The Windows Server Notebook


May 31, 2017  7:34 PM

Latest Windows ransomware attack exposes hard truths

Tom Walat
Ransomware, WannaCry, Windows

Now that the aftershocks from the WannaCry ransomware outbreak have subsided, I think we can distill everything we’ve learned into a nutshell: It’s all the systems administrators’ fault.

Forget the National Security Agency, the developers of the EternalBlue exploit, and the hackers who packaged the Server Message Block version 1 (SMBv1) vulnerability into ransomware. Blame IT for all the trouble that affected, at last count, more than 400,000 Windows machines worldwide.

After all, when WannaCry — also known as Wcry and WannaCrypt — launched on May 12, Microsoft had already addressed the SMBv1 exploit in March when it issued patches for security bulletin MS17-010. Most IT shops patch immediately, right? And they all follow best practices? And run the latest operating systems?

It’s convenient to find a scapegoat and point the finger at the beleaguered sys admins — the same people who worked untold hours to patch numerous systems before users returned to work after the May 13-14 weekend — because the patch that blocks the attack was already about two months old: MS17-010 shipped on the March 14 Patch Tuesday, and WannaCry appeared on May 12.

WannaCry hit England’s National Health Service particularly hard. Patients scheduled for surgeries and other medical procedures had to leave hospitals until the IT teams could free encrypted files held hostage by the ransomware. According to The Guardian, about 90% of the NHS’ systems are Windows XP, which Microsoft dropped from support in 2014.

A screenshot shows the message the WannaCry ransomware displays after it has encrypted the user's files. The Windows ransomware requests $300 in bitcoin to decrypt the files.

This example illustrates the secret lives of sys admins. In the theoretical world, anything and everything is possible. It’s a magical place where IT’s budget is sufficient and sacrosanct, and the latest Windows operating system rolls out the moment it becomes available.

But the reality is that many administrators work in what we can diplomatically refer to as less-than-ideal situations. They have spotty networks, outdated hardware and not enough time to get everything done. These sys admins must find a way to protect the company that relies on a line-of-business application that runs on an unsupported operating system that cannot be upgraded or else the software vendor will drop its support.

In recognition of the gravity of the WannaCry attack and the pain of numerous organizations, Microsoft took the unusual step of releasing the MS17-010 fix for several out-of-support operating systems, Windows XP and Windows Server 2003 among them. Short of waiting for Microsoft to come to the rescue, what can administrators do to shore up defenses before the next Windows ransomware attack?

Lock systems down
Educate yourself. Follow security professionals on Twitter, read Microsoft TechNet blogs related to security and check other security blogs. Learn where your vulnerabilities are and plug holes whenever possible.

Microsoft’s Ned Pyle has blogged about the looming troubles for administrators who leave SMBv1 enabled. The United States Computer Emergency Readiness Team (US-CERT), among other security sites, has long recommended that administrators block the SMB ports, TCP 445 and the NetBIOS ports 137 through 139, at the network perimeter so that SMBv1 is never reachable from the internet.

A short PowerShell command can disable SMBv1 on Windows 8 / Server 2012 and later, and a registry value does the same job on Windows 7 / Server 2008 R2, but neither helps with older OSes such as XP and Windows Server 2003, which speak only SMBv1 and need it to function. Ideally, an organization will upgrade those machines to a supported operating system or air-gap them.
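As an added example (not code from the original post), the following PowerShell reports the SMBv1 state of one host, turns the server side off by whichever mechanism the OS generation offers, removes the SMBv1 binaries where the OS allows it, and, as defense in depth, blocks inbound TCP 445 from outside the local subnet at the host firewall. It assumes an elevated session on a domain-joined server; the cmdlet and feature names are Microsoft’s, the firewall rule display name is made up here.

```powershell
# Added example, not from the original post: audit and disable SMBv1 on one Windows host.
# Run from an elevated PowerShell session. What is available depends on the OS generation:
#   Windows 8 / Server 2012 and later ........ Get/Set-SmbServerConfiguration
#   Windows 8.1 / Server 2012 R2 and later ... SMBv1 is a removable feature
#   Windows 7 / Server 2008 R2 ............... only the LanmanServer registry value
# Windows XP and Server 2003 speak only SMBv1 and cannot be fixed this way.

$os = Get-CimInstance Win32_OperatingSystem
"{0} (build {1})" -f $os.Caption, $os.BuildNumber

# 1. Report the current state of the SMB server before touching anything.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
}

# 2. Turn the SMBv1 server off.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2 fallback; takes effect after the next restart.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# 3. Where the OS treats SMBv1 as a feature, remove the binaries entirely (restart needed).
#    ProductType 1 is a client OS; everything else is a server SKU.
if ($os.ProductType -eq 1) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
} elseif ((Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1
}

# 4. Defense in depth: drop SMB from addresses Windows classifies as outside the local
#    subnet/intranet. This limits lateral movement even on a host that still needs SMBv1.
#    (New-NetFirewallRule exists on Windows 8 / Server 2012 and later; the rule name is ours.)
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName 'Block SMB (TCP 445) from non-local addresses' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress Internet -Action Block -Profile Any
}

# 5. Confirm the result where the cmdlet exists.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    (Get-SmbServerConfiguration).EnableSMB1Protocol   # expected: False
}
```

Test on one machine first: a legacy scanner, NAS or multifunction printer that can only talk SMBv1 will stop working the moment the server side is off, and step 4 will also cut off legitimate file-share clients on other subnets, so scope the rule to the profiles and address ranges your environment actually uses.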

Apply updates ASAP
Verizon’s annual Data Breach Investigation Report (DBIR) provides several takeaways regarding the daily threats faced by various industries.

In the 2017 DBIR, the company recommended that organizations apply security updates in a timely fashion and check that all systems have the most recent application updates.

As the WannaCry outbreak demonstrated, a patch for affected supported operating systems is effective only if IT actually applies it shortly after availability. If your organization updates machines once every three months, it might be time to rethink your patching processes.

Use PowerShell for a rapid response
A small PowerShell script could pull hundreds — or thousands — of computer names out of Active Directory and query them to check whether the updates from the MS17-010 security bulletin are installed.
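The sweep described above, written out as an added example rather than code from the post. It assumes the RSAT ActiveDirectory module on the admin workstation, WinRM/PowerShell remoting enabled on the targets and an account with local administrator rights on them; the KB IDs are the ones published in MS17-010 for the OS families it covered, and the output file name is arbitrary.

```powershell
# Added example (not from the original post): sweep AD-joined Windows hosts for MS17-010.
# Assumes: RSAT ActiveDirectory module locally, PS remoting enabled on the targets,
# and an account with local admin rights on them.
Import-Module ActiveDirectory

# Update IDs released under MS17-010 (March 14, 2017). Check the bulletin against your
# exact OS mix; later monthly rollups supersede these IDs and hide them from Get-HotFix.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598',                # Vista / Server 2008, and the out-of-band XP / 2003 fix
    'KB4012606', 'KB4013198',   # Windows 10 1507, 1511
    'KB4013429'                 # Windows 10 1607 / Server 2016
)

# Every enabled, Windows-based computer object in the directory.
$targets = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "Windows*"' `
                          -Properties OperatingSystem |
           Select-Object -ExpandProperty Name

# Fan out in parallel; each host reports its own state back as an object.
$unreachable = @()
$report = Invoke-Command -ComputerName $targets -ThrottleLimit 64 `
    -ErrorAction SilentlyContinue -ErrorVariable +unreachable `
    -ArgumentList (,$Ms17010Kbs) -ScriptBlock {
        param([string[]]$Kbs)

        $installed = Get-HotFix -ErrorAction SilentlyContinue |
                     Where-Object { $Kbs -contains $_.HotFixID } |
                     Select-Object -ExpandProperty HotFixID

        # srv.sys is the SMBv1 server driver MS17-010 replaced. When no KB ID matches,
        # compare this version with the bulletin's file table before calling a host unpatched.
        $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue

        # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later only.
        $smb1 = 'unknown'
        if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            OS          = (Get-CimInstance Win32_OperatingSystem).Caption
            Ms17010Kb   = ($installed -join ',')
            SrvSysVer   = $srv.VersionInfo.FileVersion
            Smb1Enabled = $smb1
        }
    }

# Hosts that answered, the ones with no matching KB first; then the hosts that never answered.
$report |
    Sort-Object @{ Expression = { [string]::IsNullOrEmpty($_.Ms17010Kb) }; Descending = $true }, Computer |
    Select-Object Computer, OS, Ms17010Kb, SrvSysVer, Smb1Enabled |
    Format-Table -AutoSize
$report | Export-Csv -Path .\ms17-010-audit.csv -NoTypeInformation

$unreachable | ForEach-Object { "UNREACHABLE (treat as unpatched until verified): $($_.TargetObject)" }
```

Two caveats matter when reading the output. Get-HotFix lists only the update IDs actually installed, so a machine patched through a later rollup that supersedes the March KB shows an empty Ms17010Kb column and has to be judged by its srv.sys version against the bulletin. And a machine that cannot be reached over WinRM is not patched, it is unknown, which is why the script reports those hosts separately instead of silently dropping them.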

PowerShell is more than 10 years old, and Microsoft continues to pour significant development resources into this scripting and automation tool. There’s a bit of a learning curve with PowerShell, but a sys admin who builds proficiency with its cmdlets can wield tremendous influence over the data center, particularly one that hosts a wide range of apps and systems. This type of expertise can save hours of work when the next Windows ransomware epidemic hits.

Make bulletproof backups
If ransomware does slip past the defensive perimeter and encrypt critical data, organizations should have a solid backup plan in place to overcome this setback.

One common plan is a “3-2-1” system: Keep three copies of the data; store two copies on different storage types, such as a network-attached storage device and external drives; and place one copy offsite. Make sure at least one copy is offline or otherwise not writable from the production network, because ransomware that can reach a mounted backup share encrypts the backup along with everything else. Test the restore procedure before disaster strikes.

We all know that sys admins do the best they can under difficult circumstances. Are you thwarted by too many tickets, not enough personnel, inadequate budget — or a confluence of multiple issues? Comment below to tell us about your pain points.

Tom Walat is the site editor for SearchWindowsServer. Write to him at twalat@techtarget.com or follow him @TomWalatTT on Twitter.

May 31, 2017  2:48 PM

Rise of the container OS administrators’ dilemma

Meredith Courtemanche
containers, Microsoft, Windows Server 2016

The trumpeted arrival of containerized workloads at production’s gates has enterprise IT shops bracing for the new landscape of container OSes.

Containers alleviate one headache for systems administrators. Virtual machines that encapsulate the whole OS force IT shops to run many different OS versions, which can spawn dependencies and configuration drift. One container OS underpins all of the containers on a given host, which simplifies OS updates and reduces the resource overhead per server.

Sys admins should scrutinize the size of enterprise OSes as they adopt containers, advised Thomas Bittman, vice president at Gartner, who spoke at the analyst firm’s IT Operations Strategies and Solutions conference in Orlando in May. Containerization could force OS administrators to support more and newer OSes in production, at least for now.

Windows Server typically requires 10 gigabytes to operate, while Red Hat Enterprise Linux needs nearly half that space at about 6 GB, but that’s still a heavy OS originally designed for monolithic applications, not lightweight containers that encapsulate small functions of an application. As containerized workloads enter the production environment alongside legacy apps, IT admins will be pressured to adopt micro OSes such as Alpine Linux, CoreOS Linux, RancherOS and Red Hat’s Atomic Host, Bittman said.

For Windows administrators, Server Core is a stripped-down offering of Windows Server at 5 GB, but that’s still big compared to micro and targeted container OSes. RancherOS, by contrast, occupies 150 megabytes of space. Nano Server, available in Windows Server 2016 and Microsoft Azure cloud deployments, is a container OS that, at around 500 MB, finally makes Microsoft a worthy contender, but organizations have been slow to embrace it.

“Windows administrators are used to a UI [user interface] on their servers … they’re not familiar with PowerShell and the command line,” said Thomas Maurer, a Microsoft MVP for Hyper-V and a cloud architect for Swiss-based itnetX. Admins worry that if something goes wrong in this smaller OS they won’t be able to fix it. Microsoft also forces a rapid pace of change on Nano Server via the Current Branch for Business cadence, which requires Software Assurance: fall two releases behind the current one and you lose support.

Microsoft has hit some bumps as it integrates container operations into Windows Server. It abandoned a homegrown container management engine project in favor of the Docker Engine and Docker client wrapped with a set of PowerShell cmdlets. This PowerShell module is still in its infancy and it is unclear how extensively Microsoft will develop it, Maurer said.

Containers calling

Microsoft loves the idea of containers because it takes the focus from the hypervisor and puts it back on the operating system, Bittman said. But with Nano Server only released late last year, he wondered why it took the company so long to invest in container OS technology.

Microsoft was late to the game, Maurer agreed, and needed time to build a base that enables containers, including the .NET Core framework and the Nano Server minimal deployment option, which is a significant reduction in size from Server Core.

The company is making strides now. Hyper-V containers add a layer of isolation that essentially gives each container its own kernel, which Maurer describes as something between a VM and a container. Microsoft has said it will bring the Windows Subsystem for Linux to Windows Server by the end of 2017, and, separately, it plans to use this Hyper-V container isolation to run Linux containers alongside Windows containers on a Windows Server host. Host-independent containerization should be ready as early as this summer through Microsoft’s Insider early access program.

“That’s really cool — that’s where things are going,” Maurer said. “If you have a mixed environment, instead of having Linux everywhere you just install Windows and you can run those Linux containers on Windows and you don’t have to think about it anymore. … It wouldn’t matter on which host you deployed a Linux container or a Windows container, you can run it on all of the hosts.”

For those just starting with containers, the challenge isn’t the technology itself, it’s a change in operations, Maurer said. A sys admin can create and maintain a VM for months — or years — but with containers you declare the configuration, let the container be destroyed and restarted at will, and redeploy container images with each update.

Finally, a word to the wise: While containers seemingly replace one OS challenge with another, what they really do is layer on. Most container workloads that will enter production for the foreseeable future will do so on host VMs, which have known management and security processes for production workloads.

Meredith Courtemanche is a senior site editor in TechTarget’s Data Center and Virtualization group, with sites including SearchITOperations, SearchWindowsServer and SearchExchange. Find her work @DataCenterTT or email her at mcourtemanche@techtarget.com.

Author’s note: If you take issue with the exclusive focus on people named Tom interviewed for this blog, please contact SearchWindowsServer editor Tom Walat.


July 12, 2016  3:48 PM

Microsoft announces Windows Server 2016 will launch at Ignite conference

Tom Walat

All the prognostication about when Windows Server 2016 will be available was laid to rest in multiple blogs from Microsoft today when the company announced the next version of the server operating system will launch at the Microsoft Ignite event in Atlanta September 26-30.

Windows Server 2016 will come in the usual three editions of Datacenter, Standard and Essentials. Datacenter, the most costly at $6,155 for a two-processor, 16-core license, is geared toward larger organizations that have demanding virtualization needs and want to use the more innovative software-defined storage and networking features in this upcoming release. Some of the new enhancements, such as the more secure Shielded VMs in Hyper-V and the software-defined storage feature Storage Spaces Direct, are only available in the Datacenter edition.

Mid-sized companies would most likely use the Standard edition while organizations with fewer than 50 employees may land on the least expensive Essentials edition.

For Standard and Datacenter users, Microsoft will have three installation options: Server with Desktop Experience, Server Core and Nano Server. The Desktop Experience version is what some in IT would call the “full server installation”; it’s meant for users who require a user interface (UI) to manage applications. Server Core has no UI and is a lighter installation that has eliminated some of the roles and features found on the Desktop Experience option. Nano Server is the smallest installation option and is tailored for running containers, but it can also be used as a Hyper-V host and web server. Administrators manage Nano Server — a headless server — remotely with PowerShell and Server Manager. Note that Nano Server only works with 64-bit applications.

Support models for Windows Server editions

Microsoft also announced that its typical five years of mainstream support (with five years of extended support) will continue with the full Windows Server 2016 installation and Server Core through the Long Term Servicing Branch (LTSB) servicing model.

But for organizations using Nano Server, Microsoft has announced it will use the Current Branch for Business (CBB) servicing model. Microsoft calls CBB “a more active servicing model similar to the experience with Windows 10” and requires Software Assurance. CBB will not be available for Server with Desktop Experience and Server Core versions.

While the CBB update feature sounds similar to what is being offered with Windows 10, don’t fret. Microsoft said Nano Server CBB releases are not automatically installed. But administrators will need to be aware Microsoft plans to support just two of the most current Nano Server CBB releases. That means, if version 3 is out, administrators will no longer have support for a Nano Server still running on version 1.


May 18, 2016  1:11 PM

Microsoft seeks bounty hunters to secure Nano Server

Tom Walat

With the release of Windows Server 2016 due sometime in the third quarter, Microsoft is crowdsourcing its effort to find vulnerabilities in a key feature of its next major server operating release — the smaller server deployment dubbed Nano Server — by offering a financial incentive to bug hunters.

As most administrators know, patches that close remote-code execution (RCE) flaws get a critical rating. For these types of exploits in Nano Server, Microsoft will pay $15,000 for a “high quality” report. Unlike Microsoft’s other ongoing bounty programs, this hunt is being held for a limited time. The deadline to submit a report is July 29.

For other vulnerabilities, the payoff is a bit less. For “Remote Unauthenticated Denial of Service, Elevation of Privilege, or other higher severity vulnerabilities in specific Nano Server DLLs,” bounty hunters can earn up to $9,000. Lower-severity bugs that affect Nano Server DLLs, such as spoofing and information disclosure, will fetch $500.

Nano Server is a lightweight server operating system that could be of great benefit to an organization that needs to deploy and manage containers and/or virtual machines in rapid fashion, so it’s particularly suited for a DevOps environment.

Nano Server takes up about 400 MB when installed, which is a substantial reduction when you consider a full install of Windows Server 2012 eats up about 6.3 GB of drive space.

By whittling down the server installation to just the essential core services, the smaller deployment size allows organizations to maximize the number of virtual machines running on a host. Microsoft also positions Nano Server as a scale-out file server and a host for Windows Server and Hyper-V containers.

Nano Server is a headless server that has had a majority of the .NET framework removed. You can’t manage Nano Server locally, so for administrators who prefer using a GUI, that isn’t an option. Administrators will need to use a remote management tool such as PowerShell remoting (or PowerShell Direct, for a Nano Server VM running on a Hyper-V host) or the forthcoming “server management tools” application currently in preview in the Management section of the Azure Marketplace.

This substantial reduction in code also means the attack surface for Nano Server is much smaller. In theory, Nano Server’s small footprint means fewer vulnerabilities. But for a company moving to a container-based infrastructure where the microservices sit on top of the underlying operating system, it’s critical that the foundation remains as secure as possible.

If this all sounds familiar, it’s because it is. Microsoft has been down this minimal server footprint path before with the Server Core option that came out with Windows Server 2008. But Server Core never caught on with most administrators. It was only marginally more secure than a full Windows Server installation, and administrators had to surmount a learning curve to manage it.

So what is different with Nano Server? Maybe it’s not so different, but the times they have a-changed. More companies are deploying servers at scale, which has led to a significant uptick of interest in PowerShell. And Microsoft could not just sit idly by while competitors such as VMware were courting cloud customers with Photon, its own stripped-down Linux OS geared for hosting containers.

You could look at this bug bounty one of two ways. First, one could say this effort is indicative of the culture shift under Microsoft CEO Satya Nadella where transparency is emphasized.

Or perhaps it’s a more calculated move where Microsoft is thumping its chest at the collective Internet and calling out all comers who have knocked the company for its security failings. What better way for Microsoft to prove to potential customers that its new deployment model is bulletproof than through this type of public display?



August 3, 2015  3:06 PM

July in review: the top Windows Server content

Toni Boger
Microsoft Patch Tuesday, PowerShell cmdlets, Windows Server 2003, Windows Server 2016

In our monthly feature, we recap the most popular content with our readers from the previous month and share it with you.

For the month of July, Windows Server readers kept cool by learning more about what’s coming in Windows Server 2016, what was included in the latest Patch Tuesday updates and how to use certain PowerShell cmdlets to ease management tasks.

Essential security updates in Windows Server 2016

The upcoming version of Windows Server includes a number of important new security features, including more options for authentication methods, restricting accounts, additional Web protection and more.

Windows Server 2003 gets its swan song in Patch Tuesday

Microsoft released 14 security updates in its latest Patch Tuesday cycle, including four critical updates. Two critical updates applied to Windows Server 2003, the last updates Microsoft will provide for admins before it ends technical support for the version.

How PowerShell Server Manager juggles multiple servers

This tool can be especially useful for Windows Server admins looking for a way to manage multiple servers, Windows roles and features from a single console.

Run PowerShell cmdlets on remote servers

There are two PowerShell commands that Windows Server admins can use if they need to manage multiple servers. This expert provides a deep dive into these commands and what they’re capable of.

Which content was most helpful for you in July? Was it something we didn’t include in our list? Let us know in the comments below or on Twitter @SearchWinServer.


July 1, 2015  7:31 PM

The top Windows Server tips and news of June 2015

Tayla Holman
Exchange Server, Microsoft Patch Tuesday, Windows 10, Windows Server 2016

For our monthly feature, we look at the most popular stories on SearchWindowsServer.com from the previous month and share it with you.

In June, readers wanted to learn what tools could aid a Windows 10 deployment and what to expect from Group Policy in Windows Server 2016.

Patch Tuesday includes Exchange Server, IE and Office fixes
Last month’s Patch Tuesday was relatively light, with Microsoft issuing patches across eight bulletins addressing 45 vulnerabilities. Internet Explorer received a security update that addressed 24 vulnerabilities, while Microsoft Office and Exchange Server received important patches for remote code execution and elevation of privilege vulnerabilities.

The top tools to deploy Windows 10
With the release of Windows 10 quickly approaching, admins have several first- and third-party tools at their disposal to deploy the operating system, including the Windows Assessment and Deployment Kit and SmartDeploy.

Walk through Group Policy in Windows Server 2016
While the structure of Group Policy hasn’t changed in Windows Server 2016, the configuration process is different from previous versions. Admins can edit Group Policies with PowerShell or the Group Policy Editor.

Five tips to manage Microsoft Azure
As Microsoft continues to push its cloud message, resources such as Azure Active Directory Premium and Azure Rights Management Services will help admins manage Microsoft Azure with ease.

Deploy Nano Server in Windows Server 2016
Admins looking to deploy Nano Server in Windows Server 2016 may be confused at the lack of an option to do so from Windows Setup. This tip breaks down how to install Nano Server by converting a WIM file into a bootable VHD.

What Windows Server content was most helpful to you last month? Was it something we didn’t cover in our list? Let us know in the comments or on Twitter @SearchWinServer.


June 2, 2015  7:43 PM

The top Windows Server tips and news of May 2015

Tayla Holman
Data Deduplication, Windows Server 2016

For our monthly feature, we look at the most popular stories on SearchWindowsServer.com the previous month and share it with you.

In May, our readers were curious about the lack of containers in the second technical preview of Windows Server 2016, and how update deployment would change with the release of Windows 10. Readers also wanted to know how to use SCCM 2012 to see Linux systems.

Containers absent from Windows Server 2016 second preview

Microsoft released the second technical preview of Windows Server 2016 during last month’s Ignite conference, but attendees were disappointed by the lack of containers.  The company said Windows Server containers and Hyper-V containers would be included in the next preview, which is due for release this summer.

Windows Update for Business allows admins to choose update pace

New in Windows 10, Windows Update for Business will let admins choose when they want to deploy updates. Those who want to deploy updates right away can choose the “fast” ring, while admins who want to be more cautious can choose a “slow” ring.

IE, Office, SharePoint Server get Patch Tuesday fixes

Microsoft issued patches across 13 bulletins addressing 48 vulnerabilities for May’s Patch Tuesday, with one cumulative security update for Internet Explorer addressing 22 vulnerabilities. Office and SharePoint Server also received updates for flaws triggered by malicious user input and specially crafted page content.

Learn about data deduplication in Windows Server 2012 R2

Data deduplication in Windows Server 2012 R2 helps admins reclaim available storage space by looking at a volume, finding repeating content and removing all but one copy of that content, all while replacing the deleted areas with “links” back to the single copy.

Using SCCM 2012 to see Linux systems

With SCCM 2012, admins can collect and organize inventory data for Linux and UNIX client systems using a Common Information Model (CIM) server. When the CIM server is installed with the SCCM Linux and UNIX clients, the two ends are able to communicate directly without a Web Services Management interface.

What Windows Server content helped you last month? Was it something we didn’t include in our list? Let us know in the comments or on Twitter @SearchWinServer.


May 1, 2015  9:05 PM

The top Windows Server tips and news of April 2015

Tayla Holman

For our monthly feature, we look at the most popular stories on SearchWindowsServer.com in April and share them with our readers.

Last month, readers wanted to know more about Nano Server, a new installation option that will be available in Windows Server 2016, and were eager to learn how to configure their machines to their liking with PowerShell Desired State Configuration.

Microsoft strips down with Nano Server

The 2016 version of Windows Server will include a stripped-down installation option called Nano Server, which can only be managed remotely, through PowerShell. While Nano Server removes local logon, Remote Desktop, the GUI and 32-bit support, it fully supports Visual Studio and API compatibility for certain components.

Patch Tuesday tackles IE and HTTP flaws

April’s Patch Tuesday included 11 bulletins addressing 25 vulnerabilities, including security flaws in Internet Explorer and in the HTTP.sys kernel driver. Microsoft also rolled out Skype for Business as an update for Office 2013, and said all customers are expected to be transitioned by the end of May.

Get to know PowerShell Desired State Configuration

PowerShell Desired State Configuration uses standards-based Web services to allow admins to configure their machines the way they want. Since it is already included in Windows Server, there are no additional expenses, and there is no additional management overhead because it requires only PowerShell to be installed.

How to address SSL/TLS flaws on Windows Server

If you’re running one of the known vulnerable versions of SSL or TLS, your servers and sensitive data may be at risk for attacks. It is important to make sure the proper patches are installed and to determine whether your servers are accessible over an unsecured wireless network.

Test your Microsoft Azure knowledge

Think you know Microsoft Azure? This quiz will test your familiarity with Microsoft’s cloud platform and its features.

What Windows Server content helped you last month? Was it something we didn’t include in our list? Let us know in the comments or on Twitter @SearchWinServer.


April 2, 2015  4:11 PM

The top Windows Server tips and news of March 2015

Tayla Holman

For our monthly feature, we look at the most popular stories on SearchWindowsServer.com in March and share them with our readers.

Last month, our experts weighed the pros and cons of the free Hyper-V server, suggested five questions Windows administrator candidates could expect during an interview, and gave tips for fixing three security flaws that may affect Windows servers.

Patch Tuesday fixes issues in IE, Office 

Microsoft issued five critical updates for March’s Patch Tuesday, including fixes for vulnerabilities in Internet Explorer and Office. Last month’s patches also addressed issues with Remote Desktop and OWA.

Should you download the free Hyper-V server?

Microsoft Hyper-V Server 2012 R2 became available for download last month, but as a free product it does have limitations. One major drawback is the lack of support from Microsoft and paid third parties.

Five questions to expect during a Windows administrator interview

Candidates for a Windows administrator position will need to be prepared in order to stand out in a crowded field. Here are five questions you may be asked during an interview.

How to fix SSL/TLS security flaws 

There have been several SSL and TLS security flaws uncovered in the past year, but patching may not be enough to protect your servers. Here are three flaws and how to fix them.

Previewing the Network Controller role 

A new feature in the Windows Server technical preview, the Network Controller role gives admins the ability to manage physical and virtual network infrastructure, and to configure and manage firewall rules. The Network Controller can also configure subnets, VLANs, NICs and more.

What Windows Server content helped you last month? Was it something we didn’t include in our list? Let us know in the comments or on Twitter @SearchWinServer.


March 2, 2015  6:27 PM

The top Windows Server tips and news of February 2015

Tayla Holman

For our monthly feature, we look at the most popular stories on SearchWindowsServer.com in February.

With Windows Server 2003 reaching its end of life in five months, our readers wanted to know what options they have for moving to a new server and what they should expect to pay if they delay a migration.

Microsoft issues patches for Internet Explorer and Group Policy

For February’s Patch Tuesday, Microsoft issued critical updates for over three dozen Internet Explorer vulnerabilities, making up for a lack of fixes in January’s batch of patches. The company also issued a critical update for a Group Policy vulnerability in Windows Server that could allow remote code execution.

Don’t hesitate to migrate from Windows Server 2003

Delaying a migration from Windows Server 2003 could cost large IT shops hundreds of thousands of dollars in extended support fees. One Microsoft consultant suggests enterprise customers use a custom support agreement (CSA) in the first year to keep costs down.

Windows Server 2003 migration options

IT shops that choose to stay on Windows Server 2003 past its end of life open themselves up to security attacks. Fortunately, there are on-premises and cloud-based options for migrating away from the aging platform.

Tips for strengthening Active Directory password policy settings

Weak passwords can seriously jeopardize your enterprise’s security. Mitigate possible threats by determining where your risks are and fine-tuning standards and policies across the board.

How to make Windows security training work for you

A career in information security is one of the best specialties out there for Windows admins. Capitalize on the growing demand by learning from pros in the field and putting your knowledge into practice in a test lab environment.

