Search This Blog

Saturday, March 29, 2014

Secure Your Virtual Machine Using BitLocker

 

Hey Lai, How do I secure my virtual machine ? With Windows Server 2012 or 2012 R2, we can mount the virtual disk and copy the data out. Besides with Import fix on Windows Server 2012 R2, we can copy the virtual disk to another Hyper-V and run it without any problem. Yes we do have active directory for authentication but people still can get the content by mounting the virtual disk. My organization data is vulnerable. Can you help me to secure my data?

Lai > Sure no problem. For your scenario, you can implement BitLocker on a virtual machine. BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.

Here is the step on how to configure Bitlocker.

Installation

Install Bitlocker features by Using Server Manager. Select BitLocker Drive Encryption.

image

Configuration Local Policy

Configure some setting on VM local policy. Type gpedit.msc and navigate to

Computer Configuration | Administrative templates | Windows Components | Bitlocker Drive Encryption

image

Operating System Drives:-

  • Choose drive encryption method and cipher strength – AES 256 bit (military grade encryption algorithm)

image

  • Enforce drive encryption type on operating system – Enabled

image

  • Require additional authentication at startup – Enabled. Bitlocker can work with TPM. Since our virtual machine do not has TPM, we can use password as well.

image

On fixed data drives (for other disk- data):-

  • Set enforce drive encryption type on fixed data drives – Enabled

image

Configuration Control Panel

Go to Control Panel | Select BitLocker Drive Encryption

image

Select your drive and click Turn on BitLocker.

image

Select the mode on how to unlock drive at startup. Since it is a virtual machine, we select “Enter a password”

image

Enter your password –> this is the password that you need to key in on every vm restart.

image

In case you forget the password, you can use recovery key by get recovery key. For our case, we select “Save to a file”. Keep this file in a secure location for future recovery.

image

Restart the VM to start encryption. Below is how the screen will look like when restart. User need to enter the password to unlock and boot to the operating syste. This is the process on every time the Virtual machine restart.

image

Once VM has restarted, it will start the encryption process. Just continue to do your work while the system perform encryption in the background. It will take a while for the encryption process. Once complete, your virtual machine is secure and encrypted.

image

Mount using the any Hyper-V Host:-

image

The Drive G is locked and you cannot mount the virtual disk to get the data. Even you move the virtual disk to another Hyper-V, you also cannot view the content.

Bitlocker is available on the following server operating system:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Verification

  • Mount the virtual disk – SECURED
  • Move the VM to another Hyper-V – SECURED

For more question about Bitlocker, check out the FAQ here.

Friday, March 28, 2014

Unable to Backup VM Using DPM–VSS issue

 

Just received a call from customer on problem

  • a. Unable to backup virtual machine using DPM
  • b. Protection group created but no replica

Scenario:-

  • a. Windows Server 2012 Hyper-V
  • b. Two node cluster
  • c. Backup using DPM 2012 SP1

Event log reported, few errors on ID 8194. But frankly speaking can’t find anything from Internet.

5

Other test:-

a. Try backup a folder/files using DPM. Still failed.

b. Try backup using Windows Backup. Guess what? It is still failed.

Then it is not DPM issue. So the ball pass back to VSS.

Without further due, I’m decided to use diskshadow tool which available part of Windows Server 2008 and Windows Server 2012. It is a tool that exposes the functionality offered by the volume shadow copy services (VSS).

To execute, open command prompt and type

C:\Diskshadow
Diskshadow > set context persistent
Diskshadow > set verbose on
Diskshadow > begin backup
Diskshadow > Add volume D: alias VolumeD

1

Received an error message “The provider does not support volume shadow copies for this volume in this context “

Diskshadow > list providers

It only list 2 providers. I did a comparison on 2nd node. The 2nd node consists of 4 provider. So that’s mean missing two provider in the registry. You can check from here:-Under

HKEY LOCAL MACHINE\SYSTEM\CURRENT CONTROL SET\SERVICES\VSS\PROVIDERS

2

The missing registry value:-

3

4

Resolution:-

a. Access to 2nd node registry, export the 2 missing provider

b. Import 2 missing VSS provider into the 1st node registry.

Here is the outcome of the export registry value:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\{89300202-3cec-4981-9171-19f59559e0f2}]
@="Microsoft File Share Shadow Copy provider"
"VersionId"="{00000001-0000-0000-0001-000000000001}"
"Version"="1.0.0.1"
"Type"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\{89300202-3cec-4981-9171-19f59559e0f2}\CLSID]
@="{FCE59DA7-7BAC-40DA-8D21-3E7311BA51CD}"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5}]
@="Microsoft Software Shadow Copy provider 1.0"
"VersionId"="{00000001-0000-0000-0007-000000000001}"
"Version"="1.0.0.7"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\{b5946137-7b9f-4925-af80-51abd60b20d5}\CLSID]
@="{65EE1DBA-8FF4-4a58-AC1C-3470EE2F376A}"

Testing

a. Test using DPM to start backup. Now I was able to backup the virtual machine without any problem.

Case closed…Some how the VSS provider is missing and causing the backup to failed.

Thursday, March 27, 2014

Countdown : Earth Hour 2014

 

image

Join us this year Earth Hour 2014 ! The event is held worldwide towards the end of March annually, encouraging individuals, communities households and businesses to turn off their non-essential lights for one hour as a symbol for their commitment to the planet.

Countdown Clocks

Monday, March 24, 2014

Starwind:- Buy StarWind Now and Pay Later!

 

Exclusive Offer: Buy StarWind Now and Pay Later!

 

The quarter is coming to a close, and StarWind wants to help you meet your business goals. Buy any StarWind product edition to build a fault-tolerant and high availability SAN by March 31, 2014 and pay later*!

To learn more about this fantastic offer, contact StarWind Sales Team directly:sales@starwindsoftware.com
Contact us!

* Terms of payment 90 days net upon signing the invoice.

Sunday, March 23, 2014

Setup Identity Access Infrastructure Using Windows Azure Active Directory

 

We are going to explore on Window Azure Active Directory. Some people tend to misunderstand the concept of on-premise active directory vs Azure Active Directory and always assume both is the same and work exactly like Active Directory in Azure VM.

How Windows Azure Active Directory is different?

image

It’s allow centrally manage users’ access to Windows Azure and other Microsoft online services like Microsoft Office 365 and other non Microsoft Saas application.

We can provisioning and de-provisioning of user accounts stored in cloud directory to the SaaS application that your organization uses.

To get started, you need to have Windows Azure or Office365 subscription.

Where do we get user account?

a. Manual create from Windows Azure Management Portal

b. Existing Office365 directory

c. Sync from on-premise Active Directory

Tool to use - Active Directory Sync Tool. It will provide one way sync user account and password.

To download this tool, click here.

image

image

Once synced, you can verify directory synchronization from Windows Azure Management Portal.(Active Directory | Users)

  • Highlighted in yellow – is an account create an user account from Azure Management Portal
  • Meanwhile the rest of the account – is the result of sync from on premise Active Directory

image

You can verify access to Windows Azure Active Directory Portal by using the following URL:- http://activedirectory.windowsazure.com/ 

image

Login as Global Administrator will provide full access to manage Windows Azure Active Directory.

image

Login with “User Role” - only able to view own details and change their own profile.

image

Future:-

Application Access

Next step is configure Application Access through Windows Azure Active Directory. For our lab example, we are using Box (www.box.com)

1. Click Add, select BOX as an application that your organization use. Make sure you have a BOX subscription either Business (allow for 1 SSO Integration) or Enterprise (allow an Unlimited SSO).

2. Once the application is added, simply follow the steps in the management portal to complete the connection

image

Step 1:- Configure Single Sign on- For our testing purpose, I’m selecting “Password Sign Sign On”. If you select Windows Azure AD Single Sign On, do remember to send the metadata file to Box support team in order to enable SSO.

image

Step 2:- Enable user provisioning to Box once a user is assign to the BOX. Here you are require to enter your BOX subscription credential to allow authorization to use Windows Azure SSO on BOX.

image

Step 3:- Granted user which you would like to give access to Box.

image

Finally, perform testing an application access by login to Application Access Panel:-

http://myapps.microsoft.com.

Only user which has granted access will be able to see their application listed in the portal.

image

Here are list of applications that you can test

a) Dropbox for Business

b) Google App for Business

c) Skydrive

d) Office365 for Exchange Online

e) Office365 for Sharepoint Online

For more complete list of app support Windows Azure Active Directory, please check out here. There are total of 1021 app which support integration with Active Directory and Single Sign On.

Thursday, March 20, 2014

Clean Up Unwanted Disk on Windows Azure After Virtual Machine Has Deleted

 

You can delete a cloud and vm by using Windows Azure management portal.

image

Some of you may select “Delete the attached disks”. This option will delete the virtual machine plus the attached the virtual disk. However, when you view from virtual machines | Disks, you can still view your existing disk is still there. (sometimes)

image

The weird part is, try to select the virtual disk and the option “DELETE” is dimmed.

image

This is how I managed to delete it by using Cloud Xplorer.

1. Connect to your Azure Storage

2. Select the virtual disk and select Break lease. If you did not select this option, you will receive an error message “"There is currently a lease on the blob and no lease ID was specified in the request.” This is because still got lease locks on disks which were used in VM, which were since deleted.

image

3. Once the lease has break, you can select the disk and delete it.

image

4. On the Windows Azure Portal,it will still display the disks is still available. For my case, I have waited for few days, before it is disappear or able to select DELETE button. It probably took few days to replicate the resources.

Note:- Test it on your own risk. It is not supported. (Just my lucky try). Hope this help if you do encounter this problem. If problem persist, then you should contact Windows Azure support team.

Visio Stencils for Hyper-V and Vmware

 

Looking for visio stencils?

Veeam provides a FREE collection of Hyper-V and Vmware virtualization Visio stencils that can be used by administrators, system integrators and datacenter managers to create their own diagrams in Microsoft Visio 2003, 2007, 2010 or 2013 as part of your Hyper-V or VMware deployment planning.

imageimageimageimage

To download, click here

Enjoy!

Friday, March 14, 2014

Contest :- Guess Where is Veeam 100,000th Customer?


image
Veeam is about to get its 100,000th customer and is launching an interactive contest for a chance to win a trip around the world and other prizes (Google Glass, iPad and Microsoft Surface).
To participate, visitors need to register and predict the location of Veeam’s 100,000th customer on the interactive map. The closer you are to the right spot, the better chance you have to win the trip around the world and other prizes.
We currently have a live pre-registration page. The main contest will start next week.
Join in on the fun! We hope you will participate and celebrate this great achievement with us.
Guess the location here: http://world.veeam.com/
For more information: http://world.veeam.com/veeam_tc_2014.pdf

[updated 26 March 2014]
The contest is now live. Feel free to place your marker and hope you can win the contest.

Good luck.





Saturday, March 8, 2014

Running Remote Desktop Services in Windows Azure

 

Yesterday we received a memo regarding  electrical power shutdown maintenance  conducted by TNB at our data center location.  That’s mean no electrical power for few days during this weekend and UPS or generator won’t be able to sustain to boot up servers at data center. One of the server is our Remote Desktop Services and it is running multiple application for mobile users who are using Surface RT, android tablet and Ipad.

Too bad, we don’t have another data center to use Hyper-V Replica to failover the VM. Sad smile

With no electricity, mean they won’t be able to access their application and continue working.

But we not too worry about it as we’ve successful setup Hybrid Cloud and move some workload to Windows Azure and one of them is Remote Desktop Services.

Architecture

architecture

This above  figure depicted that we have setup an additional domain controller at Windows Azure and constantly replicate active directory object with on premise Active Directory.

Then we have created two virtual machine: Remote Desktop Gateway and Remote Desktop Server (holding RDS Web, RDS Broker, RDS Session Host)

* This is just a simple deployment. It is recommended to setup Availability Set and Load Balancing.

For more information, please refer to:

Supported

  • Session Host running Remote Desktop Services is supported running in Windows Azure.
  • VDI using Remote Desktop Services is NOT supported to run in Windows Azure

For more information, please refer to

Licensing

Microsoft quoted

    • Service providers can offer hosted solutions through RDS running on Windows Azure as long as they obtained RDS SALs (Subscriber Access Licenses).
    • Volume Licensing customers who have active Software Assurance on their RDS User CALs are entitled to RDS CAL Extended Rights, which allow use of their RDS User CAL with Software Assurance against a Windows Server running on Windows Azure or other service providers’ shared server environments.
    • Multi-tenant hosting is restricted in the Product Use Rights of Windows Client, such as Windows 7 or Windows 8. Windows Client Desktops are not available on either Windows Azure or on any other Service Provider such as Amazon or Rackspace.

For more information about license, you can refer to here.

Configuration

At Windows Azure

Deploy several virtual machine to host active directory, RDS Gateway and RDS Servers.

To deploy RDS roles, refer to here.

At client machine

For Ipad and Android tablet, download Remote Client at Google Play store or Apple Store

imageimage

For Surface RT

  • Install the certificate that you use previously to setup Remote Desktop Services on your Surface RT
  • Configure Remote App and Desktop Connection to point to RDS Web

SNAGHTML8cf8322

Final result

image

Remote App available on Surface RT. Mobile users can access directly to the application by selecting the app. The communication between thin client to RDS Gateway is using port HTTPS (TCP 443). RDS Gateway will encapsulate the RDS traffic to TCP 443.

image 

For vpn client, they can directly access to RDS Web Server by using browser.

SNAGHTML8c7685d

Conclusion

Now we can run Remote Desktop Services using Windows Azure. No longer require to host it internally or on premise.

With Windows Azure infrastructure, it allow us to scale virtual machine when require , meet the workload demand and achieve 99.95% availability by setting up availability set in Windows Azure.