MVP Award!

I just got word that I have been awarded the Microsoft Most Valued Professional (MVP) Award for 2012, in the Directory Services discipline. This is a great honor, and I accept it humbly.

First off, thanks to those who nominated me and gave me advice on how to become an MVP, and also Microsoft for finding me worthy. I am really looking forward to connecting with the MVP community, and with the Directory Services group particularly. Also, thanks to everyone who has congratulated me on the award.

I have a lot of new ideas for new community content, so keep watching this space!

TechEd 2012: Day 4

Last day!

It has been a fantastic conference! A lot of interesting sessions for every timeslot.

I started out with Marcus Murray’s session about Advanced Persistent Threats (SIA303). I have been disappointed with Marcus’ sessions at earlier TechEds but this time I was positively surprised. Marcus, among other things, gave a good rundown on the RSA attack. Good session.

Being in a geeky mood, I next went to see Aaron Margosis and his Sysinternals Primer: Gems session (SIA311). I have read a lot of Aarons stuff before and it was great to finally see him in person. Aaron has also written a new book about the Sysinternals tools which I’m planning to get. If you’re interested it’s called Windows Sysinternals Administrator’s Reference.

In keeping with TechEd tradition the guys responsible for the agenda had placed Mark Russinovich’s last session at the very end of the conference. No doubt to make as many people as possible stay for as long as possible. I never leave before the conference ends, so this was no problem for me. The session was the 2012 edition of the Case of the Unexplained series. Mark had all new cases and it was a very fun session.

The last session of the conference was Andy Malone’s Cryptographic Chronicles, part 2 (SIA401). This was a continuation of an earlier session. This time Andy promised beer to whoever could break his cipher challenge. I did my best, but was unable to break it this time. (No one else did either, so I wasn’t too sad.) The session itself was very interesting and a nice conclusion to the conference.

We walked back to the city center, had some dinner, and went home. All in all a great week, both at the conference, and in Amsterdam. Already looking forward to next year!

TechEd 2012: Day 3

Day 3 and still going strong. Great conference so far!

The day started with another good session from Samuel Devasahayam. This time it was SIA312: What’s New in Active Directory in Windows Server 2012. A lot of new cool features in AD for Server 2012, first among which must be Dynamic Access Control.

After that Mark Russinovich gave a very interesting session about Windows Azure internals (AZR302). Azure is really a great service and it was very cool to hear a little about how it is built and run. Mark even had a new Dave Cutler story.

John Craddock was also at TechEd and before lunch I attended his “Windows Server 2012: A Techie’s Insight into the Hot New Features”. This was an OK session where John went through what he felt were the hottest new features in Windows Server 2012. His selection was Direct Access, Compound Tokens and Dynamic Access Control. You have to see John at least once every time you’re at TechEd.

During lunch we participated in Andy Malone’s interactive session about BYOD; SIA04-LNC Adventures in BYOD Land. This would have worked much better in a smaller room and with fewer people as the atmosphere in the big theater room at the RAI didn’t encourage the audience to speak up. Especially since Andy is known to speak his mind afterwards. But it was still interesting.

The last session of the day for me was Mark Russinovich’s “Malware Hunting with the Sysinternals Tools”. This was the best one so far in the conference. Mark gave us an update on the tools, and went on to dissect some of the latest malware, e.g. Stuxnet and Flame. We even managed to get a picture with the man! (I’m to his right in the picture, with the white shirt and glasses!)

TechEd 2012: Day 2

Lovely wheather in Amsterdam on our second day at Microsoft TechEd 2012.

Unfortunately I missed the second keynote (will have to catch that on video later).

Since I really like IPv6 I chose Edward Horley’s talk WCL324: IPv6 Bootcamp: Get Up to Speed Quickly as my first item of business. Ed, whom I have not seen before, delivered a great talk and had some very good advice on IPv6 deployments. I fully agree with his recommendation of disabling the IPv6 transition technologies, but leaving IPv6 itself enabled. You will have much more predictable network behavior then.

Next up I got a chance to meet an old hero of mine; Dr. Tom Schinder. Tom was/is the leading expert on ISA Server/TMG products. I have read his book on ISA 2000 and probably all of his blog posts on the subject. Tom has lately begun spending more time as an architect and gave a very interesting session on the foundations of cloud computing; AAP304: Private Cloud, Principles, Concepts and Patterns. The session basically explained why the System Center suite does what it does. I got to shake the good man’s hand later and have a quick chat. Unfortunately I didn’t have a change to get a picture with him. The camera on my HTC HD7 is just too poor.

In my first session after lunch, SIA200: Cyber Security Defenses: What Works Today, I also got a change to meet another speaker that I have heard a lot about; Robert Grimes. Robert wrote the Protect You Windows Network book together with Jesper Johansson. This is a great book that I highly recommend to anyone interested in security. Rober, and his co-presenter Mark Simos, gave us a fantastic 75 minutes of security information. Loved this session!

The day’s last session was Andy Malone’s SIA400 The Cryptography Chronicles: Explaining the Unexplained, Part 1. This is one of the very few level 400 sessions on TechEd and it was great. I am really fascinated by cryptography and Andy gave a really good introduction. He also had a little competition for the audience with a Caesar substitution cipher (which I was able to solve!). Unfortunately it had some mistakes so the plaintext read WE ARE AKK GEEGS, instead of the intended WE ARE ALL GEEKS. I talked to Andy later and he admitted that it had been pretty late when he put that one together. Part 2 will be on Friday.

We finished the day with a nice cruise on the Amsterdam canals.

TechEd 2012: Day 1

First day of the conference proper and we are, to use a Microsoft term; superexcited.

First item of business was the keynote delivered by Brad Anderson and a few others. Much attention was given to the upcoming launch of Windows Server 2012 and the new System Center 2012 Suite. Microsoft has a great story here and I’m having trouble seeing other companies with the same capabilities.

Next for me was Mark Russinovich’s Introduction to Windows Azure Virtual Machines (AZR208). This is a really interesting new capability of Azure, which also puts Microsoft in the IaaS market (previously Azure was only PaaS). Mark delivered a great talk as always. The man’s knowledge is impressive.

During lunch we caught Mark Russinovich and Scott Guthries live chat about Windows Azure. Questions were put to the panel via Twitter. That was really cool. I even got some of my own questions answered!.

Hacking sessions are always fun so after lunch I went to see Paula Januszkiewicz’ talk entitled “Crouching Admin, Hidden Hacker; Technologies for Hiding and Detecting Traces (SIA301)”. This was a huge let down as Paula just kept repeating old, well known security axioms like “Have a dedicated admin account” and “Don’t log on to workstations with your admin user”. Very boring and disappointing. As far as I could tell she didn’t cover any of the stuff the title of her talk indicated. Paula’s demo of Stuxnet, if you can call letting your VM become infected, failed, but that was due to the recently discovered deactivation feature of Stuxnet, although we did not know this at the time.

The last session of the day was SIA205 Running Active Directory on Windows Azure Virtual Machines. The talk was delivered by Samuel Devasahayam from the Directory Services team. Sam was a great guy and covered all the stuff you need to know before you deploy AD on Azure VMs. We met Sam later outside the conference center and had a nice chat.

Looking forward to tomorrow!

TechEd Europe 2012: Day 0

Today was pre-conf day. A whole day of focusing on a single subject. John Craddock delivered the goods in my selected session: Building Federated External Access for Microsoft SharePoint 2010. The TechExpo and the Hands On Labs areas were not open yet, so the conference hasn’t really started yet.

Very much looking forward to tomorrow, which will start off with the main keynote. That’s always fun. Later in the day I plan to catch some sessions on the new features in Windows Azure, and Mark Russinovich will deliver one of them!

TechEd Europe 2012: T -1

Hello again

1 day until @teched_europe starts!

Another nice day in Amsterdam, although it rained a lot today. Went down to the @AmsterdamRAI conference center to register for the event. New this year is self service registration, Microsoft taking lessons from the airline industry I guess. The RAI seems nice, but everything was pretty much closed, will see more tomorrow.

A few friends arrived today also. We’re going to have dinner and see  England vs. Italy in the European Cup.

TechEd Europe 2012: T -2

Hello all!

So it’s time for the long awaited return of the @teched_europe Conference here in Europe. This time in the wonderful city of Amsterdam, the Netherlands. It has been a long wait for us techno geeks since Microsoft decided to push the conference back to the summer timeframe instead of autumn. 18 months to wait is a long time!

Arrived in Amsterdam today, nice hotel, terrible Internet (writing this at the McDonald’s next door that has free WiFi). Taking in the sites today. More to follow!

If you want to know more about the Conference, have a look at: http://europe.msteched.com/

2 days until TechEd starts!

What’s special about the builtin Administrator account?

Every installation of Windows based on the Windows NT code base has a builtin admin account called Administrator. Every installation of Active Directory Directoy Services also has a builtin admin account called Administrator. (If you are running a version of Windows other than English, your accounts may be named something else.) This account provides complete access to files, directories, services, and other facilities. But are there other things that make these account special?

  • The Relative Identifier (RID) is always 500
    In Windows each Security Principal is identified with a Security Identifier or SID. The SIDs have two parts; the machine or domain component and the Relative Identifier (RID). The RID is simply a whole number incremented with one (1) each time a new Security Principal, typically a group or user, is created. The builtin Administrator accounts, whether they are in a local SAM database or in Active Directory, always have the RID 500. This means that if you know the domain or machine component of the SID, you also know the full SID of the builtin Administrator. From there it is easy to do a “reverse lookup” and find the actual username of the builtin Administrator, and then to start trying to break into it. (Some older code even lets you authenticate with the SID directly, as opposed to a username.) See next bullet.
  • The account cannot be locked out
    The builtin Administrator account cannot be locked out of the system no matter how many failed logon attempts it accumulates. This makes it a prime target for brute force attacks. Auditing can help you find out if someone is trying to do a brute force attack using the builtin Administrator account. Other, manually created, administrator accounts can be locked out, and therefore do not present a similar threat. Renaming your builtin Administrator account will afford you some protection, but be aware of the limitations of this; see previous bullet.
  • The account cannot be deleted
    At least not using the default Windows tools.
  • The account is disabled on client OSs as of Windows XP
    In Windows XP and onwards, the builtin Administrator account does not have a password and is disabled. During setup you are required to create at least one new account, and this account becomes an administrator.

Letting go of Windows NT 4.0…

Windows Server 2008 R2 Domain Controllers have left Windows NT 4.0 behind. Windows Server 2008 would still let the old guy play along, but no more. This fact is not apparant until you start to look closer:

  • DCPromo in Windows Server 2008 R2 will not let you select Windows 2000 mixed mode for your domain functional level.
    This in turn makes it impossible to add a Windows NT 4.0 BDC to your domain.
  • A trust cannot be created between a Windows NT 4.0 domain and a Windows Server 2008 R2 domain.
    The security changes introduced in Windows Server 2008 R2 prevent this. (http://support.microsoft.com/?id=942564)
  • Windows NT 4.0 compatible cryptographic algorithms are not enabled in a Windows Server 2008 R2 domain.
    They can be enabled, but this, still, will not let you create a trust between Windows NT 4.0 and Windows Server 2008 R2. (http://support.microsoft.com/?id=942564)

I guess it  was finally time to move along…