60% Virtualized Servers Less Secure Than Physical Servers
Today I found an interesting article from Gartner. They predict that in 2012, 60 percent of all virtual servers will be less secure than the physical servers they replace. Gartner expects this percentage to drop to 30% at the end of 2015.
These are the main risks Gartner identified; for the complete article check this page.
- Information Security Isn't Initially Involved in the Virtualization Projects
- A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
- The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
- Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
- Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
- There Is a Potential Loss of Separation of Duties for Network and Security Controls
"Virtualization is not inherently insecure," said Neil MacDonald, vice president and Gartner fellow. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
Project VRC Phase II:
Latest generation virtualization techniques doubles capacity terminal servers
With that statement Ruben and Jeroen have just released Phase II of Project Virtual Reality Check (VRC). To create this whitepaper they have done more than 150 tests with Login VSI to measure the performance of servers while being stressed by a great number of simulated users. This whitepaper has a few advantages over whitepapers published by the vendors themselves and whitepapers published by blogs that are only testing one hypervisor:
- The whitepaper is truly independent
- The whitepaper is approved by the different vendors
- Everybody can repeat the tests with the freely available Login VSI
- The authors aren’t biased
- You can compare the results easily (the servers have been stressed the same way)
One of the most interesting conclusions of Phase II: The performance increase measured is not caused by improvements to the hypervisor but mainly by Intel’s innovations in the Nehalem architecture. VRC states that it can be almost solely credited for the performance improvements seen with TS workloads.
Get your free copy of the whitepaper at www.projectvrc.com

Independent benchmarking
Woohoo!! When we were creating Login VSI we had a few goals in mind; one of them is becoming the de facto standard for benchmarking virtual environments (TS/VDI/bare metal etc.). And I have to say: something is happening in the industry. To begin with we have Project VRC by Ruben and Jeroen, but recently Citrix published some rather interesting whitepapers.
- Official Citrix Whitepaper with 5000 XenDesktop users. http://bit.ly/c5a0n5
Use free and reputable tools like LoginVSI from Login Consultants to simulate real-world-like user workloads.
- Official Citrix Whitepaper Single server scalability with XenDesktop http://bit.ly/b4MH75
VM density results are highly dependent upon workload characteristics. We used a workload called Login VSI, created by an independent company, Login Consultants. Login VSI, is well known in the VDI and terminal services community with testing of 8 various terminal services and VDI solutions from multiple vendors in a comprehensive, ongoing test project called Project Virtual Reality Check.
AutoIT is enterprise ready!?
In IT, everybody I meet always has something against AutoIT. This is for an obvious reason: you don’t want to use recorded mouse clicks or sendkeys to install your applications unless there is really (no really!) no other option left.
In everyday usage I use AutoIT to create most parts of Login VSI. It's perfect for emulating the user workloads because it works like a real user, and because I don't have real programming skills the rest of VSI is also created in AutoIT script.
You would think a large company would do this a little differently; maybe they would create the workloads in AutoIT scripts, but creating the configuration GUIs would be done much more professionally… Well, VMware disagrees, apparently.
Conclusion: +1 for the AutoIT team and –1 for VMware!
Citrix EdgeSight will break March 25th
Well, it’s always nice to know when your production environment will break; I wish I knew this for all software running in my environment. But it doesn't look really professional from the vendor side. And this time the vendor is: Citrix!
As of 2010-03-25 (March 25th, 2010), EdgeSight 5.0 and 5.1 (all service packs) will stop functioning.
Customers will receive the following error message for payload uploads:
“Archive load error: The archive '/edgesight/app/suser/ZRemoteLib.zpd#12!lsync.htm' is not appropriately signed. The system cannot find the file specified.”
General symptoms: Payloads will not be uploaded and many of the EdgeSight components will not work properly resulting in different errors.
Congrats to Citrix for reintroducing a bug they already discovered in version 4.5 of their software product!
App-V Self Support Tool
We all remember the last tool created by Peter Nap: App-V on a stick, but Peter didn't stop there. Yesterday Login Consultants released a new tool: The App-V Self Support Tool. One of the things that you will find out early on when actual users start working with App-V, is that sometimes they manually need to reset, preload and refresh their virtualized applications. As a result, you will need to give users access to the App-V client MMC plug-in.
The problem is, the MMC is typically off-limits for normal users in the enterprise because of security policies on desktops and laptops. And even when users have access, try explaining to non-technical users how to work with the App-V client MMC plug-in. The App-V client configuration is simply way too clunky for normal users.
The great thing about the App-V Self Support tool is that it consists of just 2 files that do not have to be installed: one executable and one XML file for the configuration. This makes enterprise deployment quite easy: just drop the files anywhere on the client and provide the users a shortcut to start the application.
The interface is deliberately simplified, so users can find their way around. There are only a few options: View, Language, Repair, Cache, Start and Refresh. Users do not need anything more, and more importantly, they are not required to ask the helpdesk to support them.
Download the App-V Self Support (App-V SST) tool here.
[Virtualizing the App-V Support tool is not recommended! (No really.. it breaks)]
Disk to VHD Converter (Disk2VHD)
The Sysinternals guys did it again. This time they have given us the "Poor man's P2V" solution, and they call it: Disk2VHD.
The idea behind this is pretty cool: they use the Windows Volume Snapshot capability to create consistent point-in-time snapshots of the volumes you want to convert. It will create one VHD for every disk but it will only include the partitions you select. The really cool thing about this: You can run it ONLINE!
There are some (small) limitations: the VHD size limit is 127GB (because Virtual PC doesn't support bigger VHDs), and do not attach the VHDs on the same system you created them on, because you will get a collision with the signature of the VHD’s source disk.
Of course they put it in their Sysinternals Suite, which can be downloaded from here.
Add optional updates to MDT
Howto:
- Add a new application
  - Standard application
    - Quiet installation command: cscript.exe "%SCRIPTROOT%\ZTIWindowsUpdate.wsf"
That’s it

Whoo!! VMware reads our blog.
Or maybe not; it could be they already planned to release a new beta version of ThinApp in November. VMware announced this news at VMworld 2009. The final release is planned for Q1 2010, a little late if you ask me, since there are already some working versions out there: for instance check Ruben's video.
Next to that I also found a nice howto that shows how to decompile ThinApp and Xenocode packages created by NickOn and a nice little script that executes Thinreg in a decent way with support for recursive folders (here).
Login VSI 2.0 Beta 3
Being one of the developers of Login VSI, of course I have to post something about it, but since we at IThastobeCool want to give you something special I decided to create a video of what Login VSI really does.
The video shows you the “Medium” user workload of Login VSI Express (read: Free). In this session we measure user experience by timing window events. You can imagine running this test with one user does not tell you the performance of the server, but look what happens when you add 287!
“Login VSI 2.0 is the second iteration of Login VSI 1.0: the free and specifically designed benchmark for SBC and VDI environments. VSI 2.0 introduces completely new workloads, and an improved and more accurate index called VSImax. Overall, VSI 2.0 will be a much smoother experience; many best practices and lessons learned from project VRC are now included in this release. The free version will now be called “Login VSI 2.0 Express”, the advanced version is called “Login VSI 2.0 PRO”. The most important new 2.0 features are:
Workload(s) rebuilt from scratch
· New, more realistic, medium workload (now 10 instead of 18 minutes)
· Real-world end-user websites (with rich flash content)
· Windows 7 and Windows 2008 R2 support
· IE 8 support
· New Zip and PDF printer (BullZip)
· Highly improved robustness (even under extreme loads)
· Improved response timer mechanism and index: VSImax
VSI 2.0 PRO features
· Multilanguage Support (Express only supports English OS and Office)
· Detailed logging
· Runtime calibration of timed events and response time measurement using an external SQL server clock (important for hypervisor comparisons)
· Office 2003 and Office 2010 support
· Customization Support (add your own apps to the VSI workload)
Analyzer Changes
· New VSImax calculation: much more precise
· Automatic renaming of Excel files to “testname.xltm”
· Remember settings from last session
AD Setup Changes
· Split system / user policy objects / added Computers OU
· Improved setup user objects (no password expiry etc)
Launcher
· New pre-launch naming of test: no more archiving of tests needed
Login VSI beta can be downloaded from Login VSI download section.