Microsoft have now confirmed support of OCS 2007 R2 on Windows 2008 R2 – yay.
The following scenarios are also still not supported:
- Upgrading the OS of an existing OCS R2 installation to Windows 2008 R2
- Installing OCS R2 Group Chat on a Windows 2008 R2 Server or in a Windows 2008 R2 Domain
Thanks to ‘the UC Guys’ for the info.
Want to implement AD RMS but already have file servers full of unprotected content? No problem! With the AD RMS Bulk Protection Tool and the File Classification Infrastructure (FCI) in Windows Server 2008 R2 this can be achieved. In FCI we can create classifications based on business impact (derived from keywords, e.g. "private", or from regular expressions that match things like National Insurance numbers) and have RMS templates applied to each classification as we see fit. Oh, the power!*

This also continues to apply to files added to the file servers later, each time the File Server Resource Manager classification rules and file management tasks run (which can be scheduled). Using FCI you can also set a flag, with a time stamp, on files that have been protected (encrypted), and configure it to send an email to the owner of each file that has been protected.

Have SharePoint libraries? Again, no problem: these can be configured to apply protection, based on the user's permissions on the library, when a document is downloaded from it. It's all covered! Automation is the new buzzword within RMS, and it continues with Exchange 2010's automatic protection of emails, using transport rules to apply pre-defined templates based on email content or recipients.
*Note: by default only the Microsoft Office suite and XPS Viewer file types can be RMS protected; however, IRM protectors can be downloaded for hundreds of other file types, so nearly all file extensions can benefit from RMS protection!
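The FCI side of this, as an added example that is not from the original post: it creates a business-impact property, two content classification rules (a National Insurance number regex and the keyword "private") and a file management job that applies an RMS template to anything classified High and emails the owner. It uses the FileServerResourceManager PowerShell module, which only arrived in Windows Server 2012 (on 2008 R2 the same property, rules and job are created in the FSRM console); the share path D:\Shares\HR and the template name "Company Confidential" are placeholders.

```powershell
# Added example (not from the original post). Classify files containing UK National
# Insurance numbers as high business impact and have FSRM apply an RMS template to them.
# Assumptions: FileServerResourceManager module (Windows Server 2012+), a share at
# D:\Shares\HR, and an RMS template "Company Confidential" published by the AD RMS cluster.
Import-Module FileServerResourceManager

$Share       = 'D:\Shares\HR'            # placeholder
$RmsTemplate = 'Company Confidential'    # placeholder, must match a published template name

# 1. A classification property for business impact. OrderedList means the highest
#    matching value wins when several rules fire on the same file.
$values = @('Low', 'Moderate', 'High') | ForEach-Object { New-FsrmClassificationPropertyValue -Name $_ }
New-FsrmClassificationPropertyDefinition -Name 'Impact' -Type OrderedList `
    -PossibleValue $values -Description 'Business impact' | Out-Null

# 2. Content rules (the content classifier takes .NET regular expressions).
#    The NI pattern is deliberately stricter than [A-Z]{2}\d{6}[A-Z] to cut false positives:
#    first letter is never D, F, I, Q, U or V; second letter additionally never O;
#    prefixes BG, GB, NK, KN, TN, NT and ZZ are never issued; the suffix is A to D.
#    Optional spaces between digit pairs are allowed, as in "QQ 12 34 56 C".
$NiRegex = '\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b'

New-FsrmClassificationRule -Name 'Contains NI numbers' -Property 'Impact' -PropertyValue 'High' `
    -ClassificationMechanism 'Content Classifier' -Namespace @($Share) `
    -ContentRegularExpression @($NiRegex) -ReevaluateProperty Overwrite | Out-Null

New-FsrmClassificationRule -Name 'Marked private' -Property 'Impact' -PropertyValue 'Moderate' `
    -ClassificationMechanism 'Content Classifier' -Namespace @($Share) `
    -ContentString @('private') -ReevaluateProperty Overwrite | Out-Null

# 3. File management job: apply the RMS template to everything classified High.
#    -Continuous also fires for new files as they arrive, in addition to the schedule.
#    The [Source File Owner Email] macro is the FSRM notification variable for the owner
#    (assumed to be spelt as in the FSRM console's variable list).
$action       = New-FsrmFmjAction -Type Rms -RmsTemplate $RmsTemplate
$condition    = New-FsrmFmjCondition -Property 'Impact' -Condition Equal -Value 'High'
$schedule     = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Sunday
$mail         = New-FsrmFmjNotificationAction -Type Email -MailTo '[Source File Owner Email]' `
                    -Subject 'A file you own has been RMS protected' `
                    -Body 'The file [Source File Path] was classified as high impact and protected with RMS.'
$notification = New-FsrmFmjNotification -Days 0 -Action $mail

New-FsrmFileManagementJob -Name 'RMS-protect high impact files' -Namespace @($Share) `
    -Action $action -Condition $condition -Schedule $schedule -Notification $notification `
    -Continuous | Out-Null

# 4. Classify now rather than waiting for the schedule, then review what was set.
Start-FsrmClassification
Get-FsrmClassificationRule | Format-Table Name, Property, PropertyValue, Namespace
```

Test the regex against a sample file before enabling the job: a classifier that matches too broadly will RMS-protect, and so lock away from indexing and casual readers, far more than intended, and undoing a bulk protection run is much slower than running it.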
To RMS or not to RMS? I think the former.
Just a quick one: there are two great (free!) tools from Microsoft for taking your default server install and securing it.
The first, the Security Configuration Wizard (SCW), is installed by default on all servers. Run it and it walks you through identifying which roles and features are installed, then produces a policy that disables unused services and configures the Windows Firewall for the required services. Usefully, it lets you specify all the management tools you need to manage the server, so you get the goodness of having the firewall enabled without the pain of being unable to reach the server with your favourite management tools. Once you have a policy, you can use the command-line component, scwcmd, to transform it and export it to AD as a GPO.
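The command-line side of this, as an added example that is not from the original post: it analyses a handful of servers against a saved SCW policy, so you can see what the policy would change before committing it, and only then transforms it into a GPO. The policy path, result folder, server names and GPO name are placeholders; the scwcmd verbs and switches are the real ones shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the original post): analyse servers against an SCW policy,
# then turn the policy into a GPO. Run from an elevated PowerShell on a domain member
# that can reach the target servers over RPC. All names below are placeholders.
$Policy  = 'C:\SCW\WebTier.xml'          # saved by the SCW wizard
$Results = 'C:\SCW\Results'
$Servers = @('web01', 'web02', 'web03')  # constructed list, replace with your own
$GpoName = 'SCW - Web tier baseline'

New-Item -ItemType Directory -Path $Results -Force | Out-Null

foreach ($s in $Servers) {
    # analyze compares the live server with the policy and writes <server>.xml to $Results.
    # It changes nothing on the target; a non-zero exit code means the analysis itself failed
    # (unreachable server, access denied), not that the server is non-compliant.
    & scwcmd analyze /m:$s /p:$Policy /o:$Results
    if ($LASTEXITCODE -ne 0) { Write-Warning "scwcmd analyze failed for $s (exit code $LASTEXITCODE)" }
}

# Render each result with the stylesheet SCW ships for analysis output; it opens in the browser.
Get-ChildItem -Path $Results -Filter *.xml | ForEach-Object {
    & scwcmd view /x:$($_.FullName) /s:"$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"
}

# Only once the analysis looks right: transform the policy into a GPO in the domain.
# The GPO is created but not linked, so link it to the right OU (and test on one
# server first) rather than discovering a missing management port across the fleet.
& scwcmd transform /p:$Policy /g:$GpoName
if ($LASTEXITCODE -eq 0) { Write-Host "GPO '$GpoName' created; link it to the target OU in GPMC." }
```

Analysing first matters because the SCW policy captures the roles present on the server the wizard ran on; a server in the same tier with one extra role (a monitoring agent, a backup port) will have that service stopped and its port closed the moment the GPO applies.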
The second, the Security Compliance Management Toolkit, is available for download from http://technet.microsoft.com/en-us/library/cc514539.aspx. There are lots of elements to the toolkit, not least the ability to monitor ongoing compliance using SCCM's Desired Configuration Management (DCM) feature, but the interesting bit for this post is that it includes a tool to create GPOs with a full suite of recommended registry settings to harden the OS; many of these settings are not exposed through GPOs as standard.
HTH
SharePoint is not my usual topic of conversation, I will admit, however this caused me pain and isn't documented from what I could find.
For whatever reason my local SharePoint Workspace recently broke, giving me this error when I tried to launch it:

I tried the various "recover my account" links etc., all to no avail. I came to the conclusion that I needed to re-import the backup of my workspace; however, to do this I needed to delete the broken one on my laptop, and I couldn't do that as I couldn't log in to the workspace...
So after some digging around I found the following location (this is on Windows 7; if you're on something older, upgrade!):
C:\Users\<username>\AppData\Local\Microsoft\Office\Groove\User\Accounts
Under here are some folders with seemingly random names. Deleting the folders essentially reset SharePoint Workspace to its defaults and allowed me to re-import my backup. Note that I only had one account configured; if you have more than one you'll need to find a way to identify which is the one for your broken account. Measure twice, cut once! Doing this will obliterate your account and any data stored locally, which means anything not uploaded yet will be lost. This wasn't an issue for me, but be aware of it before you delete the account folder; if it is an issue for you, this solution probably isn't suitable.
Just finished implementing DirectAccess in the office, using Forefront UAG to publish it. The wizard in UAG is a dream; everything just works. The only things to note are that when you are asked to specify names for the DNS exclusion list, be careful to add all the names you would use to VPN in and to retrieve CRLs. If you don't, you'll find that once the policy is applied you won't be able to access the LAN externally, and if you are doing the installation remotely we would class this as a BAD THING. Easy enough to rectify: just delete the cached GPO policy (HKLM\Software\Policies\Microsoft); everything under this key is volatile and will be restored next time GP is updated. Also, occasionally I noticed that running the GPO export script would error on the NRPT sections, saying the file was in use; rerunning the script worked every time.
The one thing to note, however, which is true for both UAG and TMG, is that all the IPsec functionality is delivered by the Windows Firewall (Windows Firewall with Advanced Security), not by UAG or TMG itself. If the Windows Firewall was disabled before UAG was installed, the installation proceeds without a hitch, the DirectAccess wizard runs, clients that receive the group policies connect over Teredo and IP-HTTPS, and everything looks great, but the clients can't actually contact any of the internal servers, which is a shame given that contacting the internal servers is the entire point of the exercise.
Frustratingly, at this point there is a distinct lack of errors: all the components appear to be functioning perfectly. However, if you look in Windows Firewall with Advanced Security, you will see that the IPsec connection security rules from the UAG wizard are present under Connection Security Rules but are not present under Monitoring > Connection Security Rules, even though the Public profile is marked as active. The solution? Enable the Windows Firewall for the Public profile, if not all profiles. Take-home lesson: in Windows 7 and Server 2008, the Windows Firewall should no longer be treated as a bolt-on extra to be disabled unless there is a specific requirement for it to be on. It is the component that enforces IPsec connection security rules, so it should be treated as core and only disabled when a specific requirement to do so exists.
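A quick way to check for exactly that state, as an added example that is not from the original post: it lists the firewall state per profile, then compares the connection security rules that are configured with those the monitoring view reports as active. Run it in an elevated PowerShell on the UAG/TMG server or on a DirectAccess client; it shells out to netsh advfirewall so it works on Windows 7 and Server 2008 R2, where the NetSecurity cmdlets do not exist.

```powershell
# Added example, not from the original post. Detects the state described above: IPsec
# connection security rules are configured but not active because the Windows Firewall
# is off for the active profile. Run in an elevated PowerShell on the UAG/TMG server or
# a DirectAccess client. netsh advfirewall is used instead of the NetSecurity cmdlets
# so it also works on Windows 7 / Server 2008 R2.

function Get-FirewallProfileState {
    # Returns a hashtable of profile name -> ON/OFF parsed from
    # 'netsh advfirewall show allprofiles state'.
    $state = @{}
    $current = $null
    foreach ($line in (& netsh advfirewall show allprofiles state)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') { $current = $matches[1] }
        elseif ($current -and $line -match '^State\s+(ON|OFF)') { $state[$current] = $matches[1]; $current = $null }
    }
    return $state
}

function Get-RuleNames([string[]]$NetshOutput) {
    # Pulls the 'Rule Name:' values out of a netsh consec listing.
    foreach ($line in $NetshOutput) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') { $matches[1] }
    }
}

$configured = @(Get-RuleNames (& netsh advfirewall consec show rule name=all))
$active     = @(Get-RuleNames (& netsh advfirewall monitor show consec))
$profiles   = Get-FirewallProfileState

Write-Host 'Active profile(s):'
& netsh advfirewall monitor show currentprofile
foreach ($p in $profiles.Keys) { Write-Host ('{0,-8} firewall {1}' -f $p, $profiles[$p]) }

# A rule that is configured but missing from the monitor view is not being enforced.
# A rule that is simply disabled, or scoped to a profile that is not active, also shows
# up here, so read the list rather than treating every hit as the firewall problem.
$inactive = @($configured | Where-Object { $active -notcontains $_ })
if ($inactive.Count -gt 0) {
    Write-Warning ('{0} of {1} connection security rule(s) are configured but not active:' -f $inactive.Count, $configured.Count)
    $inactive | ForEach-Object { Write-Host "  $_" }
    if (@($profiles.Values) -contains 'OFF') {
        Write-Warning 'IPsec rules only take effect when the firewall is ON for the active profile. Fix: netsh advfirewall set allprofiles state on'
    }
} else {
    Write-Host "All $($configured.Count) connection security rules are active."
}
```

The same check is worth running on a client that connects but cannot reach anything: the UAG wizard's rules arrive there by group policy, and a client-side firewall that has been disabled by an older "turn off the firewall" GPO produces the identical symptom.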
So you have a laptop without a TPM and still want to use BitLocker? You can: BitLocker can store the startup key on a USB flash drive instead. This gives you full-volume encryption and requires you to insert the USB key when the machine boots or resumes from hibernation. It is not required when the machine goes to sleep or standby (the keys stay in memory), so it is primarily useful when your laptop is stolen or someone conducts an offline attack on your disk.
Funnily enough, it would also protect you from an attack directly on the TPM such as this, but you are still better off with a TPM than without one.
The steps on a Windows 7 machine are as follows:
Edit GPO
Edit your local Group Policy to allow BitLocker to use a USB startup key:
Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

Enable the policy and tick "Allow BitLocker without a compatible TPM", which permits boot authentication with a startup key on a USB flash drive instead of a TPM.

Optionally (a good idea), also configure BitLocker to store its recovery information in Active Directory.

Update GPO
Run gpupdate to make the policy apply.
Enable BitLocker
Then turn on BitLocker for the operating system drive from Windows Explorer (right-click the drive and choose Turn On BitLocker) and select the option to require a startup key at every startup.
Now, when I tried this on a USB key the other day I had an unpleasant surprise when I rebooted: my machine wouldn't boot as it couldn't find the BitLocker key.
Turns out my USB key had a freebie security application on it which made the key unreadable at boot time. Luckily I had enabled the 48 bit recovery key and kept it somewhere safe, so I just reformatted the key and then used the Manage BitLocker option to recreate the key:
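The whole procedure as a script, together with the checks that would have caught the unreadable stick, as an added example that is not from the original post. It assumes an elevated PowerShell on Windows 7 or later, C: as the operating system drive and E: as the USB stick (both placeholders), and a machine that is not domain-joined; on a domain member the two policy values should come from a GPO rather than being written to the registry directly. manage-bde and its -on, -StartupKey, -RecoveryPassword and -protectors switches are the real command-line interface to BitLocker; the two FVE registry values are the ones the Group Policy setting above writes.

```powershell
# Added example (not from the original post): BitLocker on a TPM-less machine with a USB
# startup key, scripted, plus the pre-flight checks the post's failure calls for.
# Assumptions: elevated PowerShell on Windows 7+, C: is the OS drive, E: is the USB
# stick (placeholders), machine not domain-joined (set the policy via GPO if it is).
$OsDrive  = 'C:'
$UsbDrive = 'E:'

# Steps 1-2: local policy. These are the registry values behind "Require additional
# authentication at startup" with "Allow BitLocker without a compatible TPM" ticked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

function Test-StartupKeyDrive([string]$Drive) {
    # Pre-flight: the stick must be a plain removable FAT/FAT32/NTFS volume. Vendor
    # "security" tools that ship on some sticks add a second, non-standard volume and an
    # autorun launcher, and the boot loader cannot read such a stick: the failure in the post.
    $vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $vol) { throw "$Drive not found" }
    if ($vol.DriveType -ne 2) { throw "$Drive is not a removable drive (DriveType $($vol.DriveType))" }
    if (@('FAT', 'FAT32', 'NTFS') -notcontains $vol.FileSystem) { throw "$Drive is $($vol.FileSystem); reformat it as FAT32" }
    if (Test-Path "$Drive\autorun.inf") { Write-Warning "$Drive carries an autorun.inf; a bundled vendor tool is likely. Reformat it first." }
    return $true
}

Test-StartupKeyDrive $UsbDrive | Out-Null

# Step 3: turn BitLocker on with a startup key on the stick and a recovery password.
# manage-bde prints the 48-digit recovery password: store it off this machine before
# rebooting. Without -SkipHardwareTest it asks for a restart so BitLocker can prove it
# can read the key at boot before encrypting; do not skip that test, it exists for
# exactly the stick-not-readable case.
& manage-bde -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword

# Verify: the .BEK file (hidden + system) must now be on the stick, and the protector
# list should show both an External Key and a Numerical Password.
Get-ChildItem -Path "$UsbDrive\" -Filter *.BEK -Force
& manage-bde -protectors -get $OsDrive

function Reset-StartupKey([string]$Volume, [string]$Drive) {
    # Recovery from the situation in the post: after reformatting the stick, add a fresh
    # startup key and drop the old external key protector. The recovery password stays
    # as a protector throughout, so this is safe to run from the booted OS.
    Test-StartupKeyDrive $Drive | Out-Null
    & manage-bde -protectors -delete $Volume -Type ExternalKey
    & manage-bde -protectors -add $Volume -StartupKey $Drive
    & manage-bde -protectors -get $Volume
}
# Usage after reformatting the stick:  Reset-StartupKey -Volume 'C:' -Drive 'E:'
```

Keep the recovery password somewhere that is not the laptop and not the stick: with no TPM, anyone holding the stick and the disk has everything, so the stick should travel separately from the laptop, and the recovery password is the only way back in when the stick is lost or, as here, unreadable.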



It’s a common sight: staff crowded round a laptop, cradling their coffees, or wasting valuable time sending countless e-mails to each other to get a group project finished. But in an economic environment where you need to maximise your resources, it’s time to discover a better way of working.
There is a far better way to work, which improves both productivity and collaboration. Your team can work together faster and more effectively, with help from Microsoft products. Freeing them to:
- Collaborate better — Forget the restrictions of offices. Teams can share vital documents and information through team worksites and portals
- Work simpler — Group work can be effortless. Produce documents seamlessly with features such as update notifications and alerts, online/offline access, built in version control and workflow functionality
- Boost productivity — be more productive and efficient by sharing information, analysing data and creating professional-looking documents easily
We can help you find the right solution to boost collaboration and productivity. Contact us today to find out more:
E-mail us: enquiries@risual.com
Call us: 0845 6800077
Visit our Web site: www.risual.com