Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
February 27, 2009
Looking forward to TechEd! I’ll be staffing one of “The Learning Center” pods in the security area - will post an update as soon as I know which one.
Permalink | Comments (0)
I’m working on getting the Windows 7 Beta to install on a new Sony Vaio Z. It’s a nice laptop, but I really only need it for testing purposes, and getting Win 7 to install has so far been painful.
First I tried a boot DVD of the 64-bit version. I get all the way to the OOBE screen (setting a password) and then an IRQL bugcheck. Not sure which driver.
So I decided to try 32-bit, but for some reason the system won’t boot that DVD. It’ll boot on other systems, though, so I’m not sure what’s going on. I didn’t try burning another one. I suppose I could have also tried to restore Vista and do an upgrade, but that sounds even more painful than this.
Anyway, I had a spare external drive sitting around, and I more-or-less followed these instructions for getting the installer running from there instead of the DVD. Setup is still running; stay tuned …
Permalink | Comments (0)
TechEd 2009 is coming up …
February 22, 2009
TechEd is going to be in Los Angeles this year - the second week of May. How could I pass up an opportunity to not have to fly to the east coast for a great conference? I’ll be there!
Btw - rumor has it that there will be another PDC this year, the second year in a row, also in LA. I’m somewhat surprised that they’re doing PDC two years in a row, but the rationale is probably about building ISV momentum around the Windows 7 release. However, that doesn’t explain why they’re having TechEd and PDC in the same city. What about all of those folks in the northeast? Still, no complaints from me …
Permalink | Comments (0)
The Microsoft MVP Global Summit will be the first week of March - just a week away. I’ve never been before, since this is my first year as an MVP, but I’ve been hearing about it through the grapevine for a couple of years. Aside from the technology briefings, it sounds like a heck of a professional networking opportunity (and a big party …). Looking forward to it!
Permalink | Comments (0)
Just confirmed - the UPEK Eikon fingerprint reader that I ordered from Amazon arrived within a couple of days, and it’s a snap to complete a new fingerprint enrollment and do a biometric logon to Win 7 (latest Beta, 64-bit even!) with it.
Thus, we’ll be using these devices for this project.
Permalink | Comments (1)
New test devices for biometrics project
February 17, 2009
I’ve been using an AuthenTec AES2810 USB fingerprint reader for my proof of concept development for this project so far, as I’ve blogged previously. However, although I found both their hardware and software to be high-quality, even on the Windows 7 Beta, I haven’t been able to find a reliable-sounding reseller. The issue is that I only have the one device, and we’re going to need more as we ramp up dev and test.
Instead, I learned that UPEK makes USB fingerprint readers that both (a) support Windows 7, and (b) are readily available retail, in this case via Amazon. The link to their drivers is here, including the note that all of their Eikon line (which is what’s available from Amazon) is supported in this scenario. Haven’t tested them yet; they’re due today or tomorrow. Will post an update.
Permalink | Comments (0)
EC2 Console: developer specification posted
February 9, 2009
Check out the dev spec posted here (for this project).
Most notable about the spec: we’ve got a plan for how to bootstrap a Windows AMI (Amazon Machine Image) in such a way that we can have it immediately (but securely) install an arbitrary MSI package on boot. This is going to be a cool tool!
Permalink | Comments (1)
EC2 Console: proposed feature list
February 4, 2009
Regarding the EC2 Console sample (Windows Presentation Foundation) application, here’s the tentative feature list:
- In order to maintain the list of EC2 machine instances, and the current status of each, auto-refresh the client GUI at a preset interval. This applies when waiting for machines to shut down and start up, and when waiting for volumes to be created. That way the user doesn’t have to keep hitting Refresh.
- Mouse pointer needs to indicate when something’s happening. Current EC2 console is bad at this, and also not very responsive.
- Filter AMIs for Windows-only by default
- Help with matching Availability Zones, e.g. for instances and volumes. Windows is currently only available in 1B, so presumably always pick that as the default. When creating a new Volume, first ask if it applies to a specific instance. If it does, create the Vol in the same zone and then automatically attach it.
- Auto-configure to allow TermSrv from the IP address of the current host. Probably should handle dynamic IP address updates somehow, since many people will try to use this via cable broadband connections.
- Offer a shortcut link to shell exec a TermSrv window to the machine in question
- While decrypting the default password via the current AWS Console, IE always times out and repeatedly throws an annoying dialog. Find a way to decrypt the password locally with the key pair’s PEM private key via Win32.
- Heartbeat on public DNS and Elastic IP (if bound) for each machine instance
Other feature requests and feedback are welcome. In the meantime, I’ll work on the developer specification.
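The password item in the list above is what the AWS Console does inside the browser; here is the same operation done client-side, as an added example that is not part of the original post or of the EC2 Console project. EC2 returns the initial Administrator password RSA-encrypted (PKCS#1 v1.5) to the public key of the launch key pair, base64-encoded, and the downloaded .pem private key decrypts it. The example uses the third-party Python `cryptography` package; the key pair and password are generated inline so it runs offline, and `simulate_ec2_password_data` stands in for the GetPasswordData response (the names are this example's own).

```python
import base64

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def generate_launch_key_pem() -> bytes:
    """Stand-in for the .pem you download when creating an EC2 key pair.

    EC2 hands out a PKCS#1 "BEGIN RSA PRIVATE KEY" file; one is generated
    locally here (constructed for the example, nothing is fetched from AWS).
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )


def simulate_ec2_password_data(private_key_pem: bytes, password: str) -> str:
    """Build what GetPasswordData returns: base64(RSA-PKCS#1v1.5(pubkey, password)).

    This is the EC2 side, reproduced only so the example runs offline. The
    public key is derived from the PEM here; EC2 itself holds only the
    public half you registered and never sees the private key.
    """
    public_key = serialization.load_pem_private_key(private_key_pem, password=None).public_key()
    ciphertext = public_key.encrypt(password.encode("utf-8"), padding.PKCS1v15())
    return base64.b64encode(ciphertext).decode("ascii")


def decrypt_password_data(private_key_pem: bytes, password_data_b64: str) -> str:
    """Client side: recover the Administrator password with the launch key.

    Raises ValueError if the ciphertext was not made for this key (wrong
    .pem, or the instance was launched with a different key pair).
    """
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    if not isinstance(key, rsa.RSAPrivateKey):
        raise TypeError("EC2 launch keys are RSA, got %s" % type(key).__name__)
    ciphertext = base64.b64decode(password_data_b64, validate=True)
    plaintext = key.decrypt(ciphertext, padding.PKCS1v15())
    return plaintext.decode("utf-8")


def wrong_key_is_rejected(other_key_pem: bytes, password_data_b64: str) -> bool:
    """True when a mismatched key fails cleanly instead of yielding garbage."""
    try:
        decrypt_password_data(other_key_pem, password_data_b64)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pem = generate_launch_key_pem()
    blob = simulate_ec2_password_data(pem, "Xy7!generated-at-launch")
    print("recovered:", decrypt_password_data(pem, blob))
    print("wrong key rejected:", wrong_key_is_rejected(generate_launch_key_pem(), blob))
```

Because the private key never leaves the client, the decryption belongs in the desktop tool rather than in a web page; a wrong key fails the PKCS#1 padding check and raises instead of returning a plausible-looking string.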
Permalink | Comments (0)
In ramping up for this project, the first thing to do was to get a Windows Server instance running on EC2 and deploy a test web application to it. I figured that that experience would be typical of what most developers will need to do as they experiment with this cloud computing platform. In fact, it was easier than I thought it would be. Here are my “lab notes”:
I started with the existing AWS Management Console (I’d signed up for an account previously; you’ll need one in order to try any of this). The first step was to create a new machine Instance. I used the public one named “ami-45bf582c,” which is basically Windows Server 2003. I selected the medium CPU load, just because I wanted reasonable responsiveness while experimenting with things.
Next, I created and attached an “Elastic Block Store” volume. In other words, a persistent drive. Note that anything you save on the instance’s own (non-EBS) storage is gone forever once the instance is terminated; a plain reboot keeps it, but don’t count on that storage for anything you need to keep. I actually ended up not needing the EBS volume for this testing, but it was comforting to know it was there in case, in the middle of my work, I decided I wanted to save something!
If you do create an EBS volume, be sure it’s in the same zone as the machine instance that you want to attach it to (currently, Windows machines can only run in zone us-east-1b, but that’s not the default zone when creating a new volume). Also, the current version of the AWS console has a bug in selecting the target instance when attaching a volume. The available instance (I had only one) doesn’t appear, even though it is in the same zone. Just hit okay on the dialog anyway; the volume will attach to the default instance (again, not sure what will happen if you’ve got more than one).
A few additional notes about preparing the Windows instance before deploying a test website:
- A static IP can be allocated and bound to the machine for testing, but that’s not required for this test. The public DNS name assigned to the instance is fine.
- Enable RDP for the security group in question via the AWS console. There’s a built-in setting for this (called “RDP”), but it’s filtered (blocked) by default. Ideally limit the source to your own address rather than the whole Internet. I also opened up HTTP this way.
- Once I’d connected to the test machine instance via RDP, I removed the Windows Server 2003 IE hardening settings (Internet Explorer Enhanced Security Configuration) via appwiz.cpl in order to have a more functional Internet Explorer. That’s something you wouldn’t want to do for a production deployment.
- Also using appwiz.cpl, I installed the ASP.NET feature under Application Server in Windows components. That may not be a required step, though.
- In the IIS Management MMC snap-in, I enabled all of the web service extensions. Again, for a production deployment, you’d want to do this only selectively.
Now, what about the test web application? Visual Studio has a great feature for deploying web applications, namely, the Web Setup Project type. There’s a reasonable introduction to that feature here. I decided to use that approach for my test deployment.
However, once the MSI has been built for the test web site, there’s still the question of how to get it onto the EC2 machine instance. The ports I’d opened - RDP and HTTP - aren’t much help when it comes to copying files.
To digress briefly, I decided to experiment with using SMB (i.e., file shares) to copy the web site installer. Thus, I returned to the AWS console security group settings and opened up a few additional ports: 135, 139, and 445. To my chagrin, that doesn’t work; Amazon still blocks them:
>nmap.exe -v -PN X.X.X.X -p T:80,135,139,445,3389
Starting Nmap 4.68 ( http://nmap.org ) at 2009-02-04 14:35 Pacific Standard Time
Initiating Parallel DNS resolution of 1 host. at 14:35
Completed Parallel DNS resolution of 1 host. at 14:35, 6.50s elapsed
Initiating SYN Stealth Scan at 14:35
Scanning ABC.compute-1.amazonaws.com (X.X.X.X) [5 ports]
Discovered open port 80/tcp on X.X.X.X
Discovered open port 3389/tcp on X.X.X.X
Completed SYN Stealth Scan at 14:35, 2.58s elapsed (5 total ports)
Host ABC.compute-1.amazonaws.com (X.X.X.X) appears to be up … good.
Interesting ports on ABC.compute-1.amazonaws.com (X.X.X.X):
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3389/tcp open     ms-term-serv
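The scan above makes a distinction worth automating: “filtered” means the probes were dropped somewhere in the path, so the control in effect is Amazon’s edge filtering rather than the security group you just edited, whereas “closed” means the host answered and nothing listens. Here is an added example (not part of the original post) that parses nmap’s normal output and reconciles the ports you intended to expose with what the scan actually saw, including open ports you did not intend. The sample input is the post’s own scan, with the host anonymized as in the post; `audit_exposure` and `parse_nmap_ports` are this example’s names.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Sample scan: the nmap run from the post against the EC2 instance (host
# and IP anonymized there), pasted here as the input for the example.
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on ABC.compute-1.amazonaws.com (X.X.X.X):
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3389/tcp open     ms-term-serv
"""

# One nmap port line, e.g. "445/tcp  filtered microsoft-ds". States can be
# compound ("open|filtered" in UDP scans), hence the [a-z|] class.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)"
)


def parse_nmap_ports(output: str) -> Dict[Tuple[int, str], str]:
    """Map (port, proto) -> nmap state for every port line in normal output."""
    states: Dict[Tuple[int, str], str] = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[(int(m.group("port")), m.group("proto"))] = m.group("state")
    return states


def audit_exposure(intended_open: Iterable[int], output: str, proto: str = "tcp") -> Dict[str, List[int]]:
    """Reconcile the ports you meant to expose with what the scan observed.

    open            - reachable and listening, as intended
    closed          - host answered (RST): path is clear, nothing listening
    filtered        - no answer: something between scanner and host drops
                      the probes (here Amazon's edge, not the security group)
    not_scanned     - intended port absent from the scan output
    unexpected_open - open ports in the scan that were not intended
    """
    states = parse_nmap_ports(output)
    report: Dict[str, List[int]] = {
        "open": [], "closed": [], "filtered": [], "not_scanned": [], "unexpected_open": [],
    }
    intended = set(intended_open)
    for port in sorted(intended):
        state = states.get((port, proto))
        if state is None:
            report["not_scanned"].append(port)
        elif state == "open":
            report["open"].append(port)
        elif state == "closed":
            report["closed"].append(port)
        else:
            report["filtered"].append(port)
    for (port, p), state in sorted(states.items()):
        if p == proto and state == "open" and port not in intended:
            report["unexpected_open"].append(port)
    return report


if __name__ == "__main__":
    for bucket, ports in audit_exposure([80, 135, 139, 445, 3389], SAMPLE_NMAP_OUTPUT).items():
        print(f"{bucket:16s} {ports}")
```

Run against the post’s scan with all five ports intended, the report puts 80 and 3389 under open and 135, 139 and 445 under filtered; a filter you do not own is not a control you should depend on, and a scan from outside is the only way to confirm what is really exposed.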
What to do instead? I took the easy way out: zip up the web installer MSI, email it to myself, and open it on the EC2 instance. Note - this is one reason that you’d need to disable IE hardening for testing purposes, otherwise you probably wouldn’t be able to log on to your webmail site.
What to do for deployment into production? Amazon suggests using FTP or FrontPage Server Extensions. I wouldn’t recommend the former, since the password is sent in cleartext, unless you’re tunneling it through (a Windows build of) SSH. (Since RDP is already open, mapping a local drive into the Terminal Services session copies files over the encrypted RDP connection without opening anything else.) Regarding FPSE, I tried installing them via Add/Remove Programs and got an error about missing installation media. Thus, the solution will be some combination of scripting and keeping certain tools and media on an EBS volume.
In any case, once I’d installed the test web site via the email attachment, it worked fine the first time around, including remotely via the public DNS name.
Permalink | Comments (0)