Monthly Archives: August 2013

Configuration Manager Documentation update August 2013

The Configuration Manager team at Microsoft released a huge number of updates today regarding the System Center 2012 R2 release –>
http://blogs.technet.com/b/configmgrteam/archive/2013/08/29/announcement-configuration-manager-documentation-library-update-for-august-2013.aspx

And something I was waiting for finally showed up: how to create a VHD from a task sequence –> http://technet.microsoft.com/en-us/library/dn448591.aspx

Back in action! And what’s happening

After 4 weeks with MCT training courses (it takes a lot of time to prepare and took a lot of my spare time), I’m now back, and as part of that I’m focusing on my book writing, as I have now signed a deal with a publisher to write a book about System Center. I’ll come back with more detail when I have gotten further in the process.

Right now a lot is happening in the market.

Windows Server 2012 R2, Windows 8.1 and System Center 2012 R2 have gone RTM and will be publicly available on October 18th.

You can read what is new in my previous post here –>
https://msandbu.wordpress.com/2013/06/20/whats-new-in-windows-server-2012-r2-and-system-center-2012-r2-intune/

And for those stuck under a rock: VMware has already held their yearly conference and announced a lot of new stuff.
I haven’t gotten around to seeing all that is new, but I can tell that VMware is also focusing a lot on network virtualization and has created its own platform where partners can place their software.

http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf

But either way, whether you are a Microsoft person or a VMware person, the competition is getting tough.

There have also been some changes in Azure lately:
* Updates in the IaaS management portal experience
* Traffic Manager (Easier to create load-balancing rules directly in the portal)
* SQL Always On support in Azure.

So stay tuned for more posts; I have something planned for Configuration Manager and for Operations Manager.

Citrix licensing for Access Gateway and Netscaler

Wopptidoh!
Something I’ve been wanting to write for a long time: since I always get questions regarding licensing on either Access Gateway / Netscaler Gateway or Netscaler, I thought I would write a post so others stumbling in the dark might benefit from it as well.

Netscaler Platform licenses (depending on which Netscaler edition you have) unlock features inside the Netscaler appliance (for instance Standard, Enterprise or Platinum).

The physical appliances (MPX or SDX) and the VPX (virtual) Netscaler are licensed per MAC address; this can be obtained from the CLI by running the command lmutil lmhostid -ether

(So for the sake of it: when you buy a platform license for Netscaler which is Standard or higher, you will get a Netscaler Gateway Platform license as well.)

Example:

root@ns1# lmutil lmhostid -ether
lmutil - Copyright (c) 1989-2006 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved.
The FLEXlm host ID of this machine is "00d068107316"

This host ID has to be entered on the mycitrix.com licensing site, and the license allocated to it.

If you get any error messages, these can be viewed in the /var/log/license.log file.

Access Gateway Platform licenses, on the other hand, are tied to the hostname of the appliance. You must upload this license to increase the number of Independent Computing Architecture (ICA) connections up to 10000.
root@ns# grep hostname /nsconfig/rc.conf

Netscaler Gateway platform license also uses the hostname to generate a license file.
The same goes for Universal licenses for both Netscaler and Access Gateway editions.

Important note though: Citrix Receiver DOES NOT USE a Universal license (it only needs the platform license). A Universal license is only needed for Smart Access, endpoint scans etc.

Another important note: with version 10.1 it will show 0 ICA users; this is because with version 10.1 ICA connections are unlimited http://support.citrix.com/article/CTX138561
You can view this by using show license

Now for older solutions like CAG 5.0 (you can either use a license server or a license on the same host), see http://support.citrix.com/article/CTX128869 for Standard edition.
If you wish to install the license on a CAG 5.0 appliance you need the MAC address of the appliance; if you wish to install it on a license server you need to specify the hostname of the licensing server.

Access Gateway VPX Express gives you rights for 5 concurrent users on a 12-month plan.

Going forward

So as of right now I’m taking a vacation from blogging for a couple of weeks ahead. Why? Right now I am having 4 MCT training courses in a row, which takes up a lot of time preparing and energy.
Another thing that happened recently is that I have been asked to author a book regarding System Center (not going to tell what topic yet, it’s a secret!)

And since both of these are going to take most of my time for some months ahead, there are going to be fewer updates than usual, and when I have started on my book I’m going to reveal what the subject is, so stay tuned!

Securing Hyper-V 2012R2 hosts and VMs

Microsoft has implemented a lot of new cool security features in Hyper-V with the 2012 R2 release, most importantly stateful firewall and network inspection features.

From the 2012 release, Microsoft introduced features like
* ARP Guard https://msandbu.wordpress.com/2013/04/03/arp-guard-in-hyper-v-2012/
* DHCP Guard
* Router Guard
(These three functions are also included in regular network devices from most vendors)
* Bandwidth control (also useful for limiting the impact of for instance DDoS attacks)
* Bitlocker with Network Unlock (to protect a VM from theft)
* NVGRE (network virtualization, which is not a security feature in itself, but it can be used to put each customer in its own network segment without the use of VLANs; this offers security since, for instance, VLAN hopping is not possible)
* PVLAN (in many cases VLANs still have their purpose; for instance you can define three types of PVLANs: Isolated, Promiscuous and Community)
* VM stateless firewalls (not on the individual VM but on the Hyper-V traffic going to the VMs). These had pretty limited functionality (restricted to IP ACLs; you couldn’t define a port or match TCP established state)
* Bitlocker for CSV (encrypt everything in a cluster)
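As an added example (not code from the original post), here is how the 2012-era switch protections in the list above are applied to a single VM's network adapter with the Hyper-V PowerShell module. The VM name WEB01, the management subnet 10.0.10.0/24 and the bandwidth cap are constructed values; it assumes an elevated session on the Hyper-V host.

```powershell
# Added example: apply DHCP Guard, Router Guard, MAC spoofing protection,
# bandwidth control and a (2012-style, IP-only) port ACL to one VM's adapter.
# Assumptions: elevated PowerShell on the Hyper-V host, a VM named WEB01
# (constructed), and 10.0.10.0/24 as the hosts' management subnet (constructed).
function Protect-VMNetworkAdapter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$ManagementSubnet = '10.0.10.0/24',
        # MaximumBandwidth is in bits per second; 100 Mbit/s keeps one VM from
        # saturating the host uplink (a flooding or compromised guest).
        [uint64]$MaxBandwidthBps = 100000000
    )

    # DhcpGuard drops DHCP *server* messages the VM tries to send (rogue DHCP).
    # RouterGuard drops router advertisements / redirects sent by the VM.
    # MacAddressSpoofing Off: frames whose source MAC is not the assigned one are dropped.
    Set-VMNetworkAdapter -VMName $VMName -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

    # Bandwidth control on the virtual switch port.
    Set-VMNetworkAdapter -VMName $VMName -MaximumBandwidth $MaxBandwidthBps

    # 2012 port ACLs match on IP prefix only (no ports, no connection state);
    # the most specific prefix wins. Meter everything so per-VM traffic counters
    # exist, and deny the workload VM any traffic to the management subnet.
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress 0.0.0.0/0 -Direction Both -Action Meter
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $ManagementSubnet -Direction Both -Action Deny

    # Return the resulting adapter settings so the change can be verified.
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object VMName, DhcpGuard, RouterGuard, MacAddressSpoofing, BandwidthSetting
}

Protect-VMNetworkAdapter -VMName 'WEB01'
Get-VMNetworkAdapterAcl -VMName 'WEB01'
```

Because these settings live on the virtual switch port rather than in the guest, they follow the VM on a live migration, and a guest administrator cannot switch them off from inside the VM.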

So what other security mechanisms has Microsoft implemented in the OS stack with the new R2 release?

Not much info here yet, but they are mostly related to Hyper-V networking rules and the new generation 2 VMs with UEFI boot options (UEFI enables Secure Boot, which makes it harder for rootkits to get installed).
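As an added example (not from the original post), the following audits the Secure Boot state of every generation 2 VM on the host, and can turn it on where it is off. It assumes Windows Server 2012 R2 Hyper-V, where the Get-VMFirmware / Set-VMFirmware cmdlets first appeared; the function name is my own.

```powershell
# Added example: report generation 2 VMs with Secure Boot disabled and,
# with -Remediate, enable it on VMs that are powered off.
# Assumes Windows Server 2012 R2 (Get-VMFirmware is new in R2); the function
# name Get-VMSecureBootState is a constructed name.
function Get-VMSecureBootState {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Only generation 2 VMs have UEFI firmware and therefore a Secure Boot setting.
    foreach ($vm in Get-VM | Where-Object { $_.Generation -eq 2 }) {
        $fw      = Get-VMFirmware -VM $vm
        $enabled = ($fw.SecureBoot -eq 'On')

        if (-not $enabled -and $Remediate) {
            # Firmware settings can only be changed while the VM is off.
            if ($vm.State -ne 'Off') {
                Write-Warning "$($vm.Name): Secure Boot is off but the VM is $($vm.State); stop it before remediating."
            } else {
                Set-VMFirmware -VM $vm -EnableSecureBoot On
                $enabled = $true
            }
        }

        [pscustomobject]@{
            VM         = $vm.Name
            State      = $vm.State
            SecureBoot = $enabled
        }
    }
}

# Report only; add -Remediate to enable Secure Boot on stopped VMs.
Get-VMSecureBootState | Format-Table -AutoSize
```

Running the report before enabling anything matters: a generation 2 VM whose guest OS cannot boot under Secure Boot will simply stop booting once it is turned on, so remediate VMs one at a time after checking what they run.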

What else can you do to secure your hosts and VMs running on Hyper-V?

Microsoft has released a built-in baseline configuration scan that you can start from Server Manager; it has a set of rules it uses to check whether your hosts follow best practice, and it gives you tips on what you should do.


Microsoft also offers other tools that can be used to deploy security settings according to best practice (using Group Policy for deployment), for instance Security Compliance Manager http://www.microsoft.com/en-us/download/details.aspx?displayLang=en&id=16776


Installing all Hyper-V hosts as Server Core will also limit the attack surface on the hosts, since it does not install unnecessary components like Internet Explorer, the .NET Framework etc., which makes the host less open to attacks. (Also, don’t use RDP; there have been many security holes here which hackers have taken advantage of, so if you need to enable RDP, use NLA as well.)
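As an added example (not from the original post), this checks the two points above on a host: whether it is a Server Core installation, and whether Remote Desktop, if enabled at all, requires Network Level Authentication. It reads the standard registry values Windows uses for these settings; the function name and the -EnforceNla switch are my own.

```powershell
# Added example: report install type and RDP/NLA state of this host, and
# optionally require NLA. The registry paths are the standard Windows locations;
# the function name Test-HyperVHostRemoteAccess is constructed for this example.
function Test-HyperVHostRemoteAccess {
    [CmdletBinding()]
    param([switch]$EnforceNla)

    # InstallationType is "Server Core" on a Core install and "Server" with the full GUI.
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $rdpEnabled = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means the client must authenticate (NLA) before a
    # session is created, so unauthenticated clients never reach the logon screen.
    $nla = ((Get-ItemProperty $rdp).UserAuthentication -eq 1)

    if ($rdpEnabled -and -not $nla -and $EnforceNla) {
        Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1
        $nla = $true
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ServerCore   = ($installType -eq 'Server Core')
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nla
    }
}

# Report; add -EnforceNla to switch NLA on where RDP is enabled without it.
Test-HyperVHostRemoteAccess
```

A host that reports RdpEnabled = True and NlaRequired = False is the case the post warns about; turning NLA on only takes effect for new connections, so existing sessions are not dropped.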

Monitoring / Antivirus and Patching

Integration with System Center can also prove to be quite useful for many reasons.
It can offer you features like
* Anti-malware / Anti-virus (Configuration Manager)
* Patch management (Virtual Machine Manager / Configuration Manager)
* Baselining and remediation (Configuration Manager / Virtual Machine Manager)
* Monitoring (Operations Manager)

But this will require a number of agents being installed on all VMs, for instance the Configuration Manager client with Endpoint Protection and the Operations Manager agent (and the VMM agent on Hyper-V hosts).
(NOTE: You can enable baseline configuration checks in Operations Manager as well, instead of using Server Manager, and with the integration of System Center Advisor you will get more intel.)


Now, Microsoft recommends that the parent partition be kept as clean as possible, so they recommend not installing AV on the Hyper-V hosts (you will also suffer some performance loss), unless it is part of company policy.
Remember that if you install endpoint protection on Hyper-V hosts, add exclusions for these folders:
%PROGRAMDATA%\Microsoft\Windows\Hyper-V
C:\ClusterStorage
You can read more about it here –> http://social.technet.microsoft.com/wiki/contents/articles/2179.hyper-v-anti-virus-exclusions-for-hyper-v-hosts.aspx

Regarding firewalls: each host running Windows has Windows Firewall enabled by default, so should we then use Hyper-V port ACLs as well?
Hyper-V port ACLs follow the virtual machine, so if you move it to another host the ACL sticks. But the two have different features.
The built-in Windows firewall can allow applications to communicate without being restricted to a port or protocol, and it can also use IPsec.
A Hyper-V port ACL, on the other hand, can check whether a connection is stateful, which the built-in firewall cannot, and a Hyper-V port ACL can also measure the bandwidth of the traffic that goes through it.
For most cases you should use the built-in firewall (create Group Policies for the most common server roles), and in more extreme cases where you need to lock down and control the traffic flow further, you deploy Hyper-V port ACLs as well.
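As an added example (not from the original post), this is the "lock down further" case above done with the 2012 R2 extended port ACLs, i.e. the stateful rules on the virtual switch port that the earlier 2012 IP-only ACLs lacked. The VM name WEB01, the management subnet and the allowed ports are constructed values for a web server; the in-guest Windows Firewall stays on underneath.

```powershell
# Added example: stateful extended port ACLs (Windows Server 2012 R2) for one VM.
# Assumptions (all constructed for the example): VM WEB01 should accept HTTPS
# from anywhere, RDP only from the management subnet 10.0.10.0/24, may open
# outbound TCP connections and resolve DNS, and nothing else.
$VMName           = 'WEB01'
$ManagementSubnet = '10.0.10.0/24'

# Start from a clean slate so the rules below are the only extended ACLs on the port.
foreach ($acl in Get-VMNetworkAdapterExtendedAcl -VMName $VMName) {
    Remove-VMNetworkAdapterExtendedAcl -InputObject $acl
}

# When several rules match a packet the highest Weight wins. A stateful rule
# tracks the TCP connection, so the return traffic needs no rule of its own.

# Inbound HTTPS from anywhere.
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Weight 100 -Stateful $true

# RDP only from the management subnet (more specific, so higher weight).
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteIPAddress $ManagementSubnet -Weight 110 -Stateful $true

# The VM may open outbound TCP connections; stateful, so replies are let back in.
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Outbound `
    -Protocol TCP -Weight 50 -Stateful $true

# UDP is not connection-tracked, so DNS needs an explicit rule in each direction.
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Weight 60
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Inbound `
    -Protocol UDP -RemotePort 53 -Weight 61

# Everything else is dropped; lowest weight so every Allow above takes precedence.
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Both -Weight 1

# Show the resulting rule set for review.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
    Format-Table Direction, Action, Protocol, LocalPort, RemotePort, RemoteIPAddress, Weight, Stateful -AutoSize
```

The deny-by-default rule at the bottom is what makes this a lock-down rather than a filter: anything you forget (monitoring agents, patching, time sync) stops working, so test the rule set on one VM before rolling it out, and keep the role-based Windows Firewall policy from the paragraph above as the general case.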

You should also move your management traffic to a dedicated NIC, separate from other traffic, so it is not so easy to “sniff” your traffic.

RBAC (Role Based Access Control): an easy rule of thumb is to split user rights wherever you can.
For instance a Hyper-V administrator should not have admin rights on the VMs, and vice versa.
If you are using SCVMM you should create custom user roles (for instance you can define a user role for Group 1 that only gives access to administer their own hosts (which are placed in a host group) and to certain Run As roles).


Sysinternals tools should also be used when evaluating your security, for instance TCPView to see if there are any open ports that shouldn’t be open
http://technet.microsoft.com/en-US/sysinternals
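As an added example (not from the original post), the same check TCPView gives you interactively can be scripted so it runs on every host: list each TCP listener with its owning process and flag the ports you did not expect. It uses Get-NetTCPConnection from the NetTCPIP module (Windows Server 2012 R2 or later for the OwningProcess property); the default list of expected ports is a constructed starting point, not an official Hyper-V port list.

```powershell
# Added example: TCPView-style listing of listening TCP ports with owning process.
# Assumes Windows Server 2012 R2 or later (Get-NetTCPConnection with OwningProcess).
# The default $ExpectedPort list is constructed for the example; adjust it to your build.
function Get-ListeningPortReport {
    [CmdletBinding()]
    param(
        # Ports you expect on a Hyper-V host: RPC, SMB, VM console, RDP, WinRM.
        [int[]]$ExpectedPort = @(135, 445, 2179, 3389, 5985)
    )

    # Map process IDs to names once, instead of calling Get-Process per socket.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                Process      = $procs[[int]$_.OwningProcess]
                Expected     = ($ExpectedPort -contains $_.LocalPort)
            }
        }
}

# Everything listening that is not on the expected list, with the process behind it.
Get-ListeningPortReport | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it once on a freshly built host to establish what "normal" looks like, then keep that list as $ExpectedPort; any new row afterwards is either a change you made or something to investigate.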

Make sure that your internal network is configured as it should be:
disable CDP on access ports (if you are using Cisco), and
configure all ports as access ports (PortFast) so you can’t be hijacked by STP attacks.


Other resources:
http://www.microsoft.com/en-us/download/details.aspx?id=16650 This is an old security guide from Microsoft, but a lot of it still applies today.

Might also mention that there are some third party solutions that you can use to secure Hyper-V.

5-Nine –> http://www.5nine.com/
Watchguard –> http://www.watchguard.com