Monthly Archives: February 2010

Lamest Phishing Attempt Ever?

Yesterday, I received what just may be the lamest phishing attempt ever. I’m not sure whether the originators of this particular attempt were just plain lazy, or whether they were too dumb to properly disguise what they were trying to do. Regardless, this is a good object lesson in the kinds of things to look for to spot bogus email messages. Here’s the message:

[Screen capture: Pathetic Attempt At Phishing]

Let’s just walk through all the things that are wrong with this:

  1. It has my own email address in the “From” field. If I had sent myself a message about this, I’d remember - wouldn’t I?
  2. Grammatical error #1: “has just be released”
  3. Grammatical error #2: “Dear use of the mooselogic.com mailing service”
  4. You really expect me to believe that my own corporate support team is going to ask me to go to some Web site in Europe and run an executable file? Really? And you didn’t even bother to disguise the link?
  5. The whole message is self-contradictory - if the security settings of my mailbox have been changed, and I need to apply new security settings, how is it that I was able to get to my mailbox to see this email message?

This message could have been made a lot more believable by doing just a few simple things - and it’s worth noting what they are, because a lot of other phishing messages that are turning up in your users’ mailboxes are doing these things already.

First, they could have used an email address other than mine as the “From” address. Lots of companies have fairly predictable email aliases, such as “support@,” “webmaster@,” etc., that would be more likely to be associated with a support team.

Second, they could have been a little more careful about grammatical errors. It’s worth noting, however, that because a lot of phishing expeditions originate outside of the U.S. (the “ruhlmann.eu” domain happens to be registered to someone in France), and are put together by people whose first language is not English, it is not unusual to see grammatical or spelling errors, and this is, in fact, one of the best ways of spotting phony messages.

Third, they could have used a graphic that they lifted from my own corporate Web site. It’s not hard: all they have to do is create a dynamic link. The following HTML code:

<img alt="Wells Fargo Logo" src="https://a248.e.akamai.net/f/248/1856/90m/www.wellsfargo.com/img/hp/logo_62sq.gif" />

will yield this (unless Wells Fargo has moved the location of the logo file):

[Image: Wells Fargo Logo]

All I had to do was go to the Wells Fargo home page, right-click on their logo, choose “Copy image location,” which gives me the exact URL of the image file, and paste it into the HTML code of my page. I didn’t copy the logo graphic - I’m pulling it dynamically from their site. This is a very common practice in phishing emails that pretend to be from your bank, or from PayPal, or from eBay.

And, of course, I could link that graphic to any site I wanted, and if you weren’t paying attention, you might not notice that the site I’m linking it to is not really a Wells Fargo site. I might even further disguise the link by creating something like “banking.wellsfargo.com.myphishingsite.eu/pathtomalware/malware.exe,” hoping, of course, that you’ll see “wellsfargo.com” and not look any closer, and not spot the fact that the actual link is not to a Wells Fargo Web site at all.

This is also a very common practice. And if the originators of the email above weren’t so dumb and/or lazy, that’s how they would have disguised the link. Or, if they didn’t want to bother with a graphic, they could have at least disguised the text. Remember, you can have any words you want link to any URL you want. The HTML code is easy. Just do something like:

<a href="http://myphishingsite.com/malware.exe">Come look at the fluffy bunnies!</a>

And you’ll get text that says “Come look at the fluffy bunnies!” but that is actually linked to the malware executable.

Fortunately, many email readers, including Outlook, will pop up the actual HTML destination if you hover your mouse over the link, so that’s a good habit to get into before you click on any link in an email message.
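The hover-over check described above can be automated on the mail gateway or in an analyst's triage script. The following Python is an added example, not code from the original post: it parses an HTML message body, pulls out every anchor and image, and flags the four patterns the post walks through (a link to an executable, a trusted brand name buried as a subdomain of some other domain, visible link text naming a different domain than the real href, and a brand logo hot-linked from the genuine site while the links lead elsewhere). The trusted-domain list and the sample message are constructed for the example; the "last two labels" domain heuristic is an assumption, and a production tool would use the public suffix list instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient has reason to trust (an assumed list for this example;
# a real deployment would take these from the mail gateway's brand list).
TRUSTED_DOMAINS = {"wellsfargo.com", "mooselogic.com"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

# Constructed sample message that reproduces the tricks the post describes.
SAMPLE_MESSAGE = """
<img alt="Wells Fargo Logo" src="https://www.wellsfargo.com/img/hp/logo.gif" />
<p>Dear customer, please visit
<a href="http://banking.wellsfargo.com.myphishingsite.eu/update/security.exe">www.wellsfargo.com/security</a>
to apply the new settings.</p>
<a href="http://myphishingsite.com/malware.exe">Come look at the fluffy bunnies!</a>
<a href="https://www.wellsfargo.com/help">Help</a>
"""


def registrable_domain(host):
    """Last two labels of a host name, so that
    'banking.wellsfargo.com.myphishingsite.eu' becomes 'myphishingsite.eu'.
    Production code would use the public suffix list instead of this heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and the src of every <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html):
    """Return (finding, url) pairs for the patterns discussed in the post."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    leaves_trusted_sites = False
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        dest = registrable_domain(host)
        if host and dest not in TRUSTED_DOMAINS:
            leaves_trusted_sites = True
        # 1. The link downloads an executable.
        if url.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("executable-download", href))
        # 2. A trusted brand appears as a subdomain of some other domain.
        for brand in TRUSTED_DOMAINS:
            if brand in host and dest != brand:
                findings.append(("lookalike-host", href))
        # 3. The visible text names one domain but the href goes to another.
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(0)) != dest:
            findings.append(("text-href-mismatch", href))
    # 4. A brand logo hot-linked from the real site while the links lead elsewhere.
    for src in parser.images:
        img_dom = registrable_domain((urlparse(src).hostname or "").lower())
        if img_dom in TRUSTED_DOMAINS and leaves_trusted_sites:
            findings.append(("hotlinked-brand-image", src))
    return findings


if __name__ == "__main__":
    for finding, url in analyse_links(SAMPLE_MESSAGE):
        print(f"{finding:24} {url}")
```

Run against the sample, the disguised link is reported three times (executable, lookalike host, text/href mismatch), the "fluffy bunnies" link once, and the hot-linked logo once, while the genuine help link produces nothing. The same checks are what a user performs by eye when hovering over a link; the script just makes them repeatable across a mailbox.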

Bottom line: this particular phishing message was fairly easy to spot. There are a lot of other messages that your users will receive that are much more cleverly disguised. But if you know what to look for, you can usually spot them. Your best defense will be to help your users learn what to look for. A good start might be to share this post with them.

Two Very Cool Utilities

Today, I’m not going to focus on pressing business issues, Microsoft licensing, or the latest news from Citrix. Instead, I want to share a couple of software utilities that have made my computing world more pleasant. Both have free versions as well as “Pro” versions that cost a modest amount of money and give you more functionality. Both are Windows 7 compatible.

Managing Desktop Icons
First, I’m one of those users who puts a lot of icons on the desktop. I want my most frequently used programs (and even some of the less frequently used) right there where I can double-click them without having to navigate through the Start menu tree. (Yeah, I probably never entirely outgrew Windows for Workgroups v3.11 in that respect.) But the desktop can get, um, rather cluttered. Sometimes the icons don’t want to stay where I put them. I can use the “auto arrange” feature, but I don’t always like the way they get arranged.

I was delighted to discover “Fences” by Stardock. All you have to do is hold down the right mouse button and drag on your desktop to define an area, and a little context menu will pop up that says, “Create New Fence Here.” Click on that, and you’ve just created a defined area on your desktop that you can name, resize, drag to whatever position you want, and then fill with desktop icons just by dragging them inside the “fence”:

[Screen capture: “Fences”]

Double-click anywhere on the desktop, and all the icons disappear for that nice, clean, uncluttered look. Double-click again and they come back. Create a “snapshot” of your current fence configuration, so that if things do get scrambled by a random cosmic ray, you don’t have to re-create everything from scratch. I love it!

Multiple Monitors
Second, I have become highly dependent on multiple monitors. My primary business computer is a Motion Computing LE1700 Tablet. I have docking stations in both my work office and my home office. When I dock it, my desktop is automatically spread across a large external monitor as well as the screen of the tablet itself. My multi-media studio PC at home has two widescreen monitors that are essential when I’m doing multi-track hard disk recording. My personal desktop PC has multiple monitors simply because I reached the point where I found a single monitor to be annoyingly limiting. But I was always annoyed by not having an easy way to have different desktop images on the different monitors.

The answer for me was “DisplayFusion” from Binary Fortress Software. DisplayFusion can do a number of cool things, including random “slide show” changes of your wallpaper, and multiple taskbars on your multiple monitors. But the key thing for me was that I finally had an easy way to put a different picture on each of my monitors.

[Screen capture: DisplayFusion example]

You’ll notice that the two pictures aren’t the same size. The one on the right is the screen of my tablet, which is only 1024 x 768, whereas my external monitor is 1280 x 1024. DisplayFusion doesn’t care about the size mismatch.

And in case you’re curious, yes, I took both of those pictures. Both were taken last summer in the Mountain Loop Highway area of Washington State. The one on the left was one of many incredible views on the way from Barlow Summit to the old, abandoned mining town of Monte Cristo. The one on the right is of Perry Creek just above Perry Creek Falls - about 2 miles in and 3300 feet up on the Perry Creek - Mount Forgotten trail. Yes, I’m lucky to live in such an awesome part of the country.

But I’m sure you have some awesome pictures of your own, and now you know how to put them to use with multiple monitors and how to manage that desktop icon clutter.

Pending Changes in SQL 2008 Pricing

If you’re looking at buying more SQL Server licenses, this may be a good time to do it. Microsoft recently announced that there will be several changes, including price increases, when SQL Server 2008 R2 is released - which is still supposed to happen in the first half of this year.

The price increases affect only the per-processor licensing model - at present, the Server/CAL licensing model remains unchanged. The processor pricing for SQL Server Standard edition is going up by 25%, and the processor pricing for Enterprise Edition is going up by 15%. Bear in mind that this is per processor socket, regardless of the number of cores - and Microsoft is the only major database vendor whose pricing does not depend on the number of processor cores.

In addition, there will be some limits placed on the capabilities of the Enterprise Edition, and two new premium editions will be released. In R2, Enterprise Edition will support no more than 2 TB of RAM, and no more than 8 processors. Virtualization rights will be limited as well.

The new Datacenter Edition will support unlimited memory (up to whatever the underlying OS can support), and up to 256 logical processors. If that still isn’t enough horsepower, you can check out the new “Parallel Data Warehouse” edition with its support for “massively parallel processing” (MPP).

You can find more information on SQL Server 2008 R2 at http://www.microsoft.com/sqlserver/2008/en/us/R2.aspx.

Understanding Microsoft Server Virtualization Rights

So, grasshopper, you have decided to take the plunge and virtualize your server infrastructure. Someone (perhaps us) explained the business benefits of virtualization, you decided that it made sense, and that it’s time to make the move. But do you know how virtualization will affect your Windows Server licensing model?

The first thing you need to know is that Windows Server licenses are assigned to physical hardware, not to server workloads. When you purchase a license, you must “assign” that license to a physical server. How do you do that? Well, in today’s world, there is no formal process for doing that, although if it makes you feel better, you can write it down somewhere.

You may assign more than one license to a physical server, but you may not assign the same license to more than one physical server. You may reassign a license from one physical server to another, but not more frequently than every 90 days, unless the server it was assigned to is being retired due to “permanent hardware failure.”

Sound reasonable so far? Of course it does. Right up until the license model runs head-on into one of the coolest features of virtualization: live motion. Most virtualization platforms, including Microsoft’s Hyper-V R2, allow you to easily move a virtual server from one physical host to another. Great feature, right? But if you do it, you may have just violated your Windows license agreement.

I say “may” because different versions of Windows Server come with different virtualization rights. For example, a Windows Server Standard license can be used to run one physical instance of Windows (and by “physical instance,” I mean Windows is installed directly on the hardware) or one virtual instance of Windows, but not both - unless the physical instance is being used solely to manage the virtual environment.

Let me say that another way: If you buy a single license for Windows Server Standard Edition with Hyper-V, you can install it directly on the hardware without bothering with the Hyper-V role. Or you can install the Hyper-V role, have one virtual Windows Server running on top of Hyper-V, and use the physical instance exclusively to manage the virtual instance. Of course, you haven’t really gained anything by doing that, but you can purchase additional copies of Windows Server Standard, assign them to the same physical host, and run more virtual servers on Hyper-V.

Thinking this scenario through, then, if you currently have a bunch of physical Windows Servers - each licensed with Windows Standard Edition - and you want to virtualize them all, that’s no problem. You can reassign your server licenses to your virtual hosts and be perfectly legal. As long as you don’t move a server from one host to another. But if all you own are Standard Edition licenses, and you move a server from one host to another, you’ve just violated the license agreement - unless you own a “spare” server license that you have “assigned” to the target server (the host you’re moving it to) but that is not being used.

Now, in the scenario I just described, it’s possible that the most cost-effective thing you could do is to just buy a few additional licenses as “spares” rather than re-licensing your entire environment. But let’s move ahead - once we’ve covered the other Windows editions that are available to you, you’ll be better able to decide what makes financial sense for your project.

Windows Server Enterprise Edition comes with expanded virtualization rights. Each Enterprise Edition license gives you the rights to run one physical instance and up to four virtual instances on the physical host to which it is assigned. Once again, if you want to run all four virtual instances, then the physical instance may only be used to manage the virtual environment. If you want to run other services on the physical instance - and that’s actually fairly common in a Hyper-V deployment - then you only get to run three virtual instances. And you may not split the license across multiple physical hosts.

The “estimated retail price” (just the license, no Software Assurance, assuming Open Business pricing) for Windows Enterprise is $2,358, vs. $726 for Windows Standard. So Enterprise is less expensive than four copies of Standard. Therefore, if you need to buy new licenses (perhaps you’re upgrading from Server 2003 to Server 2008 as part of your virtualization project), it may make sense in a small environment to buy a copy of Enterprise Edition for each virtual host, and perhaps supplement it with a few spare copies of Standard Edition. Here’s an example:

Let’s say you have a total of nine physical servers today, and you want to virtualize them on three dual-processor virtualization hosts. (You could probably run them on two hosts, but if one failed, it might be a stretch to run all nine on one host. If you start with three hosts, and one fails, you still have two to carry the load.) You could buy nine new copies of Windows Standard Edition for $6,534, but you’d have no flexibility to use live motion to move things around. On the other hand, you could buy three copies of Enterprise Edition for your three hosts for $7,074, and effectively have one “spare” instance on each host that’s available for moving a virtual machine from one host to another.

Of course, that may not be quite enough if you want to completely unload one of your servers (perhaps to take it off-line for maintenance), because unless you’re prepared to shut down one VM completely, you’re going to need to run five VMs on one of your remaining servers. Since you may not know in advance which server needs to assume the extra VM workload, you could just buy three additional copies of Standard Edition, and assign one to each host. That would push your total license acquisition cost to $9,252, but you would then be licensed for five VMs on each of your hosts.

The ultimate in flexibility is Windows Server Datacenter Edition. Datacenter Edition is licensed per processor socket rather than per physical host, but includes unlimited virtualization rights. You can run as many VMs on your hosts as they’re capable of running, and move them around to your heart’s content. If you just don’t want to worry about what’s running where or whether or not it’s technically legal to move a given VM around, this is the license model to use.

Of course, this is also the most expensive edition of Windows. The estimated retail price for Datacenter Edition is $2,405 per processor socket (regardless of the number of cores per processor). So it would cost $14,430 to license three dual-processor servers with Datacenter Edition. This probably isn’t cost effective if you’re only virtualizing nine servers. However, if you have lots of servers, and many of them are fairly lightly loaded (in terms of processor utilization), the picture could change. If your average consolidation ratio is greater than or equal to four servers per physical processor then Datacenter Edition becomes the most cost-effective license.

In fact, if you’re even close to that 4:1 ratio, you should strongly consider Datacenter Edition, for two reasons:

  1. Windows environments inevitably grow. However many servers you have today, you’re probably going to have more of them a year from now. With Datacenter Edition, you can continue to fire up new servers to the limits of your hardware without having to buy more server licenses.
  2. AMD already has six-core processors. You know the “arms race” between Intel and AMD will continue. So the number of servers per processor that you can reasonably expect to support will continue to increase as the processors themselves become more powerful and contain more cores, and as this happens, Datacenter Edition will look better and better.
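The Standard / Enterprise / Datacenter comparison above is easy to get wrong once you add spare capacity for live migration, so here is the cost model as a small Python calculator. It is an added example, not a tool from the post or from Microsoft: it encodes only the rules and the February 2010 estimated retail prices stated in the post ($726 per Standard license for one instance, $2,358 per Enterprise license for one physical plus four virtual instances, or three if the physical instance runs other roles, and $2,405 per processor socket for Datacenter with unlimited VMs). The "top up an Enterprise host with Standard copies" rule reproduces the post's $9,252 example; the function names and the assumption that every host must be licensed for the same number of VMs are mine.

```python
# Estimated retail prices quoted in the post (Open Business, no Software Assurance).
STANDARD = 726            # one physical or one virtual instance per license
ENTERPRISE = 2_358        # one physical + up to four virtual instances per host
DATACENTER_PER_SOCKET = 2_405   # unlimited virtual instances, priced per socket


def standard_cost(hosts, licensed_vms_per_host):
    """One Standard license per VM slot, assigned to the host that may run it.
    Count the slots you need for live migration, not just the VMs running today."""
    return hosts * licensed_vms_per_host * STANDARD


def enterprise_cost(hosts, licensed_vms_per_host, host_os_runs_other_roles=False):
    """Enterprise licenses per host, topped up with Standard copies for the remainder
    (the post's $7,074 + 3 x $726 = $9,252 example)."""
    slots_per_license = 3 if host_os_runs_other_roles else 4
    full, rest = divmod(licensed_vms_per_host, slots_per_license)
    # The remainder is covered by Standard copies unless another Enterprise is cheaper.
    top_up = min(rest * STANDARD, ENTERPRISE) if rest else 0
    return hosts * (full * ENTERPRISE + top_up)


def datacenter_cost(hosts, sockets_per_host):
    """Per socket regardless of core count; VM count does not matter."""
    return hosts * sockets_per_host * DATACENTER_PER_SOCKET


def cheapest_edition(hosts, sockets_per_host, licensed_vms_per_host,
                     host_os_runs_other_roles=False):
    """Return (edition, cost, all_costs) for a farm where every host must be
    licensed for licensed_vms_per_host virtual instances."""
    costs = {
        "Standard": standard_cost(hosts, licensed_vms_per_host),
        "Enterprise": enterprise_cost(hosts, licensed_vms_per_host,
                                      host_os_runs_other_roles),
        "Datacenter": datacenter_cost(hosts, sockets_per_host),
    }
    edition = min(costs, key=costs.get)
    return edition, costs[edition], costs


if __name__ == "__main__":
    # The post's scenario: nine servers on three dual-socket hosts.
    for slots in (3, 4, 5, 8, 10):
        edition, cost, costs = cheapest_edition(3, 2, slots)
        print(f"{slots:2} VM slots/host -> {edition:10} ${cost:,}   {costs}")
```

With the post's nine-server scenario the calculator returns $6,534 for Standard at three slots per host, $7,074 for Enterprise at four slots, $9,252 at five slots and $14,430 for Datacenter on three dual-socket hosts, and you can vary the slot count to see where Datacenter takes over for your own consolidation ratio.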

Note that everything we’ve discussed holds true if you’re virtualizing on XenServer or VMware rather than on Hyper-V. The only difference is that you won’t be using any of the allowed physical instances of Windows.

If you want to delve deeper into this issue, you can download a copy of the Microsoft Product Use Rights document from their Web site. Happy virtualizing!

Minimum Requirements for XenDesktop

We were recently asked, by someone who was planning a XenDesktop 4 Proof of Concept, what minimum components were required to conduct the POC. Rather than prepare a document just for them, it seemed like a good idea to put the information here so others can read and contribute.

In its most basic configuration, XenDesktop is, functionally, going to look like this:

[Diagram: XenDesktop functional diagram]

I lifted this drawing from a three-year-old Citrix PowerPoint presentation, and while XenDesktop has evolved considerably since then, the functional building blocks are still much the same:

  • You’re going to have a Desktop Delivery Controller (“DDC”). This is the Windows server that brokers the connection between the client device and the virtual OS. As you move into production and scale up the environment, you will probably have multiple DDCs.
  • You’re going to have a Citrix License Server. In a small deployment, like a POC, this service can also reside on the DDC.
  • You’re going to need a place for Citrix to store configuration data. In a production deployment, you’ll probably want the Data Store on a SQL Server. For the POC, it can also reside on the DDC.
  • You’re going to need a “Web Interface” server. One way or another, the client devices are going to communicate with the WI server, which will consume the user’s authentication credentials and (in most cases) present the user with the desktop choices that are available to him/her. I say “in most cases,” because it is possible to configure a client such that it will immediately connect to a designated virtual desktop without requiring the user to click on an icon.

    Once again, in a small deployment like a POC, the Web Interface services can run on the same Windows Server as the DDC, the Licensing Services, and the Data Store. So far, we haven’t moved beyond just a single Windows server - although, of course, as the environment expands and moves into production, these Web services should also be migrated to their own server.

  • All of this needs to live in a Windows Active Directory Domain, so if you’re building a POC that is isolated from your production environment, you’re going to need to provide a Domain Controller. That poor little DDC system already has enough running on it, so let’s make the Domain Controller a separate server.
  • You’re going to need some kind of virtualization infrastructure. XenDesktop is platform-agnostic at this level - it will run on XenServer, Hyper-V, or VMware. All of the other servers/services we’ve been talking about so far can be virtual servers running on this infrastructure. In a small POC, that’s the obvious way to go anyway.

Now things start to get a little tricky. That gray box that surrounds the repositories labeled “Profiles,” “Apps,” and “OS” can be broken down in a couple of ways.

Let’s assume that we are going to stream an OS, from a single, shared, read-only image, to virtual PCs that will be instantiated (I love that word - it just rolls off the tongue, and it sounds so technical) on-demand on whatever virtualization platform we’ve chosen. That means we need a Provisioning Server, and a place to store those read-only images. For a POC, the images can be stored on the Provisioning Server itself. When we move into production, since we don’t want the Provisioning Server to be a single point of failure in our VDI infrastructure, we’re going to want more than one Provisioning Server, which means that the OS images are going to need to reside on shared storage of some kind that can be accessed by all of our Provisioning Servers.

Elisabeth Teixeira of Citrix has a great 4-part series on High Availability for Provisioning Services over on the Citrix Community Blog site. Rather than go into detail here, I’d strongly recommend reading through her posts.

For our POC, the Provisioning Server can be virtualized. When we move into production, it’s probably best, for a variety of reasons that we won’t go into here, that they be physical servers.

Our virtual PCs are going to need apps as well. (After all, the entire purpose of a PC is to run apps, right?) If you wish, you can “bake” the applications into the read-only “golden” image that we’re going to use for provisioning, by first installing them on the PC that we’re going to use to create the image. Of course, that means that whenever you make a change to an app, you have to change the whole image, and we know what a pain that is, because many of us have been managing images for physical PCs that way for years. So we’re going to be better off if we stream the applications on-demand onto the virtual PCs after they’re booted up and users have attached to them. We will therefore need at least one XenApp server to manage the application streaming.

Finally, we’re going to need a file server to serve as a repository for user profiles and user data. The streamed OS images are, after all, read-only, so we’re going to need to use AD Group Policies to specify where that data is stored, since it can’t be stored in a profile that’s part of the streamed image.

One more thing comes into play, depending on what Windows OS you’re going to use for your virtual PCs. As we’ve noted in other posts, the process of converting a Vista or Windows 7 PC into a shared golden image will break the license key. You must therefore have a KMS Server available to auto-activate the PCs as they boot up. For best results, the KMS service should be running on a Windows 2008 R2 server. For more information on KMS and how it works, please see our earlier blog post on KMS.

That’s really all you need to do a POC, provided that all your clients will be connecting from within the protected network. If you want to grant access to clients connecting in from the public Internet, you’re going to need a secure way to do that. The simplest way is to use the software Citrix Secure Gateway that comes with XenApp. The CSG is basically an application-specific software SSL/VPN - running on a Windows Web server - that provides a secure proxy between the public Internet and the Web Interface server. For more demanding environments, you should consider the line of Citrix Access Gateway appliances, which can function as general-purpose SSL/VPN appliances as well as providing access to the XenDesktop infrastructure, and can provide advanced features like redundancy, automatic failover and, with the NetScaler software load, even provide Global Network Load Balancing for automatic failover between a primary site and a DR site.

If you have clients in branch offices connecting to your XenDesktop infrastructure across a Wide Area Network, you may see some benefits from deploying the Citrix Branch Repeater line of WAN optimization appliances. It’s likely that as we move through the year and see the release of new technology like XenClient, we will see an expanded role for the Branch Repeater with Windows Server and its ability to cache data locally at the branch office level - but that’s another post for another day.

So there you have it. To summarize, our minimum POC environment will consist of the following servers/services running on our virtualization infrastructure:

  • Domain Controller
  • A Windows Server hosting the following services (which can be broken out onto separate servers as the environment scales):
    • Desktop Delivery Controller
    • License Server
    • Data Store
    • Web Interface
  • Provisioning Server
  • XenApp Server (for application streaming)
  • File Server (optional - in a pinch you could make file shares available on one of the other servers)
  • KMS Server (if you want to provision Vista or Win7 PCs)
  • Secure Gateway Server or Access Gateway Appliance (if you want to provide secure access from the public Internet; note that this server or appliance should be in a DMZ for best security)