Running NetSH to block outgoing FTP traffic

The chance came up to write something simple.

Can I use Windows Firewall to block outgoing FTP traffic? Yes.

This is the command (for an outbound rule, the FTP server’s port 21 is the remote port, so the rule matches on remoteport; it only catches FTP control connections to the standard port): “netsh advfirewall firewall add rule name="BlockFTP" protocol=TCP dir=out remoteport=21 action=block”

/Dennis
PS: I’ll find time to do a GUI one shortly.


Using Group Policy to prevent FTP.EXE from running

Wow, it’s been some time since I wrote something, as I took on a new role. Thought I should pick up my “pen”, erm, rather my keyboard, and start striking again.

The main focal point of today’s entry in my tech diary is spurred by a question: can I block the ftp.exe program from running in Windows 7? As we all know, Windows 7 ships with ftp.exe installed. Try opening your command prompt and typing “ftp”.


At this point, if you open up Task Manager, you’ll notice “ftp.exe” amongst the many processes you have.


FTP on its own isn’t a very secure protocol. It’s been around for a very long time. Secure FTP is the preferred way of doing FTP these days. A good admin will secure all sensitive protocols with IPsec, but that is out of scope for this short write-up.

To prevent “FTP.EXE” from being loaded, there are several ways. One of the most primitive is to delete the file. Yup, easy, but not enforceable, because someone can simply copy it back.

To completely prevent FTP.EXE from running, one should explore enforcement via Group Policy. It is the most effective way of governance across the enterprise.

Here are the steps (done locally on a Windows 7 client; in a domain you should do this via GPMC on the right domain policy):

  1. Edit the appropriate GPO and navigate to “Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies”.
  2. Create a new Software Restriction Policy if one isn’t already created.
  3. In the Software Restriction Policy, click on Additional Rules.
  4. Right-click Additional Rules and click on New Hash Rule.
  5. To identify the ftp.exe binary, click on Browse and locate “C:\Windows\System32\ftp.exe”.
  6. Under Security level, select Disallowed and click OK.


At this stage, your computer has been updated with the new GPO. However, it will not take effect until the next reboot or until you run the command “gpupdate /force”.

After that, try running FTP. Instead of the ftp prompt, you should be greeted with a message that the program has been blocked.


You can use this technique to prevent banned software from running. On the flip side, you could also block all software from running except for a selected few. Have fun.

/Dennis

Not sure how you should license Windows 7?

I have been getting queries about licensing of Windows 7.

From my knowledge, there are a couple of options.

For consumers:

There are a few choices. The cheapest of which is the OEM license.

OEM License

How can you get OEM license?

OEM licenses are shipped with new hardware you buy. For example, if you buy a Dell or an HP machine, it comes bundled with an OEM license.

If you custom-built your machine, you can also ask your system builder, or the shop selling you the hardware components, for an OEM license. Yes, you can buy an OEM license if you buy major components of a PC.

Are there any caveats?

Well, it costs a fraction of the retail packages. The only right you do not have is moving the OEM license to other hardware. For example, your HP PC aged out and you custom-built a new machine. You cannot reuse your HP OEM license on the new custom build.

Retail License (aka FPP in MS)

How can you get retail FPP license?

Many IT shops sell FPP licenses. FPP licenses come nicely packed in boxes, unlike OEM. In Singapore, you can find FPP packages in places like Sim Lim Square, Challenger Superstore, Harvey Norman and Courts. Of course, there are many others.

Are there any caveats?

No, absolutely not. But of course, 1 machine, 1 license. If your current machine is damaged, you can redeploy the license to a new machine (a right that OEM licenses don’t have).

Do I need a full OS?

Well, if you currently have an OS that qualifies for the Upgrade FPP packs, then by all means buy the Upgrade; it’s cheaper too.

For companies / small businesses:

You can choose to license Windows 7 like a consumer. However, there are more savings if you consider getting volume licenses. There are many types of volume licenses for different scenarios, too many to cover in this simple blog post.

I suggest you check out this url -> http://www.microsoft.com/licensing/about-licensing/windows7.aspx

It contains all the information you need to license Windows 7 in volume.


Why is licensing so complex?

Well, let’s just say customers want it. In reality, licensing is not complicated. From my understanding, working at MS, MS didn’t want to complicate licensing. They really want to simplify where possible. But situations arise and customers ask for more granular licensing models.

So it is a balance between a licensing model that is fair to MS customers and, MS being a business, answering to its shareholders too. I’ll leave this part out. Just remember, the more granular the licensing gets, the cheaper the options customers can choose to fit their scenarios.

/Dennis

Windows 7 BranchCache™ Explained


Posted By: yung | Dec 8th @ 9:35 AM | 4,542 Views | 0 Comments


One of the key capabilities delivered in Windows 7 for enabling people to be productive anywhere is BranchCache™. It not only speeds up access to data and documents from Web and file servers by reducing web and file access over a WAN link, it frees up bandwidth over the WAN link for other uses.

With BranchCache™, the first request from a branch office network to download content from a web server or file server (or in the context of BranchCache™ a “content server”) also caches a copy in the local, branch network. In a subsequent request from the branch network for the same content in the content server, instead of downloading content from the content server over the WAN, clients receive the locally cached copy from the branch network. This occurs once the content server authenticates and authorizes the request. BranchCache™ has two operating modes, Distributed Cache mode and Hosted Cache mode.

Distributed Cache mode is for a small branch without a local file server that could be used as a hosted cache server. This configuration caches content downloaded from a content server over the WAN at the user’s computer. Caching occurs at the very first request from a user in a branch office. Subsequent branch office requests for the same content locate the cached content by broadcasting to the local network, and then collect it from that user’s computer in the local area network. Peer-to-peer sharing is the basic idea: there is no central repository in the branch. There are no requirements for servers or services in the branch office beyond client computers running Windows 7.

Hosted Cache mode, on the other hand, specifies a branch office server for caching content downloaded over the WAN. It is recommended for a branch with more than 50 clients. The key differences from the Distributed Cache Mode process are:

  • Content downloaded over the WAN on the first request is only cached in a designated server local to a branch office, while Distributed Cache mode caches content at a requester’s computer.
  • Clients issuing subsequent requests for the content establish a direct connection with the designated server to acquire it, once the content server authenticates and authorizes the request. In Distributed Cache mode, clients broadcast over the local network to find the computer with the cached content.

The concept of BranchCache™ is fairly straightforward. The technical specifics that minimize the communications and reduce the bandwidth over the WAN are, however, quite interesting. When a second Windows 7 client requests the same file from the content server, the user is authenticated and authorized in exactly the same manner as if BranchCache™ were not being used. If successful, the content server returns content metadata over the same channel that data would normally have been sent. The metadata is the mechanism for reducing bandwidth, because the content metadata is significantly smaller than the actual content. It is important that the content server sends the content metadata to each client, to ensure that a client always receives hashes for the most up-to-date content. This process ensures that users are always accessing the most current data.

The content is broken into blocks. For each block, a hash is computed (known as the “block hash”). A hash is also computed on a collection of blocks (known as the “segment hash”). Content metadata is primarily composed of block hashes and segment hashes, and the segment hashes provide a unit of discovery. The hash algorithm used is Secure Hash Algorithm (SHA) 256. The compression ratio achieved is approximately 2000:1; that is, the metadata sent over the wire is ~2000 times smaller than the original data itself.

This is how the BranchCache™ process works:

  1. A Windows 7 client connects to the content server in the central office and requests a file (or file segment) exactly as it would if it were retrieving the file without using BranchCache™.
  2. The content server authenticates and authorizes the client exactly as it would without BranchCache™. If successful, it returns content metadata over the same channel that data would normally have been sent. If this is the first time any client from the branch office network is requesting a file not already cached on the local network, the client retrieves the file directly from the content server.
  3. In Distributed Cache mode, the client sends a request on the local network for the required file by using the Web Services Discovery (WS-Discovery) multicast protocol. The segment hashes provide a unit of discovery. This helps reduce the total number of lookups performed for a given piece of content (versus looking up each block). The client that previously cached the file sends the file to the requesting client. The data is encrypted using a key derived from the hashes sent by the content server, as part of the content metadata. The client decrypts the data, computes the hashes on the blocks received from the first client, and ensures that it is identical to the block hashes provided as part of the content metadata by the content server. This ensures that the content has not been modified.

While in Hosted Cache mode, the client uses the hashes in the metadata to search for the file in the Hosted Cache server. A key difference in Hosted Cache mode is that a client establishes an SSL connection with the Hosted Cache server, and it offers content identifiers over this encrypted channel. The Hosted Cache server connects to the client and retrieves the set of blocks that are not cached.
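As an added illustration (not part of the original article, and not BranchCache™’s actual wire format), the following Python sketches the content metadata described above and in step 3: SHA-256 block hashes, a segment hash over them, the metadata-to-content ratio, and the client-side check that rejects a block a peer or hosted cache has altered. The 64 KB block size is an assumption taken from the BranchCache™ protocol, not stated in the article.

```python
import hashlib

# Assumed block size (the article only says content is "broken into blocks");
# with 32-byte SHA-256 hashes it gives a ratio close to the ~2000:1 quoted.
BLOCK_SIZE = 64 * 1024
HASH_LEN = 32  # SHA-256 digest length in bytes

def block_hashes(data, block_size=BLOCK_SIZE):
    """Split content into blocks; compute the SHA-256 'block hash' of each."""
    return [hashlib.sha256(data[i:i + block_size]).digest()
            for i in range(0, len(data), block_size)]

def segment_hash(hashes):
    """'Segment hash' over the block hashes: the unit of discovery a client
    looks up on the branch LAN (one lookup per segment, not per block)."""
    h = hashlib.sha256()
    for bh in hashes:
        h.update(bh)
    return h.digest()

def content_metadata(data):
    """What the content server returns on a repeat request instead of data."""
    hashes = block_hashes(data)
    return {"block_hashes": hashes, "segment_hash": segment_hash(hashes)}

def metadata_ratio(data, metadata):
    """Original content size divided by the metadata size sent on the wire."""
    wire = HASH_LEN * (len(metadata["block_hashes"]) + 1)
    return len(data) / wire

def verify_blocks(blocks, metadata):
    """Client-side check on blocks received from a peer or hosted cache: each
    must hash to the value the content server supplied. Returns the indexes
    of blocks that do not match (empty list = content intact)."""
    expected = metadata["block_hashes"]
    if len(blocks) != len(expected):
        raise ValueError("block count differs from content metadata")
    return [i for i, (blk, want) in enumerate(zip(blocks, expected))
            if hashlib.sha256(blk).digest() != want]

if __name__ == "__main__":
    # Constructed sample: four full blocks fetched once over the WAN.
    content = bytes(range(256)) * (4 * BLOCK_SIZE // 256)
    meta = content_metadata(content)
    print(f"metadata ratio ~{metadata_ratio(content, meta):.0f}:1")  # ~1638:1
    # A peer serves the blocks, but block 2 was altered in its cache.
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    blocks[2] = b"X" + blocks[2][1:]
    print("tampered blocks:", verify_blocks(blocks, meta))  # -> [2]
```

The ratio approaches 2048:1 as the number of blocks grows, which is where the article’s ~2000:1 figure comes from under the assumed block size.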

To implement BranchCache, client computers must be running Windows® 7, with the BranchCache™ feature enabled. Web servers and file servers must be running Windows® Server 2008 R2, with the BranchCache™ feature enabled.

BranchCache™ is designed to give branch-office users an experience similar to being connected directly to the central office. It works with your existing network and security infrastructure including IPv4, IPv6, and end-to-end encryption methods such as Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec). The process requires that a content server authenticates and authorizes a client before retrieving content from within the branch. Additionally, the content server returns content metadata to a requesting client to ensure that the client will reference the current version of requested content in the content server.

Tags: branch cache, Branch Office, Windows 7, Windows Server 2008 R2

Need to turn your Windows 7 machine into a Wi-Fi hotspot?

I am preparing to manage my TechNet/MSDN booth at the New Efficiency Launch @ Suntec City. I will be speaking as part of the keynotes. On the side, I am managing the TechNet/MSDN booth.

At the booth, you can sign up for the TechNet/MSDN Flash newsletters to get in touch with our Singapore team, and also take a quiz to win a Lenovo S10-2. As part of this, I need to provide internet access to the 2 laptop kiosks we make available at this booth. We will be in Room 209 at Suntec Convention Center. Beside us will be MS Press. We’ve partnered with them to provide you a 30% discount on any MS Press books at the event site.

So I had to think about providing internet access to both stations and my own laptop. There are several ways to do it, but I stumbled on Connectify and thought it quite innovative. The last time I came across something like this was for mobile phones.

This software turns your Windows 7 laptop into a Wi-Fi hotspot to share the internet connection it runs on. So now I can easily use a mobile internet USB device from the telco and share the connection with other machines. There are still some kinks with device support, but it is definitely worth checking out.

Join the beta test now.

/Dennis

Microsoft Deployment Tool Kit 2010 released!

Click here to download MDT now. (http://go.microsoft.com/fwlink/?LinkId=159061)

As you prepare to deploy Windows® 7 and Windows Server® 2008 R2, get a jump start with Microsoft® Deployment Toolkit (MDT) 2010. Leverage this Solution Accelerator to achieve efficient, cost-effective deployment of Windows 7 and Windows Server 2008 R2.

MDT is the recommended process and toolset to automate desktop and server deployment. MDT provides you with the following benefits:

  • Unified tools and processes required for desktop and server deployment in a common deployment console and collection of guidance.
  • Reduced deployment time and standardized desktop and server images, along with improved security and ongoing configuration management.
  • Fully automated Zero Touch Installation deployments by leveraging System Center Configuration Manager 2007 Service Pack 2 Release Candidate and Windows deployment tools. For those without a System Center Configuration Manager 2007 infrastructure, MDT leverages Windows deployment tools for Lite Touch Installation deployments.

MDT 2010 includes new features such as flexible driver management, an optimized user interface workflow, and a Windows PowerShell™ command line interface to help simplify deployment and make your job easier. Deploy faster and more easily with MDT 2010.

New in MDT 2010

Improvements in MDT 2010 allow you to:

  • Access deployment shares from anywhere on the network and replicate files and settings across organizational boundaries or sites.
  • Organize and manage drivers, operating systems, applications, packages, and task sequences with an improved UI.
  • Automate UI functionality using the new Windows PowerShell command line interface.

Next steps

If you have used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (http://go.microsoft.com/fwlink/?LinkID=132579).

/Dennis

Springboard Virtual Roundtable – Sept 24 – Windows 7 AppCompat Part 2: Virtualization

Springboard Series Virtual Roundtable

Windows 7 Application Compatibility Part 2: Virtualization

Date: Thursday, September 24

Time: 9:00am Pacific Time

https://ms.istreamplanet.com/springboard

Hear from a panel of experts how virtualization tools can help you with application compatibility concerns whether you’re migrating from Windows Vista or Windows XP. Join us to discuss how presentation virtualization, desktop virtualization and application virtualization can reduce testing times, expedite deployment and ultimately help you streamline PC management. We’ll cover the latest desktop virtualization technologies from Microsoft, including App-V, MED-V and XP Mode for Windows 7. Plus we share tips and tricks and demonstrate free tools to analyze and fix applications while answering your questions live during the event. Join live on Thursday, September 24th, 2009, 9:00am Pacific Time. Missed Part 1? Watch the replay.

For IT Pro tips, tricks and resources for Windows 7, visit the Springboard Series.

As part of the “virtual” experience, you may submit your questions about Windows 7 Application Compatibility to the panel live during the event—or submit questions in advance to vrtable@microsoft.com.

Springboard Series: The resource for Windows desktop IT professionals