What’s New in Azure Guest OS 2.2?

This Azure Guest OS release comes two months after the previous one (v2.1).  Does it provide only minor changes, or does it include patches for substantial security issues?  Let’s dig in and find out.

Microsoft announced Windows Azure Guest OS 2.2 (Release 201101-01), which contains 11 specified security patches.  More specifically, this Azure Guest OS comprises:

  • Windows Server 2008 R2, plus
  • All security patches through December, 2010, and
  • 2 updates to previous security patches

The 11 patches specified in the bulletin fall into a few vulnerability categories.  Nine of the patches were included in December’s Security Bulletin; the three marked with ‘*’ are patch updates.  The bulletin IDs (‘MS10-…’) give away that they originated in 2010.

Vulnerability                     Bulletins
Elevation of Privilege            MS10-092, MS10-098, MS10-100
Remote Code Execution             MS10-077*, MS10-091, MS10-095, MS10-096
Denial of Service                 MS10-101, MS10-102
IE Cumulative Updates             MS10-090*
ASP.NET Information Disclosure    MS10-070*

MS10-070 and MS10-077 were originally released last year, in September and October respectively.  MS10-090 was originally released in December 2010 but was updated in early January 2011.

Even though most of these were in December’s Security Bulletin, we should take a look at the severity and exploitability ratings for each (relative to Windows Server 2008 R2 for x64 only; impacts to Itanium-based systems may differ slightly).

Bulletin    Severity Rating    Exploitability Rating
MS10-090    Critical           Consistent Exploit Code Likely
MS10-091    Critical           Consistent Exploit Code Likely
MS10-092    Important          Consistent Exploit Code Likely
MS10-095    Important          Consistent Exploit Code Likely
MS10-096    Important          Consistent Exploit Code Likely
MS10-098    Important          Consistent Exploit Code Likely
MS10-100    Important          Consistent Exploit Code Likely
MS10-101    Important          Functioning Exploit Code Unlikely
MS10-102    Important          Functioning Exploit Code Unlikely

So, I think it’s safe to assess that this new Azure Guest OS includes some very significant security patches.  Agree? Don’t agree?  Leave a comment for us below.

Better Management Certificates for Azure

As I wrote earlier this week, the Silverlight-based Management Portal may be the best feature of Azure’s 1.3 release.  It is a handsome UI, Azure components are far easier to access, and (most importantly) the amount of time required for common tasks is sharply reduced.

This post is only partly about the Management Portal, however.  The certificate-generating code in the Azure Tools for VS 2010 is also involved.

The Problem

Although it’s nice to be able to create the necessary management certificate from within Visual Studio, the resulting certificate naming is confusing.  The following dialog shows an existing certificate and the selection for creating a new certificate.

AzVSTools - Certificate Selection

When this tool creates a certificate, it sets the Friendly Name to the value you entered and sets Issued By to Windows Azure Tools.  No big deal, right?  Right – until you add the certificate via the Azure Portal…

Azure Mgmt - Mgmt Certs with Comments

This view of the portal shows the Management Certificates, but you can’t really tell which is which.  For example, which of the two certificates corresponds to the one with Friendly Name: Deployment Credentials in the Azure Tools dialog?  You can’t tell unless you distinguish them by thumbprint or validity dates.  Why doesn’t Deployment Credentials appear in one of the fields?  Well, let’s take a quick look at the certificate in Certificate Manager (certmgr.msc).

CertMgr - Personal Certs - Windows Azure Tools-Deployment Credentials

When Azure Tools created the certificate, it set Windows Azure Tools in the Issued To and Issued By fields.  The name I provided the tool appears in the Friendly Name field.  I’m glad that I can distinguish the certificate in my local store by its friendly name, but that name exists only in my local store.  That’s the problem: Friendly Name is not part of the certificate itself; it’s metadata associated with the certificate, and only locally.
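
You can see this for yourself with a few lines of code.  Here’s a minimal sketch (my own throwaway console app, not part of the Azure Tools) that reads the CurrentUser Personal store: Subject and Issuer travel with the certificate, while FriendlyName is local store metadata only.

using System;
using System.Security.Cryptography.X509Certificates;

class ListCerts
{
    static void Main()
    {
        // The same Personal store that certmgr.msc shows for the current user
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        foreach (X509Certificate2 cert in store.Certificates)
        {
            Console.WriteLine("Subject:       " + cert.Subject);       // part of the certificate
            Console.WriteLine("Issuer:        " + cert.Issuer);        // part of the certificate
            Console.WriteLine("Friendly Name: " + cert.FriendlyName);  // local metadata only
            Console.WriteLine("Thumbprint:    " + cert.Thumbprint);
            Console.WriteLine();
        }

        store.Close();
    }
}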

What’s A Better Way?

Instead of using the Azure Tools to create a certificate, use the MakeCert tool.  Azure only accepts certain certificates (X.509, 2048-bit, SHA-1, etc.), so you have to provide a few specific parameters.  Here’s a sample command line:

makecert -sky exchange -r -n "CN=<CertName>" -pe -a sha1 -len 2048 -ss My "<CertFileName>"

where CertName is the name you want to appear in the Name field under Management Certificates in the management portal, and CertFileName specifies where to store the certificate file on your local drive.

Now, when you upload the certificate to the management portal, you can easily distinguish the certificates.

Azure Mgmt - Mgmt Certs - Better Names2

Then, when you Publish from Visual Studio, simply choose the appropriate certificate from the list.

AzVSTools - Certificate Selection2

Admittedly, the Friendly Name isn’t set, but you have no trouble distinguishing between certificates in either Visual Studio or Azure’s Management Portal.

BIG Release of Azure Components This Week!

Windows Azure SDK 1.3 (a.k.a. the November release) has just been released.  You can download just the SDK, but if you’re using Visual Studio, use the Windows Azure Tools for Visual Studio instead.  That package, VSCloudService.exe, includes the SDK.

The major features / benefits of this release include:

  • Management Portal – the new Silverlight-based portal may be the most significant improvement of this release.  Managing Roles, Storage, Service Bus, Access Control, etc. are so much easier to access, and the portal’s performance improvements make a substantial impact on management tasks.
  • Full IIS – Finally! Each Web Role can host multiple sites (web apps, services).  Additionally, developers can now install IIS modules as well (some apps haven’t been migrated because they depend on 3rd-party or custom modules).
  • Remote Desktop – I’ve been looking forward to this for a while!  Being able to connect to Azure Roles and VMs via RDP is going to make a huge difference in so many ways – configuration, deployment, debugging, etc.
  • Windows Server 2008 R2 – Azure Roles and VMs can now be based on R2, which brings in IIS 7.5, the ability to restrict which apps can run via AppLocker, and PowerShell 2.0 for better administration and automation.
  • Elevated Role Privileges – I’m not so sure this is a really good idea, but it’s in now.  Azure Roles can run with administrator privileges (sounds like “running with scissors”).  I can imagine scenarios in which a Worker Role does a bit of admin-level work, or a Web Role hosts a custom administrative portal.  But, in general, devs need to be very careful with this “feature.”
  • Multiple Admins – Multiple Live IDs can be assigned admin privileges in an Azure account.  This provides better traceability when you’re doing around-the-clock administration, but it may also introduce the risk of “stepping on each other’s toes” problems.

Also in this round of updates are a couple of betas and CTP.

  • Extra Small Instance – in BETA – At just 5 cents per compute hour, the Extra Small Instance is less than half the cost of the Small Instance (12 cents per compute hour). At the time of this writing, an Extra Small Instance comprises a 1.0 GHz CPU, 768 MB RAM, 20 GB of local storage and “low” I/O performance.
  • Virtual Machine Role – in BETA – Now you can define and manage your own virtual machine. Based on the (very) little info I have right now, the VM is based on a differencing disk over a Windows Server 2008 R2 VM, which limits the options for what you can run in it.  IMO, this is the last check-box for Azure to qualify as Infrastructure as a Service (IaaS).
  • Azure Connect – in CTP – Connect provides the ability to create a virtual network between multiple devices. For example, if companies A & B want two of their systems to communicate with each other, those systems connect to Azure, establish the private network, and then communicate directly with each other.  I really want to test this one out!

The Best and Worst of PDC 2010

I attended Microsoft’s PDC 2010 simulcast in their offices in Alpharetta, Georgia.  Here are my thoughts on the best and worst items from the day.

The Best of PDC 2010

  1. [Re]connecting with Friends & Colleagues – The best part of the day was seeing colleagues I haven’t seen in a while and talking to new people.  Randy, Doug, Jeremy, David, Chad – it was great seeing you guys.  Isaac, I enjoyed meeting you – best wishes in your new role.  The guy from India whose name I didn’t catch – our conversation was very interesting and raised some important points – thanks!
  2. Mark Russinovich on Azure – OK, I know this is old news, but Mark has so much geek cred & seeing him in action with Azure boosts my confidence in the platform.  I formerly just believed that Microsoft cared about making the guts of the platform accessible & diagnosable for developers.  Now I know there’s a guy in place who will make sure that happens.
  3. Async in C# 5.0 – I didn’t see much of Anders Hejlsberg’s session, but what I did see was striking.  He demonstrated the async and await keywords, which the compiler expands into asynchronous (and potentially multithreaded) code under the covers.  Of course multithreading is nothing new, and the Parallel framework in .NET 4.0 already produces multithreaded code, but the addition of these keywords and the compiler support behind them will dramatically improve code performance at much lower development cost.  (There’s a minimal sketch of the syntax just after this list.)
  4. Component Applications – Karandeep Anand’s presentation on AppFabric announced Azure’s upcoming Component Application features.  These features provide modeling capabilities for connecting various services together (inside Azure or not) and treating them all as a cohesive whole.  By adding and connecting a new service, all the glue code between the services was generated.  These capabilities will reduce development time and reduce manual code risks.
  5. Azure Management Portal – As with every Azure demo I saw, Karandeep used a new, Silverlight-based management portal, and it was really powerful.  The best example of ‘really powerful’ was during his presentation regarding Component Applications.  Karandeep was modeling several different services on a collection of Azure instances and he could deploy all of it atomically with a single action!  No more deploying individually.  Very cool and big time savings to boot!
  6. Windows VM hosting – Microsoft’s focus on the PaaS side of Azure has been the right course, but migrating existing apps to the cloud almost always involves some software that needs to remain as it is (due to cost, complexity, ‘it just works,’ etc.).  Now Azure will have true IaaS-level virtual machine support (but only for specific versions of Windows Server 2003 and 2008 R2).
  7. RDP to Azure Instances – In the “They Have to Do This Eventually” category, Microsoft has finally announced the ability to use Remote Desktop to access instances and VMs in Azure.  Beta coming by end of year.
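
Since async and await are easiest to appreciate in code, here’s a minimal sketch of the shape Anders demonstrated, written with today’s syntax (HttpClient and the URL are my own choices for illustration, not from the talk):

using System;
using System.Net.Http;
using System.Threading.Tasks;

class AsyncSketch
{
    // The compiler rewrites this method into a state machine; the calling
    // thread is free to do other work while the download is in flight.
    static async Task<int> GetPageLengthAsync(string url)
    {
        using (var client = new HttpClient())
        {
            string body = await client.GetStringAsync(url); // resumes here when the response arrives
            return body.Length;
        }
    }

    static async Task Main()
    {
        int length = await GetPageLengthAsync("https://www.microsoft.com/");
        Console.WriteLine("Downloaded " + length + " characters.");
    }
}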

The Worst of PDC 2010

  1. Buffering! My biggest disappointment of the day was that it seemed like we were watching the simulcast feed over the internet, just as we would have at our own offices.  Every session I saw encountered long pauses due to buffering.  Some sessions were so bad that people just left the room to do something (anything!) valuable with their time.  It was painful! Can’t Microsoft deliver these feeds over their WAN with some QoS support?  Many people in my sessions agreed that this is a make-or-break issue for attending next year.
  2. Azure Management Portal Not Available Until H1-2011 – The new portal will save every Azure developer a lot of time.  But, its first availability, even as a CTP, is set for the entirely nebulous “first half of 2011.”  In case you’re new to this game, that statement roughly translates to:
    • Q1 of 2011 – Wow!  You should be pleasantly surprised (shocked) if it is available in Jan, Feb or Mar
    • Q2 of 2011 – Microsoft’s internal target is probably in this quarter, and probably more toward the end.  No need to be shocked in this time-frame; pleasantly surprised is appropriate.
    • H2 of 2011 – Right, H2 is not part of H1; they don’t even overlap.  But hey, schedule slips happen!
  3. Component Application features, CTP in H1-2011 – Same as above; disappointing that we may not even get to CTP it prior to next summer.  Schedule slips are probably a higher risk for this component than the portal.
  4. Silver-what? There was a noticeable lack of Silverlight references or discussion.  If you took your guidance from yesterday’s keynote and other general sessions, you’d drop Silverlight and immediately switch to HTML5.  Silverlight still has a great future, and Microsoft continues to invest in it; so should you.

Well, that’s about it.  I hope this has been helpful or informative in some way.  If you attended PDC 2010 and think I missed a best or worst, just comment below.  If you think my Best and Worst items or commentary are wrong-headed, post a comment.  If you think I’m a lunatic, well just join the crowd.


Clemens Vasters’ Scheduler-Agent-Supervisor Pattern

Microsoft’s Clemens Vasters published a pattern the Azure team is using, which he calls the Scheduler-Agent-Supervisor pattern (http://blogs.msdn.com/b/clemensv/archive/2010/09/27/cloud-architecture-the-scheduler-agent-supervisor-pattern.aspx).

This pattern is reminiscent of the solution we architected and implemented a few years ago (at a much smaller scale, obviously).  We used SQL Server for persistent storage of pipelines of step-wise tasks, .NET-based agents, and a good ol’ Windows Service to execute the pipelines.  The service polled for pipelines with work waiting, instantiated the appropriate agents for that work, and provided context and threads for agent execution.  After quite a bit of rigorous stress and negative testing, the system proved to be very efficient.  It was also very adaptable to other purposes, since the agents implemented the business logic: new agents, or existing agents used in different ways, could provide different functionality.

Ok, enough of what we did before.  Clemens’ post builds on the Scheduler-Agent pattern by adding a Supervisor.  This Supervisor appears to be a sort of über-agent which is scheduled to check for problems in the pipelines (i.e., lists of tasks) and attempt to correct them.  Clemens writes,

“If the agent keels over and dies as it is processing the step [pipeline task] (or right before or right after), it is obviously no longer in a position to let the scheduler know about its fate.”

In these cases, the pipeline is likely in an indeterminate state.  The scheduler has handed responsibility off to the agent, but the agent hasn’t reported that it finished its work (or even that it encountered an error).  Enter the Supervisor.  Just look for incomplete work and start over, right?  Well, it’s not as simple as it seems at first.  What if the agent had calculated and added tax to a total amount and then died just before reporting that it was done?  The Supervisor shouldn’t trigger that agent to execute again, because the tax would be added a second time.  This particular case is very simple, but you get the point: the entire Scheduler-Agent-Supervisor pattern requires a level of atomicity in various areas to reduce these risks.
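
To make that concrete, here’s a minimal sketch (the names and the idempotency flag are mine, not Clemens’) of a supervisor that only hands a timed-out step back to the scheduler when re-running it is known to be safe, and flags everything else for review:

using System;
using System.Collections.Generic;

enum StepStatus { Pending, Dispatched, Completed }

class PipelineStep
{
    public Guid Id { get; set; }
    public StepStatus Status { get; set; }
    public DateTime DispatchedAtUtc { get; set; }
    public bool IsIdempotent { get; set; }   // safe to run twice ("set tax to 7%"), unlike "add tax again"
}

class Supervisor
{
    static readonly TimeSpan Timeout = TimeSpan.FromMinutes(5);

    // Periodically scan for steps whose agent apparently died mid-flight.
    public void Sweep(IEnumerable<PipelineStep> steps)
    {
        foreach (var step in steps)
        {
            bool stuck = step.Status == StepStatus.Dispatched
                         && DateTime.UtcNow - step.DispatchedAtUtc > Timeout;
            if (!stuck) continue;

            if (step.IsIdempotent)
                step.Status = StepStatus.Pending;   // safe to hand back to the scheduler
            else
                Console.WriteLine("Step " + step.Id + " needs manual review.");  // a human gets to look at this one
        }
    }
}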

In case anyone is curious to know how we dealt with this in our solution a few years ago, we used a “supervisor,” too:  a developer who found the broken agent in the database and reset it!  How’s that for sophisticated? 😉

Azure’s Global DNS changes coming tonight!

If you have any production Azure systems or cloud components you depend on (overnight testing, etc.), you should keep an eye on tonight’s DNS switch-over.

As the blog posting on 9/24 announced, Azure’s DNS is “…moving to a new globally distributed infrastructure…” to “…increase performance and improve reliability….”  This change is set to occur at midnight UTC on 9/5.

Midnight UTC on 9/5 maps to:

8:00 PM today (9/4) in Atlanta, New York, Boston, etc.

5:00 PM today (9/4) in Redmond, Silicon Valley, etc.


No Swimming for 30 Minutes After Azure DNS Changes

The Windows Azure team recently published Windows Azure Domain Name System Improvements.  If you only saw this on Twitter, or just took a cursory glance at the announcement, you probably thought, “Good.  Azure’s DNS will be faster,” and moved on to something else.  It’s important to note, however, that the announcement also includes some gotchas.

DNS Entry Propagation

Although DNS entry propagation delays are not new, you’ll need to keep the following issues in mind regarding Azure’s DNS infrastructure:

  1. New DNS entries may take up to two minutes to propagate throughout Azure’s global DNS system.
  2. Systems that cache responses to DNS queries (such as web browsers, the Windows DNS Client, etc.) typically cache responses for about 15 minutes.

So, What’s the Problem?

These issues can add up to significant pain when you are launching a new Azure application, service, etc.  The end users of the application or service may receive errors due to these timing issues, and first impressions are often lasting impressions.

The problem caused by the first item above is the more obvious one: when you create a new entry in Azure’s DNS, you should wait at least two minutes before expecting DNS queries to return the right answer.  Any DNS query occurring inside this two-minute window may encounter an “entry not found,” “DNS Not Found” or similar error.  When that happens, it can be compounded by the second problem…

Most systems that query DNS (e.g., Windows’ DNS Client) also cache the response for a period of time – typically 15 minutes.  If a system queries DNS inside the two-minute window and caches the resulting error, subsequent queries for that entry will typically be resolved from the cache and will return the error.  If you try to use the name in your web browser, for example, it may take as much as 15 minutes before you stop getting the cached error and actually get the right answer.

You can manually flush the local DNS cache on Windows systems using ipconfig /flushdns, but be aware that this method does not impact other caching systems along the DNS resolution route.

Theoretically, an additional 15 minutes could be incurred if the route for DNS resolution changes between queries.  But the incidence of this scenario is very rare.

Risk Reduction

The best practice for reducing the risk of these errors occurring – and the resulting negative impressions – is to get your DNS house in order in advance.  Simply registering the appropriate names (DNS entries) well in advance of publishing the application or system should eliminate these issues.  Early registration also gives your team an opportunity to verify / test the name resolutions in advance.

In a situation in which we were forced to “live on the edge” and quick-publish software, we would wait at least 30 minutes before announcing that the software was ready to access.
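
One way to take the guesswork out of that wait is a quick smoke test that retries until the new name resolves.  Here’s a sketch (the host name is a placeholder; substitute your own *.cloudapp.net or custom entry):

using System;
using System.Net;
using System.Net.Sockets;
using System.Threading;

class DnsSmokeTest
{
    static bool WaitForName(string hostName, TimeSpan maxWait)
    {
        DateTime deadline = DateTime.UtcNow + maxWait;
        while (DateTime.UtcNow < deadline)
        {
            try
            {
                IPHostEntry entry = Dns.GetHostEntry(hostName);
                Console.WriteLine(hostName + " -> " + entry.AddressList[0]);
                return true;
            }
            catch (SocketException)
            {
                Thread.Sleep(TimeSpan.FromSeconds(30));  // not resolvable yet; wait and retry
            }
        }
        return false;
    }

    static void Main()
    {
        bool ready = WaitForName("myservice.cloudapp.net", TimeSpan.FromMinutes(30));
        Console.WriteLine(ready ? "Safe to announce." : "Still not resolving.");
    }
}

Keep in mind that a successful resolution here only proves your local resolution path works; other users’ caches may still hold a stale negative answer for a while.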

OAuth & WRAP for Development Teams

We posted some code to CodePlex which smooths OAuth integration for development teams.

Enable Multiple Action Claims in AppFabric WRAP/SWT Sample

If you’re using the ASPNETSimpleService sample to investigate Azure’s August release of AppFabric (currently in AppFabric Labs), you might like to know about a simple change that enables more than one ‘action’ claim.

The sample provides instructions for creating the necessary ‘reverse’ value for the ‘action’ claim in an ACS Rule Group.  But what happens if you have more than one value for the ‘action’ claim in the rule group (either by adding one or by reusing an existing rule group)?  The sample breaks with a WebException: (401) Unauthorized.  What gives?

The client app retrieves a SWT from AppFabric’s ACS and passes it to the web service.  The web service (implemented in the sample’s default.aspx) verifies that the SWT contains the ‘reverse’ value of the ‘action’ claim.  Unfortunately, the sample expects the SWT to look like:

“action=reverse&Audience=http://localhost:8000/Service/&ExpiresOn=1281474685&Issuer=https://<your-namespace>.accesscontrol.appfabriclabs.com/&HMACSHA256=muXlPgsuZkO9BHNAZqA97TZj4gz4NLKc0Ut58Y=”

This SWT will work fine.  Notice the claim “action=reverse” at the beginning.  If you aren’t aware (I wasn’t), multiple values of a claim are combined into one entry, separated by commas.  So, if you have another value ‘translate’ for the ‘action’ claim, the SWT will look like this:

“action=reverse,translate&Audience=http://localhost:8000/Service/&ExpiresOn=1281474685&Issuer=https://<your-namespace>.accesscontrol.appfabriclabs.com/&HMACSHA256=muXlPgsuZkO9BHNAZqA97TZj4gz4NLKc0Ut58Y=”

And that makes sense.  Why include multiple ‘action=<value>’ sections?  One simple change to the sample enables it to handle this situation.  Around line 90 of the sample’s default.aspx you’ll see

// check for the correct action claim value
if (!actionClaimValue.Equals(this.requiredClaimValue))
{
    this.ReturnUnauthorized();
    return;
}

This bit of code requires that actionClaimValue (which comes from the SWT) EQUALS the expected value (requiredClaimValue, which is set to ‘reverse’).  In the second SWT above, the value of actionClaimValue will be “reverse,translate”, which does not equal “reverse”.

Simply changing Equals to Contains fixes the sample.  Based on this situation, I don’t think a bare Equals check is a good idea for your apps.  Contains is a reasonable quick fix, but you may want a more rigorous test.
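
If you want something stricter than Contains (which would also match a value like ‘reverseall’), treat the claim value as the comma-separated list it is and require an exact match on one of its values.  Here’s a sketch that drops into the same spot in default.aspx (HasActionClaimValue is my own helper name, not part of the sample):

// Treat the SWT 'action' claim as a comma-separated list and require an
// exact match on one of its individual values.
static bool HasActionClaimValue(string actionClaimValue, string requiredClaimValue)
{
    foreach (string value in actionClaimValue.Split(','))
    {
        if (value.Trim() == requiredClaimValue)
            return true;
    }
    return false;
}

// ...then, around line 90 of default.aspx:
if (!HasActionClaimValue(actionClaimValue, this.requiredClaimValue))
{
    this.ReturnUnauthorized();
    return;
}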

CloudStorageAccount.Parse fails on trailing semicolon

Be careful not to let a sneaky little semicolon add itself to the end of your Azure connection string!  It’ll cause CloudStorageAccount.Parse to throw an “Invalid Account String” exception.  For example,

“AccountName=<account>;AccountKey=<key>;DefaultEndpointsProtocol=http”

works as expected, but

“AccountName=<account>;AccountKey=<key>;DefaultEndpointsProtocol=http;”

causes the exception.  Spaces after the semicolon result in the exception, too.  The easiest fix is to use TrimEnd:

azureConnStr = azureConnStr.TrimEnd(new char[] { ';', ' ' });  // drops the stray ';' and any trailing spaces

I wish Microsoft would code Parse to handle this case more gracefully.  I guess it seems like just a little thing, but when you’re connecting to the cloud, tracking down problems like this takes too long.
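
If you’d rather not sprinkle TrimEnd calls around your code, a tiny wrapper does the job.  This is just a sketch (ParseLenient is my own helper name, not part of the SDK):

using Microsoft.WindowsAzure;

static class StorageAccountHelper
{
    // Strip stray trailing semicolons and spaces before handing the
    // string to CloudStorageAccount.Parse.
    public static CloudStorageAccount ParseLenient(string connectionString)
    {
        string cleaned = connectionString.Trim().TrimEnd(';', ' ');
        return CloudStorageAccount.Parse(cleaned);
    }
}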