TechNet Stories and Technical Information

Hybrid Cloud Security

I continue to be amazed at the useful stuff on I ran across this the other day, looking something up about Hyper-V.

Security is always top of mind these days, so I thought I would share our Hyper-V Security Guide.

Network Security

Download This Solution Accelerator

Launch the download of the Hyper-V Security Guide.

About This Solution Accelerator

The Hyper-V Security Guide provides IT professionals with guidance, instructions, and recommendations to address key security concerns about server virtualization.

Microsoft Hyper-V technology allows consolidation of workloads that are currently spread across multiple underutilized servers onto a smaller number of servers. This capability provides a way to reduce costs through lower hardware, energy, and management overhead while creating a more dynamic IT infrastructure.

The Hyper-V Security Guide can help you elevate the security of virtualized Windows Server environments to address your business-critical needs.

This guide focuses on three key areas:

  • Hardening Hyper-V
  • Delegating virtual machine management
  • Protecting virtual machines

Included in the Download

The download for the Hyper-V Security Guide includes the following components:

  • Hyper-V Security. This file includes the following individual files:
    • Hyper-V Security Guide.docx. This Microsoft Word document is the primary component of this Solution Accelerator. See the following "In More Detail" section for chapter descriptions.
    • Hyper-V Security Guide Overview.docx. A two-page overview description of this Solution Accelerator.
    • Release Notes.rtf. This file describes any outstanding issues and other important information.

In More Detail

The Hyper-V Security Guide includes the following content:

  • Overview. The overview states the purpose and scope of the guide, defines the guide audience, and describes its structure to help you locate the information that is relevant to you. It also describes the user prerequisites for the guidance.
  • Chapter 1: Hardening Hyper-V. This chapter provides prescriptive guidance for hardening the Hyper-V role, including several best practices for installing and configuring Hyper-V with a focus on security. These best practices include measures for reducing the attack surface of Hyper-V as well as recommendations for properly configuring secure virtual networks and storage devices.
  • Chapter 2: Delegating virtual machine management. This chapter discusses methods for delegating virtual machine management so that virtual machine administrators only have the minimum permissions they require. It describes common delegation scenarios, and includes detailed steps to guide you through using Authorization Manager (AzMan) and System Center Virtual Machine Manager 2008 (VMM 2008) to separate virtual machine administrators from virtualization host administrators.
  • Chapter 3: Protecting virtual machines. This chapter provides prescriptive guidance for securing virtual machine resources. It includes best practices and detailed steps for protecting virtual machines by using a combination of file system permissions, encryption, and auditing.
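Chapter 3 pairs file system permissions with auditing on the virtual machine files. As an added illustration of that combination (example code written for this page, not taken from the guide itself), the PowerShell below reviews the ACL on a Hyper-V storage folder and then adds a failure-audit SACL so that denied access attempts produce Security log events. The path D:\Hyper-V is an assumed placeholder.

```powershell
# Added example (not from the Hyper-V Security Guide): review NTFS permissions on
# the virtual machine storage folder and audit failed access to it.
# Assumed placeholder path; use the folder that holds your VHD and configuration files.
$vmRoot = 'D:\Hyper-V'

# 1. Review who currently has access. Hyper-V grants each VM its own
#    "NT VIRTUAL MACHINE\<VM ID>" identity on its files; leave those entries alone
#    and look instead for broad grants (Users, Everyone) that do not belong here.
Get-Acl -Path $vmRoot |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 2. Enable failure auditing for the File System subcategory so that SACL
#    entries actually produce Security log events (event IDs 4656 and 4663).
auditpol.exe /set /subcategory:"File System" /failure:enable | Out-Null

# 3. Add a SACL entry: log any failed access attempt by any account, inherited
#    by every file and subfolder under the VM root.
$acl = Get-Acl -Path $vmRoot -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($auditRule)
Set-Acl -Path $vmRoot -AclObject $acl

# 4. Confirm the audit entry is in place.
(Get-Acl -Path $vmRoot -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Run it from an elevated session on the Hyper-V host; writing a SACL requires the security privilege that only administrators hold. Auditing failures rather than successes keeps the Security log readable, since the VM worker process touches these files constantly and every successful open would otherwise be logged.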

Related Resources

The following resources provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide:

Community and Feedback

  • Want to know what’s coming up next? Check out our Security Guidance Blog.
  • E-mail your feedback about the Hyper-V Security Guide to the following address:
  • If you’ve used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (takes less than 10 minutes).

About Solution Accelerators

Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.

Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as

  • Communication & Collaboration
  • Security, Data Protection, & Recovery
  • Deployment
  • Operations & Management

Download This Accelerator

Download the Hyper-V Security Guide now.

System Center 2012 RC downloads

Are you ready to try the latest on System Center 2012 Betas and Release Candidates?

Go to and get the latest downloads.

System Center 2012 Virtual Labs released

Evaluation Software

Today Microsoft has made 4 new free virtual labs available. This gives you a great opportunity to try out some of the basic operations of the new System Center suite of tools.

TechNet Virtual Lab: System Center Operations Manager 2012: Infrastructure and Application Performance Monitoring

TechNet Virtual Lab: System Center Virtual Machine Manager 2012: Building Your Cloud Infrastructure

TechNet Virtual Lab: System Center Virtual Machine Manager 2012: Building a Service Template

TechNet Virtual Lab: Introduction to System Center Configuration Manager 2012

Try them out. And then if you’re interested in running these tools for yourself by building your own test environment, don’t forget to download the evaluations of these products HERE.

Windows Intune: The Cloud on Your Terms

What in the world is this thing called Windows Intune?

Windows Intune is PC management & security in the cloud

  • Perform security and management tasks remotely from a web-based console.

  • Help secure PCs from malware and virus threats with endpoint protection.

  • Deploy most updates and line of business applications through the cloud.

  • Greater performance and security with available Windows 7 Enterprise upgrade.

Windows Intune simplifies and helps businesses manage and secure PCs using Windows® cloud services and Windows 7. Windows Intune includes both the cloud service for PC management and security and upgrade rights to Windows 7 Enterprise and future versions of Windows.

With the Windows Intune cloud service, IT staff can remotely perform a number of security and management tasks, including update management, endpoint protection to help safeguard PCs from malware threats, and inventory management, so IT and end users can remain productive from virtually anywhere—all that’s required is an Internet connection. With the Windows 7 Enterprise upgrade included in the subscription, customers can get the best Windows experience with Windows 7 Enterprise or standardize on the Windows version of their choice.

Customers also have the option to purchase the Microsoft Desktop Optimization Pack (MDOP) add-on, a set of seven on-site advanced desktop management tools. MDOP can help further enhance security and control and help you resolve critical issues that could not be addressed by the cloud service, such as diagnosing and recovering unbootable PCs. For more information on the capabilities of the MDOP, please visit

Windows Intune Case Studies

The Windows Intune cloud service is a single, easy-to-deploy solution to help manage and secure PCs. A simple Web-based console gives you immediate visibility into what’s going on across all your managed PCs so that you can proactively identify and resolve problems with your PCs from virtually anywhere.

Help manage and secure PCs anywhere

  • Protect PCs from malware: Help protect your customers’ PCs from the latest threats with centralized endpoint protection. You can even remotely initiate on-demand malware scans, forced restarts, or malware definition updates to take the extra step in helping ensure your PCs are well protected from potential threats.

  • Manage updates: Centrally manage the deployment of updates to Microsoft® and most third-party software, keeping the applications your workers need current.

  • Distribute software: Deploy Microsoft and most third-party software, through the cloud, to PCs located nearly anywhere.

  • Proactively monitor PCs: Receive alerts on updates, threats, offline PCs and more so that you can proactively identify and resolve problems with your PCs virtually anywhere.

  • Provide remote assistance: Resolve PC issues, regardless of where you or your users are located, with remote assistance.

  • Track hardware and software inventory: Track hardware and software assets used in your business to efficiently manage your assets and compliance.

  • Manage your licenses: Manage many Microsoft volume license agreements and other license agreements to track how many licenses you’ve purchased against what you’ve installed.

  • Increase insight with reporting: Generate and save reports on updates, software, hardware, and licenses. Export data as a comma separated value file and import it directly into Microsoft Excel for further analysis.

  • Set security policies: Centrally manage update, firewall, and endpoint protection policies, even on remote machines outside the corporate network.

Note: For more details on any of these items, please refer to the Windows Intune Product Guide.

So, Version 2 of Windows Intune just came out. What’s new?

The core architecture remains unchanged, and we’ve added a few of the top feature requests from users. We’ve also made usability improvements to the service to deliver a richer experience and help you proactively address the PC management and security needs of your business. These updates include:

  • Software Distribution: Deploy many Microsoft®, third-party, and your company’s own business applications and updates to Windows Intune managed PCs, as noted in the Software Distribution section below.

  • Remote Tasks: Remotely perform the following tasks on Windows Intune managed PCs from the administration console: Full scan, Quick scan, Update Malware Definition, and Restart.

  • Robust license management: Manage your Microsoft Retail Licenses, Original Equipment Manufacturer (OEM) Licenses for Microsoft software, and third-party software licenses in addition to many Microsoft Volume License agreements.

  • Enhanced Reporting: Create hardware reports based on new hardware filters for common hardware characteristics. Additionally, you can now create and save report parameters to make it easy and efficient to run a report again in the future.

  • Alerts + Monitoring: Configure alert types to be reported according to a specified threshold, frequency, or percent of computers affected.

  • Numerous usability and user interface enhancements: We continue to improve the design and usability based on user feedback. You will find updates like read-only access and new context menus, copy and paste, drag and drop, search, filter, and improved organization capabilities throughout the product.

With 15 years of experience hosting some of the world's largest cloud services, such as Hotmail and Windows Update, Microsoft provides the reliability, availability, and security customers expect for their business: highly secure, high-availability server architecture, 24x7 support, and a financially backed 99.9% scheduled uptime SLA.

Microsoft Assessment and Planning (MAP) Toolkit 6.5 released

Simplify cloud migration planning with MAP Toolkit 6.5

The Solution Accelerators team is pleased to announce the Microsoft Assessment and Planning (MAP) Toolkit 6.5 is now available for download.

Download the MAP Toolkit 6.5.

The journey to the cloud is now smoother than ever with the Microsoft Assessment and Planning (MAP) Toolkit 6.5. The MAP Toolkit’s new capabilities help users to securely assess heterogeneous IT environments while enabling the evaluation of workloads for migration to Microsoft’s private and public cloud platforms. Consolidate existing server workloads using the updated Microsoft Private Cloud Fast Track capacity planning feature. The Database Consolidation Appliance Assessment allows you to simplify SQL Server migration planning for the private cloud. The revamped Azure Migration feature in MAP 6.5 provides more in-depth analysis of the suitability of migrating on-premises applications to the Windows Azure platform. Additional new features in MAP 6.5 include the discovery of active Windows® devices, Software Usage Tracking for Forefront® Endpoint Protection (FEP), and the discovery of Oracle instances on Itanium-based servers with HP-UX to assist in the planning of migration to SQL Server®.
Accelerate planning for the private cloud with Microsoft Private Cloud Fast Track Onboarding.

Planning your private cloud just got easier. Microsoft Private Cloud Fast Track Onboarding, an updated assessment available with MAP 6.5, provides consolidation guidance and validated configurations with preconfigured Microsoft Private Cloud Fast Track Infrastructures including computing power, network, and storage architectures. This updated feature provides greater flexibility in private cloud migration planning by allowing users to customize computer configurations and shared resources to target consolidation of both physical and virtual workloads. Get a quick analysis of server consolidation on Microsoft Private Cloud Fast Track Infrastructures to help accelerate your planning of physical to virtual (“P2V”) migration to Microsoft Private Cloud Fast Track.

Identify migration opportunities with heterogeneous server environment inventory.

MAP has expanded its heterogeneous server environment inventory to include VMware Server, VMware vSphere, and VMware vCenter. Inventory and reporting on the number of servers and guests deployed and managed by VMware infrastructure helps you identify migration opportunities and accelerates the migration planning process. SQL Server, SharePoint Server and Exchange Server run better on Hyper-V, so MAP 6.5 has the added capability of identifying Microsoft workloads deployed on VMware guests.

Simplify consolidation of SQL Server to the Database Consolidation Appliance

MAP 6.5 simplifies SQL Server consolidation planning and provides recommendations for migration to the Database Consolidation Appliance. Using MAP, you can measure the current database workloads, estimate the capacity required for migrating to Database Consolidation Appliance, and take the next steps in the process. The Database Consolidation Appliance provides better agility through a fully elastic database infrastructure and allows you to consolidate thousands of SQL Server instances into a single appliance resulting in exceptional operational cost savings.

Assess your software usage and evaluate your licensing needs.

The enhanced Software Usage Tracking feature in MAP 6.5 simplifies and reduces time and administrative costs associated with software license management and compliance by adding additional product coverage, as well as the ability to identify active devices. Forefront Endpoint Protection (FEP) usage tracking measures server and client usage for the FEP product, a recent addition to the Microsoft Core Client Access License (CAL) Suite. In addition to FEP, the Software Usage Tracking feature provides consistent software usage reports for key Microsoft server products (Windows Server, SharePoint Server, System Center Configuration Manager, Exchange Server, and SQL Server). With the addition of the new Active Devices scenario, organizations can now easily identify and report Windows devices that are active on the network. This information is particularly useful in Enterprise Agreement scenarios.

Discover Oracle instances on Itanium-based servers for migration to SQL Server.

MAP 6.5 adds to the heterogeneous database inventory and reporting capability with the discovery of Oracle instances on Itanium-based servers with HP-UX. The MAP Toolkit can help determine total cost of ownership for maintaining Oracle and the potential return on investment (ROI) from switching to SQL Server. MAP also allows users to discover, plan, and migrate to SQL Server. Along with reporting of the size and use of each schema, MAP provides an estimate of the complexity of migration and suggests candidates for migration to SQL Server. This heterogeneous database inventory and reporting capability will help you accelerate migration to SQL Server from MySQL, Oracle, and Sybase databases.

Assess your client environment for Office 365 readiness.

MAP 6.5 helps make your planning process easier and faster for business productivity solutions. MAP 6.5 includes an Office 365 client assessment that evaluates the compatibility of the Office suite software deployed in your environment. This assessment helps you quickly pinpoint the clients ready for upgrade to Office 365. The tool obtains machine-level details to determine the upgrade readiness and quickly identifies the compatibility of current Office suite software installed with Office 365.

Determine readiness for migration to Windows 7 and Windows Internet Explorer 9.

Simplify your organization's migration to Windows 7 and Windows Internet Explorer 9 with MAP 6.5. The MAP Internet Explorer migration assessment—now updated for Internet Explorer 9 migration—inventories your environment and reports on deployed web browsers, Microsoft ActiveX controls, and add-ons, and then generates a migration assessment report and proposal for easier migration to Windows 7 and Internet Explorer 9.

Accelerate planning and migration with new UI and usability updates in MAP 6.5.

MAP 6.5 offers an improved user experience to simplify and accelerate your planning needs. The improved MAP user interface streamlines the assessment and planning process by clearly identifying the sequence of steps that users must perform to successfully complete the migration planning process.

The Cloud on Your Terms: Office 365, How Microsoft Is Deploying It

The Cloud on Your Terms Part 20: A Lot of Water to Cool a Data Center

Back in September the team I am on got to visit our “Cloud” Data Center in San Antonio, Texas. Now, they wouldn’t let us take pictures of the insides, but I have to tell you about some of the things I saw. You have all seen Data Centers: raised floor and lots of air conditioning, especially here in HOT Texas in the summers. It takes a huge amount of electricity to cool a large data center. Well, when we built the San Antonio Data Center back in 2008, we wanted to be as Green as possible. Check out this Blog entry about the data center from Green Data Center Blog.

We use chilled water to provide the air conditioning or cooling. To chill water, you have to evaporate water into the air to cool the water. This could take millions and millions of gallons for a Data Center of this size. We have a special arrangement with the City of San Antonio. We take “Grey water” from the city sewer system, and rain water collected on the massive roof, to evaporate to create chilled water. More about this process on that Green Data Center Blog. The chilled water is 47 degrees. We store a huge amount of it, I think they said over 500,000 gallons of it. Look in this picture (courtesy of the Antonio paper, an aerial photo).

At the bottom of the picture is the white storage tank that stores the water for us. There is one at each end of the building. This is enough water to cool all the servers for about 12 minutes if we were to lose power. I know, not a long time. So we would start up our generators, then we could start chilling water again within the 12 minute timeframe.

If I could show you the inside of the data center, the raised floor has water pipes running under the servers, air is blown over these pipes and that provides the chilling for each room of servers.

We put out lots of information about the design of our Data Centers. You can read more or watch the videos on

San Antonio is a V2 of our Data Centers; we are now building V4 of our Data Centers.

Check out this video from that we posted on

The Cloud on Your Terms Part 18: Lessons Learned from Building a Private Cloud

So, day three now of lessons learned within this blog series. Kevin started us out with his lessons here, then yesterday Brian Lewis told us what he learned, and now today is my turn. Part of this post originally appeared on my blog October 5; hey, I wrote it, so I gave myself permission to leverage it here:


Last week I was part of a team that traveled to San Jose, CA. Our mission was to get some hands-on experience and build a test lab that we can use to demo System Center, Private Cloud, VDI, Clustering, etc., etc., etc. for our events over the next few months.

Our Monday got off to a slow start. President Obama was in Silicon Valley to give a “LinkedIn” chat (not sure why he couldn’t have done this remotely), but do you know what happens to “the 101” when The President is on the move? I got out of the car in the middle of the lane on the 101 and took this picture.


We didn’t move 5 feet for about 15 minutes…..

Our plan was to build out these 5 Dell servers we got and document what we did, so the next two teams could come in and repeat our steps.

Monday we installed Windows Server 2008 R2 SP1 on all 5 boxes; we thought we were cool doing the installs from thumb drives (much faster than DVD installs).


Basically we took the defaults, didn’t really think about the drives, or partitions, or much. The Dell R710s came with 2 or 6 two-terabyte drives. We just did the install. Then we realized the ones with 2 drives were striped, but why couldn’t we see the other drive? Yep, Server has a 2 terabyte boot partition limit. Oops. So we wanted to move around a couple of drives (add more to one machine, leave only one in others). So it was off to “undo the striping,” move the drives, and yes, now Tuesday, start over with the installs, but BEFORE we did, we created a 2 terabyte partition for the OS, and another partition for the rest of the storage. Ah, learnings (or being stupid from the cold).

We also took the chance to make sure hardware virtualization was enabled on all 5 servers. It wasn’t; we thought we got them all. On Friday we had issues with the second server, Hyper-v2. With a little research, the Hyper-V service was failing (we even re-installed the Hyper-V role). Yes, it would let us install the Hyper-V role without hardware virtualization turned on. So always double check your BIOS and make sure hardware virtualization is turned on. We had to prove to ourselves that this is what really happened; I took a screenshot of the server.


I will post more on the fun week, I learned a lot. I have more appreciation for all you Server Admins out there. Makes me realize how much worry the cloud will take out of this stuff.

Now, we aren’t extremely hard at work 100% of the time; we like to play also, so one evening we made it over to Santa Cruz and got a ride on this:

But that’s another story…..

We survived “being Stupid” from the cold. Yes, our test lab is up and running now. More later!

Hybrid and Public Clouds

If you remember back to part 2 of this 30 part series, we defined Hybrid Cloud as just about anything you want it to be; it’s really a combination of Public, Private, or Traditional IT.

When we think about Private Cloud combined with Traditional IT, it makes a logical combination. Many IT shops have embraced Virtualization as their current IT solution. Private Cloud is new compared to Public Cloud. But in most cases Private Cloud means taking that internal IT infrastructure to the next level, in self service, flexibility, and automation. Very few companies are ready to go 100% Private Cloud. The question is how you combine your traditional IT infrastructure with your new Private Cloud.


With this in mind, you need to think about Security and authentication as you move from traditional IT to the Cloud. If you aren’t already using Active Directory, now would be the time to deploy it across your networks so you are ready to manage access across your systems. You can extend your Active Directory with ADFS (Active Directory Federation Services) to work with the partners and vendors that you want to share your security with.

In our ebook Cloud Power, they talk about Hybrid as a great entry point for you to work with the cloud. It’s about deciding what part of your infrastructure you want to start with, making it work with Private Cloud, and integrating it with the rest of your network. This is a great proof of concept before deciding to move more things into the Cloud.

Another area of Hybrid to discuss in this space is working with public solutions like Windows Azure. There is a new feature coming with Azure called “Connect”. This will be part of the Azure Virtual Network. More information at This product isn’t available yet; we are testing it with many customers in our CTP program.

Yet another thing to think about when considering Hybrid is management of both parts of your solution: our System Center Application Controller has a new download for the Monitoring pack for Windows Azure applications. That download is available here:

System Center 2012 Release Candidate

180-day evaluation of Operations Manager 2007 R2

System Center Operations Manager 2007 R2, Microsoft’s end-to-end service-management product, is your best choice for Windows environments. It works seamlessly with Microsoft infrastructure servers, such as Windows Server, and application servers, such as Microsoft Exchange, helping you to increase efficiency while enabling greater control of the IT environment.

As a significant step towards fulfilling Microsoft’s common management vision, Operations Manager 2007 R2 also helps you monitor Windows Azure applications, thus allowing you to extend your familiar on-premises monitoring solution to public cloud scenarios.

Key Benefits

  • Exceptional application performance and availability for Microsoft environments
  • Provides end-to-end service management for your datacenter services
  • Helps increase the efficiency and control of your datacenter environments
  • Unified monitoring across your private and public cloud services

Information on SCOM can be found at:

We also have a Tech Center for System Center Operations Manager on TechNet it is located here:

As I was starting to write this blog post on System Center Operations Manager, I was reading today on the System Center Blog a post by Kevin Holman.

Details on System Center Operations Manager 2012 Release Candidate released 11-10-11

Details at:

Download from:

Full set of product documentation is available:

Details and features of the OM2012 RC:

Feature Summary

  • Setup Improvements
    Operations Manager 2012 has a new Setup wizard.
  • Highly Available Management Group Out of the Box
    In Operations Manager 2012, all management servers are peers; there is no root management server. The workload is split among all management servers in a management group, which provides high availability without requiring a cluster.
  • Resource pools
    A resource pool provides the ability to distribute workloads across multiple management servers, such as availability, network device monitoring, distributed monitor health rollup, and group calculation.
  • Agent Configuration
    Operations Manager 2012 provides an easy method for configuring agents to report to multiple management servers by adding an Operations Manager Agent application to Control Panel on each agent-managed computer.
  • Operations Console
    You will notice some subtle changes to the Operations console. The Actions pane is now the Tasks pane, and includes a new section called Navigation Tasks that makes it easy for you to open views for a selected object. The Tasks pane offers two tabs: one for actions and one for resources and Help links. The Navigation and Tasks panes can be hidden or revealed instantly by clicking the arrow in the title bar of the pane.
  • Web console
    Operations Manager 2012 introduces a new Web console. In Operations Manager 2012, all Operations Manager views are available in the Web console.
  • Network monitoring
    Operations Manager 2012 provides the ability to discover and monitor network routers and switches, including the network interfaces and ports on those devices and the virtual LAN (VLAN) that they participate in. You can also delete discovered network devices and prevent the deleted network devices from being rediscovered the next time discovery runs. For more information, see Monitor Network Devices.
  • Application monitoring
    In Operations Manager 2012, you can monitor ASP.NET applications in server- and client-side environments to get details about application availability and performance. Configure monitoring settings, such as polling frequency and transaction threshold. Then use results, including how frequently a problem is occurring, how a server was performing when a problem occurred, and the distributed chain for a transaction in question to pinpoint problems and solutions. For more information, see Monitor a .NET Application.
  • Dashboard views
    As part of the network monitoring and application monitoring capabilities, Operations Manager 2012 includes new comprehensive dashboard views that combine multiple panels of information into a single view. In Operations Manager 2012, you can add the new dashboard views to My Workspace.
  • Display dashboard views using SharePoint
    The Operations Manager web part displays specified dashboard views and can be added to Microsoft SharePoint 2010 sites. For more information, see Add a Dashboard View to a SharePoint Site.
  • Creating dashboard views
    Dashboard views have been significantly upgraded in Operations Manager 2012 from their capabilities in Operations Manager 2007 R2, including custom layouts and nested dashboard views. For more information, see Create a Dashboard View.
  • Operations Manager Module for Windows PowerShell
    Operations Manager 2012 provides a Windows PowerShell 2.0 module containing a full set of new cmdlets. The cmdlets in this module are only compatible with Operations Manager 2012. You can recognize the Operations Manager 2012 cmdlets by the "SC" preceding the noun. For additional information about the Operations Manager 2012 cmdlets, open the Operations Manager command shell and type Get-Help about_OpsMgr_WhatsNew. For information about how the Operations Manager 2007 cmdlets map to the Operations Manager 2012 cmdlets, type Get-Help about_OpsMgr_Cmdlet_Names. To use the Operations Manager 2012 cmdlets, you must establish a connection to an Operations Manager management group. You can establish either a persistent connection in which you can run multiple cmdlets, or a temporary connection when running a single cmdlet. For more information about connections, open the Operations Manager Shell and type Get-Help about_OpsMgr_Connections.
  • UNIX- and Linux-based computers
    In Operations Manager 2012, the Discovery Wizard is easier to use for discovering UNIX- and Linux-based computers. You can now use Windows PowerShell to manage UNIX- and Linux-based computers; for more information, see the UNIX and Linux section in the release notes. High availability is also supported.
  • UNIX/Linux Shell Command Template Management Pack
    This Management Pack implements authoring templates that allow the creation of rules, tasks, and monitors based on execution of shell commands on UNIX/Linux agents.
  • JEE Management Packs
    These management packs monitor JEE (Java Enterprise Edition) application servers. Management packs are available for IBM WebSphere, Oracle WebLogic, Red Hat JBoss and Apache Tomcat.
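The feature summary above distinguishes a persistent management group connection from a temporary one made for a single cmdlet. The following PowerShell, added here as an example written for this page rather than taken from the Operations Manager 2012 documentation, shows both forms and uses the SC-prefixed cmdlets to pull the two things an operations team checks first: open critical alerts and unhealthy agents. The management server names are assumed placeholders.

```powershell
# Added example (not from the Operations Manager 2012 documentation).
# Management server names below are assumed placeholders.
Import-Module OperationsManager

# Persistent connection: every SC* cmdlet in this session reuses it.
New-SCOMManagementGroupConnection -ComputerName 'om-ms01.contoso.example'

# Open (ResolutionState 0), critical (Severity Error) alerts, newest first.
Get-SCOMAlert -ResolutionState 0 |
    Where-Object { $_.Severity -eq 'Error' } |
    Sort-Object TimeRaised -Descending |
    Select-Object TimeRaised, Name, MonitoringObjectDisplayName

# Agents whose health state is anything other than Success
# (Warning, Error, or Uninitialized), with the management server they report to.
Get-SCOMAgent |
    Where-Object { $_.HealthState -ne 'Success' } |
    Select-Object DisplayName, HealthState, PrimaryManagementServerName

# Temporary connection: passing -ComputerName to a single cmdlet queries a
# different management group without disturbing the persistent connection.
Get-SCOMManagementServer -ComputerName 'om-ms01.fabrikam.example' |
    Select-Object DisplayName, Version
```

Because all management servers in an Operations Manager 2012 management group are peers, any of them can be named in -ComputerName; the agent listing shows which server each agent currently reports to, which is the first thing to check when an agent goes grey.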