Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Uninformed: technical hacker/security journal
January 28, 2008
The latest series of papers, just announced today, look pretty informative.
http://www.uninformed.org/?v=9
Setting up the NAP DHCP lab in VMware
January 27, 2008
The NAP (Network Access Protection) DHCP (Dynamic Host Configuration Protocol) demonstration lab instructions provided by Microsoft (“Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab” ) are a great way to ramp-up on NAP and to see the technology in action. However, the lab has two shortcomings:
- It requires three separate machines, rather than just two.
- It doesn’t talk about using virtual machines, which is the most common configuration customers want to try.
Having experimented at great length, I can now share the following addendum to the lab instructions. These steps will allow you to set up a two-VM NAP DHCP demo (requiring one virtual Vista client and one virtual Server 2008, RC1 or RTM when it’s available). My test environment includes the latest (free) version of VMware Server running on Windows Server 2003. However, I would guess that any of the most recent VMware SKUs on any supported host OS will work.
I have also seen the same configuration work on Microsoft Virtual Server, but I won’t vouch that these specific steps will get you there.
I recommend reviewing both the following steps and the full lab instructions before getting started. Seriously – doing so will save you a lot of time. The lab steps actually aren’t as complicated as they first appear, because the text is actually super-specific. But if you miss a single one, the demo just won’t work.
By the way, why do people prefer the DHCP lab over the other scenarios (IPsec, VPN, 802.1X) as a first attempt? Because, as long as you can create a test environment (such as the one I discuss below) in which you won’t be interfering with some other deployed DHCP service, it’s the simplest configuration. The others require additional server roles, such as Certificate Services, and are tougher to get working with just two VMs.
- Create a new VM with a custom (previously unused) Ethernet device. Use VMnet2 for example.
- Set up Windows Server 2008 (WS08). Note that for Vista and WS08 VMs, I configure 2 GB of RAM apiece. Hence, your host needs at least 5 GB of RAM for smooth operation of this demo. You can do it with less, especially if you have multiple fast hard disks to run in parallel, but it can be frustratingly slow.
- Once server installation is complete, configure its single NIC with static IP 192.168.0.1 (subnet mask 255.255.255.255, gateway 192.168.0.1, DNS server 127.0.0.1). This resembles instructions in the lab.
- Using the new WS08 admin configuration screen, add the DHCP server role. Then configure and enable the DHCP service. Refer to the lab instructions for this, but don’t do the NAP portions yet. And, specifically, don’t configure DHCP to require NAP yet. But don’t forget to do so later!
- Create a new VM with the same Ethernet device as above. That is, you’ll have two guest machines on one private network (on a single host).
- Set up Vista. When complete, ensure that it’s configured for DHCP, and that it gets an IP lease from the WS08 DHCP server, using the first free address. If this part doesn’t work, the rest of the lab won’t work either, so do network connectivity troubleshooting now and/or ask for help. However, note that this private network doesn’t have internet access, which can make debugging painful. Thus, if you get stuck here, you’ll probably have to experiment with some different virtual network settings.
- Now go back to the server VM and add the Active Directory role. Then run dcpromo.exe. Per the lab instructions, create a new domain in a new forest: contoso.com. You may get a warning that there’s a network interface not bound to a static IP. As long as you re-confirm that that’s actually not the case, I found it safe to ignore that. Reboot, etc.
- Join the client VM to the new domain. Upon reboot, re-confirm that the client still has its IP lease and can see the server. If so, you’re good to go to complete the rest of the steps in the lab: add the NAP role to the server, configure it, enable NAP in the DHCP service, enable NAP on the client, test that the built-in Windows SHA/SHV can auto-remediate the client firewall.
Advanced Studies:
After you’ve completed the remediation demo in the lab, you’ll probably want to pursue whatever broader agenda led you to start experimenting with NAP in the first place (for example, trying out my MSDN sample NAP plug-in ;). In any case, not having internet access from those VMs is likely an obstacle.
This solution assumes that the VM host has full internet connectivity.
- Shut down the server VM.
- Add a second VMware Ethernet device to it, using whatever full-connectivity option has worked before (“Bridged,” typically).
- Boot the server and ensure that both NICs are behaving as expected. That is, that DHCP is still serving the private one, and that the new bridged one obtained an IP lease from the same DHCP server that’s serving the host machine.
- Verify that you can reach the internet.
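As an added sanity check (my own example, not part of Microsoft’s lab guide), the following PowerShell script verifies the network state the steps above depend on. Run on the server VM it confirms that a static NIC holds 192.168.0.1, that the DHCP Server service is running and, after the Advanced Studies steps, that the bridged adapter holds its own lease; run on the client VM it confirms that the lease came from 192.168.0.1, that the machine is joined to contoso.com, and that the NAP Agent service is running. Service names (DHCPServer, napagent) are assumed to be the WS08/Vista defaults.

```powershell
# Added example: sanity checks for the two-VM NAP DHCP lab (not from the MS lab guide).
# Uses WMI only, so it works with PowerShell 1.0 on Vista / Windows Server 2008.
$privateServer = "192.168.0.1"   # static address of the WS08 private NIC (from the lab)
$labDomain     = "contoso.com"   # domain created by dcpromo in the lab

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$cs       = Get-WmiObject Win32_ComputerSystem

# Inventory every IP-enabled adapter so a misbound NIC is obvious at a glance
foreach ($a in $adapters) {
    $v4 = @($a.IPAddress) | Where-Object { $_ -notmatch ":" }          # skip IPv6 entries
    "{0}: ip={1} dhcp={2} dhcpServer={3}" -f $a.Description, [string]::Join(",", $v4), $a.DHCPEnabled, $a.DHCPServer
}

$dhcpSvc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
if ($dhcpSvc) {
    # Server VM: the private NIC must be static and own 192.168.0.1, and DHCP Server must be up,
    # otherwise NAP enforcement has nothing to hand out leases on the private network
    $static = $adapters | Where-Object { -not $_.DHCPEnabled -and (@($_.IPAddress) -contains $privateServer) }
    if (-not $static) { Write-Warning "No static NIC holds $privateServer" }
    if ($dhcpSvc.Status -ne "Running") { Write-Warning "DHCP Server service is $($dhcpSvc.Status)" }

    # Advanced Studies: the bridged NIC should hold a lease from the host's DHCP server
    $leased = $adapters | Where-Object { $_.DHCPEnabled -and $_.DHCPServer }
    if ($leased) { "Bridged NIC leased from $($leased.DHCPServer)" }
    else         { "No DHCP-leased NIC (expected until the bridged adapter is added)" }
} else {
    # Client VM: the lease must come from the lab server and the box must be in the lab domain
    $lease = $adapters | Where-Object { $_.DHCPEnabled -and ($_.DHCPServer -eq $privateServer) }
    if (-not $lease) { Write-Warning "No lease from $privateServer; fix connectivity before continuing" }
    if (-not ($cs.PartOfDomain -and ($cs.Domain -eq $labDomain))) {
        Write-Warning "Not joined to $labDomain (current domain: $($cs.Domain))"
    }
    # NAP enforcement on the client depends on the NAP Agent service being started
    $nap = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if ($nap -and $nap.Status -ne "Running") { Write-Warning "NAP Agent service is $($nap.Status); start it before testing enforcement" }
}
```

Run it from an elevated PowerShell prompt on each VM after the corresponding step; every warning points at the lab step that still needs fixing.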
This resonates with me, since finding best-in-class collaboration tools that are well suited for a small company is … difficult.
The list is here: http://o20db.com/db/setup.
Referenced from here: http://www.fastcompany.com/magazine/122/office-in-a-cloud.html.
A blurb in the Fast Company calendar for February 2008 references the launch of Windows Server 2008 on the 27th.
http://www.fastcompany.com/magazine/122/now-february.html
They also reference a “key feature” of the product that does a “health check of every piece of technology … that a company brings into its network.” That technology would be Network Access Protection, although I guess they decided not to reference it by name.
FC also references an IDC report that states that, for every dollar Microsoft earns on Vista and Server 2008, the ecosystem earns $18. Hop on board!
The Wall Street Journal reported on Friday that, at the Microsoft client division, sales ”rose 67% to $4.43 billion” and operating income rose 83%.
http://online.wsj.com/article/SB120120200992914097.html?mod=crnews
Previous post on this subject.
See you at ShmooCon
January 23, 2008
I am super excited that my talk proposal has been accepted for ShmooCon (Washington, D.C., Feb 15 - 17)! And - the speaker list has just been posted, so it’s official.
Remember - small hacker conferences are where everything interesting in the security field starts …
Cool tool: Google Webmasters
January 20, 2008
If you own or manage a website, you should check out the Google Webmasters tool at http://www.google.com/webmasters. For example, it shows the top searches leading to your pages, which ones people clicked on, as well as general crawler results and other tools. Pretty cool!
Private tour of Google’s Seattle office
January 16, 2008
I was very fortunate, while attending a Google open house in their Fremont (Seattle) office last night, to get a private tour of the facility (the tour group consisted of me and two friends, guided by a former colleague).
Let me summarize - Google looks like a great place to work! The in-office benefits include massages, free breakfast/lunch/dinner, and a big game room (Xbox, pool, air hockey, arcade machine). Plus you’ll get a great salary and the opportunity to work with smart people.
So much for the perks. What’s it like to actually get meaningful work done there? Well, I don’t think you can learn that during just a quick visit. That said, based on the layout of the office, and from talking to employees, Google understands how to create a collaborative work environment.
It appears to be a very engineering-driven company. I got the impression that, especially in a satellite office, there could be disappointment if you want to collaborate with other disciplines (marketing, sales) in order to see your ideas bear fruit. But if you have more of a software-researcher mentality, it would probably be quite satisfying.
If you’re passionate about the web, about attracting new users, and about expanding and tuning the online advertising business, I can think of no better place to do it than Google.
Check out my “full length” interview (this is separate from the one I did with Mike Howard, previously posted) from the Microsoft TechEd Developers conference last November in swinging Barcelona. Be sure to drink some coffee before watching this, because I speak kind of slowly …
http://www.virtualteched.com/Videos/EU_1_dgriffin_FB_100.asx
Managing Windows Firewall with VBScript
January 10, 2008
Check out my new article in Security Pro VIP (from Windows IT Pro magazine) entitled “Managing Windows Firewall with VBScript”.
Direct link is here, although it requires a paid subscription. You can see a short blurb about the article on this page (search for the title string to find it in the list).