For Sale – Asus UX31E Zenbook I7 4GB 128GB Win10

Europe’s busiest forums, with independent news and expert reviews, for TVs, Home Cinema, Hi-Fi, Movies, Gaming, Tech and more.

AVForums.com is owned and operated by M2N Limited,
company number 03997482, registered in England and Wales.

Powered by Xenforo, Hosted by Nimbus Hosting, Original design Critical Media Ltd.
This website uses the TMDb API but is not endorsed or certified by TMDb.

Copyright © 2000-2020 E. & O.E.

Go to Original Article
Author:

Cortana in the upcoming Windows 10 release: focused on your productivity with enhanced security and privacy | Windows Experience Blog

AI in Microsoft 365 is driving a significant shift in how people interact with Microsoft 365 applications. Our experiences personalize and adapt to you, support you and help amplify your skills. You can see this shift in the personalized experiences we are enabling through Cortana, your personal productivity assistant in Microsoft 365. Cortana helps you stay on top of your day, save time and do your best work.
Today, Microsoft is announcing an updated Cortana experience in Windows 10 that will deliver more help from your assistant in Microsoft 365. This next step in Cortana’s evolution will bring enhanced, seamless personal productivity assistance as a free update to the latest version of Windows 10 coming this spring.
Through this updated Cortana experience, we will roll out new Cortana services delivered through Microsoft 365 backed by the privacy, security and compliance promises of Office 365 services as set out in the Online Services Terms. Protecting your data and privacy is our highest priority, and we give you control over your data.
Cortana’s new capabilities help you achieve more with less effort
The upcoming update to Windows 10 will include access to a new Cortana experience with an emphasis on productivity, helping you quickly find the information you want across Microsoft 365. The new Cortana experience in Windows 10 features a chat-based UI that gives you the ability to interact with Cortana using your voice or the keyboard.
For English (United States) users, Cortana will assist you in better managing your schedule and tasks by staying on top of your calendar and focusing on what matters with meeting insights. You can speak or type requests to find people or files, or quickly create or query emails. You can also easily check your calendar, set a reminder, or add to your lists in Microsoft To Do:
“What’s next on my calendar?”
“Remind me to send the ‘weekly report’ every Friday at 2pm.”
“Add ‘status report’ to my task list.”
And Cortana will continue to help you get answers from Bing, set alarms and timers, open apps, adjust settings, or give you a joke you can share with colleagues, friends or family.
Outside of the United States, the initial release of the Cortana experience in Windows 10 will include answers from Bing and the ability to chat with Cortana. We plan to enhance our international experience with more productivity-based capabilities in the future.
Additional changes for Cortana
As part of Cortana’s evolution into a personal productivity assistant in Microsoft 365, you’ll see some changes in how Cortana works in the latest version of Windows 10. We’ve tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana, and some consumer skills including music, connected home and third-party skills will no longer be available in the updated Cortana experience in Windows 10. We’re also making some changes to where Cortana helps you. As part of our standard practice, we are ending support for Cortana in older versions of Windows that have reached their end-of-service dates. We recommend that customers update their devices to the latest version of Windows 10 to continue using Cortana. We’ll also be turning off the Cortana services in the Microsoft Launcher on Android by the end of April.
We’re excited about how these updates to Cortana will help you stay on top of things, save time and do your best work. As we continue to innovate on Cortana in Microsoft 365, we plan to share further improvements in the coming months.

Releasing Windows 10 Insider Preview Build 19041.113 to the Slow ring | Windows Experience Blog

Hello Windows Insiders, today we’re releasing 20H1 Build 19041.113 (KB4540409) to Windows Insiders in the Slow ring. This Cumulative Update includes quality improvements. Key changes include:
We fixed an issue that might block digital rights management (DRM) video playback in apps that depend on the Windows 8.0 or later PlayReady Store Framework for content protection.
We have updated the copyright date for Windows 10, version 2004 to the year 2020.
We have fixed an issue that causes the Notepad icon to appear on the Start menu after uninstalling the Feature-on-Demand (FOD) version of Notepad.
We have fixed an issue that might cause some systems to stop responding at sign in because several background services are being hosted in the same service host process.
We have fixed an issue with the Your Phone app that might cause the copying of large PC files (such as images) to certain phone models to time out.
We have fixed an issue with cellular data for certain mobile carriers that might prevent connectivity on Microsoft Surface Pro X.
We have fixed an issue that fails to pin the new Microsoft Edge icon to the taskbar after a user installs the new Microsoft Edge and creates a new user profile on the device.
We have fixed an issue that prevents some users from signing out because the user session stops responding.

We are aware that Narrator and NVDA users who seek the latest release of Microsoft Edge based on Chromium may experience some difficulty when navigating and reading certain web content. The Narrator, NVDA and Edge teams are aware of these issues. Users of legacy Microsoft Edge will not be affected. NVAccess has released NVDA 2019.3, which resolves the known issue with Edge.
Thanks, BLB

Welcome to Babylon.js 4.1 – Windows Developer Blog

Our mission is to create one of the most powerful, beautiful, and simple Web rendering engines in the world. Our passion is to make it completely open and free for everyone.
Today, we are thrilled to announce the official release of Babylon.js 4.1! Before diving into more detail, we also want to humbly thank the awesome community of 250+ contributors for their efforts to help build this framework.

Up to 3 times smaller and 12% faster, Babylon.js 4.1 includes countless performance optimizations, continuing our lineage of a high-performance engine. With the new Node Material Editor, a truly cross-platform development experience with Babylon Native, Cascaded Shadows, Navigation Mesh, updated WebXR and glTF support, and much more, Babylon.js 4.1 brings even more power to your web development toolbox.

Introducing the powerful and simple Node Material Editor. This new user-friendly node-based system unlocks the power of the GPU for everyone. Traditionally, writing shaders (GPU programs) hasn’t been very easy or accessible for anyone without the understanding of low-level code. Babylon’s new node material system removes the complexity without sacrificing power. With this new system, absolutely anyone can create beautiful shader networks by simply connecting nodes together.

To see the Node Material in action, we put together a couple of demos for you. The Under Water Demo and accompanying Mystery Demo Tutorial Videos showcase how the Node Material makes writing complex vertex shaders easier. The Fantasy Weapons Demo shows off some truly amazing lighting effects shaders. If you just can’t wait to try out the Node Material Editor yourself, head on over here.

The holy grail of software development is to write code once and have it work everywhere: on any device, on every platform. This is the inspiration behind Babylon Native. This exciting new addition to the Babylon platform allows anyone to take their Babylon.js code and build a native application with it, unlocking the power of native technologies. You can learn more about it here.

Real-time screen space reflections are here! With this amazing effort from the dedicated Julien Moreau Mathis, you can now add an entirely new level of realism, depth, and intrigue to all of your Babylon experiences. Simple to use and beautiful, this feature is truly a “must try!” Check out a live demo here.

Babylon.js 4.1 brings one of the most community requested features to the engine: Cascaded Shadow Maps! This exciting new feature helps distribute the resolution of shadows making shadows look crisp, smooth, and beautiful. Best of all, it was created by one of our very own community members: Popov72. Check out a demo here.

The power of the core Babylon.js engine is now available in a stripped-down version that we are calling the “Thin Engine.” 
Babylon’s scene graph and all other tools and features rely on an engine which functions as the central hub of the technology. The size of this central engine is critically important to anyone thinking about using Babylon.js at mass scale for 2D experiences. The Thin Engine removes features in exchange for raw power in a tiny package size. Stripping the core engine down to its bare frame, we created a version specifically for accelerating 2D experiences with the smallest possible package size (~100KB unpacked).

With the new fun and simple Navigation Mesh system, leveraging the power of the excellent and open source Recast navigation library, it’s easier than ever to create convincing “AI” for your game or interactive experience. Simply provide a crowd agent with a navigation mesh, and the movement of that agent will be confined to the mesh. As seen with the fish in this Underwater Demo, you’ll find it very useful for AI and path finding or to replace physics for collision detection (only allow player to go where it’s possible instead of using collision detection). More info here.

It’s no secret that the future is bright for AR/VR experiences on the web. Babylon 4.1 further advances the engine’s best-in-class WebXR support by bringing: 
An easy to use experience helper
A dedicated session manager for more advanced users
One camera to rule them all
Full support for any device that accepts WebXR sessions
Full input-source support
API for Experimental AR features
Teleportation, scene interactions, physics, and more
You can find more details on our introduction to WebXR.

Of course, that’s all just the tip of the iceberg. There’s so much more packed into this release that it’s nearly too much to mention…nearly…
Render the same scene from 2 different canvases with MultiView
Render UI elements in a second worker thread with Offscreen Canvas
Render thousands of objects with variance through Instance Buffers
Speed up common web controls with powerful new 2D Controls
Reduced 3D file sizes through experimental KTX2+BasisU support
Experimental support for upcoming glTF extensions: KHR_texture_basisu, KHR_mesh_quantization, KHR_materials_clearcoat, KHR_materials_sheen, KHR_materials_specular
For a full list of new features, updates, performance improvements, and bug fixes, head on over here.
Babylon.js 4.1 marks another major step forward towards creating one of the most powerful, beautiful, simple, and open rendering engines in the world. We can’t wait to see what you make with it.
www.babylonjs.com

Protecting users from potentially unwanted applications in Microsoft Edge – Microsoft Edge Blog

Our customer feedback tells us that when users search for free versions of software, they often find applications with a poor reputation being installed on the machine at the same time. This pattern indicates that the user has downloaded an application which shows offers (or bundles) for potentially unwanted applications (PUA).
Potentially unwanted applications can make the user less productive, make the user’s machine less performant, and lead to a degraded Windows experience. Examples of PUA include software that creates extra advertisements, applications that mine cryptocurrency, applications that show offers for other software and applications that the AV industry considers having a poor reputation.
In the new Microsoft Edge (beginning with 80.0.338.0), we’ve introduced a new feature to prevent downloads that may contain potentially unwanted apps (PUA), by blocking those apps from downloading. This feature is off by default, but can be turned on in three easy steps:
Tap … (Settings and more) > Settings.
Choose Privacy and services.
Scroll down to Services, and then turn on Block potentially unwanted apps.

Here is what users will see when a download is blocked by the feature (Note: PUA blocking requires Microsoft Defender SmartScreen to be enabled):

To learn more about what Microsoft defines as PUA, see the criteria in our documentation.
If an app has been mislabeled as PUA, users can choose to keep it by tapping … in the bottom bar, choosing Keep, and then choosing Keep anyway in the dialog that appears.

From edge://downloads/, users can also choose Report this app as reputable, which will direct them to our feedback site. There, users can let us know that they think the app is mistakenly marked as PUA.
If you own the site or app in question, you can let us know here. Your feedback will be reviewed by our team to determine an appropriate follow up action.

Our goal is to assist users in getting the apps they want, while empowering them to maintain control over their devices and experiences.
You can learn more about how Microsoft identifies malware, unwanted software, and PUA in our security documentation.
We encourage users to always try to download software from a trusted location, such as the publisher’s website or a reputable app store, and to check reviews of the app and the reputation of the publisher before downloading.
If you are an admin or IT professional and are interested in enabling this feature for your users, see our enterprise documentation here.
We hope you’ll try out this new feature in the new Microsoft Edge and let us know what you think! Give us your feedback by clicking the feedback link in the upper right corner of your browser or pressing Alt-Shift-I to send feedback.
– Juli Hooper and Michael Johnson, Microsoft Defender ATP
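The post above enables PUA blocking per user through the Settings UI; for a fleet, an administrator would set it by machine policy so it cannot be switched off. The following script is an added example, not code from the Edge blog post or from Microsoft; the policy value names `SmartScreenEnabled` and `SmartScreenPuaEnabled` under the Edge policy key come from Edge's enterprise policy reference, not from this page, and the audit treats "not set" as the weak state since the feature is off by default.

```powershell
# Added example (not from the Edge blog post): audit and enforce Edge's
# "Block potentially unwanted apps" setting as a machine policy.
# Assumption: the policy value names below are those documented in Edge's
# enterprise policy reference; they are not taken from the post above.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePuaBlockingState {
    # Returns the current policy state. PUA blocking only works when
    # SmartScreen itself is enabled, so both values are read together.
    $props = if (Test-Path $EdgePolicyKey) { Get-ItemProperty -Path $EdgePolicyKey } else { $null }
    $smartScreen = $props.SmartScreenEnabled      # $null = not set by policy (user-controlled)
    $pua         = $props.SmartScreenPuaEnabled   # $null = not set by policy (off by default)
    [pscustomobject]@{
        SmartScreenPolicy = $smartScreen
        PuaPolicy         = $pua
        Enforced          = ($smartScreen -eq 1 -and $pua -eq 1)
        # Weak: PUA blocking not forced on, or SmartScreen forced off (which disables PUA blocking).
        Weak              = ($pua -ne 1) -or ($smartScreen -eq 0)
    }
}

function Enable-EdgePuaBlocking {
    # Weak configuration: no policy set, so the toggle in Privacy and services
    # stays off unless each user turns it on.
    # Corrected configuration: SmartScreen on and PUA blocking on, both as
    # machine policy, so the toggle is enforced and greyed out for users.
    if (-not (Test-Path $EdgePolicyKey)) { New-Item -Path $EdgePolicyKey -Force | Out-Null }
    New-ItemProperty -Path $EdgePolicyKey -Name 'SmartScreenEnabled'    -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $EdgePolicyKey -Name 'SmartScreenPuaEnabled' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-EdgePuaBlockingState
}

# Usage, from an elevated PowerShell prompt:
$before = Get-EdgePuaBlockingState
if ($before.Weak) {
    Write-Host "PUA blocking not enforced by policy; applying corrected configuration."
    Enable-EdgePuaBlocking | Format-List
} else {
    Write-Host "PUA blocking already enforced."
    $before | Format-List
}
```

Edge reads the policy key at startup, so running browsers pick up the change after a restart; `edge://policy` shows the values Edge has actually applied.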

The Complete Guide to Scale-Out File Server for Hyper-V

This article will help you understand how to plan, configure and optimize your SOFS infrastructure, primarily focused on Hyper-V scenarios.

Over the past decade, it seems that an increasing number of components are recommended when building a highly-available Hyper-V infrastructure. I remember my first day as a program manager at Microsoft when I was tasked with building my first Windows Server 2008 Failover Cluster. All I had to do was connect the hardware, configure shared storage, and pass Cluster Validation, which was fairly straightforward.

Failover Cluster with Traditional Cluster Disks

Figure 1 – A Failover Cluster with Traditional Cluster Disks

Nowadays, the recommended cluster configuration for Hyper-V virtual machines (VMs) requires additional management layers: Cluster Shared Volumes (CSV) disks, which in turn need a clustered file server to host the file path used to access them, known as a Scale-Out File Server (SOFS). While the SOFS provides the fairly basic function of keeping a file share online, understanding this configuration can be challenging even for experienced Windows Server administrators. To see the complete stack which Microsoft recommends, scroll down to the figures throughout this article. This may appear daunting, but do not worry; we’ll explain what all of these building blocks are for.

While there are management tools like System Center Virtual Machine Manager (SCVMM) that can automate the entire infrastructure deployment, most organizations need to configure these components independently. There is limited content online explaining how Scale-Out File Server clusters work and best practices for optimizing them. Let’s get into it!

Scale-Out File Server (SOFS) Capabilities & Limitations

A SOFS cluster should only be used for specific scenarios. The following list of features have been tested and are either supported, supported but not recommended, or not supported with the SOFS.

Supported SOFS scenarios

  • File Server
    • Deduplication – VDI Only
    • DFS Namespace (DFSN) – Folder Target Server Only
    • File System
    • SMB
      • Multichannel
      • Direct
      • Continuous Availability
      • Transparent Failover
  • Other Roles
    • Hyper-V
    • IIS Web Server
    • Remote Desktop (RDS) – User Profile Disks Only
    • SQL Server
  • System Center Virtual Machine Manager (VMM)

Supported, but not recommended SOFS scenarios

  • File Server
    • Folder Redirection
    • Home Directories
    • Offline Files
    • Roaming User Profiles

Unsupported SOFS scenarios

  • File Server
    • BranchCache
    • Deduplication – General Purpose
    • DFS Namespace (DFSN) – Root Server
    • DFS Replication (DFSR)
    • Dynamic Access Control (DAC)
    • File Server Resource Manager (FSRM)
    • File Classification Infrastructure (FCI)
    • Network File System (NFS)
    • Work Folders

Scale-Out File Server (SOFS) Benefits

Fundamentally, a Scale-Out File Server is a Failover Cluster running the File Server role. It keeps the file share path (\ClusterStorage\Volume1) continually available so that it can always be accessed. This is critical because Hyper-V VMs use this file path to access their virtual hard disks (VHDs) via the SMB3 protocol. If this file path is unavailable, then the VMs cannot access their VHDs and cannot operate.

Additionally, it also provides the following benefits:

  • Deploy Multiple VMs on a Single Disk – SOFS allows multiple VMs running on different nodes to use the same CSV disk to access their VHDs.
  • Active / Active File Connections – All cluster nodes will host the SMB namespace so that a VM can connect or quickly reconnect to any active server and have access to its CSV disk.
  • Automatic Load Balancing of SOFS Clients – Since multiple VMs may be using the same CSV disk, the cluster will automatically distribute the connections. Clients are able to connect to the disk through any cluster node, so they are sent to the server with fewest file share connections. By distributing the clients across different nodes, the network traffic and its processing overhead are spread out across the hardware which should maximize its performance and reduce bottlenecks.
  • Increased Storage Traffic Bandwidth – Using SOFS, the VMs will be spread across multiple nodes. This also means that the disk traffic will be distributed across multiple connections which maximizes the storage traffic throughput.
  • Anti-Affinity – If you are hosting similar roles on a cluster, such as two active/active file shares for a SOFS, these should be distributed across different hosts. Using the cluster’s anti-affinity property, these two roles will always try to run on different hosts eliminating a single point of failure.
  • CSV Cache – SOFS files which are frequently accessed will be copied locally on each cluster node in a cache. This is helpful if the same type of VM file is read many times, such as in VDI scenarios.
  • CSV CHKDSK – CSV disks have been optimized to skip the offline phase, which means that they will come online faster after a crash. Faster recovery time is important for high availability since it minimizes downtime.

Scale-Out File Server (SOFS) Cluster Architecture

This section will explain the design fundamentals of Scale-Out File Servers for Hyper-V. The SOFS can run on the same cluster as the Hyper-V VMs it is supporting, or on an independent cluster. If you are running everything on a single cluster, the SOFS must be deployed as a File Server role directly on the cluster; it cannot run inside a clustered VM, since that VM won’t start without access to the File Server. Neither the VM nor the virtualized File Server could start up, because each depends on the other.

Hyper-V Storage and Failover Clustering

When Hyper-V was first introduced with Windows Server 2008 Failover Clustering, it had several limitations that have since been addressed. The main challenge was that each VM required its own cluster disk, which made the management of cluster storage complicated. Large clusters could require dozens or hundreds of disks, one for each virtual machine. This was sometimes not even possible due to limitations created by hardware vendors which required a unique drive letter for each disk. Technically you could run multiple VMs on the same cluster disk, each with their own virtual hard disks (VHDs). However, this configuration was not recommended, because if one VM crashed and had to fail over to a different node, it would force all the VMs using that disk to shut down and fail over to other nodes. This caused unplanned downtime, so as virtualization became more popular, a cluster-aware file system was created, known as Cluster Shared Volumes (CSV). See Figure 1 (above) for the basic architecture of a cluster using traditional cluster disks.

Cluster Shared Volume (CSV) Disks and Failover Clustering

CSV disks were introduced in Windows Server 2008 R2 as a distributed file system that is optimized for Hyper-V VMs. The disk must be visible to all cluster nodes, use NTFS or ReFS, and can be created from pools of disks using Storage Spaces.

The CSV disk is designed to host VHDs from multiple VMs from different nodes and run them simultaneously. The VMs can distribute themselves across the cluster nodes, balancing the hardware resources which they are consuming. A cluster can host multiple CSV disks and their VMs can freely move around the cluster, without any planned downtime. The CSV disk traffic communicates over standard networks using SMB, so traffic can be routed across different cluster communication paths for additional resiliency, without being restricted to use a SAN.

A Cluster Shared Volumes disk functions similarly to a file share hosting the VHD file, since it provides storage and controls access. Virtual machines access their VHDs the way clients would access a file hosted in a file share, using a path like \ClusterStorage\Volume1. This file path is identical on every cluster node, so as a VM moves between servers it will always be able to access its disk using the same file path. Figure 2 shows a Failover Cluster storing its VHDs on a CSV disk. Note that multiple VHDs for different VMs on different nodes can reside on the same disk, which they access through the SMB share.

A Failover Cluster with a Cluster Shared Volumes (CSV) Disk

Figure 2 – A Failover Cluster with a Cluster Shared Volumes (CSV) Disk

Scale-Out File Server (SOFS) and Failover Clustering

The SMB file share used for the CSV disk must be hosted by a Windows Server File Server. However, the file share should also be highly-available so that it does not become a single point of failure. A clustered File Server can be deployed as a SOFS through Failover Cluster Manager as described at the end of this article.

The SOFS will publish the VHD’s file share location (known as the “CSV Namespace”) on every node. This active/active configuration allows clients to be able to access their storage through multiple pathways. This provides additional resiliency and availability because if one node crashes, the VM will temporarily pause its transactions until it can quickly reconnect to the disk via another active node, but it remains online.

Since the SOFS runs on a standard Windows Server Failover Cluster, it must follow the hardware guidance provided by Microsoft. One of the fundamental rules of failover clustering is that all the hardware and software should be identical. This allows a VM or file server to operate the same way on any cluster node, as all the settings, file paths, and registry settings will be the same. Make sure you run the Cluster Validation tests and follow Altaro’s Cluster Validation troubleshooting guidance if you see any warnings or errors.

The following figure shows a SOFS deployed in the same cluster. The clustered SMB shares create a highly-available CSV namespace allowing VMs to access their disk through multiple file paths.

A Failover Cluster using Clustered SMB File Shares for CSV Disk Access

Figure 3 – A Failover Cluster using Clustered SMB File Shares for CSV Disk Access

Storage Spaces Direct (S2D) with SOFS

Storage Spaces Direct (S2D) lets organizations deploy small failover clusters with no shared storage. S2D will generally use commodity servers with direct-attached storage (DAS) to create clusters that use mirroring to replicate their data between local disks to keep their states consistent. These S2D clusters can be deployed as Hyper-V hosts, storage hosts or in a converged configuration running both roles. The storage uses Scale-Out File Servers to host the shares for the VHD files.

In Figure 4, a SOFS cluster is shown which uses storage spaces direct, rather than shared storage, to host the CSV volumes and VHD files. Each CSV volume and its respective VHDs are mirrored between each of the local storage arrays.

 A Failover Cluster with Storage Spaces Direct (S2D)

Figure 4 – A Failover Cluster with Storage Spaces Direct (S2D)

Infrastructure Scale-Out File Server (SOFS)

Windows Server 2019 introduced a new Scale-Out File Server role called the Infrastructure File Server. This functions as the traditional SOFS, but it is specifically designed to only support Hyper-V virtual infrastructure with no other types of roles. There can also be only one Infrastructure SOFS per cluster.

The Infrastructure SOFS can be created manually via PowerShell or automatically when it is deployed by Windows Azure Stack or System Center Virtual Machine Manager (SCVMM). This role will automatically create a CSV namespace share using the syntax \\InfraSOFSName\Volume1. Additionally, it will enable the Continuous Availability (CA) setting for the SMB shares, also known as SMB Transparent Failover.

Infrastructure File Server Role on a Windows Server 2019 Failover Cluster

Figure 5 – Infrastructure File Server Role on a Windows Server 2019 Failover Cluster

Cluster Sets

Windows Server 2019 Failover Clustering introduced the management concept of cluster sets. A cluster set is a collection of failover clusters which can be managed as a single logical entity. It allows VMs to seamlessly move between clusters, which lets organizations create a highly-available infrastructure with almost limitless capacity. To simplify the management of the cluster set, a single namespace can be used to access it. This namespace can run on a SOFS for continual availability, and clients will automatically be redirected to the appropriate location within the cluster set.

The following figure shows two Failover Clusters within a cluster set, both of which are using a SOFS. Additionally, a third independent SOFS is deployed to provide highly-available access to the cluster set itself.

A Scale-Out File Server with Cluster Sets

Figure 6 – A Scale-Out File Server with Cluster Sets

Guest Clustering with SOFS

Acquiring dedicated physical hardware is not required for the SOFS as this can be fully-virtualized. When a cluster runs inside of VMs instead of physical hardware, this is known as guest clustering. However, you should not run a SOFS within a VM which it is providing the namespace for, as it can get into a situation where it cannot start the VM since it cannot access the VM’s own VHD.

Microsoft Azure with SOFS

Microsoft Azure allows you to deploy virtualized guest clusters in the public cloud. You will need at least 2 storage accounts, each with a matching number and size of disks. It is recommended to use at least DS-series VMs with premium storage. Since this cluster is already running in Azure, it can also use a cloud witness for its quorum.

You can even download an Azure VM template which comes as a pre-configured two-node Windows Server 2016 Storage Spaces Direct (S2D) Scale-Out File Server (SOFS) cluster.

System Center Virtual Machine Manager (VMM) with SOFS

Since the Scale-Out File Server has become an important role in virtualized infrastructures, System Center Virtual Machine Manager (VMM) has tightly integrated it into their fabric management capabilities.

Deployment

VMM makes it fairly easy to deploy SOFS throughout your infrastructure on bare-metal or Hyper-V hosts. You can add existing file servers under management or deploy each SOFS throughout your fabric. For more information visit:

When VMM is used to create a cluster set, an Infrastructure SOFS is automatically created on the Management Server (if it does not already exist). This file share will host the single shared namespace used by the cluster set.

Configuration

Many of the foundational components of a Scale-Out File Server can be deployed and managed by VMM. This includes the ability to use physical disks to create storage pools that can host SOFS file shares. The SOFS file shares themselves can also be created through VMM. If you are also using Storage Spaces Direct (S2D) then you will need to create a disk witness which will use the SOFS to host the file share. Quality of Service (QoS) can also be adjusted to control network traffic speed to resources or VHDs running on the SOFS shares.

Management Cluster

In large virtualized environments, it is recommended to have a dedicated management cluster for System Center VMM. The virtualization management console, database, and services are highly-available so that they can continually monitor the environment. The management cluster can use a unified storage namespace that runs on a Scale-Out File Server, granting additional resiliency to the storage and its clients.

Library Share

VMM uses a library to store files which may be deployed multiple times, such as VHDs or image files. The library uses an SMB file share as a common namespace to access those resources, which can be made highly-available using a SOFS. The data in the library itself cannot be stored on a SOFS, but rather on a traditional clustered file server.

Update Management

Cluster patch management is one of the most tedious tasks which administrators face as it is repetitive and time-consuming. VMM has automated this process through serially updating one node at a time while keeping the other workloads online. SOFS clusters can be automatically patched using VMM.

Rolling Upgrade

Rolling upgrade refers to the process where infrastructure servers are gradually updated to the latest version of Windows Server. Most of the infrastructure servers managed by VMM can be included in the rolling upgrade cycle, which functions like the Update Management feature. Different nodes in the SOFS cluster are sequentially placed into maintenance mode (so the workloads are drained), updated, patched, tested and reconnected to the cluster. Workloads gradually migrate to the newly installed nodes while the older nodes wait to be updated, until all the SOFS cluster nodes are running the latest version of Windows Server.

Internet Information Services (IIS) Web Server with SOFS

Everything in this article so far has discussed SOFS in the context of Hyper-V VMs. SOFS is gradually being adopted by other infrastructure services to provide high availability for the critical components that depend on SMB file shares.

The Internet Information Services (IIS) Web Server hosts websites. To distribute network traffic, multiple IIS servers are usually deployed; any configuration or content they have in common (an IIS shared configuration, for example) can be stored on a Scale-Out File Server.

Remote Desktop Services (RDS) with SOFS

The Remote Desktop Services (RDS) role has a popular feature, user profile disks (UPDs), which gives each user a dedicated data disk stored on a file server. Placing that file share path on a SOFS makes access to the share highly available.

SQL Server with SOFS

Certain SQL Server deployments can use SOFS to make their SMB connections highly available. Starting with SQL Server 2012, SMB file shares are a supported storage option for the database engine and its databases, including the system databases master, msdb, model and tempdb. The SQL Server instance itself can be standalone or a failover cluster instance (FCI).

Deploying a SOFS Cluster & Next Steps

Now that you understand the planning considerations, you are ready to deploy the SOFS. In Failover Cluster Manager, launch the High Availability Wizard and select the File Server role, then choose the File Server Type: File Server for general use creates a traditional clustered file server, while Scale-Out File Server for application data creates a SOFS.

The interface is shown in the following figure, and the option is described there as: "Use this option to provide storage for server applications or virtual machines that leave files open for extended periods of time. Scale-Out File Server client connections are distributed across nodes in the cluster for better throughput. This option supports the SMB protocol. It does not support the NFS protocol, Data Deduplication, DFS Replication, or File Server Resource Manager."

Figure 7 – Installing a Scale-Out File Server (SOFS)
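The same deployment done from PowerShell rather than the wizard, as an added example that is not part of the original article. The cluster name FSCluster, the SOFS name SOFS01, the CSV path, the share name VMs and the CONTOSO\HyperV-Hosts and CONTOSO\FS-Admins groups are all assumptions for illustration.

```powershell
# Added example (not from the article): deploy the SOFS role and a continuously
# available share with PowerShell instead of the High Availability Wizard.
# Assumptions: a cluster named 'FSCluster' already exists with a CSV mounted at
# C:\ClusterStorage\Volume1, the SOFS is to be called 'SOFS01', and the Hyper-V
# hosts' computer accounts are members of 'CONTOSO\HyperV-Hosts'.
#Requires -Modules FailoverClusters, SmbShare
$cluster    = 'FSCluster'
$sofsName   = 'SOFS01'
$shareName  = 'VMs'
$sharePath  = 'C:\ClusterStorage\Volume1\Shares\VMs'
$hostsGroup = 'CONTOSO\HyperV-Hosts'
$adminGroup = 'CONTOSO\FS-Admins'

# 1. Add the "Scale-Out File Server for application data" role. The client
#    access point is a distributed network name, so no IP address resource
#    is created; every node answers for the name.
Add-ClusterScaleOutFileServerRole -Name $sofsName -Cluster $cluster

# 2. Create the folder on the CSV (from any node) and publish it as a
#    continuously available share, which is what gives SMB clients transparent
#    failover when a node goes down for patching.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
New-SmbShare -Name $shareName -Path $sharePath -ScopeName $sofsName `
    -ContinuouslyAvailable $true `
    -FullAccess $hostsGroup, $adminGroup
# Option: add -EncryptData $true above to encrypt VM traffic on the wire;
# it costs CPU on both sides, so decide per network, not by default.

# 3. Least privilege: only the host computer accounts and storage admins are
#    on the share ACL. Copy that ACL onto the NTFS folder so there is a single
#    effective permission set rather than a looser NTFS ACL underneath.
Set-SmbPathAcl -ShareName $shareName -ScopeName $sofsName

# 4. Verify before handing the UNC path (\\SOFS01\VMs) to VMM or the hosts.
Get-SmbShare -Name $shareName -ScopeName $sofsName |
    Select-Object Name, ScopeName, Path, ContinuouslyAvailable, EncryptData
Get-SmbShareAccess -Name $shareName -ScopeName $sofsName
```

The share is scoped to the SOFS name (-ScopeName), not to the node you ran the commands on; a share created without the scope would be a local share on one node and would not follow the role.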

Now you should have a fundamental understanding of the use and deployment options for the SOFS. For additional information about deploying a Scale-Out File Server (SOFS), please visit https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview. If there’s anything you want to ask about SOFS, let me know in the comments below and I’ll get back to you!

Go to Original Article
Author: Symon Perriman

Windows IIS server hardening checklist

Default configurations for most OSes are not designed with security as the primary focus. Rather, they concentrate on ease of setup, use and communications. Therefore, web servers running default configurations are obvious targets for automated attacks and can be quickly compromised.

Device hardening is the process of enhancing web server security through a variety of measures to minimize its attack surface and eliminate as many security risks as possible in order to achieve a much more secure OS environment.

Because web servers are constantly attached to the internet and often act as gateways to an organization’s critical data and services, it is essential to ensure they are hardened before being put into production.

Consult this server hardening checklist to ensure server hardening policies are correctly implemented for your organization’s Windows Internet Information Services (IIS) server.

General

  • Never connect an IIS server to the internet until it is fully hardened.
  • Place the server in a physically secure location.
  • Do not install the IIS server on a domain controller.
  • Do not install a printer.
  • Use two network interfaces in the server: one for admin and one for the network.
  • Install service packs, patches and hot fixes.
  • Apply the Microsoft Security Compliance Toolkit baseline for the OS version.
  • Run IIS Lockdown on the server (IIS 6 and earlier; on IIS 7 and later its function is built in).
  • Install and configure URLScan (IIS 6 and earlier; the Request Filtering module replaces it on IIS 7 and later).
  • Secure remote administration of the server, and configure for encryption, low session timeouts and account lockouts.
  • Disable unnecessary Windows services.
  • Ensure services are running with least-privileged accounts.
  • Disable FTP, Simple Mail Transfer Protocol and Network News Transfer Protocol services if they are not required.
  • Disable Telnet service.
  • Disable ASP.NET state service if not used by your applications.
  • Disable Web Distributed Authoring and Versioning if not used by the application, or secure it if it is required.
  • Do not install Microsoft Data Access Components (MDAC) unless specifically needed.
  • Do not install the HTML version of Internet Services Manager.
  • Do not install Microsoft Index Server unless required.
  • Do not install Microsoft FrontPage Server Extensions (FPSE) unless required.
  • Harden the TCP/IP stack.
  • Disable NetBIOS and Server Message Block on the internet-facing interface, closing ports 137, 138, 139 and 445.
  • Configure the page file to be cleared at shutdown, and do not let the recycle bin retain deleted server data.
  • Secure the firmware (BIOS/UEFI, historically CMOS) settings: set a firmware password and restrict the boot device order.
  • Secure physical media — CD-ROM drive and so on.

Accounts

  • Remove unused accounts from the server.
  • Disable Windows Guest account.
  • Rename Administrator account, and set a strong password.
  • Disable the IUSR_<machine> account if it is not used by the application (IIS 6 and earlier; IIS 7 and later use the built-in IUSR identity instead).
  • Create a custom least-privileged anonymous account if applications require anonymous access.
  • Do not give the anonymous account write access to web content directories or allow it to execute command-line tools.
  • If you host multiple web applications, configure a separate anonymous user account for each one.
  • Configure ASP.NET process account for least privilege. This only applies if you are not using the default ASP.NET account, which is a least-privileged account.
  • Enforce strong account and password policies for the server.
  • Enforce two-factor authentication where possible.
  • Restrict remote logons. (The “access this computer from the network” user right is removed from the Everyone group.)
  • Do not share accounts, whether among administrators or between users and administrators.
  • Disable null sessions (anonymous logons).
  • Require approval for account delegation.
  • Do not create more than two accounts in the administrator group.
  • Require administrators to log on locally, or secure the remote administration system.

Files and directories

  • Use multiple disks or partition volumes, and do not install the web server home directory on the same volume as the OS folders.
  • Keep files and directories on NTFS volumes.
  • Put website content on a nonsystem NTFS volume.
  • Create a new site, and disable the default site.
  • Put log files on a nonsystem NTFS volume but not on the same volume where the website content resides.
  • Restrict the Everyone group: no access to \WINNT\system32 (\Windows\System32 on current versions) or to the web directories.
  • Ensure website root directory has deny write access control entry (ACE) for anonymous internet accounts.
  • Ensure content directories have deny write ACE for anonymous internet accounts.
  • Remove resource kit tools, utilities and SDKs.
  • Remove any sample applications or code.
  • Remove IP address in header for Content-Location.

Shares

  • Remove all unnecessary shares, including the default administrative shares.
  • Restrict access to required shares; the Everyone group does not have access.
  • Remove the administrative shares (C$ and ADMIN$) if they are not required. Some management agents, such as System Center Configuration Manager (formerly Systems Management Server) and Operations Manager (formerly Microsoft Operations Manager), need these shares; check before removing them.

Ports

  • Restrict internet-facing interfaces to port 443 (HTTPS).
  • Run the IIS Lockdown Wizard on the server (IIS 6 and earlier; use Request Filtering on IIS 7 and later).

Registry

  • Restrict remote registry access.
  • Secure the local Security Account Manager (SAM) database by implementing the NoLMHash Policy.
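The Accounts, Files and directories, Shares and Registry items above applied with PowerShell, as an added example that is not part of the checklist. It assumes IIS 7 or later on a standalone (non-domain) server with the WebAdministration and Microsoft.PowerShell.LocalAccounts modules; the site name www, the content path D:\Sites\www\wwwroot, the anonymous account svc_www_anon and the renamed administrator srvadm-local are illustrative names.

```powershell
# Added example, not from the checklist: a per-site least-privileged anonymous
# identity, deny-write NTFS ACLs on content, removal of the default shares and
# the registry/LSA items in the checklist. Assumptions: IIS 7+ on a standalone
# server; 'www', D:\Sites\www\wwwroot, 'svc_www_anon' and 'srvadm-local' are
# illustrative names.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$site       = 'www'
$contentDir = 'D:\Sites\www\wwwroot'
$anonUser   = 'svc_www_anon'

# --- Accounts -------------------------------------------------------------
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Rename-LocalUser  -Name 'Administrator' -NewName 'srvadm-local' -ErrorAction SilentlyContinue

# A random 256-bit password for the anonymous identity. Nobody logs on with it
# interactively; it only has to reach the IIS configuration, which stores it
# encrypted. The plaintext is dropped from the session as soon as it is set.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$anonPw = [Convert]::ToBase64String($bytes)
New-LocalUser -Name $anonUser -Password (ConvertTo-SecureString $anonPw -AsPlainText -Force) `
    -PasswordNeverExpires -UserMayNotChangePassword `
    -Description "IIS anonymous identity for site $site" | Out-Null

# One anonymous account per site: a bug in one application cannot read the
# content of another site running under a different identity.
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $anonFilter -Name userName -Value ".\$anonUser"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $anonFilter -Name password -Value $anonPw
Remove-Variable anonPw, bytes

# --- Files and directories ------------------------------------------------
# Break inheritance (drops Everyone/Users), then grant the minimum: the
# anonymous identity reads and executes content only, plus an explicit deny on
# write so a later careless grant cannot make the content directory writable.
New-Item -ItemType Directory -Path $contentDir -Force | Out-Null
icacls $contentDir /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' "${anonUser}:(OI)(CI)RX" | Out-Null
icacls $contentDir /deny "${anonUser}:(OI)(CI)W" | Out-Null

# --- Shares ---------------------------------------------------------------
# Drop the default administrative shares (C$, D$, ADMIN$ ...). They are
# recreated at every boot unless AutoShareServer is 0. Skip this step if a
# management agent on the box still needs them.
Get-SmbShare | Where-Object { $_.Name -match '^[A-Z]\$$|^ADMIN\$$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
# Whatever shares remain: Everyone has no access.
Get-SmbShare -Special $false | ForEach-Object {
    Revoke-SmbShareAccess -Name $_.Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
}

# --- Registry / LSA -------------------------------------------------------
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name NoLMHash            -Value 1 -Type DWord  # no LM hashes in the SAM
Set-ItemProperty -Path $lsa -Name RestrictAnonymous   -Value 1 -Type DWord  # no null-session enumeration
Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM -Value 1 -Type DWord
Stop-Service RemoteRegistry -ErrorAction SilentlyContinue
Set-Service  RemoteRegistry -StartupType Disabled

# Verify: the anonymous identity should show only RX plus the deny-write ACE.
icacls $contentDir | Select-String $anonUser
```

NoLMHash only stops new LM hashes from being stored; existing accounts keep theirs until their password is next changed, so rotate passwords after setting it.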

Auditing and logging

  • Audit failed logon attempts.
  • Relocate and secure IIS log files.
  • Configure log files with an appropriate file size depending on the application security requirement.
  • Regularly archive and analyze log files.
  • Audit access to the IIS configuration files: MetaBase.xml and MBSchema.xml on IIS 6, applicationHost.config (under %systemroot%\System32\inetsrv\config) on IIS 7 and later.
  • Configure IIS to log in the W3C extended log file format.
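An added example, not part of the checklist, that puts the logging items above into practice: logs relocated to a non-system volume in W3C extended format with restricted permissions, failed-logon auditing enabled at the OS level, and a small parser that runs over W3C log lines to flag the probe patterns the script-mapping section exists to stop. It assumes IIS 7 or later; the site name www and the path E:\IISLogs are assumptions, and the log lines at the bottom are constructed for the example, not real traffic.

```powershell
# Added example, not from the checklist: log placement, format and ACL, OS
# failed-logon auditing, and a W3C extended log parser that flags requests for
# legacy extensions and path-traversal attempts. Assumptions: IIS 7+, site
# 'www', log root E:\IISLogs; the sample log at the end is constructed.
#Requires -RunAsAdministrator
Import-Module WebAdministration
$site   = 'www'
$logDir = 'E:\IISLogs'

# --- Relocate and secure the logs ----------------------------------------
# HTTP.sys writes the W3C log as SYSTEM, so only SYSTEM and Administrators
# need rights; inheritance is broken so Users/Everyone get nothing.
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
icacls $logDir /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

$sitePath = "IIS:\Sites\$site"
Set-ItemProperty $sitePath -Name logFile.directory -Value $logDir
Set-ItemProperty $sitePath -Name logFile.logFormat -Value 'W3C'
Set-ItemProperty $sitePath -Name logFile.period    -Value 'Daily'    # bounds each file's size
Set-ItemProperty $sitePath -Name logFile.logExtFileFlags -Value `
    'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,TimeTaken,UserAgent'

# --- Audit failed logons at the OS level ----------------------------------
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
auditpol /set /subcategory:"Credential Validation" /failure:enable | Out-Null

# --- Analyse: flag legacy-extension probes and traversal attempts ----------
function Find-SuspiciousRequests {
    param([Parameter(Mandatory)][string[]]$Lines)
    $legacy = '\.(idq|htw|ida|shtml|shtm|stm|idc|htr|printer)$'
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {               # the column map is in the header
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # Decode twice: "..%255c.." only turns into "..\.." on the second pass.
        $stem = $rec['cs-uri-stem']
        for ($k = 0; $k -lt 2; $k++) { $stem = [uri]::UnescapeDataString($stem) }
        $reason = $null
        if ($stem -match $legacy)            { $reason = 'legacy-extension' }
        elseif ($stem -match '\.\.[\\/]')    { $reason = 'path-traversal' }
        if ($reason) {
            [pscustomobject]@{ ClientIP = $rec['c-ip']; Uri = $stem; Status = $rec['sc-status']; Reason = $reason }
        }
    }
}

# Constructed sample (not real traffic) in the format the settings above produce;
# sc-substatus 7 is Request Filtering's "file extension denied".
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status time-taken
2020-03-01 10:00:01 203.0.113.7 - 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXX 404 7 0 3
2020-03-01 10:00:02 203.0.113.7 - 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 0 2 1
2020-03-01 10:00:05 198.51.100.4 - 192.0.2.10 GET /index.html - 200 0 0 12
2020-03-01 10:00:06 203.0.113.7 - 192.0.2.10 GET /printers/x.printer - 404 7 0 2
'@ -split "`r?`n"

Find-SuspiciousRequests -Lines $sampleLog | Group-Object ClientIP |
    Select-Object Name, Count, @{ n = 'Reasons'; e = { ($_.Group.Reason | Sort-Object -Unique) -join ',' } }
```

On the constructed sample the report lists 203.0.113.7 with three hits (legacy-extension and path-traversal) and nothing for 198.51.100.4. To run it over real logs, replace $sampleLog with Get-Content over the files in E:\IISLogs\W3SVC*\.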

Sites and virtual directories

  • Put websites on a nonsystem partition.
  • Disable Parent Paths setting.
  • Remove any unnecessary virtual directories.
  • Remove or secure MDAC Remote Data Services virtual directory.
  • Do not grant included directories read web permission.
  • Restrict write and execute web permissions for anonymous accounts in virtual directories.
  • Ensure there is script source access only on folders that support content authoring.
  • Ensure there is write access only on folders that support content authoring and these folders are configured for authentication and SSL encryption.
  • Remove FPSE if not used. If FPSE are used, update and restrict access to them.
  • Remove the IIS Internet Printing virtual directory.

Script mappings

  • Map extensions not used by the application to 404.dll: .idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer.
  • Map unnecessary ASP.NET file type extensions to HttpForbiddenHandler in Machine.config.

ISAPI filters

IIS Metabase

  • Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin). On IIS 7 and later the equivalent is the config directory, %systemroot%\system32\inetsrv\config.
  • Restrict IIS banner information (disable IP address in content location).

Server certificates

  • Ensure certificate date ranges are valid.
  • Only use certificates for their intended purpose. For example, the server certificate is not used for email.
  • Ensure the certificate’s public key is valid, all the way to a trusted root authority.
  • Confirm that the certificate has not been revoked.
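An added example, not part of the checklist, that checks every certificate bound to an IIS HTTPS endpoint for the four points above: validity window, intended purpose (Server Authentication EKU), a chain to a trusted root, and revocation. It uses the WebAdministration binding list and the .NET X509Chain class; the function and variable names are mine, and the check assumes the server can reach the CRL/OCSP endpoints named in its certificates.

```powershell
# Added example, not from the checklist: validate the certificates behind the
# IIS SSL bindings for date range, EKU, trust chain and revocation.
# Assumes IIS 7+ with the WebAdministration module.
Import-Module WebAdministration
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-IisServerCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    $problems = @()

    # 1. Date range (and a 30-day early warning so renewal is not a surprise).
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($Cert.NotAfter -lt $now) { $problems += 'expired' }
    elseif ($Cert.NotAfter -lt $now.AddDays(30)) { $problems += 'expires within 30 days' }

    # 2. Intended purpose: a server certificate must carry Server Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems += 'no Server Authentication EKU'
    }

    # 3 + 4. Build the chain to a trusted root with online revocation checking
    #        for every certificate in it, restricted to the TLS-server policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $serverAuthOid)) | Out-Null
    if (-not $chain.Build($Cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    $chain.Reset()

    $summary = 'none'
    if ($problems) { $summary = $problems -join '; ' }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Problems   = $summary
    }
}

# Walk the HTTPS bindings and look each certificate up in the machine store.
Get-ChildItem IIS:\SslBindings | ForEach-Object {
    $store = 'My'
    if ($_.Store) { $store = $_.Store }
    $cert = Get-Item "Cert:\LocalMachine\$store\$($_.Thumbprint)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        [pscustomobject]@{
            Subject    = "binding $($_.IPAddress):$($_.Port) $($_.Host)"
            Thumbprint = $_.Thumbprint
            NotAfter   = $null
            Problems   = 'certificate not found in the local machine store'
        }
    } else {
        Test-IisServerCertificate -Cert $cert
    }
} | Format-Table -AutoSize -Wrap
```

A hardened server with no outbound access will report RevocationStatusUnknown for every certificate; that is a finding about egress for CRL/OCSP, not a pass, and should be resolved rather than suppressed.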

Machine.config

  • Map protected resources to HttpForbiddenHandler.
  • Remove unused HttpModules.
  • Disable tracing: <trace enabled="false"/>.
  • Turn off debug compiles: <compilation debug="false" explicit="true" defaultLanguage="vb">.
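The Sites and virtual directories, Script mappings, IIS Metabase and Machine.config items above as IIS 7 and later configuration, added here as an example that is not part of the checklist. On IIS 7 and later the metabase is replaced by applicationHost.config, IIS Lockdown and URLScan by the Request Filtering module, and the IP address in Content-Location by the serverRuntime/alternateHostName setting. The site name www, the path D:\Sites\www\wwwroot and the host name www.example.com are assumptions.

```powershell
# Added example, not from the checklist: site, request-filtering, banner and
# ASP.NET settings via the WebAdministration module. Assumptions: IIS 7+ (the
# Server-header removal needs IIS 10); 'www', D:\Sites\www\wwwroot and
# www.example.com are illustrative.
#Requires -RunAsAdministrator
Import-Module WebAdministration
$appHost   = 'MACHINE/WEBROOT/APPHOST'
$filtering = 'system.webServer/security/requestFiltering'
$site      = 'www'
$fqdn      = 'www.example.com'

# --- Sites: new site on a non-system volume, default site stopped ---------
if (-not (Get-Website -Name $site)) {
    New-Website -Name $site -PhysicalPath 'D:\Sites\www\wwwroot' -Port 443 -Ssl -HostHeader $fqdn | Out-Null
}
Stop-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue
Set-ItemProperty 'IIS:\Sites\Default Web Site' -Name serverAutoStart -Value $false -ErrorAction SilentlyContinue

# Parent paths off (no "..\" in classic ASP includes; only matters if ASP is
# installed) and WebDAV removed entirely rather than "secured".
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/asp' -Name enableParentPaths -Value $false -ErrorAction SilentlyContinue
Uninstall-WindowsFeature -Name Web-DAV-Publishing -ErrorAction SilentlyContinue | Out-Null

# --- Script mappings: legacy extensions refused before any handler runs -----
# Request Filtering answers 404.7 for these. The list is the one the checklist
# maps to 404.dll on IIS 5/6.
$legacyExt = '.idq','.htw','.ida','.shtml','.shtm','.stm','.idc','.htr','.printer'
$already = @((Get-WebConfiguration -PSPath $appHost -Filter "$filtering/fileExtensions/add").fileExtension)
foreach ($ext in $legacyExt) {
    if ($ext -in $already) { continue }
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$filtering/fileExtensions" -Name '.' `
        -Value @{ fileExtension = $ext; allowed = 'false' }
}
# Verbs a content site never needs (TRACE/TRACK echo requests; the rest are WebDAV).
foreach ($verb in 'TRACE','TRACK','PUT','DELETE','PROPFIND','MKCOL') {
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$filtering/verbs" -Name '.' `
        -Value @{ verb = $verb; allowed = 'false' } -ErrorAction SilentlyContinue
}

# --- Banner information ---------------------------------------------------
# Content-Location and redirect URLs carry this name instead of the server IP.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/serverRuntime' -Name alternateHostName -Value $fqdn
# IIS 10: drop the Server header; X-Powered-By is a plain custom header on all versions.
Set-WebConfigurationProperty -PSPath $appHost -Filter $filtering -Name removeServerHeader -Value $true -ErrorAction SilentlyContinue
Remove-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
    -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

# --- Machine.config items --------------------------------------------------
# Set at the root web.config (MACHINE/WEBROOT), which every site inherits, so
# a site-level web.config has to opt back in explicitly. Repeat for the 32-bit
# framework's root web.config if any application pool runs 32-bit.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/compilation' -Name debug   -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/trace'       -Name enabled -Value $false

# Verify: extensions now refused at the server level.
Get-WebConfiguration -PSPath $appHost -Filter "$filtering/fileExtensions/add" |
    Where-Object { -not $_.allowed } | Select-Object fileExtension
```

After applying this, a request for /anything.ida should return 404.7 in the IIS log (sc-status 404, sc-substatus 7) without the request ever reaching a handler.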
