Poort443

Disable Windows 7 Services to save resources with View

2012-01-31T14:01:00.000+01:00

Every VMware View implementation will try to squeeze as much VM’s out of the available hardware resources as possible. One of the easier ways to do this is to disable unnecessary Windows services to save on RAM and CPU.

This can of course be achieved by disabling the services in the master or template, but from a management perspective it’s better to use Active Directory (AD) group policy to do this. If anything changes later on and some service has to be enabled that was previously thought unnecessary, it can be done dynamically by changing the Group Policy Object (GPO).

A problem with this approach can be that if the Group Policy Management Console (GPMC) is used on a Windows 2008 R2 Server some services that are specific for Windows 7 (and not present on Windows 2008 R2) are not seen. What you can’t see is difficult to disable

Easiest resolution for this is of course to install the GPMC on a Windows 7 VM in the domain. For all kinds of reasons involving permissions on OU’s managed by other departments and compliance reasons I was recently in a position where this was not possible, at least not without a lot of hassle. So for me disabling the Windows 7 Services had to be done in two stages:

Making and exporting a security profile on a Windows 7 View desktop
Importing this security profile on a Windows Server 2008 R2 domain controller

Another advantage to this approach is that the Security Profile that will be created is just a list that can be applied again later. If you’re a consultant and have to do this again and again it saves a lot of time and makes sure you don’t forget things or make typos.

This can be done by creating a Group Policy Security Template on a Windows 7 desktop, and importing this in the GPO for the VMware View desktops. This post will show how this is done.

First you have to decide which services can safely be disabled. As usual “it depends” on your environment and requirements. I recently used this list:

BitLocker Drive Encryption Service
Block Level Backup Engine Service
Bluetooth Service
Desktop Window Manager Session Manager
Diagnostic Policy Service
Disk Defragmenter
Error Reporting Service
Fax
Home Group Listener
Home Group Provider
IP Helper
Microsoft iSCSI Initiator Service
Offline Files
Parental Controls
Secure Socket Tunneling Protocol Service
Tablet PC Input Service
Windows Error Reporting
Windows Media Center Scheduler Service
Windows Media Center Receiver Service
Windows Media Player Network Sharing Service
Wireless Zero Configuration
WLAN AutoConfig
WWAN AutoConfig

Always check what these services actually do. Look at the description and check with Google and Microsoft Technet. Another thing is to check the dependencies of the service. If a service is disabled by GPO, all other services that depend on it will fail to start. With this caution out of the way we can get into the “How-to” of disabling them.

First a list of these services and their startup types has to be made on a Windows 7 VM to import into the GPO. For this you should be on a Windows 7 VM that’s part of the AD domain. Open a MMC and add the plugin “Security Templates”:

Once this plug-in is loaded it needs to be pointed to a path where it can find and store security templates. Use “New Template Search Path…”:

I used C:\Temp. Next do “New Template” and give it a name, you’ll end up with an empty security template:

In this template, locate “System Services”. Select one of the services that’s to be disabled:

Select “Define this policy..” and change the setting to “Disabled”. Also don’t forget to check the “Edit Security” button just to make sure you’ve touched these settings. The permission will than change to “Configured”. Now follows the joy of checking all the services you want disabled. Lots of clicking involved:

When all the services have been checked,the template needs to be exported so it can later be imported into the GPO in place for View:

Use “Save As..” and select a location. The file will have the .inf extension.

This file now needs to be read by the AD GPO that’s made for your VMware View. Open your Group Policy Management Console and edit you View GPO. Go to Computer \ Policy \ Windows Settings and do “Import Policy”. Select the .inf file made earlier and it will be imported into your View GPO.

The result will be that all Windows 7 Services deemed not necessary for use by VMware View will now be disabled, including the services that would not have been seen on the Windows 2008 (R2) platform.

Alternative for the whole thing: Do it in Group Policy Preferences. It also has the ability to change services. I personally think as it’s a limitation forced on users a GPO is the best place for it.

Resources saved, better density of VM’s per host, more value for money

Technorati Tags: VMware,VMware View,GPO

Block VMwareTray.exe using Software Restriction Policies in AD

2011-12-23T14:51:00.000+01:00

In this post I described how it’s possible to hide the VMware Tools Control Panel applet in Windows 7 using Active Directory GPO. Another thing I like to clean up is the VMwareTray application. It’s again a way into the VMware Tools applet and regular users should need no access to it. Also it’s a running process without a real purpose. VMwareTray.exe is located in C:\Program Files\VMware\VMware Tools. It’s started by default for every user by the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools.

VMware’s solution for these things is again KB 1006354. It advises to remove this key so the process does not run. This works of course but for me there are two problems:

The user could start vmwaretray.exe manually. Not a disaster this, but still not what you’re trying to achieve
If the VMware Tools are upgraded the keys will re-appear and will have to be removed again

So I prefer it to be fixed by GPO. If it’s done right it works better and is far less troublesome from a management point of view.

My solution is to use Software Restriction Policies. It’s a standard part of Active Directory’s GPO’s. It can be found under Computer \ Policies \ Windows \ Security Settings \ Software Restriction Policies. By default, no SRP’s are defined. It’s also good to really think about what you’re going to do. SRP’s are really powerful and you could easily produce results you don’t want. To enable SRP:

Click on: “New Software Restriction Policies”. Some default rules are now created. They should probably remain as they are. They make sure that by default everything is allowed to run. What you must do now is create a new “Additional Rule” and choose “Hash Rule”:

In this hash rule you’re given the opportunity to browse to the file you want to block:

Browse to VMwareTray.exe in C:\Program Files\VMware\VMware Tools. Windows will now enter the file information. Leave the Security Level on “Disallowed” and give a meaningful description:

Now you’re done. After a policy update you’ll no longer be able to start VMware tray.exe. If you try to do so anyway you’ll get this message:

“This program is blocked by group policy”. It will also be blocked when the VM starts, so it won’t be running in your System tray. Of course you could also block VMControlPanel.cpl while you’re at it.

Now, when VMware Tools are updated later the VMwareTray.exe might be changed so much that it’s no longer blocked by an SRP. You’d have to make a new hash rule in that case. But that’s still much better than manually editing things in the registry and messing with file security in your View image.

Technorati Tags: VMware,VMware View,GPO

Hiding the VMware Tools applet from the Control Panel

2011-12-23T13:17:00.000+01:00

I spend quite some time designing and building VMware View environments. If you’re like me you don’t want the users of your View desktops limited too much. After all, one of the great advantages of using VDI is that users are less limited than on a Citrix or RDS server. If the View desktop looks like the one at home users will like it more.

It’s still better however if regular users are prohibited from accessing certain settings. Just to make sure that they don’t break crucial things. This is best done with GPO’s (group policy objects in Active Directory). One of the things I don’t want users to see is the VMware Tools applet in the Control Panel. It’s this one:

It’s not too obvious how this should be hidden. Of course many Control Panel applets can be hidden using Active Directory GPO.

VMware actually has a KB article on this subject: KB Article: 1006354. What I don’t like about their solution is that it involves file security to block access to the applets. I prefer doing this kind of thing with GPO’s as it’s a better manageable solution. Also removing the registry key works fine but only until the tools are updated to a newer version. The registry key will than return and you’ll have to manually fix it again. So I tried to find a better way.

If you check your GPO (User \ Policies \ Administrative Templates \ Control Panel) you’ll find “Hide specified Control Panel items”. The “Help” here is actually quite helpful for a change. It mentions how you have to specify something like “Microsoft.Mouse” to remove the Mouse applet in Control Panel. It’s difficult to find the name for the VMware Tools applet though, at least I couldn’t find it. Maybe I checked the wrong places .

It is mentioned that for Vista and earlier you’re supposed to use the .CPL name, if a .CPL exists for the applet in question. The VMware Tools applet does have a .CPL file, it’s located in C:\Program Files\VMware\VMware Tools\VMControlPanel.cpl.

If this name is specified in the “Hide specified Control Panel items” it just doesn’t work. The VMware Tools applet remains in the Control Panel. So I played around with the first way of doing it described in “Help”, the Windows 7 method. It turns out that: “Vmware.VMControlpanel” works. So make a GPO setting like this:

The VMware Tools applet will now disappear from the Control Panel so it can’t be fiddled with.

Next to remove is the VMware tray utility. I’ll do that in another post.

Technorati Tags: VMware,VMware View,GPO

Enable VMware vShield Manager and vShield Endpoint

2011-12-20T12:59:00.001+01:00

For use with Trend Micro Deep Security 7.5

Lately I’ve been working on implementing Trend Micro’s Deep Security in a medium sized VMware View 4.5 environment. We’ll use it to replace the in-VM virus scanning solution now in use. The goal is of course to make the AV management easier and to reduce the load in every VM. The current version of Deep Security is 7.5. It’s not supported yet on vSphere 5, but our View 4.5 pools run on vSphere 4.1 anyway.
First a picture of the DS / vShield architecture to get an idea of what’s involved:

There’s a number of things that have to be done to get DS 7.5 running. Firstly it’s dependent on the presence of VMware vShield Endpoint which has to be enabled first. I’ll focus this post on enabling vShield Endpoint and get back to DS 7.5 later in another post.To enable vShield Endpoint:

You need to add Endpoint licenses to vCenter
Get vShield Manager up and running
Enable vShield Endpoint on your ESX hosts.

I won’t go too much into adding the vShield Endpoint licenses. It’s done in the usual way .
vShield Manager can be downloaded from VMware.com/downloads as an .ova package of 536 MB. The version to use (now) is 4.1.0-310451. If you have the View Premier licenses it can be found under View. If you have the Enterprise licenses it’s not included with View and you’ll have to purchase (and download) vShield Manager separately.
The vShield Manager appliance can be imported using the vSphere Client. Logon is done (using the vSphere Client at this time) with username “admin” and password “default” (the word “default”, not some default value). Get into command mode with “enable” and logon again with the same account. Run the command “setup” to start a short configuration wizard which asks about IP values. The vShield Manager has to be able to reach the ESX servers over their Management or Service Console networks. Later the Deep Security Manager (a Windows server) also needs to be able to get to it. After the vShield Manger is configured with IP, it can be accessed and managed using a web interface.
At this time vShield Manager has to be pointed to vCenter:

It needs the vCenter name or IP address and an account with permissions in vCenter. Once this is saved the vCenter Plug-in can be registered to vCenter:

This can be done on the same page by simply clicking “Register”. While you’re in the vShield Manager you might as well change the default password and enter the correct time.
In vCenter, if you check Plug-ins\Manage Plug-ins the plug-in vShield Manager shows up. Also at the host level you’ll find a new tab called vShield.

If you’ve done the licensing right the option “Install” next to vShield Endpoint will be enabled. Don’t do this with VM’s running. After clicking “Install” you’ll get another screen which for some reason offers an “Install” button again. After clicking this one the actual installation (or enablement, as it was already present) of vShield Endpoint begins. I noticed enabling vShield Endpoint does not ask for a reboot, but to be safe I did it anyway. Of course this will have to be done on all hosts.

Technorati Tags: vShield Endpoint,vShield Manager,VMware,VMware View

vShield Endpoint 5 driver integrated with VMware Tools

2011-12-13T12:25:00.000+01:00

One of the nice new features of vSphere 5 is that the vShield platform is being further developed. Among the changes that were announced earlier was the integration of the vShield Endpoint Thin Agent into VMware Tools. If you deploy vSphere 5 now however, you won’t find the integrated Endpoint driver. Fortunately it really is integrated with VMware Tools but it’s necessary however to get the latest version from VMware.com. It’s all described in VMware KB 2002778 right here. This is how it’s done:

Get the right version of the VMware Tools here.

Open directory “Windows”, and get the right version (x64 or x86) for your OS. Download this file.

Start the installation of the new VMware Tools package. It will upgrade over the existing version. Do a “Custom” installation:

Go to /VMCI Driver / vShield Drivers and choose to install these:

Finish the installation and reboot. Now Endpoint is integrated with your VMware Tools.

Please note that this is all vSphere 5 functionality, and at this time (13-Dec.-2011) it’s not yet supported by Trend Micro Deep Security. It will be with DS8 which is announced for Q1 2012, probably January.

Technorati Tags: Trend Micro DeepSecurity,vShield Endpoint,vShield

Technorati Claim tag

2011-12-12T09:56:00.001+01:00

PSXKWUZQDBNX

It’s hear for technical reasons.

VMware View Security Server – How to use a commercial wildcard certificate

2009-06-14T11:43:00.002+02:00

Technorati Tags: VMware,View,Security Server,certificate,wildcard certificate,Digicert

Recently I had to configure a View Security Server with a wildcard certificate. For me this was a first, and it cost me quite a bit of time. I also found the documentation on it (in the View Admin guide) fairly minimal, so I'll share my experiences here.

The Certificate Issues

My scenario: I was given a wildcard certificate in .cer format, and a separate keyfile, in .key format. As these are not the right format for View (what I needed is .Pfx,this is stated in the Admin guide), I combined them using Openssl. The version I used is from the GNUWin32 utilities at gnuwin32.sourceforge.net. The command I used for this was:
openssl.exe pkcs12 -export -out secure.website.com.pfx -inkey keyfile.key -in star_website.crt

This created the secure.website.com.pfx. I imported this in certmgr.msc (MS Certificate Manager) to check it's status. The Certificate Manager tells me it's not able to verify this certificate. I discovered that the certificate is signed by Digicert. On Digicert's website I find their root certificates, at: http://www.digicert.com/digicert-root-certificates.htm. I download and install their root certificates, but my problem remains. The problem turns out to be that my certificate is not signed by Digicert Global Root CA, but Digicert Global CA (without the Root). This certificate is not available for download from Digicert, but Google guides me to: http://www.digicert.com/CACerts/DigiCertGlobalCA.crt. This only leads to my next problem:

My original secure.website.com.crt was given to my in the following format:

-----BEGIN CERTIFICATE-----
MIIF2zCCBMOgAwIBAgIQDxsRAmWiSkaXgZmgHzKDBDANBgkqhkiG9w0BAQUFADBc
ro/jP6wKPNT5CSiVt85VY5R1cpJwWxxQjGeT10pMxPtXr4P/XbZzvTvmMvfb6M0f
mXjDaZPEaYg1cJHMLWJF
-----END CERTIFICATE-----

The new certificate I just downloaded (DigiCertGlobalCA.crt) is not. I now have to find this root certificate in the right format. Google again helps, and finds https://maven.atlassian.com/, which uses the certificate. In IE I than open the Securit Report (the lock) and click "View Certificate".

I go to Certification path, select Digicert Global CA, and "View Certificate. Next I choose Details, copy to file ("Copy to file" was at first greyed out in my browser, I had to turn off UAC in Windows 7..). Finally I choose "Base 64 X.509 .cer" as the format. This finally gives me the Digicert Global CA in the right format.

Checking the path I realize that this certificate is intermediate, and itself signed by Entrust.

Specifically: Entrust.net Secure Server Certification Authority. I can download this certificate in the right format from the Entrust.net website.

I now have three certificates:

Secure.website.cer
Digicert.cer
Entrust.cer

I open all of the in Notepad, and combine them in one text file, combined.cer. The order is as above.
I can now go back to openssl, and do:

openssl.exe pkcs12 -export -out secure.website.com.pfx -inkey keyfile.key -in combined.cer.

This works, and Cert Manager verifies this certificate is now OK.

On the Security Server

I copy the certificate to the security server, and place it in: C:\Program Files\VMware\View Manager\Server\sslgateway\conf

To make sure, and I don't know if it's a necessary step, I add the Digicert and Entrust certificates to the VMware View (java) CA.

C:\Program Files\VMware\VMware View\Server\jre\lib\security>keytool -import -file digicert.cer -keystore cacerts (the password is changeit I found out..)
C:\Program Files\VMware\VMware View\Server\jre\lib\security>keytool -import -file entrust.cer -keystore cacerts
All this just to make sure that the certificate chain is OK on the Security Server.
I than edit locked.properties and added:
· keyfile=secure.website.com.pfx
· keypass=”your password used when creating the .pfx”
I restarted de View Connection service, and all was well!
It cost me a lot of time, and looking back on it, I just should have got a new certificate and followed the regular procedure. But it can be done.
M8RYZG3HPS9B

WANem

2009-03-13T14:40:00.000+01:00

I recently discovered WANem (http://wanem.sourceforge.net/). I quote: "WANem is a Wide Area Network Emulator, meant to provide a real experience of a Wide Area Network/Internet, during application development / testing over a LAN environment."

What it can be used for is testing if a virtual desktop running on VMware View will respond adequately if used over a WAN connection. It's even possible to emulate things like dropped packages, see the screenshot:

vOptimizer Pro 2.1 Release

2009-03-12T15:00:00.000+01:00

And there's my first news: Vizioncore releases an update to vOptimizer Pro. It should help with increasing storage utilization, and interestingly also with aligning partitions. There own press release:

vOptimizer Pro 2.1 Release

New features have been added to our innovative virtual machine storage optimization and rightsizing/ reclamation solution. vOptimizer Pro helps to manage virtual machine sprawl, administration of virtual machine sizing and containment of enterprise storage costs. Now, with the release of vOptimizer Pro 2.1, users can do even more.vOptimizer Pro 2.1 includes:
Alignment Detection and Display
Installation in a virtual machine
This upgrade is available now.

Poort443 is open!

2009-03-12T14:50:00.000+01:00

Yes, yet another blog on virtualization. You can't have too many of them. The primary interests of this blog will be VMware and other virtualization solutions. In that order. VMware is what I prefer at the moment, but I also believe that there is a market for other vendors, like Microsoft and Citrix.

Apart from virtualization I'm generally interested in IT infrastucture. I follow developments there as well. I hope I'll occasionally blog about something that's of interest to te rest of the world. Please participate if you want!