Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Restorify downloads and links:

Permalink | Comments (0)

Firms that use virtualization (including technologies such as Microsoft Hyper-V) are more efficient and as a result, more profitable:

Permalink | Comments (0)

OS Virtualization:

OS Deployment and OS/App Virtualization:

  • Chapter 1 Deploying a Modern OS, such as Windows 7
  • Chapter 2 Reducing Desktop Costs by Virtualizing the Desktop
  • Chapter 3 Reducing Desktop Costs through Application Virtualization
Permalink | Comments (0)

As part of testing Restorify, we’ve been using it to back up our production Small Business Server 2003 machine. By the way, I blogged previously about the procedure for virtualizing that SBS machine; this has recently become easier.

The VHD of the SBS machine is 40 GB. The transfer numbers below come from a two-day window: we created a backup, then created another one two days later (nightly backups would be better in production, but we’re trying different scenarios to see how the thing scales).

The delta after two days was 300 MB, which is less than 1% of the 40 GB image.

What was the workload, exactly? In summary, the server hosts about 5 GB of line-of-business (LOB) data under active use. It is not running Exchange.

Edit: we’re much more efficient now; I updated the numbers above.

Permalink | Comments (0)

For MSPs configuring Windows Server 2008 R2 machines to run on customer sites, and for so-called “branch office” scenarios, we recommend the use of BitLocker. This whitepaper, although outdated (it’s for Server 2008, not R2), explains some of the reasons for this recommendation. In summary, small offices tend to be more exposed to having a data drive walk out the front door. Not that important stuff doesn’t get stolen from big companies all the time, but large data centers, on average, have better physical security.

The whitepaper also makes the case for consolidating branch office workloads using Hyper-V, and I agree with that recommendation as well. For example, JW Secure has a dedicated client machine for synchronizing our dynamic DNS record. It would be wasteful to run that on its own piece of hardware, though. Ditto for source control, file shares, etc. All virtualized, and thus easier to manage, backup, restore, move, etc.

The case for Restorify follows directly from this case for virtualization in branch offices and small business. Once you’ve consolidated the workload, you can now securely and easily replicate those entire images offsite. How long would it take to rebuild our old source control server, running on physical hardware? Probably two 12-hour days. How long would it take to rebuild our new virtualized source control server from an offsite image? Probably an hour plus driving time (unless our MSP hosts it temporarily for us, in which case you can remove driving time).

Final point tying this all together: running Hyper-V guests on a BitLocker-protected host drive is a supported configuration. That’s the main point of the whitepaper above, and the configuration we recommend for Restorify Client machines. We also recommend the use of BitLocker To Go for protecting the initial full images in transit, since a removable drive carrying a full VHD is exactly the kind of thing that walks out the door. Here’s a link to a newer whitepaper that discusses BL and BLTG.

Permalink | Comments (0)

I’m in the process of flattening and rebuilding my Lenovo T61 (widescreen = badass). It was previously running Vista SP2 and was starting to exhibit the kind of strange behavior that we’ve come to expect from computers that have been ridden hard for more than two years without an opportunity to revitalize.

It’s now running 64-bit Server 2008 R2, primarily so I have a convenient portable platform for demonstrating Restorify. Revitalization has been achieved.

Having become a bit more comfortable with the Windows BitLocker drive encryption feature than I was during the Vista era, it’s now our policy to use it on laptops. Here’s a step by step guide for turning on BitLocker.

Remember, if your computer has a TPM chip, BitLocker will by default use that chip to protect the key which in turn encrypts your drive. This is good; it means that if your laptop is stolen, someone can’t simply remove the hard drive and read its contents from another computer. Short of the recovery key, the protected drive can only be unlocked on the computer with the exact TPM chip that sealed the key when the drive was encrypted.

On the other hand, your stolen laptop can be booted with the drive still in it, and the data can still be attacked. That’s because certain common interfaces such as FireWire allow DMA (Direct Memory Access). With TPM-only protection the drive is unlocked automatically during boot, so once the machine reaches the logon screen the volume key is sitting in RAM. If the attacker can get a DMA-capable device recognized by your laptop without having to log in, he or she can read data directly from your system memory. Microsoft has documented this threat here (about half way down).

There’s no guarantee, with the DMA attack, that any particular piece of sensitive data stored on your drive will actually be in main memory, but it’s best not to risk it. The easy solution is to configure BitLocker to require a PIN at boot time: the drive then stays locked until someone who knows the PIN boots the machine, so a thief with a powered-off laptop has no unlocked memory to read. (Note that this only helps if the laptop is shut down or hibernated when stolen; a machine in sleep mode still has the key in RAM.)

First, configure local computer policy (via gpedit.msc, or by pushing out an updated group policy centrally) to allow (if not require) the TPM + PIN key protector on startup. That procedure is documented here (same guide as above). You should also require that BitLocker recovery information (the recovery password) be backed up to Active Directory Domain Services (documented in the same guide).

Finally, run a command such as the following on your laptop(s):


C:\Windows\system32>manage-bde -protectors -add c: -TPMAndPIN
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Type the PIN to use to protect the volume:
Confirm the PIN by typing it again:
Key Protectors Added:

    TPM And PIN:
      ID: {9205B1A3-36BE-4110-9353-00AB68022023}

Key protector with ID "{6998DDAB-E374-49EC-999A-F1BD13BE861B}" deleted.

Once BitLocker is set up, you should be aware that part of the key protection scheme employed by the TPM chip is to guard against major system configuration changes that could be part of an attack against a stolen machine. The TPM only releases the key if the boot measurements (firmware, boot loader, and so on) match those recorded when the drive was encrypted. If something major has changed, the TPM will refuse to release the key and BitLocker enters recovery mode (hence, you won’t be able to boot your computer without a recovery key). The following best practices will give you three layers of defense against this happening:

  1. BitLocker creates a recovery key when you initially set it up, and it recommends that you store that key on a separate USB fob. Follow that advice, and don’t lose the fob.
  2. Require recovery password backup to AD, like I mentioned above.
  3. When making any major system changes, most especially BIOS updates, suspend BitLocker (press the Start button, type Manage BitLocker, hit Enter, click Suspend Protection). Suspending leaves the volume encrypted but stores the key in the clear, so resume protection as soon as the update and reboot are done.
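As an added example (not code from the original post), here is a PowerShell script that wraps the same manage-bde tool shown in the transcript above and automates the three follow-up steps: adding the TPM+PIN protector if it is missing, making sure a recovery password exists and is backed up to AD DS, and suspending protection before a firmware update. It assumes an elevated PowerShell prompt on a Windows 7 / Server 2008 R2 era domain-joined machine where the Group Policy settings described above (TPM+PIN allowed, recovery information stored in AD DS) are already in place. The function names (Get-BdeProtectors, Ensure-TpmAndPin, Ensure-RecoveryPasswordInAd, Suspend-BdeForFirmwareUpdate) are this example’s own, not part of BitLocker.

```powershell
# Added example, not from the original post. Wraps manage-bde.exe (present on
# Windows 7 / Server 2008 R2) to apply the BitLocker best practices above.
# Assumptions: elevated prompt, domain-joined machine, Group Policy already
# allows TPM+PIN and permits storing recovery information in AD DS.

$Volume = 'C:'

function Get-BdeProtectors {
    # Parse "manage-bde -protectors -get" output into Type/Id pairs.
    # manage-bde prints a type line such as "    TPM And PIN:" followed by a
    # line "      ID: {GUID}"; we pair each ID with the type line before it.
    param([string]$MountPoint)
    $lines = & manage-bde -protectors -get $MountPoint
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get failed for $MountPoint" }
    $result = @()
    $lastType = $null
    foreach ($line in $lines) {
        if ($line -match '^\s+([A-Za-z ]+):\s*$') { $lastType = $Matches[1]; continue }
        if ($lastType -and $line -match '^\s+ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $result += New-Object PSObject -Property @{ Type = $lastType; Id = $Matches[1] }
            $lastType = $null
        }
    }
    return $result
}

function Ensure-TpmAndPin {
    # Same as the manual command in the transcript above; manage-bde prompts
    # for the PIN interactively and replaces the TPM-only protector.
    param([string]$MountPoint)
    $existing = Get-BdeProtectors $MountPoint | Where-Object { $_.Type -eq 'TPM And PIN' }
    if ($existing) { Write-Host "TPM+PIN protector already present on $MountPoint"; return }
    & manage-bde -protectors -add $MountPoint -TPMAndPIN
    if ($LASTEXITCODE -ne 0) { throw "Adding the TPM+PIN protector failed; check that Group Policy allows TPM+PIN" }
}

function Ensure-RecoveryPasswordInAd {
    # Make sure a 48-digit recovery password exists, then push each one to the
    # computer object in AD DS so a TPM measurement change cannot lock you out.
    param([string]$MountPoint)
    $recovery = Get-BdeProtectors $MountPoint | Where-Object { $_.Type -eq 'Numerical Password' }
    if (-not $recovery) {
        & manage-bde -protectors -add $MountPoint -RecoveryPassword | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Adding a recovery password failed" }
        $recovery = Get-BdeProtectors $MountPoint | Where-Object { $_.Type -eq 'Numerical Password' }
    }
    foreach ($p in $recovery) {
        & manage-bde -protectors -adbackup $MountPoint -id $p.Id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "AD DS backup of recovery protector $($p.Id) failed" }
        Write-Host "Backed up recovery password $($p.Id) to AD DS"
    }
}

function Suspend-BdeForFirmwareUpdate {
    # Suspending keeps the volume encrypted but stores the volume key in the
    # clear, so the PCR changes from a BIOS update will not trigger recovery.
    # On Windows 7 / 2008 R2 the suspension lasts until explicitly re-enabled.
    param([string]$MountPoint)
    & manage-bde -protectors -disable $MountPoint
    if ($LASTEXITCODE -ne 0) { throw "Suspending protection on $MountPoint failed" }
    Write-Warning "Protection on $MountPoint is suspended; run 'manage-bde -protectors -enable $MountPoint' after the firmware update and reboot."
}

Ensure-TpmAndPin $Volume
Ensure-RecoveryPasswordInAd $Volume
Get-BdeProtectors $Volume | Format-Table Type, Id -AutoSize
# Only before a BIOS update: Suspend-BdeForFirmwareUpdate $Volume
```

Run the script once after enabling BitLocker, and call Suspend-BdeForFirmwareUpdate only immediately before a BIOS or other firmware update; the warning it prints is the reminder to re-enable protection afterwards, because a volume left suspended gives a thief none of the protection discussed above.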
Permalink | Comments (2)

Was just reading about Spiceworks: free, ad-supported IT network management software (thanks to the SBS Diva blog for cluing me into this one, although looks like The Diva raised some concerns about Vista support in an earlier post).

I haven’t tried the software yet myself, but it includes features for monitoring and help desk. What’s more, they claim to have 750K users. Those features, with that level of adoption: pretty cool.

This page on the Spiceworks site mentions that, if you don’t want to see ads, you can pay $20 per month. That’s actually still not bad for a product version that doesn’t have any artificial CPU, user, or node limitations.

On the other hand, at first blush, it would seem to imply that they value the current total of their usage-based ad impressions at $15 million per month (750K users times $20), which sounds like an awfully big number. But then, these have the potential of being well-targeted ads, so maybe certain big IT advertisers value it that highly.

Could the ad-supported model work for Restorify? The answer, I think, is: maybe. For one thing, users of the Spiceworks app are dependent upon its GUI/console for much of the key functionality. In other words, getting good value from the app pretty much implies that you’re going to be seeing the ads (unless you pay the opt-out, of course).

In contrast, while Restorify doesn’t have a good server console yet (it’s on the TODO list), the product can be used effectively without one. After all, automated backups don’t require a console, just a warning (emailed, for example) if something’s going wrong (to a certain extent that would apply to Spiceworks as well; I guess the lesson here is that if your app is ad-supported, you want to implement your features in such a way as to make the GUI as sticky as possible). Ditto for restores.

Restorify’s new reporting features (both real-time and periodic/monthly) could benefit from a console. My conclusion is that, if I’m going to be dependent upon users viewing the console as often as possible, making the reporting feature as pretty and informative as possible is the best way to do it.

Permalink | Comments (0)

Last night’s Ignite Seattle 8 was a great example of a professional networking event cloaked as entertainment. Lots of late-20s, early-30s entrepreneurial folks getting together to discuss common interests over drinks, followed by several five-minute talks on a variety of topics. Very enjoyable - and well attended (supposedly more than 700 people).

I’ve heard it said that one of the San Francisco Bay Area’s best assets in creating an environment conducive to technology entrepreneurship is its culture of networking and open discussion of ideas, plus the availability of venues known to provide those opportunities. It doesn’t hurt that there’s a critical mass of startup-oriented talent, either.

There’s no debating that Seattle doesn’t have the same culture, but maybe that’s because we’ve learned that there’s such a thing as over-sharing. I’d argue that we’ve got the talent, although folks tend not to be as startup-oriented. And while we may not have as many of the venues, Ignite Seattle is one really good one.

Permalink | Comments (1)