Re: Whitelisting

2012-04-16 Thread Kurt Buff
On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Subject: Re: Whitelisting

 On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash,
 Java runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still 
 doing this.

 How will whitelisting help the above type of user? I can't see how it
 does - they will always have the ability to override whatever 
 recommendation the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites that either are deliberately set up,
or have been subverted, to issue malware. Those are actually the larger
threat, AFAICT.

 So, it doesn't help with any exploits of existing apps, browser plug ins etc.

 And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that 
 BritnesSpearsNaked.exe is actually a legitimate file, and then tells his 
 WhiteListing application that it should be added to the white list, then 
 it'll still run. And Joe User will still be screwed.

 And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded 
 that it's from his good Nigerian Prince friend Joanne User, and runs it, and 
 tells his WhiteListing application that it should be added to the white list, 
 then it'll still run fine.

 We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, 
 that warn users that the application might be something bad. Yet users still 
 allow these applications to run. With Whitelisting, you are also requiring 
 that the user decide what is legitimate and what is not. And users will 
 continue to be socially engineered into believing that malware are 
 legitimate files. Just like today.


 Whitelisting will slow application development/deployment even more,
 and will just result in more applications like Access and Excel that
 provide a semi-IDE to the end user that allows them to develop their own 
 code/functionality. And resulting opportunities for code exploit.

 Bummer for them. Opportunity for those who can, and who can help them.

 Perhaps. Or maybe there's no ROI developing the feature in the first place.

 Or maybe exploits will just move to another area (Excel, Access application 
 etc) that whitelisting doesn't cover.

 You're not addressing the point at all.

Whitelisting helps those who help themselves (corporately or
individually). Think of it as evolution in action.

After that, then yes, bad data is a problem. But bad data is the
smaller problem. That *is* the point.

To drive the point home - If I had to choose between whitelisting
applications and blacklisting data, I'd choose whitelisting
applications, every time. I'll still have some risk in my environment,
but that's, to me, acceptable.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: Whitelisting

2012-04-16 Thread Ken Schaefer
 To drive the point home - If I had to choose between whitelisting 
 applications and blacklisting data, I'd choose whitelisting applications, 
 every time.

Why would you have to make a choice? They are not mutually exclusive options. 

To drive the point home - those words do not mean what I think you believe 
they mean.

 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.

Those people generally don't run into problems in the first place. Digital 
signatures, signed kernel mode code etc. can be used to verify that software 
you are running is mostly legitimate. 

The tools already exist for whitelisting applications running on your home 
computer - even Windows includes Software Restriction Policies, AppLocker etc, 
but I doubt you've implemented it - it's simply too much hassle to create a 
digital signature of each and every single executable you want to allow, and 
then restrict each and every .dll or resource file that the .exe is allowed to 
load into its process space, and then also ensure that every application 
doesn't provide some shared memory space or other way for code to end up inside 
the permitted process. 

Cheers
Ken
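
The built-in Windows tooling mentioned in this message, as an added example that is not part of the original thread: the AppLocker PowerShell cmdlets build publisher and hash rules for every executable, DLL and script under a reference directory, and the result is applied in audit-only mode. The directory paths, rule name prefix and output file name are assumptions.

```powershell
# Added example: build an AppLocker allowlist from a known-good directory,
# dry-run it against a folder of downloaded files, then apply it audit-only.
# Needs an AppLocker-capable Windows edition and an elevated prompt.
Import-Module AppLocker

$referenceDir = 'C:\Program Files'              # assumption: trusted installs live here
$candidateDir = "$env:USERPROFILE\Downloads"    # assumption: where untrusted files land
$policyXml    = Join-Path $env:TEMP 'applocker-baseline.xml'   # assumed output path

# 1. Inventory every EXE, DLL and script under the reference directory.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse `
                -FileType Exe, Dll, Script

# 2. Generate rules: a publisher rule where the file is signed, a hash rule
#    as the fallback. -Optimize merges similar rules into fewer entries.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# 3. Switch every rule collection to audit-only so nothing is blocked yet.
#    This policy has no rules for %WINDIR%; add those before ever enforcing.
[xml]$policy = Get-Content -Path $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyXml)

# 4. Dry run: which files in the candidate folder would NOT be allowed?
$candidates = Get-ChildItem -Path $candidateDir -Recurse `
                  -Include *.exe, *.dll, *.vbs, *.js -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } |
              ForEach-Object { $_.FullName }
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User Everyone |
        Where-Object { $_.PolicyDecision -ne 'Allowed' } |
        Select-Object FilePath, PolicyDecision
}

# 5. Apply to the local policy store. Without -Merge this REPLACES the
#    existing local AppLocker policy. The Application Identity service
#    (AppIDSvc) must be running for rules to be evaluated.
Set-AppLockerPolicy -XmlPolicy $policyXml

# 6. Review what would have been blocked (event ID 8003 = audit-mode hit).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message -First 20
```

Rules of this kind decide only which files may start; they do not cover a user who adds an exception on request, or an allowed process that is exploited after launch, which are the two cases raised in this thread.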



RE: Whitelisting

2012-04-16 Thread Ziots, Edward
One of the things I see mentioned below is the malicious browser based attacks 
(BHOs, Malicious JavaScript, etc etc) and that is one area of weakness I see 
in the whitelisting solution. Other than that I agree it’s the right way to go. 
Being on the other side of Blacklisting, HIPS etc etc, it is a diminishing 
return over time when you have to write rule after rule to allow software to do 
things that aren't good coding practices, or worse, just to get the software to 
run. 

The other thing I would feel might be a weakness in the whitelisting solution, 
is if I allow a piece of software to run, and that software runs as a service 
and that service is remotely exploitable, then I can usurp the computer or any 
computer running that software, because I have exploited a trusted process. 
Again how can the whitelisting solution protect you from what you already have 
trusted if it's flawed. Again layers of defense is still a valid argument here.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



Re: Whitelisting

2012-04-16 Thread James Rankin
An example of using whitelisting technologies in the enterprise

http://appsensebigot.blogspot.co.uk/2012/03/replacing-your-antivirus-software-with.html


Re: ASB

2012-04-16 Thread Lora Cates
Congratulations and the best of luck!
 
-lc



 From: Webster webs...@carlwebster.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com 
Sent: Monday, April 16, 2012 7:15 AM
Subject: ASB
 

 
Saw this on twitter from our own world famous ASB:
 
is voluntarily transitioning to full time Information Security and IT 
Operations consulting in May 2012. See me today, if you have technology.
 
All I can say is it is about time!  As smart, dare I say brilliant, as ASB is, 
he should have zero problems finding work.
 
 
Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com
 

Re: ASB

2012-04-16 Thread Ben Scott
On Mon, Apr 16, 2012 at 8:15 AM, Webster webs...@carlwebster.com wrote:
 All I can say is it is about time!  As smart, dare I say brilliant, as ASB
 is, he should have zero problems finding work.

  Do you owe him money or something?  ;-)

  Just kidding: I second both the forecast and the good wishes.

-- Ben




Re: ASB

2012-04-16 Thread Don Kuhlman
Congrats!




RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Hornbuckle
Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008 
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?





code signing certificate ?

2012-04-16 Thread Christopher Bodnar
All help is appreciated, have never done this before. 

We are going to start signing our scripts. I requested a code signing 
certificate from our Security group, we use Verisign. They handle all the 
Verisign certificates. They gave me back a *.PVK file. Shouldn't there 
also be a *.SPC file as well? I've been looking at this for documentation 
on how to import the certificate:


http://support.godaddy.com/help/5087

Wanted to verify this first, before I go back to our Security group.


Thanks


Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 





-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.

Re: code signing certificate ?

2012-04-16 Thread Mack Bolan
Didn't Webster and Brian cover this just last week?

Mack S. Bolan




RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
I'd assume ease of use and market leader.



--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.




Re: code signing certificate ?

2012-04-16 Thread Lora Cates
I found this in the NTSys Archives:  
http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/
 
-lc
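
The PVK/SPC-to-signed-script workflow this thread asks about, as an added example that is not taken from the thread or from the linked articles: it combines the two files into a PFX with pvk2pfx, checks the certificate, signs a script and verifies the result. It assumes both a .pvk and a .spc file are in hand and that pvk2pfx.exe (Windows SDK) is on the PATH; all file paths are placeholders.

```powershell
# Added example: turn a .pvk/.spc pair into a PFX, then sign and verify a script.
# All paths below are placeholders.
$pvk    = 'C:\certs\codesign.pvk'     # private key file
$spc    = 'C:\certs\codesign.spc'     # Software Publisher Certificate file
$pfx    = 'C:\certs\codesign.pfx'     # combined output
$script = 'C:\scripts\Deploy.ps1'     # script to sign

# 1. pvk2pfx takes BOTH inputs: /pvk is the private key, /spc the certificate.
#    It prompts for the PVK password if the key file is protected.
& pvk2pfx.exe /pvk $pvk /spc $spc /pfx $pfx
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

# 2. Load the PFX (prompts for the password if one is set).
$cert = Get-PfxCertificate -FilePath $pfx

# 3. Sanity checks before signing anything.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
$ekuExtension = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasCodeSigning = $ekuExtension -and
    ($ekuExtension.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })

if (-not $cert.HasPrivateKey) { throw 'PFX does not contain the private key.' }
if (-not $hasCodeSigning)     { throw 'Certificate is not valid for code signing.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Sign the script. The signature block is appended to the file as comments.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# 5. Verify: Status is 'Valid' only if the signature matches the file content
#    and the certificate chains to a root this machine trusts.
$check = Get-AuthenticodeSignature -FilePath $script
if ($check.Status -ne 'Valid') {
    throw "Signature check failed: $($check.Status) - $($check.StatusMessage)"
}
"Signed by: $($check.SignerCertificate.Subject)"
```

The resulting PFX holds the private key, so it needs the same protection as the .pvk file: a strong password and restricted file permissions.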




RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Cook
Support for non MS operating systems, Fault Tolerance, Storage Vmotion  for 
anything other than W2008R2 .

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?




--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in England 
and Wales No. 402570 VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.



CONFIDENTIALITY STATEMENT: The information transmitted, or contained or 
attached to or with this Notice is intended only for the person or entity to 
which it is addressed and may contain Protected Health Information (PHI), 
confidential and/or privileged material. Any review, transmission, 
dissemination, or other use of, and taking any action in reliance upon this 
information by persons or entities other than the intended recipient without 
the express written consent of the sender are prohibited. This information may 
be protected by the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), and other Federal and Florida laws. Improper or unauthorized use or 
disclosure of this information could result in civil and/or criminal penalties.
 Consider the environment. Please don't print this e-mail unless you really 
need to.




Re: code signing certificate ?

2012-04-16 Thread Christopher Bodnar
OK, the Security team has now provided me the SPC file. 

What I'm looking for is how to install the certificate with these 2 files 
(SPC, and PVK). According to the information I've found online you should 
be able to do this:


pvkimprt -import 1.spc myprivatekey.pvk

Which will then launch a wizard, or you can export directly to the PFX 
file by using this:

pvkimprt -PFX 1.spc myprivatekey.pvk ISDCert.pfx

Neither seems to be working for me. I get this error:

Command line option syntax error:

I'm doing this from a W7 machine

Thanks


Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:   Lora Cates lora.ca...@rocketmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date:   04/16/2012 09:42 AM
Subject:Re: code signing certificate ?



I found this in the NTSys Archives:  
http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/
 
-lc
From: Christopher Bodnar christopher_bod...@glic.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com 
Sent: Monday, April 16, 2012 8:21 AM
Subject: code signing certificate ?

All help is appreciated , have never done this before. 

We are going to start signing our scripts. I requested a code signing 
certificate from our Security group, we use Verisign. They handle all the 
Verisign certificates. They gave me back a *.PVK file. Shouldn't there 
also be a *SPC file as well? I've been looking at this for documentation 
on how to import the certificate: 


http://support.godaddy.com/help/5087 

Wanted to verify this first, before I go back to our Security group. 


Thanks 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 



The Guardian Life Insurance Company of America

www.guardianlife.com 



Re: code signing certificate ?

2012-04-16 Thread Mack Bolan
Have you looked at Webster's instructions yet?

Mack S. Bolan



On Mon, Apr 16, 2012 at 8:58 AM, Christopher Bodnar 
christopher_bod...@glic.com wrote:

 OK, the Security team has now provided me the SPC file.

 What I'm looking for is how to install the certificate with these 2 files
 (SPC, and PVK). According to the information I've found online you should
 be able to do this:


 pvkimprt -import 1.spc myprivatekey.pvk

 Which will then launch a wizard, or you can export directly to the PFX
 file by using this:

 pvkimprt -PFX 1.spc myprivatekey.pvk ISDCert.pfx

 Neither seems to be working for me. I get this error:

 Command line option syntax error:

 I'm doing this from a W7 machine

 Thanks

 Christopher Bodnar
 Enterprise Architect I, Corporate Office of Technology:Enterprise
 Architecture and Engineering Services
 Tel 610-807-6459
 3900 Burgess Place, Bethlehem, PA 18017
 christopher_bod...@glic.com

 The Guardian Life Insurance Company of America
 www.guardianlife.com






 From:Lora Cates lora.ca...@rocketmail.com
 To:NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
 
 Date:04/16/2012 09:42 AM
 Subject:Re: code signing certificate ?
 --



 I found this in the NTSys Archives:
 http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/

 -lc
 --
 From: Christopher Bodnar christopher_bod...@glic.com
 To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
 Sent: Monday, April 16, 2012 8:21 AM
 Subject: code signing certificate ?

 All help is appreciated , have never done this before.

 We are going to start signing our scripts. I requested a code signing
 certificate from our Security group, we use Verisign. They handle all the
 Verisign certificates. They gave me back a *.PVK file. Shouldn't there also
 be a *SPC file as well? I've been looking at this for documentation on how
 to import the certificate:

 http://support.godaddy.com/help/5087

 Wanted to verify this first, before I go back to our Security group.


 Thanks
 Christopher Bodnar
 Enterprise Architect I, Corporate Office of Technology:Enterprise
 Architecture and Engineering Services
 Tel 610-807-6459
 3900 Burgess Place, Bethlehem, PA 18017
 christopher_bod...@glic.com

 The Guardian Life Insurance Company of America
 www.guardianlife.com



RE: Whitelisting

2012-04-16 Thread Alex Eckelberry
But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in
anything else but code execution.  Data itself is harmless; it's the
executables that cause harm.

There will always be code executed, in some form or another (unless I'm
misunderstanding your point).

Alex
 

From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, April 16, 2012 12:25 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

 

Possibly...even probably. But, if we ever get to a world where whitelisting
is the predominant means of execution control, the bad guys will, out of
necessity, be relegated to exploiting flaws in applications through data
files. A scanner that looks for signatures of exploits in files will be a
useful tool. Assuming of course, all applications aren't secure.

Sent from my Windows Phone


From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

You can't. :)



ASB


http://XeeMe.com/AndrewBaker


Harnessing the Advantages of Technology for the SMB market.





On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
wrote:

How do you blacklist all possible bad data files?

--Original Message--
From: Crawford, Scott
To: NT System Admin Issues

ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and
blacklisting for data files that exploit vulnerable white listed
applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a
former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
might be changing.

Thoughts?


RE: Whitelisting

2012-04-16 Thread Alex Eckelberry
a) exploits in existing applications (Acrobat Reader, Adobe Flash,
Java runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to
run/install some malware that they shouldn't. Despite code signing,
users are still doing this.

How will whitelisting help the above type of user?


If it's an exploit, it's going to launch code.  The code won't run in a 
whitelisting environment unless it's approved by the admin. 

This would also apply to social engineering.  If your company has a 
whitelisting solution in place, code that is not approved won’t run.  So the 
user can download the stupid game they love, but in the end, they won't be able 
to run it. 

A good whitelisting application has a massive repository of good files, and 
the ability to train the system by the admin, not the end-user. 

Alex



-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some 
malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user? I can't see how it does - 
they will always have the ability to override whatever recommendation the AV 
(or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that 
large organisations have the necessary processes in place to implement 
whitelisting. Whitelisting will slow application development/deployment even 
more, and will just result in more applications like Access and Excel that 
provide a semi-IDE to the end user that allows them to develop their own 
code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a 
folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that 
malware will become nothing more than bad data files, but that then becomes a 
problem of fixing the applications. Sanitizing input

And, fixing applications and their buffer overflows, heap overflows, integer 
under/overflows, etc., is a far smaller problem space than trying to blacklist 
data files.

I'll take that problem vs. trying to allow folks to execute any random binary 
that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than 
blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

 Possibly...even probably. But, if we ever get to a world where 
 whitelisting is the predominant means of execution control, the bad 
 guys will, out of necessity, be relegated to exploiting flaws in 
 applications through data files. A scanner that looks for signatures 
 of exploits in files will be a useful tool. Assuming of course, all 
 applications aren't secure.


 Sent from my Windows Phone
 
 From: Andrew S. Baker
 Sent: 4/15/2012 1:08 PM

 To: NT System Admin Issues
 Subject: Re: Whitelisting

 You can't. :)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…




 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
 kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code 
 and blacklisting for data files that exploit vulnerable white listed 
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As 
 a former AV guy, I tend to prefer blacklisting, but I'm seeing signs 
 things might be changing.

 Thoughts?



Re: ASB

2012-04-16 Thread Andrew S. Baker
Thanks, Webster...   I notice you avoided mentioning your hostile
commentary. :)

LOL

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…


On Mon, Apr 16, 2012 at 8:15 AM, Webster webs...@carlwebster.com wrote:

 Saw this on twitter from our own world famous ASB:

 is voluntarily transitioning to full time Information Security and IT
 Operations consulting in May 2012. See me today, if you have technology.

 All I can say is it is about time!  As smart, dare I say brilliant, as ASB
 is, he should have zero problems finding work.

 Carl Webster
 Consultant and Citrix Technology Professional
 http://www.CarlWebster.com





Re: code signing certificate ?

2012-04-16 Thread Christopher Bodnar
Yes, and they are great, but I'm not importing directly from the web site like 
he was able to. I've got the SPC and PVK files and now need to somehow 
import them into the certificate store. That is where I'm stuck. I've just 
found this link which seems to be promising:

http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/

But isn't taking the password that I was given by our security guys. I'll 
have to check on that. 


Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:   Mack Bolan mack.bola...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date:   04/16/2012 10:05 AM
Subject:Re: code signing certificate ?



Have you looked at Webster's instructions yet?

Mack S. Bolan



On Mon, Apr 16, 2012 at 8:58 AM, Christopher Bodnar 
christopher_bod...@glic.com wrote:
OK, the Security team has now provided me the SPC file. 

What I'm looking for is how to install the certificate with these 2 files 
(SPC, and PVK). According to the information I've found online you should 
be able to do this: 


pvkimprt -import 1.spc myprivatekey.pvk 

Which will then launch a wizard, or you can export directly to the PFX 
file by using this: 

pvkimprt -PFX 1.spc myprivatekey.pvk ISDCert.pfx 

Neither seems to be working for me. I get this error: 

Command line option syntax error: 

I'm doing this from a W7 machine 

Thanks 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459  
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 



The Guardian Life Insurance Company of America

www.guardianlife.com 






From:Lora Cates lora.ca...@rocketmail.com 
To:NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
 
Date:04/16/2012 09:42 AM 
Subject:Re: code signing certificate ? 




I found this in the NTSys Archives:  
http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/
 

  
-lc 
From: Christopher Bodnar christopher_bod...@glic.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com 
Sent: Monday, April 16, 2012 8:21 AM
Subject: code signing certificate ? 

All help is appreciated , have never done this before. 

We are going to start signing our scripts. I requested a code signing 
certificate from our Security group, we use Verisign. They handle all the 
Verisign certificates. They gave me back a *.PVK file. Shouldn't there 
also be a *SPC file as well? I've been looking at this for documentation 
on how to import the certificate: 


http://support.godaddy.com/help/5087 

Wanted to verify this first, before I go back to our Security group. 


Thanks 
Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459  
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 


The Guardian Life Insurance Company of America


www.guardianlife.com 



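The SPC/PVK-to-certificate-store path this thread is working through, as an added example that is not from any list member or from the linked articles. It assumes pvk2pfx.exe from the Windows SDK is on the PATH (used here instead of the pvkimprt commands quoted above); the file names are the ones from the thread, and the script path and timestamp URL are placeholders.

```powershell
# Added example: combine an SPC + PVK pair into a PFX, import it into the
# current user's store, then sign and verify a script.
# Assumptions: pvk2pfx.exe (Windows SDK) is on the PATH; $ScriptPath and
# $TimestampUrl are placeholders to replace with your own values.
param(
    [string]$SpcPath      = '.\1.spc',
    [string]$PvkPath      = '.\myprivatekey.pvk',
    [string]$PfxPath      = '.\ISDCert.pfx',
    [string]$ScriptPath   = '.\Example-Script.ps1',  # hypothetical script to sign
    [string]$TimestampUrl = ''                       # your CA's timestamp URL, if any
)
$ErrorActionPreference = 'Stop'

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    # pvk2pfx only accepts passwords as command-line text.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

foreach ($p in $SpcPath, $PvkPath, $ScriptPath) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing input file: $p" }
}
if (-not (Get-Command pvk2pfx.exe -ErrorAction SilentlyContinue)) {
    throw 'pvk2pfx.exe not found on PATH (it ships with the Windows SDK).'
}

$pvkPass = Read-Host 'Password protecting the PVK' -AsSecureString
$pfxPass = Read-Host 'New password for the PFX'    -AsSecureString

# 1. SPC (certificate chain) + PVK (private key) -> one PFX file.
& pvk2pfx.exe -pvk $PvkPath -pi (ConvertTo-PlainText $pvkPass) `
              -spc $SpcPath -pfx $PfxPath -po (ConvertTo-PlainText $pfxPass) -f
if ($LASTEXITCODE -ne 0) {
    throw "pvk2pfx failed with exit code $LASTEXITCODE (check the PVK password)."
}

# 2. Load the PFX and confirm it is usable for code signing before importing.
#    .NET resolves relative paths against the process directory, so use a full path.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
$ctorArgs = @((Resolve-Path -LiteralPath $PfxPath).Path, $pfxPass, $flags)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ctorArgs

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
$ekuValues = @(
    $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
)
if (-not $cert.HasPrivateKey)               { throw 'The PFX contains no private key.' }
if ($ekuValues -notcontains $codeSigningOid) { throw 'Certificate lacks the Code Signing EKU.' }
if ($cert.NotAfter -lt (Get-Date))           { throw "Certificate expired on $($cert.NotAfter)." }

# 3. Import into CurrentUser\My, where Set-AuthenticodeSignature can find it.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
try     { $store.Add($cert) }
finally { $store.Close() }

# The key now lives in the store; do not leave a second copy on disk.
Remove-Item -LiteralPath $PfxPath

# 4. Sign with the store copy of the certificate.
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
          Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $signer) { throw 'Imported certificate not found in Cert:\CurrentUser\My.' }

$signArgs = @{ FilePath = $ScriptPath; Certificate = $signer; IncludeChain = 'notroot' }
if ($TimestampUrl) { $signArgs.TimestampServer = $TimestampUrl }
Set-AuthenticodeSignature @signArgs | Out-Null

# 5. Verify: anything other than 'Valid' means the script will not pass an
#    AllSigned or RemoteSigned execution policy check.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -ne 'Valid') {
    throw "Signature status is $($check.Status): $($check.StatusMessage)"
}
'Signed {0} with {1} (thumbprint {2})' -f $ScriptPath,
    $check.SignerCertificate.Subject, $check.SignerCertificate.Thumbprint
```

Because pvk2pfx takes both passwords as command-line arguments, they are visible to other processes on the machine while it runs, so do the conversion on a workstation you control. Without a timestamp, signatures stop validating when the certificate expires.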

Re: Whitelisting

2012-04-16 Thread James Rankin
Agreed, if you've got a malicious Word document that exploits a flaw in MS
Word itself, then the only defence is good patching or some other form of
exploit detection. If it's a zero-day, then there's probably nothing except
exploit detection.

Don't want to plug it too much but AppSense Application Manager does a good
job of detecting execution beyond the expected capabilities of an
application, but I've never been able to test it much beyond the types of
things like malicious PDFs with Java exploits or exploits that call out to
malicious dll files. Wonder how much work it would be to craft an Office
document that tries to exploit a vulnerability to see if it can stop this
sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.

 I don’t understand how you can have an exploit in a data file resulting in
 anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm.

 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point).

 Alex


 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM

 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting

 ** **

 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?

 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues

 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting

 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?





-- 
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and
received via this account for the purposes of ensuring compliance with
anyone's policies and procedures. I am pretty sure that somewhere in UK
legislation there is some politically-correct drivel that stipulates I must
never send or store e-mails or attachments that are obscene, indecent,
sexist, racist, defamatory, abusive, in breach of copyright, encrypted,
amusing, overly long, slightly opinionated, anonymous, likely to harm
animals or hurt the feelings of an as-yet-unspecified or as-yet-nonexistent
minority (such as extraterrestrial eggplants). Emails of this nature sent
in or out of this account may be intercepted and stopped by the system, but
it's a long shot. This being the UK, even if I was prosecuted for breach of
said email guidelines, I'd probably walk with a suspended sentence anyway,
but if 

Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
*I don’t understand how you can have an exploit in a data file resulting
in anything else but code execution. *

Exactly.

We've had epic battles about this very point on more than one occasion,
however, so...

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 10:19 AM, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.

 I don’t understand how you can have an exploit in a data file resulting in
 anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm.

 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point).

 Alex

 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM
 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting

 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?

 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues

 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting

 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?





RE: Whitelisting

2012-04-16 Thread Alex Eckelberry
A BHO is a DLL, in other words, a PE file.  As is an OCX.  These would 
be/should be covered by a competent whitelisting solution. 

AFAIK, Javascript can't do much malicious in and of itself except crash your 
browser or do other weird stuff.   Where it is malicious is when it can execute 
Windows code locally  (or Mac code, if running on a Mac machine).   

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Monday, April 16, 2012 7:47 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

One of the things I see mentioned below is the malicious browser based attacks 
( BHO's, Malicious JavaScript, etc etc) and that is one area of weakness I see 
in the whitelisting solution. Other than that I agree it’s the right way to go. 
Being on the other side of Blacklisting, HIPS etc etc, it is a diminishing 
return over time when you have to write rule after rule to allow software to do 
things that aren't good coding practices, or worse, just to get the software to 
run. 

The other thing I would feel might be a weakness in the whitelisting solution, 
is if I allow a piece of software to run, and that software runs as a service 
and that service is remotely exploitable, then I can usurp the computer or any 
computer running that software, because I have exploited a trusted process. 
Again, how can the whitelisting solution protect you from what you already have 
trusted if it's flawed? Again, layers of defense is still a valid argument here.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 2:24 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

 To drive the point home - If I had to choose between whitelisting 
 applications and blacklisting data, I'd choose whitelisting applications, 
 every time.

Why would you have to make a choice? They are not mutually exclusive options. 

To drive the point home - those words do not mean what I think you believe 
they mean.

 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.

Those people generally don't run into problems in the first place. Digital 
signatures, signed kernel mode code etc. can be used to verify that software 
you are running is mostly legitimate. 

The tools already exist for whitelisting applications running on your home 
computer - even Windows includes Software Restriction Policies, Applocker etc, 
but I doubt you've implemented it - it's simply too much hassle to create a 
digital signature of each and every single executable you want to allow, and 
then restrict each and every .dll or resource file that the .exe is allowed to 
load into its process space, and then also ensure that every application 
doesn't provide some shared memory space or other way for code to end up inside 
the permitted process. 

Cheers
Ken


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 2:14 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

On Sun, Apr 15, 2012 at 22:31, Ken Schaefer k...@adopenstatic.com wrote:
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Subject: Re: Whitelisting

 On Sun, Apr 15, 2012 at 21:50, Ken Schaefer k...@adopenstatic.com wrote:
 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, 
 Java runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install 
 some malware that they shouldn't. Despite code signing, users are still 
 doing this.

 How will whitelisting help the above type of user? I can't see how 
 it does - they will always have the ability to override whatever 
 recommendation the AV (or protection application) provides.

Simple - they won't have to worry about file.doc.exe (or
VBS|JS|JAR|DLL|etc) embedded in their emails, or the random
executables from the various web sites either are deliberately set up, 
or have been subverted, to issue malware. Those are actually the larger 
threat, AFAICT.

 So, it doesn't help with any exploits of existing apps, browser plug ins etc.

 And if Joe User goes to AcmeSoftwareCompany.com and is persuaded that 
 BritnesSpearsNaked.exe is actually a legitimate file, and then tells his 
 WhiteListing application that it should be added to the white list, then 
 it'll still run. And Joe User will still be screwed.

 And if Joe User gets CheckOutDancingPigs.vbs in his email, and is persuaded 
 that it's from his good Nigerian Prince friend Joanne User, and runs it, and 
 tells his WhiteListing application that it should be added to the white list, 
 then it'll still run fine.

 We already have UAC, and AV, and Smart Screen, and Integrity Level warnings, 
 that warn users that the application might be something bad. Yet users still 
 allow 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Hornbuckle
Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008 
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?




--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in England 
and Wales No. 402570 VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.




Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
Yes, but if the bad data is used to perform a buffer overflow so that
custom *code* can be executed to do nefarious acts, then that last step
will fail because the custom malicious code is not authorized to run --
even in a zero day.

No, it doesn't solve every last malware issue known to man, and there can
be some management overhead depending on the implementation, but it addresses
more issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html

http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*



On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

 Agreed, if you've got a malicious Word document that exploits a flaw in MS
 Word itself, then the only defence is good patching or some other form of
 exploit detection. If it's a zero-day, then there's probably nothing except
 exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.

 I don’t understand how you can have an exploit in a data file resulting
 in anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm.

 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point).

 Alex

 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM
 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting

 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?

 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues

 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting

 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code and
 blacklisting for data files that exploit vulnerable white listed
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about whitelisting?  As a
 former AV guy, I tend to prefer blacklisting, but I'm seeing signs things
 might be changing.

 Thoughts?





RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Chinnery, Paul
I can't speak for anyone else, but I like it.  I don't find it hard to work 
with.  I'm running 5 esxi4.1 hosts with 60 VM's. All of the hospital HCIS 
servers (Meditech) are running virtualized.  

We did have some hiccups on the way to going LIVE with it. We had a situation 
where VM thought the server was shut down when it was actually running.  We had 
another case where we tried to vmotion 2 servers and it would just stop working 
at around 60%.  Both of those turned out to be 1) configuration issues and 2) 
not the same version of VM running on all 5 hosts.  

Management is easy through the vSphere client. We're using EMC SAN for storage 
so when I need to create a new datastore, it takes about 15 minutes:  create 
the LUN on the SAN, open vSphere and create the datastore and add the LUN to it.

OTOH, I haven't upgraded to 5 from 4.1 so I can't speak as to how easy it would 
be to upgrade.


Paul Chinnery
Network Admin
Memorial Medical Center
231.845.2319



-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Monday, April 16, 2012 10:40 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008 
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?




--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in England 
and Wales No. 402570 VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.




RE: code signing certificate ?

2012-04-16 Thread Brian Desmond
I haven't used these formats before, but, three general thoughts:


* Will the certs MMC solve this for you?

* What about certutil.exe?

* The OpenSSL Windows command line utility is a great resource for 
converting all manner of certificate formats.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Monday, April 16, 2012 9:27 AM
To: NT System Admin Issues
Subject: Re: code signing certificate ?

Yes, and are great, but I'm not importing directly from the web site like he 
was able to. I've got the SPC and PVK files and now need to somehow import them 
into the certificate store. That is where I'm stuck. I've just found this link 
which seems to be promising:

http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/

But isn't taking the password that I was given by our security guys. I'll have 
to check on that.
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com







From: Mack Bolan mack.bola...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 10:05 AM
Subject: Re: code signing certificate ?




Have you looked at Webster's instructions yet?

Mack S. Bolan



On Mon, Apr 16, 2012 at 8:58 AM, Christopher Bodnar 
christopher_bod...@glic.com wrote:
OK, the Security team has now provided me the SPC file.

What I'm looking for is how to install the certificate with these 2 files (SPC, 
and PVK). According to the information I've found online you should be able to 
do this:


pvkimprt -import 1.spc myprivatekey.pvk

Which will then launch a wizard, or you can export directly to the PFX file by 
using this:

pvkimprt -PFX 1.spc myprivatekey.pvk ISDCert.pfx

Neither seems to be working for me. I get this error:

Command line option syntax error:

I'm doing this from a W7 machine

Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com








From: Lora Cates lora.ca...@rocketmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 09:42 AM
Subject: Re: code signing certificate ?





I found this in the NTSys Archives:  
http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/

-lc

From: Christopher Bodnar christopher_bod...@glic.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Monday, April 16, 2012 8:21 AM
Subject: code signing certificate ?

All help is appreciated, have never done this before.

We are going to start signing our scripts. I requested a code signing 
certificate from our Security group, we use Verisign. They handle all the 
Verisign certificates. They gave me back a *.PVK file. Shouldn't there also be 
a *SPC file as well? I've been looking at this for documentation on how to 
import the certificate:


http://support.godaddy.com/help/5087

Wanted to verify this first, before I go back to our Security group.


Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com






Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Andrew S. Baker
I would say that VMWare is more feature rich and has a more extensive
ecosystem of support and add-ons.

Hyper-V is a little easier, but that's not a complete apples-to-apples
comparison.

Once you get into them, they're both complex enough, yet easy enough to
manage.

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*



On Mon, Apr 16, 2012 at 10:39 AM, John Hornbuckle 
john.hornbuc...@taylor.k12.fl.us wrote:

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  Total: $185,000
 
  Sound good?




Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
Here's one typical scenario:

   - WinWord.exe has a buffer overflow vulnerability.
   - WinWord.exe is a whitelisted app, so the vulnerability can be
   exploited.
   - Bad guy creates a hand-crafted data file that takes advantage of the
   buffer overflow vulnerability
   - User opens bad data file, which exploits the vulnerability


In a traditional environment, the exploit of the vulnerability would likely
include the uploading or installation of some files to the exploited
machine for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that
is spawned by the exploit (either because it is embodied in the bad data,
or because it is downloaded from some remote server) will be unable to run
-- because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files
(CMD, etc) then these executions will be subject to whether or not they are
approved from a whitelisting perspective, but the scope of the exploit is
still *greatly* reduced.  (Read Only or Blocked Attack vs full system
compromise)



*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*



On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

 Ah yes, I recall this debate before.

 So it's not that if you used a Word exploit, for example, you could get
 winword.exe to do bad stuff under the context of that process - it would
 have to be remote code execution under its own badapp.exe - which even if
 you called it winword.exe would get caught by a hash value rule or check
 for signed code, am I thinking along the right lines?


 On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

 Yes, but if the bad data is used to perform a buffer overflow so that
 custom *code* can be executed to do nefarious acts, then that last step
 will fail because the custom malicious code is not authorized to run --
 even in a zero day.

 No, it doesn't solve every last malware issue known to man, and there can
 be some management overhead depending on the implementation, but it addresses
 more issues than blacklisting does, and does so more effectively.

 Of course, we've been saying the same thing for a while here:

 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html


 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


 *ASB*
 *http://XeeMe.com/AndrewBaker*
 *Harnessing the Advantages of Technology for the SMB market…*



 On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

 Agreed, if you've got a malicious Word document that exploits a flaw in
 MS Word itself, then the only defence is good patching or some other form
 of exploit detection. If it's a zero-day, then there's probably nothing
 except exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.

 I don’t understand how you can have an exploit in a data file resulting
 in anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm.

 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point).

 Alex

 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 2012 12:25 AM
 *To:* NT System Admin Issues
 *Subject:* RE: Whitelisting

 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 *From: *Andrew S. Baker
 *Sent: *4/15/2012 1:08 PM

 *To: *NT System Admin Issues
 *Subject: *Re: Whitelisting

 You can't. :)
 

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R kz2...@googlemail.com
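
The scenario discussed in this thread (the buffer-overflow walk-through above, the question about a payload renamed winword.exe, and the earlier point about checking every .dll), as an added example that is not from any poster or product: a toy Python model comparing a file-name rule with a hash rule. All paths, file contents and the `no_children` parent rule are constructed assumptions for illustration.

```python
"""Toy model of execution control: name rule vs. hash rule (added example)."""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for file contents; a real rule hashes the binary on disk.
WINWORD_IMAGE = b"constructed: approved winword.exe image"
CMD_IMAGE = b"constructed: approved cmd.exe image"
PAYLOAD_IMAGE = b"constructed: file written to disk by the exploit"
HELPER_DLL = b"constructed: unapproved DLL written to disk by the exploit"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecRequest:
    path: str          # constructed path of the image being launched or loaded
    image: bytes       # bytes that would be mapped and executed
    parent: str        # name of the process making the request
    kind: str = "exe"  # "exe" or "dll"


def base_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


class NameAllowlist:
    """Weak rule: trusts whatever the file is called."""

    def __init__(self, names):
        self.names = {n.lower() for n in names}

    def decide(self, req: ExecRequest) -> str:
        return "allow" if base_name(req.path) in self.names else "deny"


class HashAllowlist:
    """Hash rule: trusts only exact approved bytes, optionally with a parent rule."""

    def __init__(self, approved_images, enforce_dll=True, no_children=()):
        self.hashes = {sha256_hex(i) for i in approved_images}
        self.enforce_dll = enforce_dll
        # Hypothetical extra rule: parents that may not start any child process.
        self.no_children = {p.lower() for p in no_children}

    def decide(self, req: ExecRequest) -> str:
        if req.kind == "dll" and not self.enforce_dll:
            return "allow"  # DLL loads are not checked at all in this mode
        if sha256_hex(req.image) not in self.hashes:
            return "deny"
        if req.kind == "exe" and req.parent.lower() in self.no_children:
            return "deny"
        return "allow"


# Requests seen after a malicious document is opened in an approved Word.
# Code that stays inside winword.exe's memory never produces a request, so
# no rule here sees it; only what it launches or loads is checked.
SCENARIO = [
    ("user starts Word",
     ExecRequest(r"C:\Program Files\Office\winword.exe", WINWORD_IMAGE, "explorer.exe")),
    ("dropped badapp.exe",
     ExecRequest(r"C:\Users\joe\AppData\Local\Temp\badapp.exe", PAYLOAD_IMAGE, "winword.exe")),
    ("payload renamed winword.exe",
     ExecRequest(r"C:\Users\joe\AppData\Local\Temp\winword.exe", PAYLOAD_IMAGE, "winword.exe")),
    ("approved cmd.exe from Word",
     ExecRequest(r"C:\Windows\System32\cmd.exe", CMD_IMAGE, "winword.exe")),
    ("unapproved DLL load",
     ExecRequest(r"C:\Users\joe\AppData\Local\Temp\helper.dll", HELPER_DLL, "winword.exe", "dll")),
]


def run_scenario(policy) -> dict:
    """Return {request label: "allow" | "deny"} for every request in SCENARIO."""
    return {label: policy.decide(req) for label, req in SCENARIO}


if __name__ == "__main__":
    approved = [WINWORD_IMAGE, CMD_IMAGE]
    policies = {
        "name rule": NameAllowlist({"winword.exe", "cmd.exe"}),
        "hash rule": HashAllowlist(approved),
        "hash rule, DLLs unchecked": HashAllowlist(approved, enforce_dll=False),
        "hash + parent rule": HashAllowlist(approved, no_children={"winword.exe"}),
    }
    for name, policy in policies.items():
        print(name)
        for label, verdict in run_scenario(policy).items():
            print(f"  {verdict:5}  {label}")
```

The renamed payload passes only the name rule, the approved cmd.exe passes every rule except the parent rule, and leaving DLL loads unchecked reopens the gap the hash rule closed.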
 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread James Rankin
No mention of XenServer? It's a lot better than it used to be.

On 16 April 2012 16:15, Andrew S. Baker asbz...@gmail.com wrote:

 I would say that VMWare is more feature rich and has a more extensive
 ecosystem of support and add-ons.

 Hyper-V is a little easier, but that's not a complete apples-to-apples
 comparison.

 Once you get into them, they're both complex enough, yet easy enough to
 manage.

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Mon, Apr 16, 2012 at 10:39 AM, John Hornbuckle 
 john.hornbuc...@taylor.k12.fl.us wrote:

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  Total: $185,000
 
  Sound good?

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
 ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ---
 To manage subscriptions click here:
 http://lyris.sunbelt-software.com/read/my_forums/
 or send an email to listmana...@lyris.sunbeltsoftware.com
 with the body: unsubscribe ntsysadmin




-- 
http://appsensebigot.blogspot.co.uk


Re: Whitelisting

2012-04-16 Thread James Rankin
Thanks for clarifying that

On 16 April 2012 16:25, Andrew S. Baker asbz...@gmail.com wrote:

 Here's one typical scenario:

  - WinWord.exe has a buffer overflow vulnerability.
  - WinWord.exe is a whitelisted app, so the vulnerability can be
    exploited.
  - Bad guy creates a hand-crafted data file that takes advantage of the
    buffer overflow vulnerability
  - User opens bad data file, which exploits the vulnerability


 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.

 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.

 This is a key benefit of whitelisting.

 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly* reduced.  (Read Only or Blocked Attack vs full system
 compromise)



 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

 Ah yes, I recall this debate before.

 So it's not that if you used a Word exploit, for example, you could get
 winword.exe to do bad stuff under the context of that process - it would
 have to be remote code execution under its own badapp.exe - which even if
 you called it winword.exe would get caught by a hash value rule or check
 for signed code, am I thinking along the right lines?


 On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

 Yes, but if the bad data is used to perform a buffer overflow so that
 custom *code* can be executed to do nefarious acts, then that last step
 will fail because the custom malicious code is not authorized to run --
 even in a zero day.

 No, it doesn't solve every last malware issue known to man, and there
 can be some management overhead depending on the implementation, but it
 addresses more issues than blacklisting does, and does so more effectively.

 Of course, we've been saying the same thing for a while here:

 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html


 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

 Agreed, if you've got a malicious Word document that exploits a flaw in
 MS Word itself, then the only defence is good patching or some other form
 of exploit detection. If it's a zero-day, then there's probably nothing
 except exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.

 I don’t understand how you can have an exploit in a data file
 resulting in anything else but code execution.  Data itself is harmless;
 it’s the executables that cause harm.

 There will always be code executed, in some form or another (unless
 I’m misunderstanding your point).

 Alex

 From: Crawford, Scott [mailto:crawfo...@evangel.edu]
 Sent: Monday, April 16, 2012 12:25 AM
 To: NT System Admin Issues
 Subject: RE: Whitelisting

 Possibly...even probably. But, if we ever get to a world where
 whitelisting is the predominant means of execution control, the bad guys
 will, out of necessity, be relegated to exploiting flaws in applications
 through data files. A scanner that looks for signatures of exploits in
 files will be a useful tool. Assuming of course, all applications aren't
 secure.


 Sent from my Windows Phone

 --

 From: Andrew S. Baker
 Sent: 4/15/2012 1:08 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 You can't. :)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format 
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?




--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in England 
and Wales No. 402570 VAT Registration  GB 100 1464 84




Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Andrew S. Baker
 Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  Total: $185,000
 
  Sound good?



Re: code signing certificate ?

2012-04-16 Thread Christopher Bodnar
OK, got past that hurdle. I was also able to successfully sign a script 
using SignTool. Just trying to figure out the process to verify the 
signature, getting this:

SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

But if I look at the path, it looks OK. 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology: Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From: Christopher Bodnar christopher_bod...@glic.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 10:40 AM
Subject: Re: code signing certificate ?



Yes, and they are great, but I'm not importing directly from the web site like 
he was able to. I've got the SPC and PVK files and now need to somehow 
import them into the certificate store. That is where I'm stuck. I've just 
found this link which seems to be promising: 

http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/ 

But it isn't taking the password that I was given by our security guys. I'll 
have to check on that. 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology: Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 



The Guardian Life Insurance Company of America

www.guardianlife.com 






From: Mack Bolan mack.bola...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 10:05 AM
Subject: Re: code signing certificate ?



Have you looked at Webster's instructions yet?

Mack S. Bolan



On Mon, Apr 16, 2012 at 8:58 AM, Christopher Bodnar 
christopher_bod...@glic.com wrote: 
OK, the Security team has now provided me the SPC file. 

What I'm looking for is how to install the certificate with these 2 files 
(SPC, and PVK). According to the information I've found online you should 
be able to do this: 


pvkimprt -import 1.spc myprivatekey.pvk 

Which will then launch a wizard, or you can export directly to the PFX 
file by using this: 

pvkimprt -PFX 1.spc myprivatekey.pvk ISDCert.pfx 

Neither seems to be working for me. I get this error: 

Command line option syntax error: 

I'm doing this from a W7 machine 

Thanks 
Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology: Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 


The Guardian Life Insurance Company of America

www.guardianlife.com 







From: Lora Cates lora.ca...@rocketmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 09:42 AM
Subject: Re: code signing certificate ?




I found this in the NTSys Archives:  
http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/
 

  
-lc 
From: Christopher Bodnar christopher_bod...@glic.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com 
Sent: Monday, April 16, 2012 8:21 AM
Subject: code signing certificate ? 

All help is appreciated, have never done this before. 

We are going to start signing our scripts. I requested a code signing 
certificate from our Security group, we use Verisign. They handle all the 
Verisign certificates. They gave me back a *.PVK file. Shouldn't there 
also be a *SPC file as well? I've been looking at this for documentation 
on how to import the certificate: 


http://support.godaddy.com/help/5087 

Wanted to verify this first, before I go back to our Security group. 


Thanks 
Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology: Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 


The Guardian Life Insurance Company of America 


www.guardianlife.com 





Re: Whitelisting

2012-04-16 Thread Ben Scott
On Mon, Apr 16, 2012 at 10:21 AM, Alex Eckelberry al...@eckelberry.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

  I expect you whitelist CMD.EXE, no?

-- Ben




RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Data is harmless unless that data is actually formed in such a way to exploit 
a vulnerability in an application. If so, you've got a whitelisted application 
executing arbitrary code from a data file.

From: Alex Eckelberry [mailto:al...@eckelberry.com]
Sent: Monday, April 16, 2012 9:19 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your point).

Alex



From: Crawford, Scott 
[mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is 
the predominant means of execution control, the bad guys will, out of 
necessity, be relegated to exploiting flaws in applications through data files. 
A scanner that looks for signatures of exploits in files will be a useful tool. 
Assuming of course, all applications aren't secure.

Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM
To: NT System Admin Issues
Subject: Re: Whitelisting
You can't. :)
ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
kz2...@googlemail.com wrote:
How do you blacklist all possible bad data files?
--Original Message--
From: Crawford, Scott
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: RE: Whitelisting
Sent: 14 Apr 2012 18:02

A combination is needed. Whitelisting for traditional executable code and 
blacklisting for data files that exploit vulnerable white listed applications.

-Original Message-
From: Alex Eckelberry [mailto:a...@eckelberry.com]
Sent: Saturday, April 14, 2012 10:10 AM
To: NT System Admin Issues
Subject: Whitelisting

I'm curious, what's the general feeling about whitelisting?  As a former 
AV guy, I tend to prefer blacklisting, but I'm seeing signs things might be 
changing.

Thoughts?


RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Why does the code that is spawned need to download some payload or use existing 
files?  Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective, but the scope of the exploit is still greatly 
reduced.  (Read Only or Blocked Attack vs full system compromise)



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 11:12 AM, James Rankin 
kz2...@googlemail.com wrote:
Ah yes, I recall this debate before.

So it's not that if you used a Word exploit, for example, you could get 
winword.exe to do bad stuff under the context of that process - it would have 
to be remote code execution under its own badapp.exe - which even if you called 
it winword.exe would get caught by a hash value rule or check for signed code, 
am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker 
asbz...@gmail.com wrote:
Yes, but if the bad data is used to perform a buffer overflow so that custom 
*code* can be executed to do nefarious acts, then that last step will fail 
because the custom malicious code is not authorized to run -- even in a zero 
day.

No, it doesn't solve every last malware issue known to man, and there can be 
some management overhead depending on the implementation, but it addresses more 
issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 10:28 AM, James Rankin 
kz2...@googlemail.com wrote:
Agreed, if you've got a malicious Word document that exploits a flaw in MS Word 
itself, then the only defence is good patching or some other form of exploit 
detection. If it's a zero-day, then there's probably nothing except exploit 
detection.

Don't want to plug it too much but AppSense Application Manager does a good job 
of detecting execution beyond the expected capabilities of an application, 
but I've never been able to test it much beyond the types of things like 
malicious PDFs with Java exploits or exploits that call out to malicious dll 
files. Wonder how much work it would be to craft an Office document that tries 
to exploit a vulnerability to see if it can stop this sort of vector as well?
On 16 April 2012 15:19, Alex Eckelberry 
al...@eckelberry.com wrote:
But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your point).

Alex



From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM

To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is 
the predominant means of execution control, the bad guys will, out of 
necessity, be relegated to exploiting flaws in applications through data files. 
A scanner that looks for signatures of exploits in files will be a useful tool. 
Assuming of course, all applications aren't secure.


Sent from my Windows Phone

From: Andrew S. Baker
Sent: 4/15/2012 1:08 PM

To: NT System Admin Issues
Subject: 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Heaton, Joseph@DFG
We're using an iSCSI tape library at our field offices, with the backup server 
VM connecting to it.  Works great for us.

Joe Heaton
ITB - Windows Server Support


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, April 13, 2012 2:37 PM
To: Heaton, Joseph@DFG; NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Basically forget about connecting your tape library to one of the VMware hosts, 
even if it should work it isn't going to be pleasant - far better to use one of 
your existing boxes as a media agent with the tape drive attached to it if you 
stick with the tape drive you have.

If you wouldn't mind doing so it would be beneficial if you went into some 
detail on what you currently do for backups - what software, what backup 
routine etc.?

If you're using something old or basic and are considering backups from scratch 
I'd suggest (in a very rough order) looking at Commvault, Unitrends, Veeam 
(only does VMware or Hyper-V) and AppAssure (only does Windows), then at the 
lower end you have Backup Exec and ArcServe and no doubt a few others.

I really can't stress the point strongly enough about having a solid backup 
plan in place when you virtualise.

Firstly you're talking about spending almost $200k on kit - respectfully I'm a 
little surprised if the VAR hasn't mentioned backups somewhere down the line?

Secondly, your single SAN is your single point of failure.  Sure, it's made not 
to fail but if it does you've just lost every single VM you have so you want to 
be able to get them back as quickly and easily as possible.

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 9:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Ah... yes, that is exactly what I am doing now.

I will absolutely look into this.  Thank you.



-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 3:54 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I meant more in terms of what backup software are you using?

If you're currently doing backups of your physical boxes you're most likely 
doing it using traditional agents that sit on the boxes and do file or 
application level backups?

Of course you can continue to do that, but you're missing one of the biggest 
benefits of virtualisation if you're not complementing it (or in some cases 
replacing it) with taking image level backups of the entire VM.

It's something you should definitely look into, not least because, well it's 
backups so it's probably the most important part of the whole setup, but also 
because if you do go the Netapp route they also offer a lot of software tools 
(at a cost) that your backup software may be compatible with - basically you 
want to check it out prior to any purchase to avoid any surprises down the line 
(particularly as Netapp aren't the cheapest in terms of software licenses if 
you need to buy anything down the line).

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 8:44 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I assume I will back up to tape?


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 3:29 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

What are you doing to backup your VM's?

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 8:06 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Wow. This is perfect.
You probably just saved me some serious coin.
Thank you!!!


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 2:45 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

vSphere will see all the RAM, but the amount you'll be able to use (assuming 
vSphere 5) is licensed/controlled by your vRAM entitlement.

It's one of the biggest and most contentious changes moving from 4.1 to 5.

Here's VMware's licensing paper which lists it in all its glorious
detail:

http://www.vmware.com/files/pdf/vsphere_pricing.pdf

So in a nutshell, yes, you'll have almost 600gb of RAM but will only be able to 
use 1/3rd of it without ponying up for more licenses.  Nice eh?!

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 7:26 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

So, even though I will have 588GB of RAM across all 3 hosts, VMware is only 
going to see and utilize 192GB?
confused




-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 2:05 PM
To: NT System Admin Issues
Subject: 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
I didn't think you could point Veeam (or whatever HyperV aware backup app 
you're using) to a single entity like you can vCenter and have it backup every 
VM that's in your cluster?  If you can that's great to know as I always 
wondered how it coped with doing incremental backups of a VM when it's been 
moved between hosts if it addresses each host individually.

On the domain point, so can you have several Hyper-V hosts that aren't domain 
members but still manage them as a single entity/cluster?  Basically what's the 
Hyper-V equivalent of a vCenter server?

Like I said I haven't used it but I thought those were both things about it 
that didn't seem quite as polished as VMware?

From: Andrew S. Baker [asbz...@gmail.com]
Sent: 16 April 2012 4:55 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.



ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…





On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread David Mazzaccaro
Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...





On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although
Postini frequently blocks messages from this list)... What factors led
to you choosing VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
Because it is *data*.

Data doesn't make calls.  Code does.  That's been the gist of the
argument from the very beginning.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 10:26 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Here's one typical scenario:

 - WinWord.exe has a buffer overflow vulnerability.
 - WinWord.exe is a whitelisted app, so the vulnerability can be
   exploited.
 - Bad guy creates a hand-crafted data file that takes advantage of the
   buffer overflow vulnerability
 - User opens bad data file, which exploits the vulnerability

 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.

 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.

 This is a key benefit of whitelisting.

 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly* reduced.  (Read Only or Blocked Attack vs full system
 compromise)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 

 On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com wrote:

 Ah yes, I recall this debate before.

 So it's not that if you used a Word exploit, for example, you could get
 winword.exe to do bad stuff under the context of that process - it would
 have to be remote code execution under its own badapp.exe - which even if
 you called it winword.exe would get caught by a hash value rule or check
 for signed code, am I thinking along the right lines?


 On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:

 Yes, but if the bad data is used to perform a buffer overflow so that
 custom *code* can be executed to do nefarious acts, then that last step
 will fail because the custom malicious code is not authorized to run --
 even in a zero day.

 No, it doesn't solve every last malware issue known to man, and there can
 be some management overhead depending on the implementation, but it addresses
 more issues than blacklisting does, and does so more effectively.

 Of course, we've been saying the same thing for a while here:
 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
 http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 

 On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:

  Agreed, if you've got a malicious Word document that exploits a flaw in
 MS Word itself, then the only defence is good patching or some other form
 of exploit detection. If it's a zero-day, then there's probably nothing
 except exploit detection.

 Don't want to plug it too much but AppSense Application Manager does a
 good job of detecting execution beyond the expected capabilities of an
 application, but I've never been able to test it much beyond the types of
 things like malicious PDFs with Java exploits or exploits that call out to
 malicious dll files. Wonder how much work it would be to craft an Office
 document that tries to exploit a vulnerability to see if it can stop this
 sort of vector as well?

 On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:

 But, if we ever get to a world where whitelisting is the predominant
 means of execution control, the bad guys will, out of necessity, be
 relegated to exploiting flaws in applications through data files.

  

 I don’t understand how you can have an exploit in a data file resulting in
 anything else but code execution.  Data itself is harmless; it’s the
 executables that cause harm. 

  

 There will always be code executed, in some form or another (unless I’m
 misunderstanding your point). 

  

 Alex

  

  

  

 *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
 *Sent:* Monday, April 16, 
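
The hash-rule point discussed in the thread above (a dropped file renamed winword.exe still fails a hash check, and existing tools such as CMD run only if they are themselves approved), as an added example that is not part of any poster's message or any product's rule engine. The `AllowlistPolicy` class, the paths and the file contents are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image; the identity a hash rule compares."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class LaunchRequest:
    """A file about to be executed (hypothetical structure for this sketch)."""
    path: str
    image: bytes


@dataclass
class AllowlistPolicy:
    """Toy execution-control policy with a weak rule and a strong rule."""
    allowed_names: set = field(default_factory=set)   # file name only
    allowed_hashes: set = field(default_factory=set)  # SHA-256 of contents

    def approve(self, name: str, image: bytes) -> None:
        self.allowed_names.add(name.lower())
        self.allowed_hashes.add(sha256_hex(image))

    def decide_by_name(self, req: LaunchRequest) -> str:
        # Weak: trusts whatever the file happens to be called.
        name = req.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        return "allow" if name in self.allowed_names else "deny"

    def decide_by_hash(self, req: LaunchRequest) -> str:
        # Strong: the decision follows the bytes, not the name or location.
        # Note: this check fires only when a file is about to be executed.
        # Code already running inside an approved process is never presented
        # to it, which is the question raised in the thread.
        return "allow" if sha256_hex(req.image) in self.allowed_hashes else "deny"


# Constructed sample data: placeholder bytes, not real binaries.
WINWORD = b"CONSTRUCTED: bytes standing in for the approved winword.exe"
PAYLOAD = b"CONSTRUCTED: bytes standing in for an unapproved dropped file"
CMD = b"CONSTRUCTED: bytes standing in for cmd.exe"

REQUESTS = [
    LaunchRequest(r"C:\Apps\Office\winword.exe", WINWORD),
    LaunchRequest(r"C:\Users\joe\AppData\Local\Temp\winword.exe", PAYLOAD),
    LaunchRequest(r"C:\Users\joe\AppData\Local\Temp\badapp.exe", PAYLOAD),
    LaunchRequest(r"C:\Windows\System32\cmd.exe", CMD),
]


def evaluate(policy: AllowlistPolicy, requests):
    """Return (path, name-rule decision, hash-rule decision) per request."""
    return [(r.path, policy.decide_by_name(r), policy.decide_by_hash(r))
            for r in requests]


def demo():
    """Evaluate the requests before and after the admin also approves cmd.exe."""
    policy = AllowlistPolicy()
    policy.approve("winword.exe", WINWORD)
    before = evaluate(policy, REQUESTS)
    policy.approve("cmd.exe", CMD)
    after = evaluate(policy, REQUESTS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, rows in (("winword approved", before),
                        ("winword + cmd approved", after)):
        print(label)
        for path, by_name, by_hash in rows:
            print(f"  name={by_name:5} hash={by_hash:5} {path}")
```
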

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
I did briefly look at that.  Problem was the iSCSI bridge for the tape 
libraries seemed to cost more than simply buying a physical box to connect the 
tape library to.

Kind of weird but seemed consistent across vendors.

From: Heaton, Joseph@DFG [jhea...@dfg.ca.gov]
Sent: 16 April 2012 5:28 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

We're using an iSCSI tape library at our field offices, with the backup server 
VM connecting to it.  Works great for us.

Joe Heaton
ITB - Windows Server Support


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 2:37 PM
To: Heaton, Joseph@DFG; NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Basically forget about connecting your tape library to one of the VMware hosts, 
even if it should work it isn't going to be pleasant - far better to use one of 
your existing boxes as a media agent with the tape drive attached to it if you 
stick with the tape drive you have.

If you wouldn't mind doing so it would be beneficial if you went into some 
detail on what you currently do for backups - what software, what backup 
routine etc.?

If you're using something old or basic and are considering backups from scratch 
I'd suggest (in a very rough order) looking at Commvault, Unitrends, Veeam 
(only does VMware or Hyper-V) and AppAssure (only does Windows), then at the 
lower end you have Backup Exec and ArcServe and no doubt a few others.

I really can't stress the point strongly enough about having a solid backup 
plan in place when you virtualise.

Firstly you're talking about spending almost $200k on kit - respectfully I'm a 
little surprised if the VAR hasn't mentioned backups somewhere down the line?

Secondly, your single SAN is your single point of failure.  Sure, it's made not 
to fail but if it does you've just lost every single VM you have so you want to 
be able to get them back as quickly and easily as possible.

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 9:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Ah... yes, that is exactly what I am doing now.

I will absolutely look into this.  Thank you.



-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 3:54 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I meant more in terms of what backup software are you using?

If you're currently doing backups of your physical boxes you're most likely 
doing it using traditional agents that sit on the boxes and do file or 
application level backups?

Of course you can continue to do that, but you're missing one of the biggest 
benefits of virtualisation if you're not complementing it (or in some cases 
replacing it) with taking image level backups of the entire VM.

It's something you should definitely look into, not least because, well it's 
backups so it's probably the most important part of the whole setup, but also 
because if you do go the Netapp route they also offer a lot of software tools 
(at a cost) that your backup software may be compatible with - basically you 
want to check it out prior to any purchase to avoid any surprises down the line 
(particularly as Netapp aren't the cheapest in terms of software licenses if 
you need to buy anything down the line).

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 8:44 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I assume I will back up to tape?


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 3:29 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

What are you doing to backup your VM's?

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 8:06 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Wow. This is perfect.
You probably just saved me some serious coin.
Thank you!!!


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 2:45 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

vSphere will see all the RAM, but the amount you'll be able to use (assuming 
vSphere 5) is licensed/controlled by your vRAM entitlement.

It's one of the biggest and most contentious changes moving from 4.1 to 5.

Here's VMware's licensing paper which lists it in all its glorious
detail:

http://www.vmware.com/files/pdf/vsphere_pricing.pdf

So in a nutshell, yes, you'll have almost 600gb of RAM but will only be able to 
use 1/3rd of it without ponying up for more licenses.  Nice eh?!

From: David Mazzaccaro 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Crawford, Scott
 You don't need any physical boxes at all.  Period.

I'd at least want some hosts :)

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
#2

There are rules/best practises to follow such as not using snapshots when 
updating DCs that are virtual, but the biggest issue, which used to be clock 
skew, is a non-issue these days.

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 16 April 2012 5:30 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don’t need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Chinnery, Paul
1.  Both my dc's are physical.
2.  A lot of that depends on the software being used.  We have a fax server 
that the fax s/w vendor recommended be a physical server.  When ICD-10 (medical 
coding) comes out, our coding vendor will not install on a virtual server.


Paul Chinnery
Network Admin
Memorial Medical Center
231.845.2319


From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 12:30 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Cook
Well if your entire VMWare infrastructure goes down it's possible to have 
issues with DNS unless the virtualized DNS server is set to auto restart AND be 
the first machine to come up. It's entirely possible to have everything 
virtualized but IMO having a single physical DNS server is just good redundancy 
planning that can save some angst during a stressful situation like everything 
going down at once. YMMV

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 12:30 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker 
[mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Matthew W. Ross
I would modify your statements in the following way:

1) Always have a way to boot a DC without the dependencies of other services. 
AKA, you can virtualize your DCs if your VM solution doesn't require a domain 
to boot/manage. Having a physical DC does solve this problem.

2) Virtualize everything you can, save what your application vendors ask that 
you don't. I.E.: You can't Hyper-V a ShoreTel Director server yet. (I do see 
they now support a VMWare configuration.)


--Matt Ross
Ephrata School District


- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 16 Apr 2012
09:30:11 -0700
Subject: RE: Hooray, I'm moving to VMware!


 Speaking of domain controllers, I am being told 2 different things...
 
 1) ALWAYS keep a single DC physical.  You can certainly have virtual
 DCs, but you must have at least 1 physical.
 
 2) Virtualize everything you can. You don't need any physical boxes at
 all.  Period.
 
  
 
 Thoughts?
 
  
 
  
 
 From: Andrew S. Baker [mailto:asbz...@gmail.com] 
 Sent: Monday, April 16, 2012 11:55 AM
 To: NT System Admin Issues
 Subject: Re: Hooray, I'm moving to VMware!
 
  
 
  Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?
 
 No, you don't have to back them up individually.   Lots of 3rd party
 options here.
 
 
  No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.
 
 Your Hyper-V server need not be a domain member.
 
  
 
 ASB
 
 http://XeeMe.com/AndrewBaker
 
 Harnessing the Advantages of Technology for the SMB market...
 
 
 
 
 
 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
 paul.hutchi...@mira.co.uk wrote:
 
 I've only used VMware so I'm more than happy to be corrected here, but
 in no particular order:
 
 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire
 VMware infrastructure.
 Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.
 
 Outside of usability you then have:
 
 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins
 
 I'm very interested in Hyper-V with Windows Server 8 and for us the
 timing falls nicely with our SAN and server refresh, but honestly the
 only reason I can see for looking at moving would be license costs -
 VMware works out expensive if you have more than a few hosts and want
 more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM
 
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!
 
 Is the consensus that VMware is easier to use than Hyper-V?
 
 I've only used the latter, so I can't judge.
 
 
 
 John
 
 
 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!
 
 I'd assume ease of use and market leader.
 
 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!
 
 Someone else asked about this, but I didn't see a reply (although
 Postini frequently blocks messages from this list)... What factors led
 to you choosing VMware over Hyper-V?
 
 
 
 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us
 
 
 
 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!
 
 
  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  Total: $185,000
 
  Sound good?
 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Steven Peck
We have some isolated environments where all servers are virtual (including
DCs).  In this case when we had some data center power issues or did some
shut downs, we had to play whack a mole to find the DCs to power them up
first.  Since these environments were smaller involving 3 hosts each with
only 40-60 guest servers per cluster, it was inconvenient and annoying but
not seriously painful.  We do have the virtual center server on a physical
host with a local database now though which helps significantly.  We also
have rules to keep the DCs on separate hosts.

In the larger environments the AD team maintains some physical DCs but
we've always wondered why.  It's not like we don't have a geographically
spread out environment with a lot of redundancy and coverage but there you
go.

Steven Peck
http://www.blkmtn.org



On Mon, Apr 16, 2012 at 9:30 AM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:

 Speaking of domain controllers, I am being told 2 different things...

 1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs,
 but you must have at least 1 physical.

 2) Virtualize everything you can. You don’t need any physical boxes at
 all.  Period.

 Thoughts?

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 11:55 AM
 To: NT System Admin Issues
 Subject: Re: Hooray, I'm moving to VMware!

  Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?

 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


  No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.

 Your Hyper-V server need not be a domain member.

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market…



 

 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM

 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  

RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Data is code. Code is data. They're both strings of 1's and 0's. The only 
difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is data.

Data doesn't make calls.  Code does.  That's been the gist of the argument 
from the very beginning.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott 
crawfo...@evangel.edu wrote:
Why does the code that is spawned need to download some payload or use existing 
files?  Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective, but the scope of the exploit is still greatly 
reduced.  (Read Only or Blocked Attack vs full system compromise)



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:12 AM, James Rankin 
kz2...@googlemail.com wrote:
Ah yes, I recall this debate before.

So it's not that if you used a Word exploit, for example, you could get 
winword.exe to do bad stuff under the context of that process - it would have 
to be remote code execution under its own badapp.exe - which even if you called 
it winword.exe would get caught by a hash value rule or check for signed code, 
am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker 
asbz...@gmail.com wrote:
Yes, but if the bad data is used to perform a buffer overflow so that custom 
*code* can be executed to do nefarious acts, then that last step will fail 
because the custom malicious code is not authorized to run -- even in a zero 
day.

No, it doesn't solve every last malware issue known to man, and there can be 
some management overhead depending on the implementation, but it addresses more 
issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 10:28 AM, James Rankin 
kz2...@googlemail.com wrote:
Agreed, if you've got a malicious Word document that exploits a flaw in MS Word 
itself, then the only defence is good patching or some other form of exploit 
detection. If it's a zero-day, then there's probably nothing except exploit 
detection.

Don't want to plug it too much but AppSense Application Manager does a good job 
of detecting execution beyond the expected capabilities of an application, 
but I've never been able to test it much beyond the types of things like 
malicious PDFs with Java exploits or exploits that call out to malicious dll 
files. Wonder how much work it would be to craft an Office document that tries 
to exploit a vulnerability to see if it can stop this sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry 
al...@eckelberry.com wrote:
But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your 
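
The point raised in the thread above, that a badapp.exe renamed to winword.exe passes a name rule but is caught by a hash value rule, and that hash rules carry some management overhead, can be modelled in a few lines. This is an added example, not part of the original messages or of any product mentioned in them; the `Allowlist` class, the file contents and the directory names are constructed stand-ins.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Allowlist:
    """Hypothetical allowlist that records both rule types for comparison."""

    def __init__(self):
        self.names = set()    # file-name rule: matches on the name only
        self.hashes = set()   # hash rule: matches on the exact file contents

    def approve(self, path):
        """Record an approved binary under both rule types."""
        self.names.add(os.path.basename(path).lower())
        self.hashes.add(sha256_of(path))

    def allowed_by_name(self, path):
        return os.path.basename(path).lower() in self.names

    def allowed_by_hash(self, path):
        return sha256_of(path) in self.hashes

    def verdicts(self, path):
        return {
            "name_rule": self.allowed_by_name(path),
            "hash_rule": self.allowed_by_hash(path),
        }


def _write(directory, name, content):
    """Create a constructed sample file and return its path."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "wb") as handle:
        handle.write(content)
    return path


def run_demo():
    """Evaluate three constructed files against both rule types."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins: plain byte strings, not real executables.
        genuine = _write(os.path.join(root, "office"), "winword.exe",
                         b"constructed: approved build 1")
        renamed = _write(os.path.join(root, "downloads"), "winword.exe",
                         b"constructed: unapproved program")
        updated = _write(os.path.join(root, "office_patched"), "winword.exe",
                         b"constructed: approved build 2")

        policy = Allowlist()
        policy.approve(genuine)

        results["genuine"] = policy.verdicts(genuine)
        # Same file name, different contents: only the hash rule notices.
        results["renamed"] = policy.verdicts(renamed)
        # A legitimate update also changes the hash, so it is denied until
        # the rule set is refreshed (the management overhead).
        results["updated"] = policy.verdicts(updated)
        policy.approve(updated)
        results["updated_after_refresh"] = policy.verdicts(updated)
    return results


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(label, verdict)
```
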

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Cook
No third party tools necessary for backing up the servers with VMWare 
standard/Ent/Ent+ - VMWare Data Recovery is included

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 12:28 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I didn't think you could point Veeam (or whatever HyperV aware backup app 
you're using) to a single entity like you can vCenter and have it backup every 
VM that's in your cluster?  If you can that's great to know as I always 
wondered how it coped with doing incremental backups of a VM when it's been 
moved between hosts if it addresses each host individually.

On the domain point, so can you have several Hyper-V hosts that aren't domain 
members but still manage them as a single entity/cluster?  Basically what's the 
Hyper-V equivalent of a vCenter server?

Like I said I haven't used it but I thought those were both things about it 
that didn't seem quite as polished as VMware?

From: Andrew S. Baker [asbz...@gmail.com]
Sent: 16 April 2012 4:55 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Kennedy, Jim

Your hyper-v host is fubar'd and you need to log into it. Your DC is hosted on 
that VM host so you can't log in. You can certainly build it to avoid that 
problem, but that is why some people say keep one physical DC. For example you 
can have your hyper-v host not be in the domain. Or if you have multiple hyper 
hosts spread out your DC's.

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 12:43 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker 
[mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Brian Desmond
The documentation currently says #1, but, I expect in the next 6-12 months you 
will see that shift to #2. I don't have a problem personally with #1.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


RE: code signing certificate ?

2012-04-16 Thread Brian Desmond
Do you have root cert auto updating enabled?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Monday, April 16, 2012 11:02 AM
To: NT System Admin Issues
Subject: Re: code signing certificate ?

OK, got past that hurdle. i was also able to successfully sign a script using 
SignTool. Just trying to figure out the process to verify the signature, 
getting this:

SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

But if I look at the path, it looks OK.
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com

From: Christopher Bodnar christopher_bod...@glic.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 10:40 AM
Subject: Re: code signing certificate ?




Yes, and are great, but I'm not importing directly from the web site like he 
was able to. I've got the SPC and PVK files and now need to somehow import them 
into the certificate store. That is where I'm stuck. I've just found this link 
which seems to be promising:

http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/

But isn't taking the password that I was given by our security guys. I'll have 
to check on that.
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com

From: Mack Bolan mack.bola...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 10:05 AM
Subject: Re: code signing certificate ?




Have you looked at Webster's instructions yet?

Mack S. Bolan



On Mon, Apr 16, 2012 at 8:58 AM, Christopher Bodnar 
christopher_bod...@glic.com wrote:
OK, the Security team has now provided me the SPC file.

What I'm looking for is how to install the certificate with these 2 files (SPC, 
and PVK). According to the information I've found online you should be able to 
do this:


pvkimprt -import 1.spc myprivatekey.pvk

Which will then launch a wizard, or you can export directly to the PFX file by 
using this:

pvkimprt -PFX 1.spc myprivatekey.pvk ISDCert.pfx

Neither seems to be working for me. I get this error:

Command line option syntax error:

I'm doing this from a W7 machine

Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com

From: Lora Cates lora.ca...@rocketmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 04/16/2012 09:42 AM
Subject: Re: code signing certificate ?





I found this in the NTSys Archives:  
http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/

-lc

From: Christopher Bodnar christopher_bod...@glic.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Monday, April 16, 2012 8:21 AM
Subject: code signing certificate ?

All help is appreciated, have never done this before.

We are going to start signing our scripts. I requested a code signing 
certificate from our Security group, we use Verisign. They handle all the 
Verisign certificates. They gave me back a *.PVK file. Shouldn't there also be 
a *SPC file as well? I've been looking at this for documentation on how to 
import the certificate:


http://support.godaddy.com/help/5087

Wanted to verify this first, before I go back to our Security group.


Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 
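
The trust-chain question behind the SignTool error quoted in the thread above, as an added PowerShell example that is not part of any poster's message: it signs a throwaway script with a constructed self-signed certificate and reports where the chain ends and whether that certificate is in a Trusted Root store. The function name `Get-SignatureChainReport`, the subject name and the file name are assumptions made for the demo.

```powershell
# Added example; all names below are constructed for the demo.
# New-SelfSignedCertificate -Type needs Windows 10 / Server 2016 or later.

function Get-SignatureChainReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        Path            = $Path
        Status          = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Chain           = @()
        ChainErrors     = @()
        TopOfChain      = $null
        TopIsSelfSigned = $false
        TopInRootStore  = $false
    }
    # Unsigned file: nothing to chain, report the status only.
    if ($null -eq $sig.SignerCertificate) { return [pscustomobject]$report }

    # Build the chain locally. Revocation checking is switched off so the
    # report isolates the trust-anchor question from CRL/OCSP reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)

    # Elements run from the signer (index 0) up to the highest issuer found.
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $top   = $certs[-1]

    # Is the top certificate present in either Trusted Root store?
    $anchors = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    $report.Chain           = @($certs | ForEach-Object { $_.Subject })
    $report.ChainErrors     = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $report.TopOfChain      = $top.Thumbprint
    $report.TopIsSelfSigned = ($top.Subject -eq $top.Issuer)
    $report.TopInRootStore  = ($anchors.Count -gt 0)
    return [pscustomobject]$report
}

# --- Demo on constructed input -------------------------------------------
# A self-signed code-signing certificate that is NOT placed in a root store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Constructed Test Signer' `
    -CertStoreLocation Cert:\CurrentUser\My

$sample = Join-Path $env:TEMP 'constructed-sample.ps1'
Set-Content -Path $sample -Value 'Write-Output "constructed sample script"'
Set-AuthenticodeSignature -FilePath $sample -Certificate $cert | Out-Null

Get-SignatureChainReport -Path $sample | Format-List

# Clean up the demo certificate (and any copy in the intermediate store).
Remove-Item $sample
Get-ChildItem Cert:\CurrentUser\My, Cert:\CurrentUser\CA |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Remove-Item
```

When checking with SignTool instead, `signtool verify /pa /v <file>` selects the default Authenticode verification policy; without `/pa`, SignTool verifies against the Windows driver policy.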

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread David Mazzaccaro
LOL... 

 

From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, April 16, 2012 12:42 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

 

 You don't need any physical boxes at all.  Period.

 

I'd at least want some hosts :)

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com] 
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

 

Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...

 

On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although
Postini frequently blocks messages from this list)... What factors led
to you choosing VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Heaton, Joseph@DFG
Hmm... not sure how much it cost for us.  We went with Dell TL2000 libraries, 
and the Dell iSCSI-SAS bridge card.

Joe Heaton
ITB - Windows Server Support


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Monday, April 16, 2012 9:37 AM
To: Heaton, Joseph@DFG; NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I did briefly look at that.  Problem was the iSCSI bridge for the tape 
libraries seemed to cost more than simply buying a physical box to connect the 
tape library to.

Kind of weird but seemed consistent across vendors.

From: Heaton, Joseph@DFG [jhea...@dfg.ca.gov]
Sent: 16 April 2012 5:28 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

We're using an iSCSI tape library at our field offices, with the backup server 
VM connecting to it.  Works great for us.

Joe Heaton
ITB - Windows Server Support


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 2:37 PM
To: Heaton, Joseph@DFG; NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Basically forget about connecting your tape library to one of the VMware hosts, 
even if it should work it isn't going to be pleasant - far better to use one of 
your existing boxes as a media agent with the tape drive attached to it if you 
stick with the tape drive you have.

If you wouldn't mind doing so it would be beneficial if you went into some 
detail on what you currently do for backups - what software, what backup 
routine etc.?

If you're using something old or basic and are considering backups from scratch 
I'd suggest (in a very rough order) looking at Commvault, Unitrends, Veeam 
(only does VMware or Hyper-V) and AppAssure (only does Windows), then at the 
lower end you have Backup Exec and ArcServe and no doubt a few others.

I really can't stress the point strongly enough about having a solid backup 
plan in place when you virtualise.

Firstly you're talking about spending almost $200k on kit - respectfully I'm a 
little surprised if the VAR hasn't mentioned backups somewhere down the line?

Secondly, your single SAN is your single point of failure.  Sure, it's made not 
to fail but if it does you've just lost every single VM you have so you want to 
be able to get them back as quickly and easily as possible.

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 9:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Ah... yes, that is exactly what I am doing now.

I will absolutely look into this.  Thank you.



-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 3:54 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I meant more in terms of what backup software are you using?

If you're currently doing backups of your physical boxes you're most likely 
doing it using traditional agents that sit on the boxes and do file or 
application level backups?

Of course you can continue to do that, but you're missing one of the biggest 
benefits of virtualisation if you're not complementing it (or in some cases 
replacing it) with taking image level backups of the entire VM.

It's something you should definitely look into, not least because, well it's 
backups so it's probably the most important part of the whole setup, but also 
because if you do go the Netapp route they also offer a lot of software tools 
(at a cost) that your backup software may be compatible with - basically you 
want to check it out prior to any purchase to avoid any surprises down the line 
(particularly as Netapp aren't the cheapest in terms of software licenses if 
you need to buy anything down the line).

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 8:44 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I assume I will back up to tape?


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 3:29 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

What are you doing to backup your VM's?

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 13 April 2012 8:06 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Wow. This is perfect.
You probably just saved me some serious coin.
Thank you!!!


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, April 13, 2012 2:45 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

vSphere will see all the RAM, but the amount you'll be able to use (assuming 
vSphere 5) is licensed/controlled by your vRAM entitlement.

It's one of the biggest and most contentious changes 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Heaton, Joseph@DFG
All of our DCs are virtual.  Just make sure they're on different hosts, in case 
the host crashes...

Joe Heaton
ITB - Windows Server Support

From: Scott Crawford [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 9:42 AM
To: Heaton, Joseph@DFG; NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

 You don't need any physical boxes at all.  Period.

I'd at least want some hosts :)

From: David Mazzaccaro 
[mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 11:30 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S Baker 
[mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012 08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Jonathan Link
Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your
hosts as Scott pithily responded... :-)  And you may as well run a physical
box for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate
against and bring your environment back online.  At your size (three hosts,
which is what I'm running) you probably don't need it, and can authenticate
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:

 Speaking of domain controllers, I am being told 2 different things...

 1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs,
 but you must have at least 1 physical.

 2) Virtualize everything you can. You don’t need any physical boxes at
 all.  Period.

 ** **

 Thoughts?

 ** **

 ** **

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 11:55 AM

 *To:* NT System Admin Issues
 *Subject:* Re: Hooray, I'm moving to VMware!

 ** **

 * Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?
 *
 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


 * No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.
 *
 Your Hyper-V server need not be a domain member.

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM

 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  Total: $185,000
 
  Sound good?


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Michael B. Smith
I vote for #1.

If you have a data-center failure, a standalone DC makes it just a little bit 
easier to get everything running again. (Note: I'm not suggesting it's a 
requirement, but if you are re-starting a datacenter after a full failure, 
every bit of simplicity helps.)

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 12:48 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

#2

There are rules/best practises to follow such as not using snapshots when 
updating DCs that are virtual, but the biggest issue, which used to be clock 
skew, is a non-issue these days.

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 16 April 2012 5:30 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Michael B. Smith
Not in my opinion.

But it's all about what you are used to.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Monday, April 16, 2012 10:40 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008 
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in England 
and Wales No. 402570 VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread David Mazzaccaro
How many VMs are you able to run on each of your 3 hosts?

With only 10 physical servers now.. I am wondering if 3 hosts are going
to be overkill.

Even with a play/test environment of another 10 servers…. Are 3 hosts
a waste?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

Yes!

 

By physical boxes, we'll presume a box that's running as a DC, and not
your hosts as Scott pithily responded... :-)  And you may as well run a
physical box for your vCenter if you're going to maintain a solid box
for DC.

 

The idea behind physical boxes, is it gives you something to
authenticate against and bring your environment back online.  At your
size (three hosts, which is what I'm running) you probably don't need
it, and can authenticate into the hosts and then start the guests that
way.

 

 

On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM


To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...

 

On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although
Postini frequently blocks messages from this list)... What factors led
to you choosing VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?


Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
*Data is code. Code is data. They’re both strings of 1’s and 0’s. *

No, they are most certainly not the same.


*The only difference is what is interpreting that string. *

And that's a huge difference.


*If data is data, how is it able to cause winword.exe to download a
payload?*

Well, here's an oversimplification of how buffer overflows work:


   1. An executable opens up a data file for manipulation
   2. Because the input buffer is not adequately validated, the data (which
   is larger than the area allowed by the buffer), ends up overwriting a
   critical area *of the host executable's execution area* with new 1s and
   0s.
   3. The code which should normally execute at the conclusion of the data
   input is now replaced by some code stub which will do what the attacker
   wants.
   4. This allows the host executable to now do something else
   than originally intended (or crash, which is what happens more often than
   not)


Now, while this might seem like it gives one the ability to completely co-opt the
functions of the host executable for one's own purpose, in practice, this is
very, very hard to do for anything but the simplest functionality.  If you
overwrite too much code, you'll just cause the host to die, which is
essentially a DoS attack.  Instead, the common practice is to use this
limited area that was overwritten to call down a more robust piece of
malware to get more malignant work done.  (Or, alternately, to make use of
already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because
it was legitimately opening a data file which corrupted a portion of its
application space because it did not properly validate its buffer space and
thus protect itself.  The initial action (File Open) is caused by a human.

The DATA did not execute, but allowed for the laying down of CODE which
could be executed.


More detailed analysis can be found here:

   - http://en.wikipedia.org/wiki/Buffer_overflow
   - http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
   - http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work



*ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of
Technology for the SMB market…*



On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Data is code. Code is data. They’re both strings of 1’s and 0’s. The
 only difference is what is interpreting that string.

 If data is data, how is it able to cause winword.exe to download a payload?
 

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 11:30 AM

 *To:* NT System Admin Issues
 *Subject:* Re: Whitelisting

 Because it is *data*.   

 Data doesn't make calls.  Code does.  That's been the gist of the
 argument from the very beginning.

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*



 

 On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

  

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 10:26 AM


 *To:* NT System Admin Issues

 *Subject:* Re: Whitelisting

  

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be
exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the
buffer overflow vulnerability
- User opens bad data file, which exploits the vulnerability

   

 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.

  

 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.

  

 This is a key benefit of whitelisting.

  

 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly* reduced.  (Read Only or Blocked Attack vs full system
 compromise)

  

  

  

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*

 On Mon, Apr 16, 2012 at 11:12 AM, James Rankin kz2...@googlemail.com
 wrote:

 Ah yes, I recall this debate before.

 So it's 
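
The sequence Andrew S. Baker describes in this message (steps 1 to 4) and the whitelisting scenario quoted beneath it, as an added example that is not part of the thread: a toy C model in which a length byte from the file is trusted, the copy spills over one byte of adjacent control data, and an allowlist check then decides whether the diverted launch goes ahead. The file format, memory layout, paths and all function names are constructed for illustration; an exact path match stands in for the hash or publisher rules a real whitelisting product applies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX   16   /* size of the input buffer */
#define REGION_SIZE 256  /* modelled memory; holds the largest 1-byte length */

enum action  { ACTION_RENDER = 0, ACTION_RUN_DROPPED = 1 };
enum outcome { RENDERED, REJECTED, CRASHED, UNAPPROVED_CODE_RAN, BLOCKED_BY_ALLOWLIST };

/* Constructed model of the host executable's memory: region[0..15] is the
 * title buffer, region[16] is control data that selects what runs once the
 * load has finished. Nothing here touches real control flow. */
struct host { unsigned char region[REGION_SIZE]; };
#define NEXT_ACTION(h) ((h)->region[TITLE_MAX])

/* Constructed allowlist and dropped-file path (assumptions). */
static const char *const APPROVED[] = {
    "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
    "C:\\Windows\\System32\\notepad.exe",
};
static const char DROPPED_PATH[] = "C:\\Users\\sample\\AppData\\Local\\Temp\\dropped.exe";

/* Constructed sample files: one length byte, then that many title bytes. */
static const unsigned char BENIGN[]   = { 5, 'H', 'e', 'l', 'l', 'o' };
static const unsigned char CRAFTED[]  = { 17, 'A','A','A','A','A','A','A','A',
                                          'A','A','A','A','A','A','A','A',
                                          ACTION_RUN_DROPPED };
static const unsigned char OVERLONG[] = { 17, 'A','A','A','A','A','A','A','A',
                                          'A','A','A','A','A','A','A','A', 'A' };

static int allowlist_permits(const char *path)
{
    for (size_t i = 0; i < sizeof APPROVED / sizeof APPROVED[0]; i++)
        if (strcmp(APPROVED[i], path) == 0)
            return 1;
    return 0;
}

/* validate == 0 reproduces the missing bounds check from step 2. */
static int load_title(struct host *h, const unsigned char *file,
                      size_t file_len, int validate)
{
    if (file_len < 1)
        return -1;
    size_t n = file[0];
    if (n > file_len - 1)
        return -1;                   /* truncated file: never read past the input */
    if (validate && n > TITLE_MAX)
        return -1;                   /* the check the vulnerable path lacks */
    memcpy(h->region, file + 1, n);  /* n > TITLE_MAX spills over region[16] */
    return 0;
}

enum outcome open_document(const unsigned char *file, size_t file_len,
                           int validate, int enforce_allowlist)
{
    struct host h;
    memset(&h, 0, sizeof h);
    NEXT_ACTION(&h) = ACTION_RENDER;  /* what the program intends to do next */

    if (load_title(&h, file, file_len, validate) != 0)
        return REJECTED;

    switch (NEXT_ACTION(&h)) {
    case ACTION_RENDER:
        return RENDERED;
    case ACTION_RUN_DROPPED:
        /* Step 4: the data changed what the host does next. The overflow
         * itself succeeded; the allowlist acts only at launch time. */
        if (enforce_allowlist && !allowlist_permits(DROPPED_PATH))
            return BLOCKED_BY_ALLOWLIST;
        return UNAPPROVED_CODE_RAN;
    default:
        return CRASHED;  /* garbage control data: the more common result */
    }
}

static const char *outcome_name(enum outcome o)
{
    static const char *const names[] = { "rendered", "rejected", "crashed",
        "unapproved code ran", "blocked by allowlist" };
    return names[o];
}

int main(void)
{
    printf("benign,   unchecked, no allowlist: %s\n",
           outcome_name(open_document(BENIGN, sizeof BENIGN, 0, 0)));
    printf("crafted,  unchecked, no allowlist: %s\n",
           outcome_name(open_document(CRAFTED, sizeof CRAFTED, 0, 0)));
    printf("crafted,  unchecked, allowlist:    %s\n",
           outcome_name(open_document(CRAFTED, sizeof CRAFTED, 0, 1)));
    printf("overlong, unchecked, allowlist:    %s\n",
           outcome_name(open_document(OVERLONG, sizeof OVERLONG, 0, 1)));
    printf("crafted,  validated:               %s\n",
           outcome_name(open_document(CRAFTED, sizeof CRAFTED, 1, 0)));
    return 0;
}
```

The allowlist never stops the copy from corrupting the control byte; it only refuses the launch that follows, which is why the validated loader and the allowlist are complementary rather than interchangeable.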

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Andrew S. Baker
System Center Virtual Machine Manager can manage both your VMware and
Hyper-V hosts...

   - http://technet.microsoft.com/en-us/library/hh546770.aspx
   - http://technet.microsoft.com/en-us/library/gg610610.aspx


And there are backup solutions which are pointed at your HyperV host and
will backup all the guests, yes.

*ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of
Technology for the SMB market…*



On Mon, Apr 16, 2012 at 12:28 PM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

  I didn't think you could point Veeam (or whatever HyperV aware backup
 app you're using) to a single entity like you can vCenter and have it
 backup every VM that's in your cluster?  If you can that's great to know as
 I always wondered how it coped with doing incremental backups of a VM when
 it's been moved between hosts if it addresses each host individually.

  On the domain point, so can you have several Hyper-V hosts that aren't
 domain members but still manage them as a single entity/cluster?  Basically
 what's the Hyper-V equivalent of a vCenter server?

  Like I said I haven't used it but I thought those were both things about
 it that didn't seem quite as polished as VMware?
  --
 *From:* Andrew S. Baker [asbz...@gmail.com]
 *Sent:* 16 April 2012 4:55 PM

 *To:* NT System Admin Issues
 *Subject:* Re: Hooray, I'm moving to VMware!

  * Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?
 *
 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


 * No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.
 *
 Your Hyper-V server need not be a domain member.


 *ASB*  *http://XeeMe.com/AndrewBaker*  *Harnessing the Advantages of
 Technology for the SMB market…*



 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the
 timing falls nicely with our SAN and server refresh, but honestly the only
 reason I can see for looking at moving would be license costs - VMware
 works out expensive if you have more than a few hosts and want more than
 the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM
  To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  Total: $185,000
 
  Sound good?





Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Jonathan Link
I have 11 guests.  I have three hosts so I can survive a host failure
without squeezing the resources on the remaining hosts too much.

On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:

 How many VMs are you able to run on each of your 3 hosts?

 With only 10 physical servers now.. I am wondering if 3 hosts are going to
 be overkill.

 Even with a play/test environment of another 10 servers…. Are 3 hosts a
 waste?

 *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
 *Sent:* Monday, April 16, 2012 1:05 PM

 *To:* NT System Admin Issues
 *Subject:* Re: Hooray, I'm moving to VMware!

 Yes!

 By physical boxes, we'll presume a box that's running as a DC, and not
 your hosts as Scott pithily responded... :-)  And you may as well run a
 physical box for your vCenter if you're going to maintain a solid box for
 DC.

 The idea behind physical boxes, is it gives you something to authenticate
 against and bring your environment back online.  At your size (three hosts,
 which is what I'm running) you probably don't need it, and can authenticate
 into the hosts and then start the guests that way.

 On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
 david.mazzacc...@hudsonmobility.com wrote:

 Speaking of domain controllers, I am being told 2 different things...

 1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs,
 but you must have at least 1 physical.

 2) Virtualize everything you can. You don’t need any physical boxes at
 all.  Period.

  

 Thoughts?

  

  

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 11:55 AM


 *To:* NT System Admin Issues
 *Subject:* Re: Hooray, I'm moving to VMware!

  

 * Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?
 *
 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


 * No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.
 *
 Your Hyper-V server need not be a domain member.

  

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*

 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM

 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Andrew S. Baker
Either choice can be made to work without tremendous difficulty.   But they
do require different considerations.

You'll find enough folks on this list that subscribe to either perspective.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:

 Speaking of domain controllers, I am being told 2 different things...

 1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs,
 but you must have at least 1 physical.

 2) Virtualize everything you can. You don’t need any physical boxes at
 all.  Period.

 Thoughts?

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 11:55 AM
 To: NT System Admin Issues
 Subject: Re: Hooray, I'm moving to VMware!

 *Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?*
 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


 *No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.*
 Your Hyper-V server need not be a domain member.

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 

 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM

 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like this will be the
 solution:
 
  3 hosts: ($21k each)
  HP DL380 G7 E5660
  Pair of 146 15k drives mirrored
  196 G RAM - this was $45k alone
  Quad port gig adapter
 
  2 Switches: ($1,800 each)
  HP 2910
 
  1 SAN ($22,700)
  NetApp 2240
  12 x 600GB
 
  VSphere Essentials Plus ($5,200)
 
  6 Windows licenses ($13,600):
  Server 2008 Datacenter
 
  Windows/Xenapp licenses ($26,000)
 
  $40k services
  Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
  Domain upgrade, P2V existing servers
 
  Total: $185,000
 
  Sound good?




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Whitelisting

2012-04-16 Thread Rankin, James R
Great info ASB, thanks, very relevant to a lot of work I've been doing.

---Blackberried

-Original Message-
From: Andrew S. Baker asbz...@gmail.com
Date: Mon, 16 Apr 2012 14:27:56 
To: NT System Admin Issuesntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Whitelisting

*Data is code. Code is data. They’re both strings of 1’s and 0’s.*

No, they are most certainly not the same.


*The only difference is what is interpreting that string.*

And that's a huge difference.


*If data is data, how is it able to cause winword.exe to download a
payload?*

Well, here's an oversimplification of how buffer overflows work:


   1. An executable opens up a data file for manipulation
   2. Because the input buffer is not adequately validated, the data (which
   is larger than the area allowed by the buffer), ends up overwriting a
   critical area *of the host executable's execution area* with new 1s and
   0s.
   3. The code which should normally execute at the conclusion of the data
   input is now replaced by some code stub which will do what the attacker
   wants.
   4. This allows the host executable to now do something else
   than originally intended (or crash, which is what happens more often than
   not)


Now, while this might seem like it gives one the ability to completely co-opt the
functions of the host executable for one's own purpose, in practice, this is
very, very hard to do for anything but the simplest functionality.  If you
overwrite too much code, you'll just cause the host to die, which is
essentially a DoS attack.  Instead, the common practice is to use this
limited area that was overwritten to call down a more robust piece of
malware to get more malignant work done.  (Or, alternately, to make use of
already installed executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because
it was legitimately opening a data file which corrupted a portion of its
application space because it did not properly validate its buffer space and
thus protect itself.  The initial action (File Open) is caused by a human.

The DATA did not execute, but allowed for the laying down of CODE which
could be executed.


More detailed analysis can be found here:

   - http://en.wikipedia.org/wiki/Buffer_overflow
   - http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
   - http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work



ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Data is code. Code is data. They’re both strings of 1’s and 0’s. The
 only difference is what is interpreting that string.

 If data is data, how is it able to cause winword.exe to download a payload?

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 11:30 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Because it is *data*.

 Data doesn't make calls.  Code does.  That's been the gist of the
 argument from the very beginning.

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 

 On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

  

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 10:26 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

  

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the vulnerability can be
exploited.
- Bad guy creates a hand-crafted data file that takes advantage of the
buffer overflow vulnerability
- User opens bad data file, which exploits the vulnerability

   

 In a traditional environment, the exploit of the vulnerability would
 likely include the uploading or installation of some files to the exploited
 machine for the purpose of controlling it more directly.

  

 In an environment that makes use of whitelisting technology, the code that
 is spawned by the exploit (either because it is embodied in the bad data,
 or because it is downloaded from some remote server) will be unable to run
 -- because it is not an approved application/code.

  

 This is a key benefit of whitelisting.

  

 Now, if the malware exploit only attempts to make use of existing files
 (CMD, etc) then these executions will be subject to whether or not they are
 approved from a whitelisting perspective, but the scope of the exploit is
 still *greatly* 
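
The four overflow steps from the message above, as an added C example that is not part of the original thread: a toy memory model in which unvalidated data changes what the host runs next, beside the length check that stops it. The layout, the names `open_unchecked` and `open_checked`, and the sample inputs are all assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy model of a host program's memory: a 16-byte input buffer followed
 * directly by one byte that selects what the host runs once the file has
 * been read. One flat array keeps the out-of-bounds write well defined for
 * this demo; against a real C buffer the same copy is undefined behaviour. */
enum { BUF_SIZE = 16, NEXT_SLOT = BUF_SIZE, IMAGE_SIZE = BUF_SIZE + 1 };

/* What the host can end up doing after "File Open". */
enum outcome { RENDER_DOC = 0, FETCH_REMOTE = 1, CRASHED = 2, REJECTED = 3 };

static void image_init(unsigned char *image)
{
    memset(image, 0, IMAGE_SIZE);
    image[NEXT_SLOT] = RENDER_DOC;   /* the step the author intended */
}

/* The host acts on whatever the slot holds by the time loading finishes. */
static enum outcome dispatch(const unsigned char *image)
{
    switch (image[NEXT_SLOT]) {
    case RENDER_DOC:   return RENDER_DOC;
    case FETCH_REMOTE: return FETCH_REMOTE; /* existing routine, wrong moment */
    default:           return CRASHED;      /* garbage in the slot */
    }
}

/* Vulnerable loader: trusts the length of the data file (steps 1 and 2). */
enum outcome open_unchecked(const unsigned char *data, size_t len)
{
    unsigned char image[IMAGE_SIZE];
    image_init(image);
    if (len > IMAGE_SIZE)
        len = IMAGE_SIZE;            /* clamp only so the demo stays in its array */
    memcpy(image, data, len);        /* may run past BUF_SIZE into NEXT_SLOT */
    return dispatch(image);
}

/* Hardened loader: validates the length against the buffer before copying. */
enum outcome open_checked(const unsigned char *data, size_t len)
{
    unsigned char image[IMAGE_SIZE];
    image_init(image);
    if (len > BUF_SIZE)
        return REJECTED;             /* oversized input never reaches memory */
    memcpy(image, data, len);
    return dispatch(image);
}

/* Constructed sample "data files" (not taken from any real document). */
static const unsigned char benign[10] = "hello doc";
static const unsigned char crafted[IMAGE_SIZE] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    FETCH_REMOTE                     /* 17th byte lands on NEXT_SLOT */
};
static const unsigned char sloppy[IMAGE_SIZE] = {
    'B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B',
    'B'                              /* 17th byte is not a valid selector */
};

int main(void)
{
    static const char *name[] = { "render document", "fetch remote content",
                                  "crash", "rejected" };
    printf("unchecked, benign : %s\n", name[open_unchecked(benign, sizeof benign)]);
    printf("unchecked, crafted: %s\n", name[open_unchecked(crafted, sizeof crafted)]);
    printf("unchecked, sloppy : %s\n", name[open_unchecked(sloppy, sizeof sloppy)]);
    printf("checked,   crafted: %s\n", name[open_checked(crafted, sizeof crafted)]);
    printf("checked,   benign : %s\n", name[open_checked(benign, sizeof benign)]);
    return 0;
}
```

The data never executes in either loader; in the unchecked one it only changes which already-present routine the host selects, and most oversized inputs simply crash it.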

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Cook
We average 5-6 per Host with 3 ESXi5 hosts. That being said any  host failure 
and subsequent failover to the other two hosts will not impact the performance 
of the guest machines. It depends on what you are trying to accomplish - the 
least possible number of physical boxes or some resiliency.

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 2:24 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers…. Are 3 hosts a waste?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
FWIW I can run our entire infrastructure (and do when I'm doing host 
maintenance) on a single DL380.

That's around 43 VM's including Exchange 2010, our AD and our primary file 
server.

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 16 April 2012 7:24 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers…. Are 3 hosts a waste?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don’t need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market…


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Andrew S. Baker
Yes, unless your hosts are small, or your guests are huge.

10 guests would only need 2 hosts for redundancy purposes.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:

 How many VMs are you able to run on each of your 3 hosts?

 With only 10 physical servers now.. I am wondering if 3 hosts are going to
 be overkill.

 Even with a play/test environment of another 10 servers…. Are 3 hosts a
 waste?

 From: Jonathan Link [mailto:jonathan.l...@gmail.com]
 Sent: Monday, April 16, 2012 1:05 PM
 To: NT System Admin Issues
 Subject: Re: Hooray, I'm moving to VMware!

 Yes!

 By physical boxes, we'll presume a box that's running as a DC, and not
 your hosts as Scott pithily responded... :-)  And you may as well run a
 physical box for your vCenter if you're going to maintain a solid box for
 DC.


 The idea behind physical boxes, is it gives you something to authenticate
 against and bring your environment back online.  At your size (three hosts,
 which is what I'm running) you probably don't need it, and can authenticate
 into the hosts and then start the guests that way.


 On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
 david.mazzacc...@hudsonmobility.com wrote:

 Speaking of domain controllers, I am being told 2 different things...

 1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs,
 but you must have at least 1 physical.

 2) Virtualize everything you can. You don’t need any physical boxes at
 all.  Period.

  

 Thoughts?

  

  

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 11:55 AM
 To: NT System Admin Issues
 Subject: Re: Hooray, I'm moving to VMware!

  

 *Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?*
 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


 *No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.*
 Your Hyper-V server need not be a domain member.

  

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…

 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM

 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 14:16
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Someone else asked about this, but I didn't see a reply (although Postini
 frequently blocks messages from this list)... What factors led to you
 choosing VMware over Hyper-V?



 John Hornbuckle, MSMIS, PMP
 MIS Department
 Taylor County School District
 www.taylor.k12.fl.us



 - Original Message -
 From: David Mazzaccaro
 [mailto:david.mazzacc...@hudsonmobility.com]
 To: NT System Admin Issues
 [mailto:ntsysadmin@lyris.sunbelt-software.com]
 Sent: Fri, 13 Apr 2012
 08:38:47 -0700
 Subject: Hooray, I'm moving to VMware!


  Just got the ok to move forward with VMware/Citrix/Domain upgrade.
  I have 10 physical servers, and it looks like 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread David Mazzaccaro
How does that work  now?

Are the 11 guests distributed dynamically across the 3 hosts?  Or are
they dedicated to specific hosts always?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 2:32 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

I have 11 guests.  I have three hosts so I can survive a host failure
without squeezing the resources on the remaining hosts too much.

On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

How many VMs are you able to run on each of your 3 hosts?

With only 10 physical servers now.. I am wondering if 3 hosts are going
to be overkill.

Even with a play/test environment of another 10 servers…. Are 3 hosts
a waste?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 1:05 PM


To: NT System Admin Issues

Subject: Re: Hooray, I'm moving to VMware!

 

Yes!

 

By physical boxes, we'll presume a box that's running as a DC, and not
your hosts as Scott pithily responded... :-)  And you may as well run a
physical box for your vCenter if you're going to maintain a solid box
for DC.

 

The idea behind physical boxes, is it gives you something to
authenticate against and bring your environment back online.  At your
size (three hosts, which is what I'm running) you probably don't need
it, and can authenticate into the hosts and then start the guests that
way.

 

 

On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM


To: NT System Admin Issues

Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...

 

On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.


From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although
Postini frequently blocks messages from this list)... What factors led
to you choosing VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 

Re: Whitelisting

2012-04-16 Thread Kurt Buff
On Sun, Apr 15, 2012 at 23:24, Ken Schaefer k...@adopenstatic.com wrote:
 To drive the point home - If I had to choose between whitelisting 
 applications and blacklisting data, I'd choose whitelisting applications, 
 every time.

 Why would you have to make a choice? They are not mutually exclusive options.

You are correct, they are not, and I'd prefer to be able to do both,
but it sharpens the point. I think blacklisting is basically a dead
technology, even though it's all I have at the moment. When the bad
guys can morph executables in minutes and blast them out via email or
compromised web sites (and other modes, too) many times a day, it's
gone beyond whack-a-mole.

snip

 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.

 Those people generally don't run into problems in the first place. Digital 
 signatures, signed kernel mode code etc. can be used to verify that software 
 you are running is mostly legitimate.

Digital signatures, signed kernel mode code, etc., are whitelisting.

 The tools already exist for whitelisting applications running on your home 
 computer - even Windows includes Software Restriction Policies, Applocker 
 etc, but I doubt you've implemented it - it's simply too much hassle to 
 create a digital signature of each and every single executable you want to 
 allow, and then restrict each and every .dll or resource file that the .exe 
 is allowed to load into its process space, and then also ensure that every 
 application doesn't provide some shared memory space or other way for code to 
 end up inside the permitted process.


You are correct - I haven't implemented them yet for our users. But, I
am doing so for myself. I've put my user account and my machine into a
test OU, and am applying policies that are more restrictive than what
apply to standard users now. I do understand how difficult it is. I
recently ran md5sum against one of our older standard image machines,
prior to deployment (booted from a USB stick to have complete access),
and redirected the hashes into a text file. I ran the machine through
a round of patches, and did an md5sum again, then ran a diff. It was
amazing how many files changed.

NSA has put up a good approach, however, that might be workable - but
for it to be really useful, users should not have admin rights, among
other things. It also specifies SRP, as opposed to BitLocker - I'm
sure that can be factored in.
http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
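
The before/after hashing described in the message above, as an added example that is not part of the original post: it compares two md5sum manifests and counts how many hash rules built from the first image still match after patching. The manifests, placeholder digests, the /mnt/win mount point and the extension list are constructed assumptions.

```python
"""Compare two md5sum manifests taken before and after patching."""
import re
from pathlib import PurePosixPath

# One md5sum output line: 32 hex digits, a space, a mode flag (' ' text or
# '*' binary), then the path, which may itself contain spaces.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

# File types a hash rule would be written for (assumption for this example).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".msi", ".vbs", ".js", ".jar"}


def parse_manifest(text):
    """Return {path: md5} from md5sum output, skipping lines that do not parse."""
    entries = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries[match.group(2)] = match.group(1).lower()
    return entries


def compare(before, after):
    """Path-level view of what a plain diff of the two manifests shows."""
    common = before.keys() & after.keys()
    return {
        "changed": sorted(p for p in common if before[p] != after[p]),
        "unchanged": sorted(p for p in common if before[p] == after[p]),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


def is_executable(path):
    return PurePosixPath(path).suffix.lower() in EXECUTABLE_EXTS


def hash_rule_impact(before, after):
    """Model one hash rule per executable digest in the 'before' image.

    A hash rule matches file content wherever the file lives, so a patched
    or newly added binary is blocked until a rule for its digest exists.
    """
    allowed = {h for p, h in before.items() if is_executable(p)}
    after_exec = {p: h for p, h in after.items() if is_executable(p)}
    blocked = sorted(p for p, h in after_exec.items() if h not in allowed)
    orphaned = allowed - set(after_exec.values())
    return {
        "rules_before": len(allowed),
        "blocked_after_patch": blocked,
        "orphaned_rules": len(orphaned),
    }


def _digest(ch):
    """Constructed placeholder digest, not a real file hash."""
    return ch * 32


WIN = "/mnt/win"  # hypothetical mount point of the offline Windows volume

# Constructed sample manifests (not taken from the thread).
SAMPLE_BEFORE = "\n".join([
    f"{_digest('a')}  {WIN}/Windows/System32/kernel32.dll",
    f"{_digest('b')}  {WIN}/Windows/System32/ntdll.dll",
    f"{_digest('c')} *{WIN}/Program Files/Acme/acme.exe",
    f"{_digest('d')}  {WIN}/Windows/win.ini",
    f"{_digest('e')}  {WIN}/Windows/System32/oldhelper.dll",
    "this line is not md5sum output and is skipped",
])

SAMPLE_AFTER = "\n".join([
    f"{_digest('1')}  {WIN}/Windows/System32/kernel32.dll",   # patched
    f"{_digest('b')}  {WIN}/Windows/System32/ntdll.dll",
    f"{_digest('c')} *{WIN}/Program Files/Acme/acme.exe",
    f"{_digest('2')}  {WIN}/Windows/win.ini",                  # changed, not code
    f"{_digest('f')}  {WIN}/Windows/System32/newhelper.dll",  # added by patch
])


if __name__ == "__main__":
    before = parse_manifest(SAMPLE_BEFORE)
    after = parse_manifest(SAMPLE_AFTER)
    for kind, paths in compare(before, after).items():
        print(f"{kind}: {len(paths)}")
        for path in paths:
            print(f"  {path}")
    impact = hash_rule_impact(before, after)
    print(f"hash rules built from the old image: {impact['rules_before']}")
    print(f"rules that no longer match any file: {impact['orphaned_rules']}")
    print("executables blocked until re-hashed:")
    for path in impact["blocked_after_patch"]:
        print(f"  {path}")
```

Filtering the diff down to executable types separates the churn that breaks hash rules from ordinary data-file changes such as the .ini file in the sample.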



RE: Hooray, I'm moving to VMware!

2012-04-16 Thread David Mazzaccaro
That is awesome.

What are the hardware specs of the DL380?

 

 

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Monday, April 16, 2012 2:43 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

 

FWIW I can run our entire infrastructure (and do when I'm doing host
maintenance) on a single DL380. 

 

That's around 43 VM's including Exchange 2010, our AD and our primary
file server. 



From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 16 April 2012 7:24 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How many VMs are you able to run on each of your 3 hosts?

With only 10 physical servers now.. I am wondering if 3 hosts are going
to be overkill.

Even with a play/test environment of another 10 servers Are 3 hosts
a waste?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

Yes!

 

By physical boxes, we'll presume a box that's running as a DC, and not
your hosts as Scott pithily responded... :-)  And you may as well run a
physical box for your vCenter if you're going to maintain a solid box
for DC.

 

The idea behind physical boxes, is it gives you something to
authenticate against and bring your environment back online.  At your
size (three hosts, which is what I'm running) you probably don't need
it, and can authenticate into the hosts and then start the guests that
way.

 

 

On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM


To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...

 

On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although
Postini frequently blocks messages from this list)... What factors led
to you choosing VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Brian Desmond
5-6 guests per host? How tiny are these hosts?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: John Cook [mailto:john.c...@pfsf.org]
Sent: Monday, April 16, 2012 1:37 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

We average 5-6 per Host with 3 ESXi5 hosts. That being said any  host failure 
and subsequent failover to the other two hosts will not impact the performance 
of the guest machines. It depends on what you are trying to accomplish - the 
least possible number of physical boxes or some resiliency.

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 2:24 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers Are 3 hosts a waste?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread David Mazzaccaro
I'm thinking knocking 1 host off the quote would save me $25k - enough
for a 2nd SAN to be placed in a secondary site.

 

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 2:45 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

Yes, unless your hosts are small, or your guests are huge.

 

10 guests would only need 2 hosts for redundancy purposes.


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...





On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

How many VMs are you able to run on each of your 3 hosts?

With only 10 physical servers now.. I am wondering if 3 hosts are going
to be overkill.

Even with a play/test environment of another 10 servers Are 3 hosts
a waste?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 1:05 PM


To: NT System Admin Issues

Subject: Re: Hooray, I'm moving to VMware!

 

Yes!

 

By physical boxes, we'll presume a box that's running as a DC, and not
your hosts as Scott pithily responded... :-)  And you may as well run a
physical box for your vCenter if you're going to maintain a solid box
for DC.

 

The idea behind physical boxes, is it gives you something to
authenticate against and bring your environment back online.  At your
size (three hosts, which is what I'm running) you probably don't need
it, and can authenticate into the hosts and then start the guests that
way.

 

 

On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM


To: NT System Admin Issues

Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...

 

On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.


From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although
Postini frequently blocks messages from this list)... What factors led
to you choosing VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Andrew S. Baker
We average about 20-25 guests per host right now.  More in our development
environment.

What size hardware are you using?

*ASB*

*http://XeeMe.com/AndrewBaker*

*Harnessing the Advantages of Technology for the SMB market…*



On Mon, Apr 16, 2012 at 2:37 PM, John Cook john.c...@pfsf.org wrote:

  We average 5-6 per Host with 3 ESXi5 hosts. That being said any  host
 failure and subsequent failover to the other two hosts will not impact the
 performance of the guest machines. It depends on what you are trying to
 accomplish – the least possible number of physical boxes or some resiliency.
 

  *John W. Cook*

 *Network Operations Manager*

 *Partnership For Strong Families*

 *5950 NW 1st Place*

 *Gainesville, Fl 32607*

 *Office (352) 244-1610*

 *Cell (352) 215-6944*

 *MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP**4, VTSP4*

 *From:* David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
 *Sent:* Monday, April 16, 2012 2:24 PM

 *To:* NT System Admin Issues
 *Subject:* RE: Hooray, I'm moving to VMware!

 How many VMs are you able to run on each of your 3 hosts?

 With only 10 physical servers now.. I am wondering if 3 hosts are going to
 be overkill.

 Even with a play/test environment of another 10 servers…. Are 3 hosts a
 waste?

 *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
 *Sent:* Monday, April 16, 2012 1:05 PM
 *To:* NT System Admin Issues
 *Subject:* Re: Hooray, I'm moving to VMware!

 Yes!

 By physical boxes, we'll presume a box that's running as a DC, and not
 your hosts as Scott pithily responded... :-)  And you may as well run a
 physical box for your vCenter if you're going to maintain a solid box for
 DC.

 The idea behind physical boxes, is it gives you something to authenticate
 against and bring your environment back online.  At your size (three hosts,
 which is what I'm running) you probably don't need it, and can authenticate
 into the hosts and then start the guests that way.

 On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
 david.mazzacc...@hudsonmobility.com wrote:

 Speaking of domain controllers, I am being told 2 different things...

 1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs,
 but you must have at least 1 physical.

 2) Virtualize everything you can. You don’t need any physical boxes at
 all.  Period.

  

 Thoughts?

  

  

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 11:55 AM


 *To:* NT System Admin Issues
 *Subject:* Re: Hooray, I'm moving to VMware!

  

 *Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?*

 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


 *No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.*

 Your Hyper-V server need not be a domain member.

  

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*

 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 
 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM

 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Cook
You can create Host affinity which says they will migrate to a specific host 
but VCenter does a good job of balancing the migrations on its own.

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 2:52 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How does that work  now?
Are the 11 guests distributed dynamically across the 3 hosts?  Or are they 
dedicated to specific hosts always?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 2:32 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

I have 11 guests.  I have three hosts so I can survive a host failure without 
squeezing the resources on the remaining hosts too much.
On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:
How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers Are 3 hosts a waste?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Jonathan Link
I don't have vmotion, they're assigned to specific hosts, and are all on
the SAN.  So, if a host fails, or I need to do maintenance I can down the
guest and migrate it to another host.  This works for hosts that aren't
mission critical or can survive some downtime window during standard
business hours without people noticing or howling too much.

On Mon, Apr 16, 2012 at 2:51 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:

 How does that work  now?

 Are the 11 guests distributed dynamically across the 3 hosts?  Or are they
 dedicated to specific hosts always?

 *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
 *Sent:* Monday, April 16, 2012 2:32 PM

 *To:* NT System Admin Issues
 *Subject:* Re: Hooray, I'm moving to VMware!

 I have 11 guests.  I have three hosts so I can survive a host failure
 without squeezing the resources on the remaining hosts too much.

 On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro 
 david.mazzacc...@hudsonmobility.com wrote:

 How many VMs are you able to run on each of your 3 hosts?

 With only 10 physical servers now.. I am wondering if 3 hosts are going to
 be overkill.

 Even with a play/test environment of another 10 servers…. Are 3 hosts a
 waste?

  

  

  

 *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
 *Sent:* Monday, April 16, 2012 1:05 PM


 *To:* NT System Admin Issues

 *Subject:* Re: Hooray, I'm moving to VMware!

  

 Yes!

  

 By physical boxes, we'll presume a box that's running as a DC, and not
 your hosts as Scott pithily responded... :-)  And you may as well run a
 physical box for your vCenter if you're going to maintain a solid box for
 DC.

  

 The idea behind physical boxes, is it gives you something to authenticate
 against and bring your environment back online.  At your size (three hosts,
 which is what I'm running) you probably don't need it, and can authenticate
 into the hosts and then start the guests that way.

  

  

 On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
 david.mazzacc...@hudsonmobility.com wrote:

 Speaking of domain controllers, I am being told 2 different things...

 1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs,
 but you must have at least 1 physical.

 2) Virtualize everything you can. You don’t need any physical boxes at
 all.  Period.

  

 Thoughts?

  

  

 *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
 *Sent:* Monday, April 16, 2012 11:55 AM
 


 *To:* NT System Admin Issues

 *Subject:* Re: Hooray, I'm moving to VMware!

  

 *Single thing to point backups at - I believe you have to backup
 Hyper-V boxes individually?*

 No, you don't have to back them up individually.   Lots of 3rd party
 options here.


 *No dependency on the domain being present which can put you in a
 fun situation if you have to power everything off and on again.*

 Your Hyper-V server need not be a domain member.

  

 *ASB*

 *http://XeeMe.com/AndrewBaker*

 *Harnessing the Advantages of Technology for the SMB market…*

  

 On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
 paul.hutchi...@mira.co.uk wrote:

 I've only used VMware so I'm more than happy to be corrected here, but in
 no particular order:

 Single ISO takes you from bare metal to working server.
 No third party drivers needed for things like MPIO and NIC teaming.
 Single management tool.
 Single management server (vCenter) gives visibility to your entire VMware
 infrastructure.
 Single thing to point backups at - I believe you have to backup Hyper-V
 boxes individually?
 No dependency on the domain being present which can put you in a fun
 situation if you have to power everything off and on again.

 Outside of usability you then have:

 Pretty much any virtual appliance you care to name will come natively in
 VMDK/OVF format
 Tons of vCenter add-ins

 I'm very interested in Hyper-V with Windows Server 8 and for us the timing
 falls nicely with our SAN and server refresh, but honestly the only reason
 I can see for looking at moving would be license costs - VMware works out
 expensive if you have more than a few hosts and want more than the basics.
 

 From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 April 2012 3:39 PM

 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 Is the consensus that VMware is easier to use than Hyper-V?

 I've only used the latter, so I can't judge.



 John


 -Original Message-
 From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
 Sent: Monday, April 16, 2012 9:36 AM
 To: NT System Admin Issues
 Subject: RE: Hooray, I'm moving to VMware!

 I'd assume ease of use and market leader.

 -Original Message-
 From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
 Sent: 16 

Re: Whitelisting

2012-04-16 Thread Ben Scott
On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

 A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
 rights

 B - Limited use infection  (since it destroys itself)

  You're missing the point.  You're arguing against the example,
rather than the principle.  Namely: It's possible to use a whitelisted
application as an attack vector.[1]

  You're also making another mistake -- you're seeing protection of
the system as an end, rather than a means.  Nobody cares if the OS is
intact if all the data is gone.  We protect the OS because we use the
OS to protect the assets, not just for the sake of having a protected
OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e.,
trying to identify and exclude known bad software, is the better
alternative.




RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Chinnery, Paul
If you have DRS turned on, yes.  However, you can also designate that some will 
always be on the same host. For example, we have HCIS authentication server 
(file) that always uses a certain background server.  So, if FSA is vmotioned 
to another host, BG1 will follow.

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 2:52 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How does that work  now?
Are the 11 guests distributed dynamically across the 3 hosts?  Or are they 
dedicated to specific hosts always?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 2:32 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

I have 11 guests.  I have three hosts so I can survive a host failure without 
squeezing the resources on the remaining hosts too much.
On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers…. Are 3 hosts a waste?



From: Jonathan Link 
[mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings 
[mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle 
[mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
144gb of RAM and a pair of Xeon 56xx's (six core, I forget the exact model).

Keep in mind that if you're like most people your first bottleneck will most 
likely be RAM, then disk, with CPU almost certainly last.

I can run all that lot on a single box and it doesn't run slowly, but I would 
also add that many of those boxes are small VM's for application isolation so 
aren't that busy beyond their steady state.

FWIW without knowing all the specifics behind why you're being recommended the 
solution you've posted, if all the kit is going in the same room three hosts 
sounds like overkill and two would almost certainly do the job.

I'd be more concerned about getting in a proper backup/replication option so 
you have a quick fallback should your single SAN or room disappear.


From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 16 April 2012 8:10 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

That is awesome.
What are the hardware specs of the DL380?


From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 2:43 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

FWIW I can run our entire infrastructure (and do when I'm doing host 
maintenance) on a single DL380.

That's around 43 VM's including Exchange 2010, our AD and our primary file 
server.

From: David Mazzaccaro [david.mazzacc...@hudsonmobility.com]
Sent: 16 April 2012 7:24 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!
How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers…. Are 3 hosts a waste?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don’t need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market…


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 
[john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Don Kuhlman
#2 is probably the current wave, but I would say it depends on your 
environment.  Large size enterprises probably keep several physical boxes for 
specific use (DC, etc.)

On the other hand, I have a very small side client that I have even virtualized 
anything yet. They've got 4 locations, 3 servers with 1 at each location 
running as a fileserver and DC for local authentication, and the sites are 
connected by VPN over Cable.

Don K



 From: David Mazzaccaro david.mazzacc...@hudsonmobility.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com 
Sent: Monday, April 16, 2012 11:30 AM
Subject: RE: Hooray, I'm moving to VMware!
 

Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don’t need any physical boxes at all.  
Period.
 
Thoughts?
 
 
From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!
 
Single thing to point backups at - I believe you have to backup Hyper-V 
boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.
 
ASB 
http://XeeMe.com/AndrewBaker 
Harnessing the Advantages of Technology for the SMB market… 


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings paul.hutchi...@mira.co.uk 
wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro
[mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues
[mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Fri, 13 Apr 2012
08:38:47 -0700
Subject: Hooray, I'm moving to VMware!


 Just got the ok to move forward with VMware/Citrix/Domain upgrade.
 I have 10 physical servers, and it looks like this will be the
solution:

 3 hosts: ($21k each)
 HP DL380 G7 E5660
 Pair of 146 15k drives mirrored
 196 G RAM - this was $45k alone
 Quad port gig adapter

 2 Switches: ($1,800 each)
 HP 2910

 1 SAN ($22,700)
 NetApp 2240
 12 x 600GB

 VSphere Essentials Plus ($5,200)

 6 Windows licenses ($13,600):
 Server 2008 Datacenter

 Windows/Xenapp licenses ($26,000)

 $40k services
 Install/config SAN, switches, hosts, VMware, new Citrix farm, 2008
 Domain upgrade, P2V existing servers

 Total: $185,000

 Sound good?

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Ziots, Edward
Yeah we are doing about 30+ guests per host, mostly blades systems here.


 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 3:20 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

We average about 20-25 guests per host right now.  More in our
development environment.

 

What size hardware are you using?


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...





On Mon, Apr 16, 2012 at 2:37 PM, John Cook john.c...@pfsf.org wrote:

We average 5-6 per Host with 3 ESXi5 hosts. That being said any  host
failure and subsequent failover to the other two hosts will not impact
the performance of the guest machines. It depends on what you are trying
to accomplish - the least possible number of physical boxes or some
resiliency.

 

 John W. Cook

Network Operations Manager

Partnership For Strong Families

5950 NW 1st Place

Gainesville, Fl 32607

Office (352) 244-1610

Cell (352) 215-6944

MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com] 
Sent: Monday, April 16, 2012 2:24 PM


To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

 

How many VMs are you able to run on each of your 3 hosts?

With only 10 physical servers now.. I am wondering if 3 hosts are going
to be overkill.

Even with a play/test environment of another 10 servers…. Are 3 hosts
a waste?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

Yes!

 

By physical boxes, we'll presume a box that's running as a DC, and not
your hosts as Scott pithily responded... :-)  And you may as well run a
physical box for your vCenter if you're going to maintain a solid box
for DC.

 

The idea behind physical boxes, is it gives you something to
authenticate against and bring your environment back online.  At your
size (three hosts, which is what I'm running) you probably don't need
it, and can authenticate into the hosts and then start the guests that
way.

 

 

On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, April 16, 2012 11:55 AM


To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...

 

On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread David Mazzaccaro
Do you have a secondary SAN in case there is a problem w/ it?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 3:32 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 

I don't have vmotion, they're assigned to specific hosts, and are all on
the SAN.  So, if a host fails, or I need to do maintenance I can down
the guest and migrate it to another host.  This works for hosts that
aren't mission critical or can survive some downtime window during
standard business hours without people noticing or howling too much.

 

On Mon, Apr 16, 2012 at 2:51 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

How does that work  now?

Are the 11 guests distributed dynamically across the 3 hosts?  Or are
they dedicated to specific hosts always?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 2:32 PM


To: NT System Admin Issues

Subject: Re: Hooray, I'm moving to VMware!

 

I have 11 guests.  I have three hosts so I can survive a host failure
without squeezing the resources on the remaining hosts too much.

On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

How many VMs are you able to run on each of your 3 hosts?

With only 10 physical servers now.. I am wondering if 3 hosts are going
to be overkill.

Even with a play/test environment of another 10 servers…. Are 3 hosts
a waste?

 

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, April 16, 2012 1:05 PM


To: NT System Admin Issues

Subject: Re: Hooray, I'm moving to VMware!

 

Yes!

 

By physical boxes, we'll presume a box that's running as a DC, and not
your hosts as Scott pithily responded... :-)  And you may as well run a
physical box for your vCenter if you're going to maintain a solid box
for DC.

 

The idea behind physical boxes, is it gives you something to
authenticate against and bring your environment back online.  At your
size (three hosts, which is what I'm running) you probably don't need
it, and can authenticate into the hosts and then start the guests that
way.

 

 

On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro
david.mazzacc...@hudsonmobility.com wrote:

Speaking of domain controllers, I am being told 2 different things...

1) ALWAYS keep a single DC physical.  You can certainly have virtual
DCs, but you must have at least 1 physical.

2) Virtualize everything you can. You don't need any physical boxes at
all.  Period.

 

Thoughts?

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 

Sent: Monday, April 16, 2012 11:55 AM


To: NT System Admin Issues

Subject: Re: Hooray, I'm moving to VMware!

 

 Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?


No, you don't have to back them up individually.   Lots of 3rd party
options here.


 No dependency on the domain being present which can put you in a
fun situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

 

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...

 

On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:

I've only used VMware so I'm more than happy to be corrected here, but
in no particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire
VMware infrastructure.
Single thing to point backups at - I believe you have to backup
Hyper-V boxes individually?
No dependency on the domain being present which can put you in a fun
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the
timing falls nicely with our SAN and server refresh, but honestly the
only reason I can see for looking at moving would be license costs -
VMware works out expensive if you have more than a few hosts and want
more than the basics.


From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM

To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!


RE: Hooray, I'm moving to VMware!

2012-04-16 Thread John Cook
Why is it always about size??? ;-)
We have a multitude of various servers - Exchange, Oracle, DCs, BES, 
Sharepoint, SQL, email archiving, AV, yada yada yada. That's only the 
production servers, we have  a small test environment as well plus various 
random older servers that were P2V'd and are kept for various reasons. We set 
it up for the possibility of a VMWare View project so yes, currently it's 
overkill and I'm ok with that.

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Monday, April 16, 2012 3:14 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

5-6 guests per host? How tiny are these hosts?

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: John Cook [mailto:john.c...@pfsf.org]
Sent: Monday, April 16, 2012 1:37 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

We average 5-6 per Host with 3 ESXi5 hosts. That being said any  host failure 
and subsequent failover to the other two hosts will not impact the performance 
of the guest machines. It depends on what you are trying to accomplish - the 
least possible number of physical boxes or some resiliency.

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 2:24 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers…. Are 3 hosts a waste?



From: Jonathan Link 
[mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Heaton, Joseph@DFG
That's something that can be highly variable also, depending on how resource 
hungry the guests will be.  We're running a Dell blade chassis, with M710 
servers, dual 6-core procs, and 96GB of RAM each.  We average around 15-18 
guests per host.

Joe Heaton
ITB - Windows Server Support

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 11:24 AM
To: Heaton, Joseph@DFG; NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers…. Are 3 hosts a waste?



From: Jonathan Link 
[mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don't need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

I'd assume ease of use and market leader.

-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 14:16
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Someone else asked about this, but I didn't see a reply (although Postini 
frequently blocks messages from this list)... What factors led to you choosing 
VMware over Hyper-V?



John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
http://www.taylor.k12.fl.us



- Original Message -
From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
To: NT System Admin Issues

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Paul Hutchings
Just to clarify that you won't get DRS with the Essentials/Essentials Plus 
bundle as that comes with Enterprise onwards.

From: Chinnery, Paul [pa...@mmcwm.com]
Sent: 16 April 2012 8:34 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

If you have DRS turned on, yes.  However, you can also designate that some will 
always be on the same host.  For example, we have HCIS authentication server 
(file) that always uses a certain background server.  So, if FSA is vmotioned 
to another host, BG1 will follow.
From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Monday, April 16, 2012 2:52 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

How does that work  now?
Are the 11 guests distributed dynamically across the 3 hosts?  Or are they 
dedicated to specific hosts always?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 2:32 PM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

I have 11 guests.  I have three hosts so I can survive a host failure without 
squeezing the resources on the remaining hosts too much.
On Mon, Apr 16, 2012 at 2:24 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
How many VMs are you able to run on each of your 3 hosts?
With only 10 physical servers now.. I am wondering if 3 hosts are going to be 
overkill.
Even with a play/test environment of another 10 servers…. Are 3 hosts a waste?



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, April 16, 2012 1:05 PM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

Yes!

By physical boxes, we'll presume a box that's running as a DC, and not your 
hosts as Scott pithily responded... :-)  And you may as well run a physical box 
for your vCenter if you're going to maintain a solid box for DC.

The idea behind physical boxes, is it gives you something to authenticate 
against and bring your environment back online.  At your size (three hosts, 
which is what I'm running) you probably don't need it, and can authenticate 
into the hosts and then start the guests that way.


On Mon, Apr 16, 2012 at 12:30 PM, David Mazzaccaro 
david.mazzacc...@hudsonmobility.com wrote:
Speaking of domain controllers, I am being told 2 different things...
1) ALWAYS keep a single DC physical.  You can certainly have virtual DCs, but 
you must have at least 1 physical.
2) Virtualize everything you can. You don’t need any physical boxes at all.  
Period.

Thoughts?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:55 AM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market…


On Mon, Apr 16, 2012 at 11:41 AM, Paul Hutchings 
paul.hutchi...@mira.co.uk wrote:
I've only used VMware so I'm more than happy to be corrected here, but in no 
particular order:

Single ISO takes you from bare metal to working server.
No third party drivers needed for things like MPIO and NIC teaming.
Single management tool.
Single management server (vCenter) gives visibility to your entire VMware 
infrastructure.
Single thing to point backups at - I believe you have to backup Hyper-V boxes 
individually?
No dependency on the domain being present which can put you in a fun 
situation if you have to power everything off and on again.

Outside of usability you then have:

Pretty much any virtual appliance you care to name will come natively in 
VMDK/OVF format
Tons of vCenter add-ins

I'm very interested in Hyper-V with Windows Server 8 and for us the timing 
falls nicely with our SAN and server refresh, but honestly the only reason I 
can see for looking at moving would be license costs - VMware works out 
expensive if you have more than a few hosts and want more than the basics.

From: John Hornbuckle [john.hornbuc...@taylor.k12.fl.us]
Sent: 16 April 2012 3:39 PM
To: NT System Admin Issues
Subject: RE: Hooray, I'm moving to VMware!

Is the consensus that VMware is easier to use than Hyper-V?

I've only used the latter, so I can't judge.



John


-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, April 16, 2012 9:36 AM
To: NT System Admin Issues
Subject: RE: 

Re: Hooray, I'm moving to VMware!

2012-04-16 Thread Rankin, James R
I get much better XenDesktop performance on XenServer, FWIW

---Blackberried

-Original Message-
From: Jonathan Link jonathan.l...@gmail.com
Date: Mon, 16 Apr 2012 16:54:58 
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Hooray, I'm moving to VMware!

Not like it's Tennessee or anything...

On Mon, Apr 16, 2012 at 4:12 PM, Webster webs...@carlwebster.com wrote:

  HELP YOU MOVE!  Isn’t that like physical labor (i.e. WORK)?  Can’t that
 be outsourced?  Besides, MBS is MUCH closer to you than I am. :)  It's just
 an extreme white-knuckle drive for him or it was for me last time I drove
 from C’Ville, VA to some place in deep banjo country West Virginny.

 Carl Webster

 Consultant and Citrix Technology Professional

 http://www.CarlWebster.com

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Subject: Re: Hooray, I'm moving to VMware!

 I'm just working with what the folks are asking. :)

 We respect the right of every organization to choose its own poison... :)

 If you're going to visit me, at least help me move!   LOL

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
 ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ---
 To manage subscriptions click here:
 http://lyris.sunbelt-software.com/read/my_forums/
 or send an email to listmana...@lyris.sunbeltsoftware.com
 with the body: unsubscribe ntsysadmin




RE: Whitelisting

2012-04-16 Thread Crawford, Scott
Your buffer overflow example illustrates the point. What is being over-written 
into the host's execution area? Answer: code/data/1's and 0's from the data 
file. Having never written a buffer overflow attack, I'll take your word that 
it's very, very hard to do for anything but the simplest functionality. 
However, the size of that resulting code isn't really the point. The point is 
that arbitrary code is being run.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 1:28 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.


The only difference is what is interpreting that string.

And that's a huge difference.


If data is data, how is it able to cause winword.exe to download a payload?

Well, here's an oversimplification of how buffer overflows work:


  1.  An executable opens up a data file for manipulation
  2.  Because the input buffer is not adequately validated, the data (which is 
larger than the area allowed by the buffer), ends up overwriting a critical 
area of the host executable's execution area with new 1s and 0s.
  3.  The code which should normally execute at the conclusion of the data 
input is now replaced by some code stub which will do what the attacker wants.
  4.  This allows the host executable to now do something else than originally 
intended (or crash, which is what happens more often than not)

Now, while this might seem like it gives one the ability to completely co-opt the 
functions of the host executable for one's own purpose, in practice, this is 
very, very hard to do for anything but the simplest functionality.  If you 
overwrite too much code, you'll just cause the host to die, which is 
essentially a DoS attack.  Instead, the common practice is to use this limited 
area that was overwritten to call down a more robust piece of malware to get 
more malignant work done.  (Or, alternately, to make use of already installed 
executables where that might make sense.)

WinWord.exe, in our example, can be induced to download a payload because it 
was legitimately opening a data file which corrupted a portion of its 
application space because it did not properly validate its buffer space and 
thus protect itself.  The initial action (File Open) is caused by a human.

The DATA did not execute, but allowed for the laying down of CODE which could 
be executed.


More detailed analysis can be found here:

  *   http://en.wikipedia.org/wiki/Buffer_overflow
  *   http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
  *   http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott 
crawfo...@evangel.edu wrote:
Data is code. Code is data. They're both strings of 1's and 0's. The only 
difference is what is interpreting that string.

If data is data, how is it able to cause winword.exe to download a payload?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 11:30 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

Because it is data.

Data doesn't make calls.  Code does.  That's been the gist of the argument 
from the very beginning.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott 
crawfo...@evangel.edu wrote:
Why does the code that is spawned need to download some payload or use existing 
files?  Why can't it make its own win32 calls?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, April 16, 2012 10:26 AM

To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective, but 

RE: Whitelisting

2012-04-16 Thread Ken Schaefer
The user being socially engineered *is* the admin - it's a SOHO environment. It 
was the *line* just above what you quoted: For the SOHO end user, the vast 
bulk of infections are either:

These types of users are being socially engineered *today* despite AV, code 
signing, UAC and any number of other warnings. They *still* insist on running 
BritneySpearsNaked.exe

So, my question remains? How does whitelisting help that type of user? 


-Original Message-
From: Alex Eckelberry [mailto:al...@eckelberry.com] 
Sent: Monday, 16 April 2012 10:21 PM
To: NT System Admin Issues
Subject: RE: Whitelisting

a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to 
run/install some malware that they shouldn't. Despite code signing, 
users are still doing this.

How will whitelisting help the above type of user?


If it's an exploit, it's going to launch code.  The code won't run in a 
whitelisting environment unless it's approved by the admin. 

This would also apply to social engineering.  If your company has a 
whitelisting solution in place, code that is not approved won’t run.  So the 
user can download the stupid game they love, but in the end, they won't be able 
to run it. 

A good whitelisting application has a massive repository of good files, and 
the ability to train the system by the admin, not the end-user. 

Alex



-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, April 16, 2012 12:51 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

For the SOHO end user, the vast bulk of infections are either:
a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java 
runtime, Internet Explorer)
b) social engineering attacks, where the user is convinced to run/install some 
malware that they shouldn't. Despite code signing, users are still doing this.

How will whitelisting help the above type of user? I can't see how it does - 
they will always have the ability to override whatever recommendation the AV 
(or protection application) provides.

For corporate users, does whitelisting help significantly? I'm not sure that 
large organisations have the necessary processes in place to implement 
whitelisting. Whitelisting will slow application development/deployment even 
more, and will just result in more applications like Access and Excel that 
provide a semi-IDE to the end user that allows them to develop their own 
code/functionality. And resulting opportunities for code exploit.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, 16 April 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Um, really - you can't do it. Signatures (blacklists) for data files are a 
folly - worse than trying to blacklist executables.

Your point is taken that if application/executable whitelisting is good that 
malware will become nothing more than bad data files, but that then becomes a 
problem of fixing the applications. Sanitizing inpyu

And, fixing applications and their buffer overflows, heap overflows, integer 
under/overflows, etc., is a far smaller problem space than trying to blacklist 
data files.

I'll take that problem vs. trying to allow folks to execute any random binary 
that catches their eye.

None of it is easy, but whitelisting apps will be exponentially easier than 
blacklisting data.

Kurt

On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu wrote:

 Possibly...even probably. But, if we ever get to a world where 
 whitelisting is the predominant means of execution control, the bad 
 guys will, out of necessity, be relegated to exploiting flaws in 
 applications through data files. A scanner that looks for signatures 
 of exploits in files will be a useful tool. Assuming of course, all 
 applications aren't secure.


 Sent from my Windows Phone
 
 From: Andrew S. Baker
 Sent: 4/15/2012 1:08 PM

 To: NT System Admin Issues
 Subject: Re: Whitelisting

 You can't. :)

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…




 On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R 
 kz2...@googlemail.com
 wrote:

 How do you blacklist all possible bad data files?
 --Original Message--
 From: Crawford, Scott
 To: NT System Admin Issues
 ReplyTo: NT System Admin Issues
 Subject: RE: Whitelisting
 Sent: 14 Apr 2012 18:02

 A combination is needed. Whitelisting for traditional executable code 
 and blacklisting for data files that exploit vulnerable white listed 
 applications.

 -Original Message-
 From: Alex Eckelberry [mailto:a...@eckelberry.com]
 Sent: Saturday, April 14, 2012 10:10 AM
 To: NT System Admin Issues
 Subject: Whitelisting

 I'm curious, what's the general feeling about about whitelisting?  As 
 a former AV guy, I tend to prefer blacklisting, but I'm seeing signs 
 

RE: Whitelisting

2012-04-16 Thread Ken Schaefer
The first statement is wrong - there is no difference between data and code - 
they are just ones and zeros.

Now, an application, can, tell an OS that certain memory addresses contain code 
that should not be executed.
But some other application, loading exactly the same ones and zeros, can tell 
the OS that it should be executable.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 2:28 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.
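
The two positions in this exchange (file bytes overwriting a saved return address, and the OS refusing to execute memory that was marked as data) can be put side by side in a toy model. This is an added example, not part of any list member's post; the memory layout, addresses, names and inputs are constructed for illustration and do not model a real CPU or Windows API.

```python
"""Toy process memory: constructed for illustration, not a real CPU or OS API."""
from enum import Enum

# Hypothetical 128-byte address space (all values are assumptions).
MEM_SIZE = 0x80
DATA_START, DATA_END = 0x00, 0x40   # stack/heap pages: file contents land here
BUF_START, BUF_SIZE = 0x10, 8       # fixed-size input buffer inside the data pages
RET_SLOT = BUF_START + BUF_SIZE     # saved return address sits right after the buffer
LEGIT_RETURN = 0x44                 # address in the code pages where the host resumes


class Outcome(Enum):
    NORMAL = "host resumes its own code"
    REJECTED = "oversized input refused by the length check"
    CRASH = "return address is garbage, process dies"
    DATA_EXECUTED = "bytes that arrived as data are run as code"
    BLOCKED_BY_NX = "jump into a non-executable page faults"


def open_file(data: bytes, *, bounds_check: bool, nx: bool) -> Outcome:
    """Read `data` into the buffer, then 'return' through the saved address."""
    memory = bytearray(MEM_SIZE)
    memory[RET_SLOT] = LEGIT_RETURN

    # Mitigation 1: the application validates the length before copying.
    if bounds_check and len(data) > BUF_SIZE:
        return Outcome.REJECTED

    # The unchecked copy: anything past BUF_SIZE spills into RET_SLOT.
    for offset, byte in enumerate(data[:MEM_SIZE - BUF_START]):
        memory[BUF_START + offset] = byte

    target = memory[RET_SLOT]
    if target == LEGIT_RETURN:
        return Outcome.NORMAL
    if DATA_START <= target < DATA_END:
        # Mitigation 2: the OS honours the "data pages are not executable" flag.
        # Same bytes either way; only the page permission differs.
        return Outcome.BLOCKED_BY_NX if nx else Outcome.DATA_EXECUTED
    # Any other address is not a valid resume point: the usual result.
    return Outcome.CRASH


# Constructed inputs standing in for three data files.
BENIGN = b"hello"                                   # fits in the buffer
OVERSIZED_JUNK = b"A" * 9                           # clobbers RET_SLOT with 0x41
CRAFTED = b"\x00" * BUF_SIZE + bytes([BUF_START])   # points RET_SLOT at the buffer


def run_matrix() -> dict:
    """Every input under every combination of the two mitigations."""
    inputs = {"benign": BENIGN, "junk": OVERSIZED_JUNK, "crafted": CRAFTED}
    return {
        (name, check, nx): open_file(data, bounds_check=check, nx=nx)
        for name, data in inputs.items()
        for check in (False, True)
        for nx in (False, True)
    }


if __name__ == "__main__":
    for (name, check, nx), outcome in run_matrix().items():
        print(f"{name:8} bounds_check={check!s:5} nx={nx!s:5} -> {outcome.value}")
```
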




Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
*Your buffer overflow example illustrates the point. *

It really doesn't illustrate what you think it does, but there's no point
in me going down this route any longer.

You've chosen to selectively read what I've posted, and ignored clear
examples that disagreed with your premise.  We'll just have to agree to
disagree on this.


ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 6:23 PM, Crawford, Scott crawfo...@evangel.edu wrote:

  Your buffer overflow example illustrates the point. What is being
 over-written into the host’s execution area? Answer: code/data/1’s and 0’s
 from the data file. Having never written a buffer overflow attack, I’ll
 take your word that it’s “very, very hard to do for anything but the
 simplest functionality”. However, the size of that resulting code isn’t
 really the point. The point is that arbitrary code is being run.

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 1:28 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 *Data is code. Code is data. They’re both strings of 1’s and 0’s.*

 No, they are most certainly not the same.

 *The only difference is what is interpreting that string.*

 And that's a huge difference.

 *If data is data, how is it able to cause winword.exe to download a
 payload?*

 Well, here's an oversimplification of how buffer overflows work:

1. An executable opens up a data file for manipulation
2. Because the input buffer is not adequately validated, the data
(which is larger than the area allowed by the buffer), ends up overwriting
a critical area *of the host executable's execution area* with new 1s
and 0s.  
3. The code which should normally execute at the conclusion of the
data input is now replaced by some code stub which will do what the
attacker wants.
4. This allows the host executable to now do something else
than originally intended (or crash, which is what happens more often than
not)

 Now, while this might seem like it gives one the ability to completely co-opt the
 functions of the host executable for one's own purpose, in practice, this is
 very, very hard to do for anything but the simplest functionality.  If you
 overwrite too much code, you'll just cause the host to die, which is
 essentially a DoS attack.  Instead, the common practice is to use this
 limited area that was overwritten to call down a more robust piece of
 malware to get more malignant work done.  (Or, alternately, to make use of
 already installed executables where that might make sense.)


 WinWord.exe, in our example, can be induced to download a payload because
 it was legitimately opening a data file which corrupted a portion of its
 application space because it did not properly validate its buffer space and
 thus protect itself.  The initial action (File Open) is caused by a human.
 


 The DATA did not execute, but allowed for the laying down of CODE which
 could be executed.


 More detailed analysis can be found here:

- http://en.wikipedia.org/wiki/Buffer_overflow
- http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html
- http://searchsecurity.techtarget.com/news/1048483/Buffer-overflow-attacks-How-do-they-work

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market…



 

 On Mon, Apr 16, 2012 at 12:54 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Data is code. Code is data. They’re both strings of 1’s and 0’s. The only
 difference is what is interpreting that string.

  

 If data is data, how is it able to cause winword.exe to download a payload?
 

  

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 11:30 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

  

 Because it is *data*.   

  

 Data doesn't make calls.  Code does.  That's been the gist of the
 argument from the very beginning.

  

 ASB

 http://XeeMe.com/AndrewBaker

 Harnessing the Advantages of Technology for the SMB market…

 On Mon, Apr 16, 2012 at 12:25 PM, Crawford, Scott crawfo...@evangel.edu
 wrote:

 Why does the code that is spawned need to download some payload or use
 existing files?  Why can’t it make its own win32 calls?

  

 From: Andrew S. Baker [mailto:asbz...@gmail.com]
 Sent: Monday, April 16, 2012 10:26 AM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

  

 Here's one typical scenario:

- WinWord.exe has a buffer overflow vulnerability.
- WinWord.exe is a whitelisted app, so the 

Re: Whitelisting

2012-04-16 Thread Andrew S. Baker
It doesn't help someone who has the authority to override the controls.

But, thankfully, that's a smaller percentage than people who don't have
that authority.

AV also doesn't help the people who won't install it or update it.  But it
has managed to help others.

UAC doesn't help people who turn it off, etc.

We can only help the most people who want to be helped, or who have no
ability to undo the help.   The rest, I will call consulting customers.
 (for a while, anyway)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Apr 16, 2012 at 11:07 PM, Ken Schaefer k...@adopenstatic.com wrote:

 The user being socially engineered *is* the admin - it's a SOHO
 environment. It was the *line* just above what you quoted: For the SOHO
 end user, the vast bulk of infections are either:

 These types of users are being socially engineered *today* despite AV,
 code signing, UAC and any number of other warnings. They *still* insist on
 running BritneySpearsNaked.exe

 So, my question remains? How does whitelisting help that type of user?


 -Original Message-
 From: Alex Eckelberry [mailto:al...@eckelberry.com]
 Sent: Monday, 16 April 2012 10:21 PM
 To: NT System Admin Issues
 Subject: RE: Whitelisting

 a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java
 runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to
 run/install some malware that they shouldn't. Despite code signing,
 users are still doing this.

 How will whitelisting help the above type of user?


 If it's an exploit, it's going to launch code.  The code won't run in a
 whitelisting environment unless it's approved by the admin.

 This would also apply to social engineering.  If your company has a
 whitelisting solution in place, code that is not approved won’t run.  So
 the user can download the stupid game they love, but in the end, they won't
 be able to run it.

 A good whitelisting application has a massive repository of good files,
 and the ability to train the system by the admin, not the end-user.

 Alex



 -Original Message-
 From: Ken Schaefer [mailto:k...@adopenstatic.com]
 Sent: Monday, April 16, 2012 12:51 AM
 To: NT System Admin Issues
 Subject: RE: Whitelisting

 For the SOHO end user, the vast bulk of infections are either:
 a) exploits in existing applications (Acrobat Reader, Adobe Flash, Java
 runtime, Internet Explorer)
 b) social engineering attacks, where the user is convinced to run/install
 some malware that they shouldn't. Despite code signing, users are still
 doing this.

 How will whitelisting help the above type of user? I can't see how it does
 - they will always have the ability to override whatever recommendation the
 AV (or protection application) provides.

 For corporate users, does whitelisting help significantly? I'm not sure
 that large organisations have the necessary processes in place to implement
 whitelisting. Whitelisting will slow application development/deployment
 even more, and will just result in more applications like Access and Excel
 that provide a semi-IDE to the end user that allows them to develop their
 own code/functionality. And resulting opportunities for code exploit.

 Cheers
 Ken

 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Monday, 16 April 2012 12:42 PM
 To: NT System Admin Issues
 Subject: Re: Whitelisting

 Um, really - you can't do it. Signatures (blacklists) for data files are a
 folly - worse than trying to blacklist executables.

 Your point is taken that if application/executable whitelisting is good
 that malware will become nothing more than bad data files, but that then
 becomes a problem of fixing the applications. Sanitizing inpyu

 And, fixing applications and their buffer overflows, heap overflows,
 integer under/overflows, etc., is a far smaller problem space than trying
 to blacklist data files.

 I'll take that problem vs. trying to allow folks to execute any random
 binary that catches their eye.

 None of it is easy, but whitelisting apps will be exponentially easier
 than blacklisting data.

 Kurt

 On Sun, Apr 15, 2012 at 21:24, Crawford, Scott crawfo...@evangel.edu
 wrote:
 
  Possibly...even probably. But, if we ever get to a world where
  whitelisting is the predominant means of execution control, the bad
  guys will, out of necessity, be relegated to exploiting flaws in
  applications through data files. A scanner that looks for signatures
  of exploits in files will be a useful tool. Assuming of course, all
 applications aren't secure.
 
 
  Sent from my Windows Phone
  
  From: Andrew S. Baker
  Sent: 4/15/2012 1:08 PM
 
  To: NT System Admin Issues
  Subject: Re: Whitelisting
 
  You can't. :)
 
  ASB
  http://XeeMe.com/AndrewBaker
  Harnessing the Advantages of Technology for the SMB market…
 
 
 
 
  On Sat, Apr 14, 2012 at 1:24 PM, Rankin, James R
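
The disagreement in this message and the ones it quotes comes down to who is allowed to add entries to the whitelist. The following is an added example, not taken from any poster or product: the class, account names and byte strings are constructed, and it models a content-hash allowlist under a managed arrangement (a separate admin approves) and a SOHO arrangement (the user is the admin).

```python
"""Hash-keyed allowlist with an approval gate (constructed example)."""
import hashlib
from dataclasses import dataclass, field


def digest(content: bytes) -> str:
    """SHA-256 of the file contents; the rule is keyed on this, not on the name."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Allowlist:
    approvers: frozenset                          # accounts allowed to add entries
    approved: set = field(default_factory=set)    # digests of approved files

    def approve(self, account: str, content: bytes) -> bool:
        """Add an entry only if the requesting account holds approval rights."""
        if account not in self.approvers:
            return False
        self.approved.add(digest(content))
        return True

    def may_run(self, filename: str, content: bytes) -> bool:
        # filename is ignored on purpose: renaming a file does not change its hash.
        return digest(content) in self.approved


def user_insists(policy: Allowlist, account: str, filename: str, content: bytes) -> bool:
    """Model a persuaded user: try to run; if blocked, try to approve, then rerun."""
    if policy.may_run(filename, content):
        return True
    policy.approve(account, content)   # silently fails without approval rights
    return policy.may_run(filename, content)


# Constructed stand-ins for file contents (not real binaries).
WORD_BINARY = b"constructed bytes standing in for the approved winword.exe"
LURE_BINARY = b"constructed bytes standing in for an unapproved download"


def managed_policy() -> Allowlist:
    """Hypothetical managed site: only 'it-admin' may train the list."""
    policy = Allowlist(approvers=frozenset({"it-admin"}))
    policy.approve("it-admin", WORD_BINARY)
    return policy


def soho_policy() -> Allowlist:
    """Hypothetical SOHO machine: the end user 'joe' is also the approver."""
    policy = Allowlist(approvers=frozenset({"joe"}))
    policy.approve("joe", WORD_BINARY)
    return policy


if __name__ == "__main__":
    for label, policy in (("managed", managed_policy()), ("soho", soho_policy())):
        ran = user_insists(policy, "joe", "game.exe", LURE_BINARY)
        print(f"{label}: unapproved download ran = {ran}")
```
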
  

RE: Whitelisting

2012-04-16 Thread Ken Schaefer
How about I just load another bit of code into the process space of the 
existing, whitelisted application (e.g. a .dll). Then there is no need to spawn 
any separate executable process.

Unless you are intending to fingerprint every single file on the system, we're 
back to square one.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, 16 April 2012 11:26 PM
To: NT System Admin Issues
Subject: Re: Whitelisting

Here's one typical scenario:

  *   WinWord.exe has a buffer overflow vulnerability.
  *   WinWord.exe is a whitelisted app, so the vulnerability can be exploited.
  *   Bad guy creates a hand-crafted data file that takes advantage of the 
buffer overflow vulnerability
  *   User opens bad data file, which exploits the vulnerability

In a traditional environment, the exploit of the vulnerability would likely 
include the uploading or installation of some files to the exploited machine 
for the purpose of controlling it more directly.

In an environment that makes use of whitelisting technology, the code that is 
spawned by the exploit (either because it is embodied in the bad data, or 
because it is downloaded from some remote server) will be unable to run -- 
because it is not an approved application/code.

This is a key benefit of whitelisting.

Now, if the malware exploit only attempts to make use of existing files (CMD, 
etc) then these executions will be subject to whether or not they are approved 
from a whitelisting perspective, but the scope of the exploit is still greatly 
reduced.  (Read Only or Blocked Attack vs full system compromise)



ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 11:12 AM, James Rankin 
kz2...@googlemail.com wrote:
Ah yes, I recall this debate before.

So it's not that if you used a Word exploit, for example, you could get 
winword.exe to do bad stuff under the context of that process - it would have 
to be remote code execution under its own badapp.exe - which even if you called 
it winword.exe would get caught by a hash value rule or check for signed code, 
am I thinking along the right lines?

On 16 April 2012 15:54, Andrew S. Baker asbz...@gmail.com wrote:
Yes, but if the bad data is used to perform a buffer overflow so that custom 
*code* can be executed to do nefarious acts, then that last step will fail 
because the custom malicious code is not authorized to run -- even in a zero 
day.

No, it doesn't solve every last malware issue known to man, and there can be 
some management overhead depending on the implementation, but it addresses more 
issues than blacklisting does, and does so more effectively.

Of course, we've been saying the same thing for a while here:
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg72561.html
http://www.mail-archive.com/ntsysadmin@lyris.sunbelt-software.com/msg106004.html


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 10:28 AM, James Rankin kz2...@googlemail.com wrote:
Agreed, if you've got a malicious Word document that exploits a flaw in MS Word 
itself, then the only defence is good patching or some other form of exploit 
detection. If it's a zero-day, then there's probably nothing except exploit 
detection.

Don't want to plug it too much but AppSense Application Manager does a good job 
of detecting execution beyond the expected capabilities of an application, 
but I've never been able to test it much beyond the types of things like 
malicious PDFs with Java exploits or exploits that call out to malicious dll 
files. Wonder how much work it would be to craft an Office document that tries 
to exploit a vulnerability to see if it can stop this sort of vector as well?

On 16 April 2012 15:19, Alex Eckelberry al...@eckelberry.com wrote:
But, if we ever get to a world where whitelisting is the predominant
means of execution control, the bad guys will, out of necessity, be
relegated to exploiting flaws in applications through data files.

I don't understand how you can have an exploit in a data file resulting in 
anything else but code execution.  Data itself is harmless; it's the 
executables that cause harm.

There will always be code executed, in some form or another (unless I'm 
misunderstanding your point).

Alex



From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, April 16, 2012 12:25 AM

To: NT System Admin Issues
Subject: RE: Whitelisting

Possibly...even probably. But, if we ever get to a world where whitelisting is 
the predominant means of execution control, the bad guys will, out of 
necessity, be relegated to exploiting flaws in applications through data files. 
A scanner that looks for signatures of exploits in files will be a useful tool. 
Assuming of course, all applications 

RE: Hooray, I'm moving to VMware!

2012-04-16 Thread Ken Schaefer
SCVMM 2008 has limitations on what it can manage - so you'll still be breaking 
out the VMware tools to manage your VMWare side. Dunno about SCVMM 2012

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 2:31 AM
To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

System Center Virtual Machine Manager can manage both your VMWare and Hyper-V 
hosts...

  *   http://technet.microsoft.com/en-us/library/hh546770.aspx
  *   http://technet.microsoft.com/en-us/library/gg610610.aspx

And there are backup solutions which are pointed at your HyperV host and will 
backup all the guests, yes.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 12:28 PM, Paul Hutchings paul.hutchi...@mira.co.uk wrote:
I didn't think you could point Veeam (or whatever HyperV aware backup app 
you're using) to a single entity like you can vCenter and have it backup every 
VM that's in your cluster?  If you can that's great to know as I always 
wondered how it coped with doing incremental backups of a VM when it's been 
moved between hosts if it addresses each host individually.

On the domain point, so can you have several Hyper-V hosts that aren't domain 
members but still manage them as a single entity/cluster?  Basically what's the 
Hyper-V equivalent of a vCenter server?

Like I said I haven't used it but I thought those were both things about it 
that didn't seem quite as polished as VMware?

From: Andrew S. Baker [asbz...@gmail.com]
Sent: 16 April 2012 4:55 PM

To: NT System Admin Issues
Subject: Re: Hooray, I'm moving to VMware!

 Single thing to point backups at - I believe you have to backup Hyper-V 
 boxes individually?

No, you don't have to back them up individually.   Lots of 3rd party options 
here.


 No dependency on the domain being present which can put you in a fun 
 situation if you have to power everything off and on again.

Your Hyper-V server need not be a domain member.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Whitelisting

2012-04-16 Thread Ken Schaefer




-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, 17 April 2012 2:57 AM
To: NT System Admin Issues
Subject: Re: Whitelisting



 Whitelisting helps those who help themselves (corporately or individually). 
 Think of it as evolution in action.



Those people generally don't run into problems in the first place.

 Digital signatures, signed kernel mode code etc. can be used to verify that 
 software

 you are running is mostly legitimate.



Digital signatures, signed kernel mode code, etc., are whitelisting.



And the point I'm making is that these whitelisting technologies are *not* 
helping make the problem I'm describing go away.



1.   For SOHO environment, the end user simply overrides the warnings

     a.   Only when the end user cannot override the settings (e.g. Windows x64 
          kernel code signing requirements) has any major improvement occurred

          i.   I doubt that this type of central control by Microsoft would be 
               tolerated for user mode applications

          ii.  It could still be bypassed by packaging a CA cert with the 
               malware – I’m surprised that this isn’t more prevalent.

2.   For corporate environment of small size, the “administrator” is 
     responsible for managing this on behalf of their users. Many smaller orgs 
     are probably over staffed, so there is bandwidth to manage this

3.   In the enterprise, this can’t be centrally controlled without impacting 
     business agility. So the response from software vendors will be to create 
     more applications like Access which allow *end users* to develop 
     applications. How are you going to stop malicious applications like this? 
     It’s just like spam – a never ending, escalating war.







You are correct- I haven't implemented them yet for our users. But, I am doing 
so for myself. I've put my user account and my machine into a test OU, and am 
applying policies that are more restrictive than what apply to standard users 
now. I do understand how difficult it is. I recently ran md5sum against one of 
our older standard image machines, prior to deployment (booted from a USB stick 
to have complete access), and redirected the hashes into a text file. I ran the 
machine through a round of patches, and did an md5sum again, then ran a diff. 
It was amazing how many files changed.



And this is just files on a disk. Are you also going to monitor which files are 
loaded by which processes (e.g. which .dll files are loaded by which .exe 
files?) Not just the on-disk signatures, but an actual mapping of .dlls 
used by which .exe? Otherwise, a new, malicious dll file can be loaded into an 
existing, trusted, application.



Cheers

Ken
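
The baseline-and-diff exercise quoted in the message above (hash every file on an image, patch, hash again, compare) can be reproduced with the sketch below. It is an added example, not code from any poster in this thread; it uses SHA-256 instead of md5sum, and the file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest

def diff_manifests(before, after):
    """Return the files added, removed and changed between two manifests."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }

def stale_rule_ratio(before, diff):
    """Fraction of baseline hash rules that no longer match any file."""
    stale = len(diff["changed"]) + len(diff["removed"])
    return stale / len(before) if before else 0.0

def demo():
    """Constructed sample: hash a tiny tree before and after a simulated patch."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        for name in ("app.exe", "helper.dll", "old.dll"):
            write(name, b"version 1 of " + name.encode())
        before = build_manifest(root)
        write("helper.dll", b"version 2 of helper.dll")  # patched binary
        write("new.dll", b"version 1 of new.dll")        # added by the patch
        os.remove(os.path.join(root, "old.dll"))         # retired by the patch
        after = build_manifest(root)
    diff = diff_manifests(before, after)
    return diff, stale_rule_ratio(before, diff)

if __name__ == "__main__":
    print(demo())
```

A manifest like this covers only what is on disk; it records nothing about which process loads which DLL, which is the gap raised in the reply above.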


RE: Whitelisting

2012-04-16 Thread Ken Schaefer
Let's try another one: I use an exploit (or even just VBA automation) in Word 
to password protect all your files. You need to pay me to get them back (or 
maybe I don't care whether you get them back, I just like inflicting pain - aka 
like most mass market viruses)

Does whitelisting address this scenario? No.
Are exploits just going to move from the problem space solved by whitelisting 
to a new area that is not addressed by this technology? Yes

It's just like spam (and every other area where we have a constantly escalated 
war of technology). Yet for some reason we don't seem to be learning that 
lesson.

Cheers
Ken

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 17 April 2012 11:07 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

For any given environment, there will be less known good items that I want to 
run, than known bad ones that I don't, not to mention all the unknown bad ones 
that I don't know about yet.

Managing the smaller list is *better*, not *perfect*.

I haven't missed the point.  A flawed example is just that -- flawed.  But, 
going beyond that and focusing on the principle itself, the blacklist is ALSO 
vulnerable to the same issue.

So, do you settle for us both sharing your example problem, plus you having 
a host of other ones that are greater than mine?  Or do you acknowledge that 
the approach I favor creates a smaller attack surface area?


ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott mailvor...@gmail.com wrote:
On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker asbz...@gmail.com wrote:
 If it's an exploit, it's going to launch code.  The code
 won't run in a whitelisting environment unless it's approved by the admin.

CMD /C DEL C:\*.* /S /Q /F /A

 A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
 rights

 B - Limited use infection  (since it destroys itself)
 You're missing the point.  You're arguing against the example,
rather than the principle.  Namely: It's possible to use a whitelisted
application as an attack vector.[1]

 You're also making another mistake -- you're seeing protection of
the system as an end, rather than a means.  Nobody cares if the OS is
intact if all the data is gone.  We protect the OS because we use the
OS to protect the assets, not just for the sake of having a protected
OS.

-- Ben

[1] To the original question: This doesn't mean blacklisting, i.e.,
trying to identify and exclude known bad software, is the better
alternative.
