August 2007 - Posts
Today, I want to share with you the 4 major processes of NAP.
Health Policy Validation Process
Through a set of health compliance policies, NAP determines whether a client requesting validation complies with the specified policy.
Typical things a validation checks for (but not limited to):
1. Is host-based firewall protection turned on?
2. Is antivirus software installed, up to date and running?
3. Does it have the latest software updates?
Network Access Limitation
For clients that do not comply with the health policy, NAP limits access to the network by quarantining the client in a particular part of the network.
This part of the network, let's call it the remediation network, gives the non-compliant client a chance to access the resources that help it become compliant, for example a WSUS server, an AV server, etc.
You can also choose not to quarantine the client and just log the result for reporting purposes.
Automatic Remediation
When a non-compliant client gets quarantined, it is given a chance to update and become compliant. NAP clients can perform a series of updates, such as contacting the WSUS server, etc. The purpose is to make the client compliant, which subsequently allows it to gain access to the network.
You can also turn off auto-remediation and have NAP point to an internal server that highlights the non-compliance to the user and provides information on how to gain compliance.
Ongoing Compliance
For the duration of the connection, NAP ensures the client remains compliant and the health policy is enforced.
Put simply, a client receives a health certificate when it is in compliance. When its status changes, the health certificate is destroyed. A status change can be the firewall service being shut down, which results in NAP removing the client's health certificate. With this drop in status, the client is no longer healthy, and NAP kicks in to perform remediation. During this period the client is quarantined and only has access to the remediation servers. Once compliant again, the health certificate is reissued and the client is let back onto the network.
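The four processes above as a small model, written for this post and not part of NAP or any Microsoft code: the three checks, the signature-age threshold and the compliant/quarantined/logged outcomes are constructed assumptions, and StatementOfHealth is a plain record standing in for the real client's health report.

```python
from collections import namedtuple

MAX_SIGNATURE_AGE_DAYS = 3  # constructed threshold, not a NAP default

StatementOfHealth = namedtuple(
    "StatementOfHealth", "firewall_on av_running av_signature_age_days missing_updates")

def validate_health(soh):
    """Health Policy Validation: return the failed checks (empty list = compliant)."""
    failures = []
    if not soh.firewall_on:
        failures.append("firewall")
    if not soh.av_running or soh.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus")
    if soh.missing_updates > 0:
        failures.append("updates")
    return failures

def enforce(soh, quarantine=True):
    """Network Access Limitation: certificate and full access, quarantine, or log only."""
    failures = validate_health(soh)
    if not failures:
        return {"certificate": True, "network": "full", "failures": []}
    network = "remediation" if quarantine else "full"  # reporting-only mode keeps access
    return {"certificate": False, "network": network, "failures": failures}

def remediate(soh, failures):
    """Automatic Remediation: fix each failed check from the remediation network."""
    if "firewall" in failures:
        soh = soh._replace(firewall_on=True)  # local setting, no server needed
    if "antivirus" in failures:
        soh = soh._replace(av_running=True, av_signature_age_days=0)  # AV server
    if "updates" in failures:
        soh = soh._replace(missing_updates=0)  # WSUS server
    return soh

def session(status_changes, quarantine=True):
    """Ongoing Compliance: re-check on every status change, revoke/reissue the certificate."""
    log = []
    for soh in status_changes:
        decision = enforce(soh, quarantine)
        if decision["certificate"]:
            log.append(("certificate", "full"))
        elif not quarantine:
            log.append(("logged", decision["failures"]))
        else:
            log.append(("quarantined", decision["failures"]))
            if enforce(remediate(soh, decision["failures"]))["certificate"]:
                log.append(("reissued", "full"))
    return log
```

Feeding session() a sequence of health reports walks a client through certificate issued, firewall shut down and quarantined, remediated and reissued.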
Well, that's it for the time being. Got lots of meetings today and tomorrow.
Will catch up again. ;-)
/Dennis
SharePoint MVP, Loke Kit Kai, was looking for information on how Microsoft implements SharePoint.
Within Microsoft, we have a group known as MSIT, which takes care of all IT needs internally. Noam Nathan, who is Singapore's new IT Manager, pointed me to a showcase of how MSIT does SharePoint.
http://www.microsoft.com/technet/itshowcase/sps.mspx
I was very impressed by the type of information available on how Microsoft uses our own products and how open we are in communicating this information. I guess this software wouldn't be successful if it didn't meet even our own requirements. Dog-fooding ;-)
Thanks to Noam for the link.
/Dennis
The Small Business group will be having a group meeting at Microsoft.
The details are as follows:
Date: 21st Aug 2007
Time: 6.30 pm to 9.00pm
Venue: Microsoft Singapore
Topics:
1. Implementing Business Process with Microsoft WSS3.0 Workflows
2. Roundtable Discussions & Q&A
For details, visit http://sgsug.sg/forums/thread/769.aspx
A book by Harry Brelsford will be given away to one lucky attendee.
/Dennis
New in Windows Server 2008 and Windows Vista, there is a WMIC command you can use to quickly find out the SKU (Stock Keeping Unit), and so the edition, of the version of Windows you are running. This command is useful if you are faced with a Core installation of Windows Server 2008.
Traditionally in Windows, as in this screenshot, we use the command "winver" to identify the build and version of Windows you're running. That works fine in the GUI versions of Windows. However, Windows Server 2008 has a new SKU, the Core installation, which has no GUI, and the winver command doesn't work there.
Making use of this new property, try out this command:
"wmic path win32_operatingsystem get OperatingSystemSKU /value"
It will return a value like this.
In this case, 14 is returned, which indicates this is the Enterprise Server Core edition.
You can find the reference list of values here: http://msdn2.microsoft.com/en-us/library/aa394239.aspx
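As an added example (not from the post or from Microsoft), here is how you could run the command above from a script and turn the SKU number into an edition name. The edition table is a subset of the MSDN list linked above covering the server SKUs, and the sample output is constructed to match what the screenshot shows.

```python
import subprocess
import sys

# The command from the post. When its output is redirected, wmic writes UTF-16LE
# with a byte-order mark and ends each line with \r\r\n; the parser tolerates both.
WMIC_CMD = ["wmic", "path", "win32_operatingsystem", "get", "OperatingSystemSKU", "/value"]

# Server entries from the OperatingSystemSKU table on the MSDN page linked in the
# post (a subset; client editions are omitted). Anything else is reported as unknown.
SERVER_SKUS = {
    7: "Standard Server",
    8: "Datacenter Server",
    10: "Enterprise Server",
    12: "Datacenter Server Core",
    13: "Standard Server Core",
    14: "Enterprise Server Core",
    17: "Web Server",
}

def decode_wmic_output(raw):
    """Decode captured wmic bytes, honouring the UTF-16 BOM if one is present."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("ascii", errors="replace")

def parse_wmic_values(text):
    """Parse the Name=Value lines of a wmic /value listing into a dict."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            values[name.strip()] = value.strip()
    return values

def sku_name(values):
    """Map the OperatingSystemSKU property to (number, edition name)."""
    sku = int(values["OperatingSystemSKU"])
    return sku, SERVER_SKUS.get(sku, "unknown SKU, look it up in the MSDN table")

def detect_sku():
    """Run the wmic command on this machine and return (number, edition). Windows only."""
    if sys.platform != "win32":
        raise OSError("wmic is only available on Windows")
    # stdin comes from DEVNULL because wmic can hang when its stdin is a pipe.
    raw = subprocess.run(WMIC_CMD, capture_output=True, check=True,
                         stdin=subprocess.DEVNULL).stdout
    return sku_name(parse_wmic_values(decode_wmic_output(raw)))

# Constructed sample of the command's output on a Server Core box, as in the post.
SAMPLE_OUTPUT = b"\xff\xfe" + "\r\r\nOperatingSystemSKU=14\r\r\n\r\r\n".encode("utf-16-le")
```

On a Windows box detect_sku() runs the real command; elsewhere you can exercise the parser with SAMPLE_OUTPUT.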
/Dennis
Meang Teik from Hitachi told me about it through email. I was absolutely stunned. <LOL> It's motivation like this from people in the IT industry that grew the passion in me to share my knowledge and help them grow.
I was speaking at TechEd SEA 2006 on 2 main topics. I believe I still have the link available at http://sgwindowsgroup.org/teched
Anyway, the blog entry is at http://aradpda.blogspot.com/
The TechEd organizers for this year ran a contest for those who blogged about TechEd. This same guy won!! http://www.microsoft.com/malaysia/techedsea2007/blog-winner.mspx
But this year round, I didn't really have much time to prepare for it. I'll still be at TechEd meeting people, but I will probably not be speaking. :-( Hopefully I don't disappoint anyone.
I'll still be sticking around at the MVP Booth.
/Dennis
Network Access Protection, aka NAP, from Microsoft is fast becoming highly recognized by enterprise IT as a new, upcoming and very promising solution to a long-requested kind of protection for any network.
So what exactly is it? I'm trying to avoid getting technical here so we can get a basic understanding of it.
The network that is precious
Core routers, switches, wires, wireless APs all over. What do they do? They hook up the clients and the servers, put them together on the same communication medium and let the magic work. Easily said, but I have a lot of respect for networking guys. Kudos.
Now, every piece of information on the wire can be deemed important, needs to be secured and should be resilient against intruders. Agree? I'm sure you'll say yes. Well, you're supposed to.
Think again about what could go onto that wire: logon IDs and passwords, that research document that could fetch you millions, that secret love letter you are sending to the girl/guy at the other end of the office, etc. Alright, I think you got the point. You want to protect your network.
What's the problem?
As your business operations come to depend heavily on your network, you reach a stage where you have to make data highly available, and you start introducing remote access elements into your network solution.
That's good, because your staff can now work from home, from that hotspot at McDonald's, or even from a customer's place. You will usually implement a VPN solution for remote access. In any case, you're allowing a machine into the network from a remote location.
Because of the many avenues for accessing your network, you inevitably open up a whole avenue for someone to attack your network, steal your data, cause disruptions, etc.
How can you be sure the computer that was used to VPN in has the following:
1. Latest antivirus signatures
2. Firewall running
3. Latest System Updates applied
4. Or any other security requirements you may have.
How can you be sure the computer that plugs into the network faceplate is a machine that can be trusted?
What can you do?
You can implement NAP, Microsoft's answer. The system admin defines policies governing network access. You can stipulate that the client must be healthy and meet the entire corporate access policy before it is allowed to connect to the server. It works in all networks. There are, of course, several components to it.
It lets you say that before a machine connected to the network is granted access to the corporate network and services, a series of tests and configuration checks are run against it. If it is found to be non-compliant, the machine can be isolated and given a chance to become compliant before you allow it into the network to access resources.
Learn about it.
Here's a whitepaper about NAP. Please take some time to read it. There are various network access control solutions out there that I know of, but nothing comes quite close to what NAP can offer.
Frequently Asked Questions about NAP
NAP Platform Architecture
Watch this space again. I'll be talking more about NAP in preparation for a few upcoming events, and I'll be using this space to share what I know about NAP. The Windows 2008 Insiders group will be covering NAP in the upcoming August meeting.
/Dennis
http://www.salary.sg/2007/income-percentile/
This one is interesting. You can benchmark your current salary in Singapore and see which percentile you belong to.
Hey, the more you make, the higher your tax bracket. ;-)
/Dennis
Having talked about Server Manager in the previous post, we can have a very quick look at installing the Web Server role. The Web Server has taken on a tremendous overhaul since W2k3, I would say. Many things have been rewritten. You might be quite lost when you first look at it, but the new interface makes good sense.
Most of the time when an IT Pro looks at IIS, they're really concerned about configuring it, and not so bothered by the "Content View" which is presented by default in IIS6. Seriously, how many of you who have seen it in IIS6 actually use the content view? I don't. In fact, 90% of the time I get my web designers to supply the content while I go to IIS Manager to configure it. Key thing: I don't touch the content. So content view is relatively useless to me.
Let's look at how you use the Server Manager to add a role; the wizard takes out all the guesswork. Many things have also been changed. Bits of the IIS server don't get deployed until you tell it to, so features like Integrated Authentication are something you add, as are ASP.NET support, ASP support, CGI support, etc.
Adding the Server Role
From Server Manager, under Roles, click on Add Role. It's really easy, so intuitive you won't miss it.
I just want to catch some screenshots here and share the installation experience with you. Click on Next to go to the Server Roles dialogue. Here you will see most of the roles that W2k8 can run as. There is a Streaming Services role that isn't here, but it can be added with an add-on to make it appear. Anyway, just click on the Web Server role.
Once you click on the Web Server role, the wizard detects that several mandatory components are needed for a base IIS to be functional. Take a look at the required components. Were you aware these are the minimum for IIS to run? You probably weren't. :-)
Click on Add Required Features to continue and click on Next to progress further. You are then given an introduction to IIS. Click on Next to start selecting the features you need in IIS.
The entire IIS has been quite deeply "componentized", so whatever web app you put into a basic IIS7 setup will break for sure. The reason those web apps normally break is that the feature they need isn't loaded. Scroll down the list and take a look. I've captured a portion of that list here.
I just wanted to highlight the Security section. You will see Basic Authentication, Windows Authentication, Digest Authentication and various other mechanisms. By default, only Anonymous Authentication is loaded; nothing else, unless you specify it. Select the features you need and continue.
On the next page, you're given a summary of the installation, and you then begin the installation. After that, your Windows Server 2008 is a web server. Have fun.
/Dennis
In the upcoming release of Windows Server 2008, many features have been reorganized. Take for instance Add/Remove Programs: it isn't there any more. It's been replaced by Control Panel features similar to the ones laid out in Windows Vista. Since Windows Server 2008 (W2k8 Server) will be Microsoft's next Big Wave, we'll talk about W2k8.
Many of the interfaces have been redesigned, and having asked several IT Pros I've shown W2k8 to, more than 80% of them like being able to manage a server from a single console for more than 60% of the routine tasks.
Most things related to managing the server have been placed into a new console known as the Server Manager. You can access Server Manager from under Administrative Tools.
Clicking on Server Manager brings up the console. The console is made up of several components giving you a very quick view of your server. You used to have to navigate to a few other places in Windows 2003 to obtain the same information, which you can easily find in W2k8.
From this console, you can have a very quick view of the following: Computer Information, Security Information, Roles and Features summary, and Resources and Support.
Computer Information
You can have a quick view of the computer name, workgroup, networking information, whether Remote Desktop is enabled, and the Product ID. You can also make a quick change if needed. Neat, isn't it? I love it. Clicking on the portion highlighted in the picture by the red arrow brings up the relevant panels for you to make changes.
Security Information
You can get information on the firewall status, whether Automatic Updates is enabled, when it was last updated and what the updates were, and whether IE Enhanced Security Configuration is enabled. Likewise, you can quickly click on the relevant item and make immediate changes.
Roles and Features
You can list and manage the roles and features of your server. Say you want to make your server a web server: you add the Web Server role. If you want a DHCP server, you add the DHCP Server role. If you need the .NET Framework 3.0 for things like CardSpace, you add the .NET Framework 3.0 feature. If you need the Remote Server Administration Tools, you look for them under Features. Well, there are too many things to cover here, but you get what I mean. I'll cover what is in there separately.
Resources and Support
Lastly, you can use this section to gain access to resources, for example Community Support. When was the last time you had to frantically look to your vendors for help? Now you can tap the power of Community Support. Oh, before I forget: CEIP, the Customer Experience Improvement Program. This won't take up a lot of resources and doesn't send out sensitive information that identifies who you are. Please enable it if possible. Microsoft uses this information to help us improve our products to serve you better.
That's it for now. I'll come back with more.
/Dennis