Steven JW Kennedy


Thursday 12th June – Day 3 of Tech-Ed 2008 – Orlando Florida

Posted by Steven Kennedy on June 13, 2008


My remote access from the hotel sucks! Actually, Internet access performance is bad. The performance is so bad that it’s going to take 25 minutes just to update my mailbox. It was pretty bad yesterday so I dropped one of our WAN engineers a note along with a trace route I’d taken. Tonight I did some additional checking and it looks like it’s the local Internet connection that’s the problem. One of the hops is dropping something like 20% of the traffic, so I’m going to wait to blog Thursday’s sessions. I’ll see if a connection from the conference tomorrow performs better.


Wednesday 11th June – Day 2 of Tech-Ed 2008 – Orlando Florida

Posted by Steven Kennedy on June 11, 2008


Early morning start, got the bus from the hotel at about 7:30am and got to the Convention Center just after 7:45am. Had a quick bit of breakfast and then off to the first session at 8:30am. The first session was on DNS by Mark Minasi so I got there a bit early. Just as well, as this was one of the larger rooms, 300+, but 5 minutes into the session the ushers had stopped people coming in until they could find an empty seat for them. I’m only going to give a bit of a write-up about the DNS session as I’m tired and anyway a couple of the sessions I don’t have slide decks for as they haven’t been posted yet.

I attended six sessions today, one of which was during lunch;

  • SVR370: DNS 2008 Style: How Name Resolution Changes in Windows Server 2008 Infrastructures
  • SEC354: A Hackers Diary: How I Can Hack Your Vulnerable Services and How You Can Stop Me
  • LUN61: Do These Ten Things Now or Else Get 0wn3d! – this was the lunch time session
  • MBL452: Windows Mobile as Secure as Blackberry: Are You Joking?
  • IDA350: Active Directory Rights Management Services (AD RMS)
  • SVR384: Licensing Your Windows Vista and Windows Server 2008 Systems: Everything You Know Is Wrong

SVR370: DNS 2008 Style: How Name Resolution Changes in Windows Server 2008 Infrastructures

I’m posting this presentation here. The file is a PowerPoint 2007 file; that’s what Microsoft are using these days. I haven’t tried to convert it to a 2002/2003 format as yet. Mark Minasi has been around a long time, from the DOS days (NOT Denial of Service, Disk Operating System); Mark says he’s 60. He has a deep knowledge of Microsoft Active Directory and networking, including DNS. I have some notes that I need to go through to add to this post, but there was one thing that jumped out as being of potential use in cleaning up old DNS domains, that is the ‘DNAME’. This is a new, standards-based, DNS record type. You can read about it on slide 37. Simply put, what it does is allow you to replace one domain name with another when doing lookups. So that an acquired company that uses, oh let’s say, acme.com could use this DNAME record to basically replace acme.com with newcompanyname.com. Now there’s a bit more to it than that, naturally, but this would seem to have potential for merging new companies into our corporate infrastructure.
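As an added illustration (not from Mark’s deck or from this post), here is a small Python model of how DNAME substitution works over a constructed zone. It goes a little beyond the paragraph above: a DNAME redirects every name below its owner (www.acme.com, mail.acme.com, …) but never the owner name itself, and a DNAME-aware server synthesizes a CNAME for each rewritten name so that old resolvers still get an answer. The zone contents, names and addresses are made up for the example.

```python
# Constructed sample zone (not from the post). A DNAME at the old apex
# redirects the whole subtree below acme.com to newcompanyname.com.
# Names are stored lower-case, fully qualified, without a trailing dot.
ZONE = {
    "acme.com": {"DNAME": ["newcompanyname.com"], "A": ["192.0.2.1"]},
    "www.newcompanyname.com": {"A": ["198.51.100.10"]},
    "mail.newcompanyname.com": {"A": ["198.51.100.25"]},
}


def find_dname(name):
    """Return (owner, target) for the closest enclosing DNAME of `name`.

    DNAME (RFC 2672 / RFC 6672) applies only to names strictly below its
    owner, so the walk starts at the parent of `name`, never at `name`.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):           # www.acme.com -> acme.com -> com
        owner = ".".join(labels[i:])
        rrset = ZONE.get(owner, {})
        if "DNAME" in rrset:
            return owner, rrset["DNAME"][0]
    return None


def substitute(name, owner, target):
    """Rewrite `name` by replacing its trailing `owner` labels with `target`."""
    name = name.lower().rstrip(".")
    prefix = name[: -len(owner) - 1]          # drop ".owner"
    return f"{prefix}.{target}"


def resolve(name, rtype="A", max_redirects=8):
    """Resolve `name` against ZONE, following DNAME redirections.

    Returns (final_name, records, synthesized_cnames); the last element lists
    the (old, new) CNAMEs a DNAME-aware server would add to its answer.
    A bound on redirections guards against a DNAME pointing into itself.
    """
    name = name.lower().rstrip(".")
    synthesized = []
    for _ in range(max_redirects):
        if name in ZONE and rtype in ZONE[name]:
            return name, ZONE[name][rtype], synthesized
        hit = find_dname(name)
        if hit is None:                       # no data and no enclosing DNAME
            return name, [], synthesized
        owner, target = hit
        new_name = substitute(name, owner, target)
        synthesized.append((name, new_name))
        name = new_name
    raise RuntimeError("DNAME redirection loop")


if __name__ == "__main__":
    for q in ("www.acme.com", "acme.com", "ftp.acme.com"):
        print(q, "->", resolve(q))
```

Note that the apex acme.com still answers with its own A record: the DNAME leaves the owner alone, so a migration still has to handle the bare old domain (for example with a plain A record or a web redirect) separately from the subtree.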


SVR384: Licensing Your Windows Vista and Windows Server 2008 Systems: Everything You Know Is Wrong

Okay, so I only read the title, not the write-up. I thought it was going to be about how Vista, and the bit I was really interested in, Windows Server 2008, is licensed. Boing! Wrong. This was about Enterprise Activation of Vista and Windows Server 2008. Licensing, especially last thing in the afternoon, is going to be hard, but this…. I did learn a thing or two, between naps (just joking, maybe), that I’ll add to this post once I have re-read my notes. It’s coming up to midnight here and I have a long day ahead of me tomorrow. I get to go to Universal Studios 8:00pm to midnight 🙂


Tuesday 10th June – Day 1 of Tech-Ed 2008 – Orlando Florida

Posted by Steven Kennedy on June 11, 2008


Well, actually day two for me but day one for the conference proper. The day started with the keynote speech, by Bob Muglia, Senior Vice President of the Server and Tools Business at Microsoft, which I missed, on purpose. Instead I did some email and wrote the first blog entry and hence missed all of the crowds heading to the Orlando Convention Center. I headed out over there just before 10:00am, for the first breakout session at 10:30am.

I attended four sessions today;

  • SEC252: Notes from the Field: Implementing a Military Grade Security Access Solution
  • SEC355: Privacy: The Why, What, and How
  • IDA351: Active Directory Read Only Domain Controller in your Enterprise
  • UNC360: Protect. Preserve. Discover. Compliance and governance in Exchange Server 2007

SEC252: Notes from the Field: Implementing a Military Grade Security Access Solution

A Swedish company, TrueSec, talked about what they’d done for Volvo and how they’d designed and implemented a capability for Volvo users to be able to connect to a high security (military) network securely. It’s a bit too involved to go into in this post, but it involved an ISA server on the entry point and another ISA server into the highly secure network. In between the ISAs is a Terminal Server, and inside the secure network was another Terminal Server. Users have certs to gain access through the ISA and use SmartCards to log in to both Terminal Servers, no credential pass-through – it wasn’t technically possible. The picture below shows the setup.

[Image: Volvo-Military Connection]


SEC355: Privacy: The Why, What, and How

A Steve Riley presentation, always interesting. In this case talking about privacy: what is it, do we have it, etc. A couple of things that came out of it that would probably be interesting to look into;

IDA351: Active Directory Read Only Domain Controller in your Enterprise

I won’t go into a lot of detail on this one, but it does have a lot of potential. Deploying an RODC can be done securely without having to have a Domain Admin at the site. It would allow us to reduce the number of Domain Admins we have and deploy RODCs in places that we normally wouldn’t think of deploying a DC. It also has potential for intra-company DMZs¹ and possibly extranets.

For an intra-company DMZ I’m wondering if it will solve the issue with the SharePoint people picker. Put an RODC in the DMZ to allow it to talk back to a full DC (via an IPSec tunnel?) on the internal network. When SharePoint wants to talk to an internal DC it talks to the RODC. I have talked with some Microsoft people here about this. They thought it might work but weren’t sure. I’ll have to go back as they have someone they thought would know more who wasn’t at the desk when I was there. Note! Microsoft Exchange does NOT work with an RODC. It requires write access to a DC. Whilst the RODC can

Some links to RODC resources;

¹ Intra-company DMZ – This is a DMZ between different parts of a company that are separated by a firewall. This configuration can occur in global companies, or those that have, for whatever reason, segregated various lines of business using firewalls.


UNC360: Protect. Preserve. Discover. Compliance and governance in Exchange Server 2007

This turned out to be a short session. The presenter went through his material very quickly. Even so, there were a number of items that did come out of it;

  • All emails go through Hub Transport servers, even mailbox to mailbox. This means you can use the Hub Transport to apply rules to the message traffic
  • You can use rules on the Hub Transport to
    • help prevent information leakage (doesn’t inspect attachments though)
    • send NDRs to users saying that their email violated some policy, i.e. put a rule in place to check for SSNs and send an NDR. This leads to the question: can you just send a notification to the user but send the email anyway, based on, say, whether the email is going to the UK?
  • Internal email transport is ALL encrypted. As Exchange 2007 supports Mutual TLS, it leads to the question: why not use MTLS between the Exchange 2007 server and the perimeter email system? Then all email transport on our network would be encrypted.
  • Journaling rules would allow us to put rules in place to journal emails from specific people (legal holds?). The email is sent to a specified mailbox, possibly on a totally separate system. The journaled email contains the original email plus who the email was sent to and by whom. This piece also shows you what distribution list the recipient was on. It also shows CC’ed and Bcc’d recipients.

This ‘stuff’ requires the Exchange Enterprise premium CAL for the Journaling rules. If we go down this path then ALL users would require this CAL. In the past we’ve split users into those on our network, Enterprise CAL, and those on site (military bases etc.) who only access remotely and therefore only need the Standard CAL. With Journaling they’d need the Enterprise premium CAL as well.
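To make the two hub-transport ideas above concrete, here is an added Python model (my own illustration, not Exchange’s rule syntax or anything from the session) of a tiny transport-rule engine. It evaluates a constructed message for an SSN pattern, answers the open question in the notes by rejecting with an NDR when any recipient is external and only notifying the sender when every recipient is internal, and builds an envelope-style journal report that records expanded distribution-list members, Bcc recipients and which list each recipient came through. The domain, addresses, list membership and the “journal these senders” scope are all made-up assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed environment (assumptions, not from the post).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN shape, nnn-nn-nnnn
INTERNAL_DOMAIN = "example.com"
DIST_LISTS = {"legal-team@example.com": ["alice@example.com", "bob@example.com"]}
JOURNALED_SENDERS = {"ceo@example.com"}            # e.g. senders under a legal hold


@dataclass
class Message:
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    body: str = ""


def expand_recipients(msg):
    """Expand distribution lists; yields (address, list_it_came_via_or_None, header)."""
    out = []
    for header, addrs in (("To", msg.to), ("Cc", msg.cc), ("Bcc", msg.bcc)):
        for addr in addrs:
            members = DIST_LISTS.get(addr.lower())
            if members:
                out.extend((m, addr, header) for m in members)
            else:
                out.append((addr, None, header))
    return out


def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(msg):
    """Apply the hub-style rules to one message and return the decision."""
    recipients = expand_recipients(msg)
    result = {"action": "deliver", "ndr": None, "notify": None, "journal": None}

    # Rule 1: SSN pattern in subject or body (attachments are not inspected,
    # matching the limitation noted in the session).
    if SSN_RE.search(msg.subject) or SSN_RE.search(msg.body):
        if any(is_external(a) for a, _, _ in recipients):
            result["action"] = "reject"
            result["ndr"] = "Delivery blocked by policy: SSN detected, external recipient"
            return result                       # nothing left to journal
        result["notify"] = "Policy notice: SSN pattern found; delivered internally"

    # Rule 2: journaling for specific senders. The report carries the original
    # message plus every final recipient, including Bcc and the DL they were on.
    if msg.sender.lower() in JOURNALED_SENDERS:
        result["journal"] = {
            "sender": msg.sender,
            "recipients": [
                {"address": a, "header": h, "expanded_from": via}
                for a, via, h in recipients
            ],
            "original": msg,
        }
    return result


if __name__ == "__main__":
    demo = Message("ceo@example.com", ["legal-team@example.com"],
                   bcc=["carol@example.com"], body="Ref 123-45-6789")
    print(evaluate(demo))
```

The early return on reject is deliberate: a blocked message never reaches a mailbox, so there is nothing to journal, and the NDR itself is the record the sender sees. Whether a real deployment should notify-and-deliver for internal traffic is a policy decision; the code just shows where that branch sits.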


Some photos from the 1st day

[Photo: TechEd08 Day 1003]

Where is everyone? At the keynote speech, unlike me.

[Photo: TechEd08 Day 1002]

IT refreshments, yummy, lots of processed sugars.

[Photo: TechEd08 Day 1009]

Where’s the sun? Florida is supposed to be sunny and hot. Well, I guess one out of two isn’t bad; it is hot.
