About This Blog


This blog is about Windows PowerShell, Windows Server 2008 R2 (and “R1”), Windows 7 (and Vista), Exchange Server 2010’s (and 2007’s) Exchange Management Shell (EMS), and other more generic (and more application/service specific) applications of Windows PowerShell. Some notes on UNIX, Mac OS X, and Windows software could possibly live here as well. You may also find a few words on iPad, iPhone, and iPodTouch applications, software development, and integration with UNIX and Microsoft Windows, Exchange, and SharePoint systems.

• Graphic from: Event Horizon, Geoffrey Chandler (http://iasos.com/artists/chandler/)

iPad: Enterprise Launch Pad


SharePoint and Exchange integration for the iPhone and iPodTouch is one thing, but consider for a moment the iPad (Wi-Fi only) and iPad “3G” (Wi-Fi + 3G), with their XGA-resolution display at 132 pixels per inch, for use with SharePoint, Exchange, and other enterprise applications. While these new devices’ merits for personal use may be interesting from a consumer electronics perspective (and not just in a lap or on a wall, tabletop, or dashboard), their utility as mobile workstations in business environments large and small, public and private, has humongous potential.

I’m not suggesting that every forklift operator in a warehouse, every delivery person around the globe, any instructor with a projector, or every desk with a high-definition workstation should abandon what’s currently working for them and jump on a new iPad. Well, it’s not a shipping product for another month or two (Wi-Fi first, then the Wi-Fi + 3G model), pending US FCC approvals. Also, with just a 9.7″ (approx. 246 mm) XGA display there would be a lot of scrolling (swiping/panning) around to see everything in a big virtual display; there are just some times when a bigger display is good. These first models have no integrated front and back cameras for using video chat (e.g. iChat) wherever you go without a laptop/notebook.

However, with updated versions of the Calendar, Contacts, Mail, and other built-in applications which are targeted at the iPad’s 1024×768 (XGA) display instead of the classic 480×320 (half-VGA) of the iPhone and iPodTouch, the usability of Microsoft Exchange Server hosted features in this size device is far more fluid than in its smaller cousins. With updated versions of Safari and other built-in apps, using SharePoint could be far more productive than with a small display.

Indeed, authoring emails, notes, meetings, and other text input can use the landscape or portrait mode on-screen multi-touch multi-lingual context-sensitive keyboards. If you’re addicted to external physical keyboards, one could be used as well, such as the recently announced optional keyboard, dock, and stand combination accessory. There are customary viewers for viewing Word, PowerPoint, and more kinds of documents. But what about authoring documents in SharePoint? Along with most of the 140,000 or so iPhone/iPodTouch applications which can run unmodified on the device in black-box or pixel-double modes, new applications can be (and are being) developed using the iPad SDK. Apple is releasing iPad-specific versions of Pages, Keynote, and Numbers (like their Mac OS X iWork versions) which are highly compatible with Microsoft Word, PowerPoint, and Excel. These are add-on paid apps.

Remote Desktop into your servers and less portable workstations for running native Windows apps with this portable display and mobile touch access on either Wi-Fi, or (with the Wi-Fi + 3G model) 3G networks. If you’ve ever used Remote Desktop apps on the iPhone or iPodTouch, you likely know that not having to scroll as much or at all in such a light, highly-mobile device would be a great advantage over BlackBerry, iPhone, and other small portables without the fold-out form-factor of NetBooks and laptops, classic fold or invert style tablet PCs.

Apple’s finally-announced, soon-to-be-shipping iPad is different enough from most NetBooks, Tablet PCs, and Touch PCs in many ways I shall not bore you with here. Once I’ve had a chance to integrate some into enterprise customers’ networks, I hope to post a detailed review. Until then, let me know what you think the likelihood is that any of these devices will be either allowed onto your networks, into your facilities, or perhaps designed into your networks to run SharePoint apps, remote Windows apps, or device-local native apps. It’s not just about running games on an accelerometer touch tablet.

* Photo from Apple <http://www.apple.com/ipad/gallery/>

Back to Basics — Anyone? Anyone?


User account management is, for many administrators, technicians, and help desk people, an everyday activity. Today some of my students suggested names for user accounts and an organizational unit as I was demonstrating some Active Directory administration in PowerShell version 2.0 on Windows Server 2008 R2. Evidently, several of my students are either John Hughes fans, or perhaps Ben Stein fans? Regardless, here are a few tips on Active Directory management in PowerShell version 2.0. Yes, one of the user accounts is named “Ferris Bueller” after the movie which is ingrained in the brains of these students.

One of the great features of PowerShell version 2.0 is that if you have imported the Active Directory module (Import-Module ActiveDirectory), there are several cmdlets available for working with AD DS or AD LDS directly, and an AD: provider allows easy navigation through the directory.

For example, to navigate into the directory at the domain 777.wernerconsulting.com, you could use:

cd AD:dc=777,dc=wernerconsulting,dc=com

Within that context, creating a new object such as an organizational unit can be done relative to that location. Note that I had misspelled the last name of the titular character from the aforementioned film. We’ll fix that later.

new-adorganizationalunit "beuler"

cd "ou=beuler"

The New-ADOrganizationalUnit cmdlet can accept just the name part of the relative distinguished name of the OU without the need for the OU= tag. The Set-Location cmdlet (aliased as cd) however does need the actual RDN “ou=beuler.” Now, within this OU, other cmdlets can refer to that OU implicitly. For example, we could create a user account as follows.

new-aduser “Ferris Bueller”

Note that this basic user account does not have a password assigned, it is not enabled, and most of the exciting attributes which could be assigned have been left alone. Although this cmdlet accepts a few dozen parameters to specify attribute values at the time of creation, including the -OtherAttributes parameter which takes an associative array (hashtable) value, we have used the simple form here.

Before using subsequent cmdlets to make that user account useable and productive, let’s go up a level and fix the name of the OU.

cd ..

rename-adobject "ou=Beuler,dc=777,dc=wernerconsulting,dc=com" -NewName Bueller

cd ou=bueller

The “cd ..” navigates up a level in the directory just as it would in the registry, a certificate store, the file system, or via other hierarchical providers. The Rename-ADObject cmdlet is the one which does the real work of renaming the OU. Once that’s done we used cd again to get back into the cozy OU where the user account hangs out. Note that there is no need for quotation marks around the ou=bueller because there are no spaces or other crazy punctuation in that name.

Next, let’s make this user account useful by resetting its password and enabling the account.

Set-ADAccountPassword "Ferris Bueller" -reset

Set-ADAccountControl 'Ferris Bueller' -enabled $true

In the style used above, the Set-ADAccountPassword was given only the name of the user account and the -Reset parameter, therefore this cmdlet prompted for the new password. The -NewPassword parameter could be used with a SecureString value instead. If you are not resetting the password, but just changing it, the -OldPassword parameter must also be included.

The Set-ADAccountControl cmdlet allows management of a number of account control aspects of accounts; however, we simply used the -Enabled parameter to make the account usable.
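The same OU-and-user workflow as one script, added here as an example and not part of the original post. It uses explicit -Path and -Identity values instead of relying on the AD: drive’s current location, so it runs the same regardless of where the session is positioned. The domain DN comes from the post; the SamAccountName “fbueller” and the UPN suffix are assumptions, and the initial password is read at the prompt so it never lands in the script or the command history.

```powershell
# Added example (not the original post's code): create an OU and a user, set the password,
# enable the account, and verify the result. Domain DN from the post; sAMAccountName and
# UPN suffix are assumed values.
Import-Module ActiveDirectory

$domainDN = 'dc=777,dc=wernerconsulting,dc=com'
$ouName   = 'Bueller'
$ouDN     = "ou=$ouName,$domainDN"

# Create the OU only if it is not already there; protect it from accidental deletion.
$existingOU = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN
if (-not $existingOU) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Create the user disabled, with an explicit sAMAccountName and UPN instead of the
# defaults derived from -Name. The password and enable steps are separate, as in the post.
$sam = 'fbueller'
New-ADUser -Name 'Ferris Bueller' -GivenName 'Ferris' -Surname 'Bueller' `
           -SamAccountName $sam -UserPrincipalName "$sam@777.wernerconsulting.com" `
           -Path $ouDN -Enabled $false

# -NewPassword requires a SecureString; Read-Host -AsSecureString prompts without echo.
$initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $initialPassword

# Make the initial password a one-time bootstrap secret, then enable the account.
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
Enable-ADAccount -Identity $sam      # same effect as Set-ADAccountControl -Enabled $true

# Verify: enabled, sitting in the expected OU, password freshly set and flagged for change.
Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordExpired |
    Select-Object SamAccountName, Enabled, DistinguishedName, PasswordLastSet, PasswordExpired
```

The final Get-ADUser is the check worth keeping in any provisioning script: it confirms the account landed in the intended OU and that the password was actually reset before anyone hands the credentials over.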

There is so much more that is possible with PowerShell version 2.0 and its various modules. If you can’t take a day off like our fictitious friend Ferris, at least spend some time getting to know this new flavor of the shell which comes with Windows Server 2008 R2 and Windows 7 and is downloadable for several older versions of Windows.

Mass Spectrometry of PowerShell Objects

For many people working with Windows PowerShell, the shell can sometimes transmute into an unknown maze of twisty little passages. Whether you’re an end user, technician, administrator, or developer, take a deep breath – there are a few simple tools and tactics which might help.

One technique which can shed some light into those twisty little passages is a lovely cmdlet called Get-Member. If you’ve been in a PowerShell class or read the PowerShell team blogs, you’ve probably heard this referred to as one of the “four pillars of discoverability.” Yet as with spelunking, shedding a little light tends to reveal more scary and vast unknown depths. In other words, the tools used to make sense of things can quite possibly make things more confusing initially. For example, here is a question someone recently emailed to me.

“In Windows PowerShell, I have been working with the Get-Member cmdlet. I have seen the following values for MemberType: Method, NoteProperty, ParameterizedProperty, Property, ScriptProperty, PropertySet, ScriptMethod, AliasProperty, and Event. What do they mean?”


There is hope. We needn’t delve into mass spectrometry to analyze PowerShell objects – they are luckily far simpler than molecular structure.

As Get-Member can reveal, PowerShell objects do typically have both properties and methods. If you’re familiar with true object-oriented programming languages, PowerShell’s properties and methods aren’t insanely different. If you have no clue what properties and methods are, here’s a brief synopsis.

A property is an aspect, a characteristic, an attribute, a data value of an object. For example, if you have an interactive host session, its user interface has a foreground color and a background color. These ForegroundColor and BackgroundColor are properties: just two data values which are attributes of the raw user interface of a console host session. Looking at $host.UI.RawUI.ForegroundColor shows an example of such a property value. The results from Get-WMIObject Win32_Volume can reveal Capacity and FreeSpace properties (among many others) of disk storage volumes.

A method is an interface to ask an object to do something. Invoking a method is like running a program – but sometimes on a more microscopic level – you’re requesting the object to do something specific. For example, one of the methods on a WMI Win32_Volume object is the DefragAnalysis() method which allows checking the fragmentation of the allocation units in the volume. Other methods can be used to perform the actual defragmentation, format the volume, mount it, create a mount point, or check the structure of the volume.

Different kinds (classes) of objects have different properties and methods. Furthermore, even different objects of the same type (class) will have different values for their properties and distinct resultant behaviors via their methods. That’s the basics. Now, back to the question. When using Get-Member, different kinds of properties and methods may be revealed. Here’s a quick synopsis of some of their meanings:

  • Property – a basic property that is a part of the .NET object, and not PowerShell specific
  • Properties – basic .NET properties as well as all other types of properties described below
  • PropertySet – property sets are collections of properties which are predefined, such as PSConfiguration on a process
  • AliasProperty – a shorthand notation for another property, such as WS as an AliasProperty for WorkingSet
  • CodeProperty – a .NET property for the class of the object rather than a distinct property per instance
  • NoteProperty – a PowerShell addition to an object which extends beyond the .NET properties
  • ParameterizedProperty – a property that takes parameter values and calculates a result, like a ScriptProperty
  • ScriptProperty – some PowerShell script code for “get” and “set” (read/write) access to a calculated property
  • MemberSet – a predefined set of properties and methods
  • Method – a basic .NET method for the object, which is not PowerShell specific
  • Methods – all basic, code, and script methods
  • CodeMethod – a class method which isn’t specific to the instances of that class
  • ScriptMethod – a PowerShell addition which runs some script code when invoked
  • Event – when actions are performed on the object or its state changes, the defined event can be sent

These brief synopses don’t get into the full capabilities, but hopefully they can start you on the right path to not being so overwhelmed by the possible kinds of properties and methods.
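To see several of these member kinds side by side, here is an added example (not from the original post) that builds a constructed volume-like object, attaches the PowerShell-specific member types with Add-Member, and lets Get-Member report the MemberType of each. The $volume object and its Capacity/FreeSpace values are made up for illustration; the first command just shows that a real Process object already carries an AliasProperty (WS) and a PropertySet (PSConfiguration), as the list above says.

```powershell
# Added example (not the original post's code): compare member types with Get-Member.

# Built-in type data already gives Process objects an AliasProperty and a PropertySet.
Get-Process -Id $PID | Get-Member -MemberType AliasProperty, PropertySet

# A constructed object with plain NoteProperties (values are invented for the example).
$volume = New-Object PSObject -Property @{
    Name      = 'C:'
    Capacity  = 500GB
    FreeSpace = 120GB
}

# NoteProperty: a static value attached to this one instance.
$volume | Add-Member -MemberType NoteProperty -Name Label -Value 'System'

# ScriptProperty: recomputed from the other properties every time it is read.
$volume | Add-Member -MemberType ScriptProperty -Name PercentFree -Value {
    [math]::Round(100 * $this.FreeSpace / $this.Capacity, 1)
}

# ScriptMethod: runs script code when invoked, and can take arguments.
$volume | Add-Member -MemberType ScriptMethod -Name HasAtLeastFree -Value {
    param([long] $Bytes)
    $this.FreeSpace -ge $Bytes
}

# AliasProperty: a second name for an existing property.
$volume | Add-Member -MemberType AliasProperty -Name Size -Value Capacity

# Get-Member now reports NoteProperty, ScriptProperty, ScriptMethod and AliasProperty,
# plus the Method entries every .NET object inherits (Equals, GetHashCode, ToString, GetType).
$volume | Get-Member | Select-Object Name, MemberType

# Using the members: the ScriptProperty tracks FreeSpace, the method takes an argument,
# and the alias reads the same value as Capacity.
$volume.PercentFree
$volume.HasAtLeastFree(100GB)
$volume.Size -eq $volume.Capacity
```

Change $volume.FreeSpace afterwards and read PercentFree again: the ScriptProperty follows the new value, which is the practical difference between it and a NoteProperty holding a number computed once.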

Certainly, if you have questions on a specific type of object member or the ramifications of distinctions between .NET and script properties or methods, don’t hesitate to ask.

We Got the Prints Off Your Trackpad/Mouse…


Every time I come across fingerprint, fingervein, retina, iris, and other sorts of biometric scanners, I think of various science-fiction movie characters Arnold Schwarzenegger and others have played, and numerous scenes in which some bad guy borrows someone else’s body part to gain biometric access to a secure area or system. But I assure you, biometrics are real and they are good. For computers of all shapes and sizes, for telephones, building, office, laboratory, and data center access, can biometrics with Mac, Linux, Solaris, Windows and such operating systems be effectively utilized?

Let’s focus on a smaller question: what support do Microsoft Windows 7 and Windows Server 2008 R2 offer in terms of biometrics? Having authentication and subsequent authorization based on biometrics is not new in Windows if you consider third-party hardware and software, yet now Microsoft is making fingerprint devices and has included significant support for such devices from many vendors in these recent versions of Windows.

Be careful. Even Microsoft lists some of their own fingerprint readers as neither 32-bit nor 64-bit compatible with Windows 7. And there’s a note on another Microsoft site which states “The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities.” Clearly, if you’re not careful, there could be some concerns aside from how to authenticate people who have no fingers, certain cancer patients, and other people whose fingerprints aren’t reliably readable. I hope you don’t have to worry about someone borrowing a finger to gain access to your systems.

Yet there are many positive aspects to this huge step down the road to integrated biometric security which Microsoft has just taken. Windows Server 2008 R2 and Windows 7 both support the Windows Biometric Framework (WBF) which not only allows intrinsic security features such as interactive logon and user account control (UAC) to use fingerprint authentication, but also allows third-party applications to utilize such benefits.

Note that the new biometric features support both stand-alone computers and those in domain environments, as clearly stated more than once in TechNet’s “What’s New in Biometrics” article. Still, multi-factor authentication such as adequately secure passphrases (not simple passwords) along with fingerprint scanners can provide greater security. Better still, smartcards plus biometrics offer a potentially more secure combination.

Am I suggesting that everyone dive into the fingerprint scanning pool and abandon passwords altogether? No, not yet, not without smartcards, and not without a good system lifecycle design which includes recovery and remediation options for all scenarios. This step Microsoft has taken to reduce the dependence on third-party hardware and software for such an integral facet of the operating system as authentication is of immense significance. Please keep two things in mind as you evaluate such technologies. First, Microsoft refers to the control panel, group policy, framework, and driver aspects generically as biometrics rather than just specifically fingerprints, so expect more options in the near future. Second, be sure to involve help desk, network security, and directory personnel in the design of the pilot project(s) for evaluation and broader deployment. Although smartcards and biometrics can both offer significant advantages over the woes of password insecurity, they each have their own costs in the operational and support infrastructure.
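Before a pilot, it helps to know what a given Windows 7 or Server 2008 R2 machine currently allows. The script below is an added example, not from the original post or from Microsoft: it reports the state of the Windows Biometric Service (service name WbioSrvc) and reads the three Group Policy settings for biometrics. The policy key HKLM\SOFTWARE\Policies\Microsoft\Biometrics and the value names Enabled and Domain Accounts are taken from the Biometrics administrative template and are assumptions to verify against your own build; a missing value simply means the policy is not configured and the default behaviour applies.

```powershell
# Added example (not the original post's code): report WBF service state and biometric
# policy values. Key and value names assumed from the Biometrics administrative template.
function Get-BiometricPolicyState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    $cpKey     = Join-Path $policyKey 'Credential Provider'

    # Returns the DWORD, or $null when the key or value does not exist (policy not configured).
    function Read-PolicyValue([string] $Path, [string] $Name) {
        if (-not (Test-Path $Path)) { return $null }
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item -eq $null) { return $null }
        return [int] $item.$Name
    }

    # Win32_Service gives State and StartMode on PowerShell 2.0 without newer .NET members.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WbioSrvc'"

    New-Object PSObject -Property @{
        ComputerName              = $env:COMPUTERNAME
        BiometricService          = if ($svc) { "$($svc.State) ($($svc.StartMode))" } else { 'not installed' }
        BiometricsAllowed         = Read-PolicyValue $policyKey 'Enabled'          # "Allow the use of biometrics"
        LogonWithBiometrics       = Read-PolicyValue $cpKey     'Enabled'          # "Allow users to log on using biometrics"
        DomainLogonWithBiometrics = Read-PolicyValue $cpKey     'Domain Accounts'  # "Allow domain users to log on using biometrics"
    }
}

# 1 = allowed, 0 = blocked by policy, blank = not configured.
Get-BiometricPolicyState | Format-List ComputerName, BiometricService, BiometricsAllowed, LogonWithBiometrics, DomainLogonWithBiometrics
```

Run it across the pilot machines (for example through Invoke-Command) and the DomainLogonWithBiometrics column tells you at a glance whether any workstation would accept a fingerprint alone for a domain account, which is the scenario the Microsoft note quoted above advises against.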

Oh, and one more thing. Don’t forget to stock up on alcohol wipes and have all users wipe their fingerprints off their laptops each time they’re done using them, or ask them to wear gloves except when they’re authenticating.

Smartcards in Windows 7 and Windows Server 2008 R2

One of my favorite features of Windows 2000 was its built-in support for smart cards. As Windows has evolved since then, through XP and Server 2003, to Vista and Server 2008, and now with Seven and Server 2008 R2, we have greater and more solid support for smartcards. In this article, I’d like to describe the current support in Windows 7 and Server 2008 R2 for smartcards; a later article will delve into fingerprint reader (biometrics) support.

One of the Windows 7 and Windows Server 2008 R2 changes is support for the Personal Identity Verification (PIV) standard used by United States Federal Government employees and contractors, which extends the Common Access Card (CAC) use of smartcards. A vendor of biometrics or other identity verification hardware which is compliant with the PIV standards can issue specialized drivers through Windows Update. When an end user inserts their PIV-compliant smartcard for authentication, the appropriate device drivers can potentially be downloaded to the Windows 7 workstation automatically. This extends the basic smartcard plug and play functionality with support for PIV-compliant systems. There is even a generic driver included with Windows 7 in support of scenarios where a specific driver is not available.

But what if you don’t work for the U.S. Federal government? Is there anything else new in the way Windows 7 supports smartcards which could be useful to you?

Since Windows 2000, there has been support for using smartcard public key (PK) authentication for the initial Active Directory-based Kerberos authentication at user logon. As the standards for this have evolved, newer versions of Windows have kept up. Windows 7 and Windows Server 2008 R2 implement Internet RFC 4556, PKINIT, the open specification which describes this public key initial authentication for Kerberos.

Windows Vista introduced an update to the Cryptographic Application Programming Interface (CryptoAPI) used in Windows 2000 and XP – this update is called the Cryptography API: Next Generation (CNG). This CNG has been further enhanced in Windows 7 and Windows Server 2008 R2 for additional plug and play capabilities similar to the PIV driver update ability via Windows Update, but for supporting smartcards in any application software that implements the CNG. Therefore, any line-of-business (LOB) applications which are properly developed could integrate with basic and enhanced smartcard functionality.

Let’s go back to the updates to PKINIT support and smartcard logon. Diffie-Hellman (DH) and Rivest-Shamir-Adleman (RSA) forms of public key cryptography and the classic forms of shared secret key cryptography (e.g. DES, 3DES, RC4) have been supported in Windows for many years. But when combined with the CNG support of Elliptic Curve algorithms for public key cryptography (e.g. ECDH, ECDSA), more modern shared secret key algorithms (e.g. AES128 and AES256), and longer digest lengths for hashing (e.g. SHA384), the modern versions of Kerberos and PKINIT in Windows 7 and Windows Server 2008 R2 can provide a solid foundation in your security infrastructure which supports PIV extensions as well.
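One practical way to see which of these algorithms your own smartcard logon certificates actually use is to inspect them through the Cert: provider. The following is an added example, not from the original post: it walks the current user’s personal store, keeps only certificates whose Enhanced Key Usage extension carries the Smart Card Logon purpose (OID 1.3.6.1.4.1.311.20.2.2), and reports the public key algorithm (RSA or ECC), the signature hash, and expiry. The store path and the OID are standard Windows values; the output column names are my own.

```powershell
# Added example (not the original post's code): list Smart Card Logon certificates in the
# current user's personal store and show which key and hash algorithms they rely on.
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU

function Get-SmartCardLogonCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Pull the EKU OIDs from the X509EnhancedKeyUsageExtension, if the cert has one.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        if ($ekuOids -contains $smartCardLogonOid) {
            New-Object PSObject -Property @{
                Subject        = $cert.Subject
                Issuer         = $cert.Issuer
                KeyAlgorithm   = $cert.PublicKey.Oid.FriendlyName     # e.g. RSA or ECC
                KeySizeBits    = $cert.PublicKey.Key.KeySize
                SignatureHash  = $cert.SignatureAlgorithm.FriendlyName # e.g. sha384ECDSA
                HasPrivateKey  = $cert.HasPrivateKey                   # on the card via CSP/KSP
                NotAfter       = $cert.NotAfter
                DaysRemaining  = [int] ($cert.NotAfter - (Get-Date)).TotalDays
            }
        }
    }
}

Get-SmartCardLogonCertificate |
    Sort-Object NotAfter |
    Format-Table Subject, KeyAlgorithm, KeySizeBits, SignatureHash, HasPrivateKey, DaysRemaining -AutoSize
```

Certificates that still show RSA with a sha1 signature are the ones to schedule for re-issue from an ECC or SHA-2 capable template; the DaysRemaining column is also a quick way to find cards whose logon certificate will expire before the next renewal cycle.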

For securing documents, email, and other network traffic, the combination of CNG, PKINIT, and PIV can be extended to IPsec, S/MIME, and XPS for a powerful array of features targeted at deployments requiring defense in depth strategies. What if you want to encrypt whole disk volumes? If you’re using the Enterprise or Ultimate editions of Windows 7, smartcards can be used to unlock BitLocker encrypted disk volumes. Again, if you need PIV support, any specialized device drivers can be downloaded via Windows Update.

It’s a matter of evolution rather than earth-shatteringly new features; however, Windows 7 and Windows Server 2008 R2 strongly continue the tradition of Windows support for smartcards which began with Windows 2000. What has changed is the ease of deployment and management of smartcards in Windows, enhancements to security with newer protocols and algorithms, and support for newer multi-factor authentication standards in an authentication, authorization, and auditing system. Are you using smartcards yet? Or are you still trusting your systems to password/passphrase security?