WindowsNetworking.com - Monthly Newsletter - April 2014

Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: dshinder@windowsnetworking.com

1. Open Season on Open Source?

Arguably the month's biggest news on the security front was the Heartbleed vulnerability in OpenSSL, but it was no April Fool's prank. Heartbleed is a serious flaw in the open source implementation of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol that may have put millions of web users at risk.

You can read more of the details about how the Heartbleed exploit works in my blog post over on GFI's Patch Central. But the short story is that users who have visited web sites in the last two and a half years that use OpenSSL to encrypt sensitive transmissions are worried that their personal information and/or passwords may have been compromised.

The media, aided by some over-zealous "experts" who want to make headlines, has grabbed hold of this story and made a genuinely serious security issue sound worse than it really is. According to the BBC News, the public is being urged to change all of their passwords. Now, it's never a bad idea to reset your passwords on a regular basis, but there is no need to rush out and change the passwords for every web service you use in response to this disclosure.

That's because Heartbleed only affects web servers that are using OpenSSL. And according to estimates, that comprises somewhere between 17 and 20 percent of the servers on the web. Now, some of those are big players: Facebook, Google, and Yahoo were all vulnerable. However, Microsoft, Apple, and many other web sites that use proprietary versions of SSL were never vulnerable to this. That means, for example, users should change their Gmail passwords but it's not necessary to change Hotmail/Outlook.com passwords.

Heartbleed itself has been discussed in great depth and I'm not going to replicate all of the info that's already out there here. What I want to discuss are some of the implications of this vulnerability and the public reaction to it.

One thing that strikes me is that the tech journalists who have long given open source software a pass are not shrugging this one off. For a long time, we've heard from the "cool kids" (i.e. the Linux/UNIX aficionados who hate Microsoft with a passion) that "open source is more secure than proprietary software." The idea is based on the premise that because any and everyone can access the source code, the community can – and will – quickly detect any security vulnerabilities and create fixes for them, so you don't have to wait for some company that owns the copyrights to do it.

On the surface, it sounds logical, but I never quite bought it. It seemed to me like one of those grand plans that sounds good in theory but doesn't necessarily work quite so perfectly in practice. And I think this Heartbleed bug confirms my skepticism. This vulnerability in a widely-used open source product has been in existence since at least December 2011 and it's just now being brought to our attention and fixed. Some of the vulnerable sites patched it quickly and others dragged their feet. The public is confused and upset and getting conflicting information:
"Change all your passwords right now!"
"These are the passwords you need to change."
"Don't change your password until you know that the site has been patched."

The days following the disclosure were pretty chaotic. And unlike with proprietary software, nobody is sure who to hold accountable. That's because the tradeoff for not having a company "own" the software and control what others do with it is that you don't have a company that assumes the responsibilities of ownership, which include the responsibility to look for flaws in that software and issue fixes for them before those flaws become public knowledge (and thus more likely to be exploited).

I'm not arguing here that proprietary software is inherently more secure than open source – although there are some arguments that could be made in that vein. I'm just saying that the widely held belief that open source is inherently more secure than commercial software is a myth. My heart bleeds for those who are just now finding that out, the hard way.

By Debra Littlejohn Shinder, MVP
dshinder@windowsnetworking.com

=======================
Quote of the Month - Don't judge each day by the harvest you reap but by the seeds that you plant. – Robert Louis Stevenson
=======================

2. Windows Server 2012 Security from End to Edge and Beyond – Order Today!

Windows Server 2012 Security from End to Edge and Beyond

By Thomas Shinder, Debra Littlejohn Shinder and Yuri Diogenes

From architecture to deployment, this book takes you through the steps for securing a Windows Server 2012-based enterprise network in today’s highly mobile, BYOD, cloud-centric computing world. Includes test lab guides for trying out solutions in a non-production environment.

Order your copy of Windows Server 2012 Security from End to Edge and Beyond. You'll be glad you did.

3. WindowsNetworking.com Articles of Interest

Failover Clustering in Windows Server 2012 R2 (Part 1)
Microsoft made a large number of improvements to its failover clustering feature in Windows Server 2012, but they didn't stop there. Windows Server 2012 R2 brings us even more new features and functionalities. Some of the changes are small improvements that make the admin's life a little easier and others are significant improvements. In this article, I revisit the topic of failover clustering with an eye on what's new and different.

Deploying Windows Azure Pack (Part 4)
This is the fourth article in a series, and in it Mitch Tulloch walks through the process of preparing a test environment for deploying Windows Azure Pack.

Maintaining Networks without an IT Staff
For companies and organizations without a full-time IT staff, properly maintaining the network and PCs can be quite challenging. The network tends to get attention only when there are major problems. In this article, Eric Geler shares some tips that can help, whether you're the resident tech at an organization that lacks a real IT staff or you're an IT contractor helping those types of organizations.

Windows Server 2012 R2 and BYOD (Part 5)
Brien Posey continues the discussion of configuring Windows Server 2012 R2 for a BYOD environment. In this article, you will complete the configuration of the Active Directory Federation Server, and begin preparing your Web server for use by BYOD devices.

4. Administrator KB Tip of the Month

Cluster Aware Updating in Windows Server 2012 R2

Cluster Aware Updating, sometimes referred to as CAU, was first introduced in Windows Server 2012 for failover clusters. This feature automates the software updating process on clustered nodes while maintaining availability.

CAU works automatically on cluster nodes running Windows Server 2012 or Windows Server 2012 R2. CAU is an automated feature that enables you to update clustered servers with little or no loss of availability during the update process. During an Updating Run, CAU transparently performs the following tasks:

  • Puts each node of the cluster into "maintenance mode"
  • Moves the clustered roles off the node
  • Installs the updates and any dependent updates
  • Performs a restart if required
  • Brings the node out of maintenance mode
  • Restores the clustered roles on the node
  • Moves to update the next node

Note: Hyper-V VMs are live migrated to an available Hyper-V node in the cluster, maintaining the availability of the virtual machines while their original node is updated.
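The following PowerShell session is an added example (not part of the newsletter) that drives the Updating Run described above with the ClusterAwareUpdating module: it runs the readiness check, previews the updates each node would receive, starts the run with explicit failure limits, and pulls the report afterwards. The cluster name, the failure budget and the output property names used for filtering are assumptions; check them against your environment.

```powershell
# Added example, not from the newsletter. Assumes the ClusterAwareUpdating
# module is installed (RSAT-Clustering) and the caller is a cluster admin.
Import-Module ClusterAwareUpdating

$ClusterName = 'HVCLUSTER01'   # assumption: name of the failover cluster

# 1. Readiness check (BPA-style) before any node is drained. The property
#    names Title/State/Severity are assumed from the cmdlet's table output.
$readiness = Test-CauSetup -ClusterName $ClusterName
$failed = $readiness | Where-Object { $_.State -eq 'Failed' }
if ($failed) {
    $failed | Format-Table Title, State, Severity -AutoSize
    throw 'CAU readiness checks failed; fix the items above before updating.'
}

# 2. Preview: which updates each node would install, without applying any.
#    (NodeName/UpdateTitle are the documented CauUpdateInfo properties.)
Invoke-CauScan -ClusterName $ClusterName `
    -CauPluginName Microsoft.WindowsUpdatePlugin |
    Format-Table NodeName, UpdateTitle -AutoSize

# 3. Updating Run: CAU puts each node into maintenance mode, moves roles off,
#    installs updates, restarts if required, restores roles, then moves on.
#    MaxFailedNodes/MaxRetriesPerNode stop the run early instead of letting
#    failures accumulate, so the cluster never loses more capacity than planned.
#    RequireAllNodesOnline refuses to start if a node is already down.
Invoke-CauRun -ClusterName $ClusterName `
    -CauPluginName Microsoft.WindowsUpdatePlugin `
    -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'True' } `
    -MaxFailedNodes 1 `
    -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline `
    -EnableFirewallRules `
    -Force

# 4. Audit trail: per-node result of the run that just completed.
Get-CauReport -ClusterName $ClusterName -Last -Detailed
```

Run it from a management host rather than a cluster node, since the node running the orchestration would otherwise have to update itself.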

For more great admin tips, check out http://www.windowsnetworking.com/kbase/.

5. Windows Networking Links of the Month

6. Ask Sgt. Deb

QUESTION:

Hi Deb,

I'm running a VMware ESX deployment and currently using a SAN for storage. We've been considering moving away from SAN storage and using file based storage. One of the requirements we have is support for NFS. We've been considering Linux based solutions for file based storage, but we're wondering if Windows Server 2012 R2 might have something to offer in this area? Thanks! – Nelson.

ANSWER:

Hi Nelson,

Great question! While SANs have been the standard in enterprise datacenters for some time, file based storage is becoming more popular. File based storage is a good alternative to traditional SAN storage because it's relatively easy to provision. And as I'm sure you're aware, a good example of this is shown by the trend of deploying and running VMware ESX based virtual machines from file-based storage that is accessed over the NFS protocol.

The good news is that Windows Server 2012 R2 includes updated NFS support that works with NFS 4.1 and can take advantage of many other performance, reliability, and availability enhancements that are available throughout the storage stack in Windows Server 2012 R2.

Check out some of these key features:

Storage for VMware virtual machines over NFS. This is the one that you're most interested in. In Windows Server 2012 R2, you can deploy an NFS file server as a high availability storage back end for VMware virtual machines. Critical components of the NFS stack have been designed to provide transparent failover semantics to NFS clients.

NFS 4.1 protocol. Some of the features of NFS 4.1 include a flexible single-server namespace for easier share management, full Kerberos version 5 support for better security (including authentication, integrity, and privacy), VSS snapshot integration for backup, and Unmapped UNIX User Access for easier user account integration. Windows Server 2012 R2 supports simultaneous SMB 3.X and NFS access to the same share, identity mapping by using stores based on RFC-2307 for easier and more secure identity integration, and high availability cluster deployments.

Windows PowerShell. Over 40 Windows PowerShell cmdlets enable you to perform remote management for every aspect of the NFS file server.

Simplified identity mapping. Windows Server 2012 R2 includes a flat file based identity-mapping store. You can use Windows PowerShell cmdlets to provision Active Directory Lightweight Directory Services (AD LDS) as an identity-mapping store and to manage mapped identities.

For more information on the Windows Server 2012 NFS file server, check out http://technet.microsoft.com/en-us/library/jj592688.aspx
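As an added example (not part of the newsletter or Microsoft's documentation), the following PowerShell builds an NFS share on a Windows Server 2012 R2 file server with the least-privilege settings the answer's feature list allows: Kerberos authentication, no anonymous or unmapped access, no-access as the default for all machines, and read/write granted only to a named client host. The share name, path and client host name are assumptions.

```powershell
# Added example, not from the newsletter. Assumes the Server for NFS role
# can be installed on this host and the client can authenticate with Kerberos.
Install-WindowsFeature FS-NFS-Service -IncludeManagementTools
Import-Module NFS

$ShareName = 'vmstore'                 # assumption
$SharePath = 'D:\NFS\vmstore'          # assumption
$Client    = 'esx01.corp.example'      # assumption: the only host allowed to mount

New-Item -ItemType Directory -Path $SharePath -Force | Out-Null

# Kerberos with integrity and privacy (krb5p); the answer lists auth,
# integrity and privacy as the NFS 4.1 Kerberos options. Anonymous and
# unmapped UNIX access are off, so every client identity must map to a
# Windows account through the identity-mapping store. "All Machines"
# gets no-access so nothing is reachable until a host is granted below.
New-NfsShare -Name $ShareName -Path $SharePath `
    -Authentication krb5p `
    -EnableAnonymousAccess $false `
    -EnableUnmappedAccess $false `
    -Permission no-access `
    -AllowRootAccess $false

# Grant read/write to the single named host; root access stays squashed.
Grant-NfsSharePermission -Name $ShareName -ClientName $Client -ClientType host `
    -Permission readwrite -AllowRootAccess $false

# Verify: expect no-access for All Machines and readwrite for the named host.
Get-NfsSharePermission -Name $ShareName |
    Format-Table ClientName, ClientType, Permission, AllowRootAccess -AutoSize
```

If the hypervisor only supports AUTH_SYS rather than Kerberos, the per-host grant and the no-access default become the only access control on the share, so keep that list tight.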