April 28, 2006
Virtual Server 2005 R2 Service Pack 1 Beta 1 Is Now Available!
A beta of Virtual Server 2005 R2 service pack 1 is available today for download. Virtual Server 2005 R2 service pack 1 will support the hardware virtualization capabilities developed by AMD and Intel. By supporting both AMD Virtualization and Intel Virtualization Technology, customers will be provided better interoperability, strengthened isolation to prevent corruption of one virtual machine from affecting others on the same system, and improved performance for non-Windows guest operating systems. The beta of Virtual Server 2005 R2 service pack 1 is available at www.microsoft.com/virtualserver.
Microsoft will have two betas of Virtual Server 2005 R2 SP1. Beta 2 is scheduled for calendar Q4, with general availability in Q1 2007.
Beta 1 of Virtual Server 2005 R2 service pack 1 includes:
- Intel Virtualization Technology compatibility
- Host Clustering technical white paper and the VB script
Beta 2 is planned to include the features of Beta 1 plus:
- AMD Virtualization Technology compatibility
- Active Directory integration and management features
- Volume Shadow Service
The Beta 1 download is available via Microsoft Connect. Select the Virtual Server 2005 R2 SP1 Beta program from the list of available programs that appear here:
Posted by Paul Adare at 08:42 PM
April 21, 2006
Interesting RMS Issue
So I'm working on an RMS deployment for a customer and we ran into a weird issue that up until now I'd never seen before so I thought that I'd share the problem and what we finally discovered to be the cause of the problem.
If a user, let's call her Alice since RMS is a cryptographic application, created a piece of protected content using the built-in Office protection methods (IOW not using a custom template) and assigned another user, say Bob, a specific set of limited rights on the content, when Bob opened the content, rather than having the limited rights assigned appeared to have full control of the content. Now if Bob were to create a piece of protected content, and assigned limited rights to Carol, when Carol opened the protected content, she had the correct rights assigned. Similarly, if Carol assigned rights on content to Bob, everything worked as expected. If Bob or Carol assigned rights on content to Alice, Alice had the correct rights when opening the content. So the problem only occurred when Alice was protecting content. Finally, if Alice protected content using a custom template, everything worked as expected.
Examining the EULs issued to Bob or Carol showed that regardless of the protections assigned by Alice, Bob and Carol had the OWNER right, which is similar to NTFS full control, in the EUL.
Cause and Resolution
After opening a case with Microsoft's CSS we discovered what was causing this problem. The customer uses the email attribute of security groups to list the email address of the owner of each group. They do this so that they have a point of contact for adding user accounts to the group in question. This was the cause of the problem we were seeing. It turned out that Alice was the owner of a group that contained Bob and Carol and because of the practice of adding the group owner's email address to the email attribute of the group anyone who was a member of that group was being granted OWNER rights to the content. Removing Alice's email address from the email attribute of the group, and flushing RMS' group cache resolved this problem.
The other side effect of this issue is that any member of a group that contained Alice's email address in the email attribute would have OWNER rights on the content, even if they had not been specifically assigned rights on the content.
The reason that this behaviour did not appear when using custom templates is that the templates used the special RMS group Anyone which obviously doesn't have an email attribute.
The customer in question is going to fix up the security groups that affect their pilot deployment, however, this behaviour may well prevent them from pursuing a broader deployment of RMS.
Hope this helps.
Posted by Paul Adare at 05:29 AM
April 19, 2006
Want the Performance Improvements in Virtual Server 2005 R2 But Still Want to Use Virtual PC 2004?
In addition to some new features (host based clustering using iSCSI, x64 support, etc.) VS 2005 R2 also includes some fairly significant performance improvements. What if you're running, and want to keep on using VPC 2004 but you'd still like to have the performance improvements that VS 2005 R2 provides? Now that VS 2005 R2 is free, there is a simple solution to this problem. If you install VS 2005 R2 on a system that already has VPC 2004 installed, a number of components that are shared between the two products will be installed and will then be available to VPC 2004. These shared components contain most of the performance improvements in VS 2005 R2 and as such will be available to VPC 2004 after installing VS 2005 R2. Note that if you don't plan on using VS 2005 R2 you don't need to have IIS installed before installing VS 2005 R2. Also note that you won't get any of the new features as these are all VS specific, however, you will get the benefit of the performance improvements.
This will also allow you to take advantage of the latest version of the Virtual Machine Additions which ship with VS 2005 R2. To use the new Additions you can either manually mount the ISO from Program Files\Microsoft Virtual Server\Virtual Machine Additions in a VPC guest or, if you want to be able to install the updated Additions using the Action menu item in VPC, copy the VMAdditions.iso file from that folder to the Program Files\Microsoft Virtual PC\Virtual Machine Additions folder, replacing the existing Additions ISO.
April 18, 2006
Microsoft Executive Circle Webcast: Security360 with Mike Nash: Building a Secure, Connected Infrastructure with Digital Certificates
Brian Komar, my business partner, is Mike Nash's guest on today's Microsoft Executive Circle Webcast. Should be a good one!
Posted by Paul Adare at 06:52 AM
IdentIT Inc. Finally Has A Decent Web Site
Brian and I decided that it was finally time for IdentIT Inc. to have a proper web site so I built and published one. The URL is http://www.identit.ca.
Posted by Paul Adare at 06:48 AM
So after an extended absence, that I'm sure most folks have not even noticed, I've decided to try to keep my blog up to date. There, didn't that make your day?