BitLocker Drive Encryption

BitLocker is intended to  prevent the theft of data on computers that have either been lost, stolen, or prematurely/improperly discarded. This new security feature is available from Microsoft on the following operating systems: Windows Vista Enterprise and Ultimate, as well as Windows Server Longhorn.

BitLocker utilizes a feature known as a Trusted Platform Module (TPM) to protect system data and ensures that the system was not tampered with while it was offline.  It prevents malicious attackers from successfully running hacker tools in an attempt to either break the system’s file protections or perform offline viewing of data on an unprotected drive.

The two main tasks performed by BitLocker to achieve data protection is full encryption of the hard drive and checking the integrity of boot component upon startup. Drive encryption prevents unauthorized users from access the data stored on the drive, and the integrity checking validates that the protected hard drive is still in the original computer, and ensures that decryption is allowed only if the system appears not to have been tampered with.

BitLocker is a completely integrated part of the Windows Vista operating system , and even includes its own Recovery Console in the event that data needs to be retreived off a failing or failed hard drive.

In addition to the features mentioned above, BitLocker also offers the ability to lock the normal boot process. The boot process is actually interrupted, and the user is prompted to enter a PIN number, which must be entered correctly for the system to boot into the operating system. Bootup can also be protected via an external USB key that  contains a security key which BitLocker validates against while booting the system.

The use of BitLocker is transparent during day-to-day use, and is configured via its own wizard, and can be further configured via a Windows Managment Interface (WMI).

Overview of Windows Server 2003 Cluster Services

Microsoft Cluster Service (MSCS) is available only in the Enterprise and Datacenter Editions of Windows 2003 Server. Clustering provides the high-availability and scalability that are essential for today’s mission-critical applications such as databases, email systems, and e-Commerce.

Many of the features available in previous versions of MSCS have been improved upon in Windows 2003, and there have been additional features added as well.

Larger Number of Nodes Supported

In the Windows 2000 version of Datacenter Edition a maximum of 4 nodes was supported. In Windows 2003 this has been doubled to 8 nodes. The Enterprise Edition version’s supported number has increased from 2 nodes to 8 nodes.

Integration With Active Directory Services

Windows 2003 MSCS integrates completely with Active Directory Services. Clustering creates a number of virtual items, including it’s own virtual server. Previously in Windows 2000, these virtual servers were not visible to Active Directory, and therefore not easily administered. In Windows 2003, a virtual computer object is created within Active Directory, which allows administrators to leverage all of the capabilities of Active Directory against this virtual server. It also allows for the use of Kerberos authentication by the services running within the cluster.

64-bit Support

Windows 2003 MSCS offers full support for clusters and applications running on 64-bit hardware.

New Quorum Configuration

The traditional configuration for a cluster’s quorum information involved creating a dedicated disk for the quorum, which had to be shared by all nodes in the cluster. MSCS in Windows 2003 offers a new quorum resource called the Majority Node Set (MNS), which does away with the need for the shared quorum disk.  MNS can be configured in clusters with 3 or more nodes.

Improved Storage Capabilites

There are a number of improvements to the storage capabilities of MSCS. Volume mount points are supported on shared disks, and continue to work on fail-over, which allows for more flexible file system naming. Another new feature is client-side-caching (CSC), also known as offline files. This allows client computers to cache data that is stored on a share within the cluster. The caching of this data minimizes the amount of time that clients are unable to access data in the event of a cluster fail-over. The Distributed File System (DFS) technology has been improved to support active/active clusters and can also combine multiple file shares on different machines to be combined into a single namespace.

Troubleshooting and Failure Recovery

Windows 2003 MSCS has seen a number of improvements to the cluster’s log files to make troubleshooting easier. These improvements include:

• cluster logs
• setup logs
• error levels
• local server timestamps
• Globally unique identifier (GUID)

This increased amount of information provided by the logs will greatly help in any troubleshooting scenario.

There is also a new cluster diagnostic tool, called ‘ClusDiag’, available in the Resource Kit. ClusDiag can collect the cluster logs and event viewer logs from all of the cluster’s nodes, and combine them into one report. Another new Resource Kit tool, known as ‘ClusterRecovery’, can be used to bring disk resources back online and rebuild the state of the cluster in the event of a disk failure.

Cloning table definition and data

At times, there is a need to clone a particular table’s definition and it’s data (or a sub-set) to be able to test certain scripts or even move the table to a separate tablespace/filegroup and also change it’s properties at the same time like initrans etc..  There is a quick and dirty way of doing that in every RDBMS.  Oracle is actually the most robust of the three leading vendors and provides a lot of functionality in it’s CTAS (Create Table AS) command.

The CTAS statement is one of the very simple methods for reorganizing an Oracle table or moving the table to another tablespace. The CTAS statement can also be used to change storage parameters for a table and also change the physical sequence of the table rows. CTAS has the following syntax:

create table tableA_clone
–tablespace clause
–storage clause
as
select * from tableA
–order by primary key columns
/

This can also be executed over db-links.  If you want only a sub-set of the data to be cloned, then provide the filter criteria in the where clause as if you were querying for that sub-set from the source table.
In SQL Server, you can do a “select into” statement in order to clone the table structure but that does not clone the constraints - it clones only the table and the data (where clause filter applies).

select * into tableA_clone from tableA

In DB2, you can use the “create table like” command.  In DB2, you can clone the tabel definition but cannot clone the data with this statement.  For the data, you will need to export/import the data.

Create table tableA_clone like tableA

Active Directory User Delegation Wizard Limitations

The Active Directory (AD) Delegation Wizard allows Windows administrators to automatically set permissions on certain AD objects by using predefined delegation tasks. In Windows 2003 AD some of the tasks include:

• Join a computer to a domain
• Manage group policy links
• Create/Delete user accounts
• Create/Delete groups
• Generate Resultant Set of Policy

The wizard is run via the Active Directory Sites and Services MMC snap-in.

As handy as this tool is for applying changes to an AD infrastructure there are a number of limitations worth mentioning:

1. The wizard only allows you to set additional permissions to those that already exist in AD. It will not let you remove or change existing permissions that are set for any organizational unit (OU).
2. The wizard does not support the removal of adminstrative permissions.
3. The pre-defined roles included in the wizard may not meet the requirements of your AD infrastructure, or the roles may not match what be compatable with roles that have already been implemented.
4. Despite its automation intentions, administrators still have to manually drill down the OU structure in order to apply the permissions to each individual OU. Also, one must click through all of the different sub-roles of the wizard, which can be both time consuming and error prone.

Although some of these limitations cannot be circumvented, administrators can modify the wizard’s configuration file to tailor the content of the wizard more to their liking. The name of the configuration file is delegwiz.inf, and is located in the %windir%/inf directory on any machine where the Active Directory Users and Computers MMC snap-in has been installed, and is referenced by the User Delegation Wizard each time it is initialized. As with any other .inf file, the delegwiz file can be edited in any text editor. Specific details on how to edit the file can be found in the following Microsoft support article:

http://support.microsoft.com/kb/308404

Windows System Assessment Tool (WinSAT)

Microsoft has introduced an interesting new tool with the release of Windows Vista - the Windows System Assessment Tool, or WinSAT. This tool rates a computer on a scale of 1 thru 5, with 5 being the highest (or best) possible score. Some of the components WinSAT analyzes include a system’s processor, memory, hard disks, and graphics capabilities. It then uses an algorithm to calculate what is called a system’s ‘Windows System Performance Rating’. This is not merely an average of the performance of the various components. The algorithm provides a much more accurate picture of a system’s performance capabilities than other tools like PerfMon, for example, which is average-based. 

 To better understand this rating system, consider the following scenario: You have a desktop PC with 4 Gig of memory,  but a terribly inferior graphics card. A normal averaging rating system would rank the memory of the machine at a 5, and the graphics card would receive a 1, which would average out to be a 3.  Now, we all know that an operating system like Vista is much more dependent on excellent graphics capabilities than the excessive 4 Gig of memory, so in reality this machine will have terrible performance. In this example, the average rating of 3 is misleading, and not at all indicative as to how the system will actually perform.

So how do you run WinSAT? Go to Control Panel -> System and Maintenance -> Performance Information and Tools. The process will take a few minutes, and once completed the results will be displayed as shown in the screen-shot below:

WinSAT Screenshot

From here you can view and print the details of the report, or learn more about the scores by clicking on the “What do these numbers mean?” link.

In case you’re wondering about the low score of “1″ in the screen-shot, the machine was a VMWare virtual machine with 748MB of memory.