of how much security you need to turn off until your Server actually communicates with the other devices and runs the Applications correctly?

Other than that I’m looking forward to seeing just how much can be accomplished with Power Shell, it’s certainly got my Brother excited ;-)

10 things to consider when making a Windows Server 2008 upgrade decision

Windows Server 2008 is expected to officially launch in February of next year, but many companies are already preparing for the next generation of Windows server software and trying to decide whether, and when, to upgrade. Release candidate evaluations are available from the Microsoft Web site and many IT departments are already trying it out in their testbed labs. Exciting-sounding new features and promised improvements on the old ones make the upgrade tempting.

In this article, we’ll look at 10 things you should consider in making the upgrade decision, including eight good reasons to upgrade as soon as possible and two equally good reasons you might just want to hold off for a while.

Note: This information is also available as a PDF download.

Reasons to upgrade

First, let’s take a look at some reasons to upgrade your network infrastructure and/or individual servers to Windows Server 2008.

Reason #1 to upgrade: Security, security, security

The most compelling reason to upgrade to Windows 2008 sooner rather than later is really at least half a dozen reasons, but they all add up to one thing: improved security. And just as the most important factor in buying real estate is location, in today’s interconnected IT world, the most important factor for most of us in selecting an operating system is security.

Here are some of Windows Server 2008’s new or improved security mechanisms:

  • Network Access Protection (NAP) provides a way for administrators to exert more control over which computers connect to the network by checking for compliance with security policies and isolating those that don’t have the proper service packs and updates installed, antivirus and firewall software installed and enabled, proper configuration settings, and so forth.
  • Read-only Domain Controller gives you a way to restrict the replication of the complete Active Directory database when deploying AD. This is useful when you need to run additional applications on a DC or it’s in a place that’s not physically secure, because changes can’t be made to the AD database through it.
  • Federated Rights Management Services allows for better protection of sensitive data by integrating RMS with AD FS so companies with federated relationships can exchange protected files.
  • BitLocker full disk encryption (also supported by Vista Enterprise and Ultimate editions) enables you to prevent unauthorized persons from booting into the server even if they have physical access.
  • Secure Sockets Tunneling Protocol (SSTP) remote access VPN allows you to create an SSL VPN with strong authentication and transport-level security that will pass through firewalls that block PPTP and L2TP traffic.
  • Improved certificate services offer enhancements such as support for enrolling routers and other network devices for certificates, health monitoring of CAs with PKIView, support for Online Certificate Status Protocol for better management of revocation information, and improvements to Web enrollment.

These are only a few of the specific security mechanisms in Server 2008, which also includes the new Windows firewall first introduced in Vista, Windows Defender, service hardening, User Account Control (UAC), and more.

Reason #2 to upgrade: Virtualization

Virtualization is all the rage for businesses from enterprises down to small businesses. Running servers in virtual machines (VMs) allows you to have the logical separation you need so that your Exchange mail server, your Web server(s), your file server(s), etc., have the security benefits of running on separate operating systems. But you also get the cost savings of running all those separate computers on a single physical machine.

Server consolidation is one of the biggest uses for virtualization technology, but it’s not the only one. VMs also make it much easier to test new operating systems or applications or to run multiple operating systems (such as XP and Vista) simultaneously.

Microsoft’s hypervisor virtualization technology has been in the works for quite some time. Code named “Viridian,” it has been announced as Hyper-V and will be available both as an add-on for Server 2008 and a stand-alone server product. Hyper-V can run a variety of operating systems in virtual machines, including 32- and 64-bit Windows and Linux.

Reason #3 to upgrade: Performance

Server 2008 includes numerous enhancements to increase server and networking performance. The “next generation” TCP/IP stack in Server 2008 (and Vista) includes TCP receive window auto-tuning and compound TCP (CTCP), which maximizes the throughput on connections with large receive windows. Wireless networking performance has also been greatly increased.

Windows System Resource Manager (WSRM) is integrated in Server 2008 and can enhance performance by allocating resources according to your needs. With increased performance for Storage Area Networks (SAN) and Direct Attached Storage (DAS) in clustering, better virtualization performance with Hyper-V, performance enhancements to IIS, better PKI performance in checking for revoked certificates, better performance for remote terminal services users with TS Gateway and other performance enhancements, better performance is a good reason to upgrade to Server 2008.

Reason #4 to upgrade: Server Core

Server 2008 gives you two installation options: You can install the full operating system with the familiar graphical interface and built-in applications, such as Internet Explorer, or you can install just the Server Core, a more minimalist environment for command-line administration. Server Core includes the important subsystems — networking, file system, security subsystem, RDP, WMI, etc. — but doesn’t include the desktop shell, most applications (IE, mail, WordPad, etc.) or the .NET framework. You do get a few GUI utilities, such as Task Manager, Regedit, and Notepad (for editing scripts, viewing log files, etc.). Server Core provides a more secure environment (fewer applications and services to exploit), easier management, and better performance.

Reason #5 to upgrade: Server Manager

Server Manager is a new administrative tool in Server 2008 that’s like a much more sophisticated version of the familiar Computer Manager MMC. You can use it to assign roles to the server (Web server, file server, etc.), configure settings, and so forth. It provides a centralized place for managing most aspects of your server. Server Manager is exclusive to Windows Server 2008 and won’t run on previous versions of Windows, not even Vista. For those who prefer to work in the “dark place,” there’s a command-line version of Server Manager, ServerManagerCmd.exe. It’s especially useful for automating the deployment of multiple servers that are configured alike.

Reason #6 to upgrade: IIS 7.0

The latest version of Internet Information Services (IIS) provides many improvements over its predecessor. This application is now modular, and you can install only the components you need. That makes it more secure, increases performance, and makes it easier to manage. For example, if you don’t need FTP services, don’t install them.

IIS has been designed to be as secure as possible out of the box. That is, most components are not installed unless you explicitly choose to install them. ASP, ASP.NET, and similar services are not installed by default. Other security enhancements include built-in URL filtering, a new and more secure account for anonymous users, automatic sandboxing (isolation) of applications on the server, and more.

The IIS management tool has gotten a makeover, too. It’s more intuitive and more task-oriented. And a new command-line tool, AppCmd.exe, replaces numerous administration scripts that were used in IIS 6. IIS 7 can also be managed with Windows PowerShell. PowerShell is the command-line interface and scripting language that was code named Monad, and it provides a more UNIX-like environment for IT pros who are comfortable with the command line. Many tasks can be performed more quickly at the command line, and can be automated through scripting.

PowerShell can be downloaded from the Microsoft Web site and run on Windows XP SP2, Server 2003 SP1, Server 2003 R2, and Vista, as well as Server 2008, but it is especially designed to administer Server 2008 roles, such as Terminal Services and IIS 7.

Reason #7 to upgrade: Terminal Services enhancements

If your business relies on a thin client model based on Windows Terminal Services, you’ll find plenty of improvements in Server 2008. It starts with version 6.0 of the Remote Desktop Connection (RDC) client software, which is included in both Vista and Server 2008. This client lets you use network-level authentication (NLA), which authenticates clients before the user logs on. This provides better security by eliminating the window of opportunity during which attackers might intercept credentials or do other dirty deeds. Another security enhancement is server authentication, which prevents clients from connecting to a malicious terminal server that’s spoofing the real one.

There are also improvements to the user experience. Higher resolution (up to 4096 x 2048) is supported and you can configure customized widescreen aspects such as 16:10. A welcome improvement is the ability to spread the terminal session display across multiple monitors (so long as they all have the same resolution settings). 32-bit color depth is also supported, and you can now use ClearType font smoothing in terminal sessions. Things are looking good.

Other improvements to Terminal Services include Display Data Prioritization (which provides better network utilization) and the ability to use desktop themes and even the Aero interface in terminal sessions. Printing is easier, too.

Server 2008 Terminal Services users with domain accounts can log on once (single sign-on) if they’re using Windows Vista as the client OS. And there are many other under-the-hood improvements that make Terminal Services better for both users and administrators.

Reason #8 to upgrade: Active Directory enhancements

With Server 2008, Microsoft has consolidated services that were separate in previous versions of the operating system. Active Directory is now integrated with the following:

  • Certificate Services (which is now called Active Directory Certificate Services, or AD CS, and offers many improvements)
  • Active Directory Rights Management Services (AD RMS), which provides control over what recipients of documents and e-mail messages can do with those files
  • Active Directory Federation Services (AD FS), which provides for identity management across a federation

Improvements to Active Directory itself include enhancements to the auditing service, granular password and account lockout policies, and the ability to restart the directory services without rebooting the domain controller in Restore mode. Last but not least, Server 2008 gives us the Read Only Domain Controller (RODC), which can be deployed in locations without the best physical security.

Reasons to wait

All of the above are reasons you may be chomping at the bit to roll out Server 2008. On the other hand, there are also a few good reasons you might want to wait before upgrading.

Reason #1 to wait: Compatibility issues

As with Vista, because of the new security architecture in Server 2008 there are likely to be some applications that won’t run on it. These include many antivirus and other security applications that access the kernel, backup programs, and applications that check the operating system version prior to installation. Programs that interact with IIS may also have problems, since it has so many changes.

You’ll want to check out all your mission-critical applications in a testbed environment before making the decision to deploy Server 2008. Don’t just test whether they’ll install; some apps may appear to install with no problem but then have problems working properly. If your important business applications won’t run stably on Server 2008, you’ll have to wait until the application vendor makes upgrades or patches available or switch to different applications before you can make the operating system upgrade.

Reason #2 to wait: Cost factors

If you have many servers, the licensing cost of upgrading to Server 2008 could be significant. You’ll want to take an inventory and determine just what that cost will be and whether the benefits are worth it, given your specific needs. And don’t forget that the cost of the software isn’t the only consideration here.

Let’s face it: There’s a price for increased functionality with every new operating system, and part of that price almost always comes in increased hardware requirements. Just as Windows Vista requires more powerful computers than XP to run properly, Server 2008 makes greater hardware demands than Server 2003. Microsoft specifies a minimum 1 GHz processor (1.4 GHz for the 64-bit version) and recommends a 2 GHz or better machine. For Itanium, an Itanium 2 processor is required. Although 512 MB of RAM is specified as the minimum, a more realistic recommendation is 2 GB or more, and you’ll need from 10 to 40 GB of available disk space.

Many servers currently running Server 2003 don’t meet those criteria, so you may have to factor in the cost of buying new server systems or performing hardware upgrades to your existing servers to run Server 2008.

» 10 things to consider when making a Windows Server 2008 upgrade decision | 10 Things | TechRepublic.com

written by dcaddick

Nov 16

Back when I was focused on Citrix Servers and helping people get the best out of existing Terminal Server and Citrix Server installations, it was somewhat surprising how many Applications AND Developers all do their own thing in whatever way they like with no regard to Standards like these.

There was similar material from Microsoft regarding Server 2003 and I always kept the details in a template email ready for when asked. Anyway, these links below should start you off in the right place.

Windows Server Software Logo Program Online Forum

  • Participate in the Windows Server Software Logo Program Online Forum where you can chat with other developers, post questions, and discuss technical topics, problems, and suggestions.  This forum is monitored by Microsoft staff who can answer both business and technical questions.

Windows Server 2008 Home page

  • Home page for the Windows Server 2008 operating system.

Get Windows Server 2008 RC0

  • Download an evaluation copy of Windows Server 2008 RC0.

Certification Tool for x86

  • The tool to run Windows Server 2008 certification in-house, the same tool the test vendors use.

Certification Tool for x64

  • The tool to run Windows Server 2008 certification in-house, the same tool the test vendors use.

Works with Tool

  • This highly-automated tool will help you quickly determine baseline compatibility with Windows Server 2008.

System State Analyzer Tool

  • Create two snapshots of fixed drives, registry settings, drivers, and services at different points in time and compare them to view differences.

Windows Server 2008 Application Compatibility Cookbook

  • The Cookbook covers the most common application compatibility issues and provides tips on how to modify your applications or redesign them to help provide a quality experience with Windows Server 2008 and/or the Windows Vista operating system.

Top 10 Steps for Developing Applications on Windows Server 2008

  • This document details the top 10 issues to avoid when developing applications for Windows Server 2008.

Windows Server 2008 Software Logo Specifications

  • Technical requirements that a server application and its client components must meet in order to become Certified for Windows Server.

Windows Server 2008 Software Logo Test Framework

  • The Framework describes tests that verify an application’s compliance with Works with Windows Server 2008 requirements.

Windows Server 2008 Works with Specifications

  • Technical specification outlining requirements that allow server applications to receive the Works with Windows Server 2008 designation.

Windows Server 2008 Works with Test Framework

  • Includes detailed information for technical managers and testers preparing software applications for the Works with Windows Server 2008 program verification tests.

Windows Server 2008 Technical Library

  • Microsoft TechNet page with detailed information on Windows Server 2008 technologies.

Developer Curriculum for Windows Server 2008

  • Designed for software developers and solution architects, this fast-paced seminar series provides on-demand webcasts and labcasts about the new features and technologies in Windows Server 2008.

Microsoft ISV Zone

  • Portal for ISV developer training and events on MSDN.

Microsoft INNOVATE ON Windows Server

written by dcaddick