An Avanade Blogging Community

Recently at Black Hat / DEFCON, a presentation was given which indicated that a couple of security researchers had found isolated ways around the Windows Vista stack of security features intended to protect against the buffer overflows and predictable memory address space attacks very common in the Windows XP days.  This news, not surprisingly, was immediately seized upon by the uninformed technology media which soon started screaming that the sky was falling.

This morning, a colleague of mine sent me an article at Ars Technica called "The Sky isn't Falling" that takes a deeper look at the vulnerabilities in question and offers a balanced approach to the issue.

This issue of the news media sensationalizing vulnerabilities is a subject that I have touched on time and time and time again but seems to rear its ugly little head every month or so as some new researcher comes out with The Threat.  Then a number of news services, including particularly Slashdot and CNet seize on the initial announcement from the researchers, before it has usually been validated by others, and proclaim to the world that [insert Microsoft platform here] has been [choose one:  broken|compromised|DoS'd|DDoS'd|Owned|vulnerable], OMG, run for your lives off of your [Microsoft Platform here] installation.  You get the point.

One of the things that I love about this post, and the reason that I am blogging about what someone else has already covered pretty well, is that this is one of the first times that I have seen a technical media site publish the real world take on the latest "super-threat" that some researcher has presented.  One entire section of the article is entitled "Chicken Little runs amok" and even goes on to state that, "Sensationalism Sells, and there's no news like bad news, but sometimes - particularly when covering security issues - it would be nice to see accuracy and level-headedness instead.  Alarmism helps no one."

And the "vulnerabilities" themselves?  Traditionally, a vulnerability is something that people thing of as a bug or some mistake in the software.  In this case, thats not what is happening here.  A vulnerability is any feature, whether by design or unintentional, which poses a risk to the greater system.  The vulnerabilities that are being published is simply a well consolidated statement of the limitations of Data Execution Protection in Windows Vista.  Applications can opt out.  And some do.  So if you are using Firefox or IE7, Java, or flash, they may be opting out of Data Execution Protection (keeping memory from being arbitrarily executing by crashing the application that tries it) and Address Space Layout Randomization (windows vista's work to keep the application guessing where a system DLL is so that predictable memory space attacks are minimized).

The truth is that the paper is correct.  By exploiting the fact that these applications do not comply with the windows vista security measures, you can bypass the security measures on a Windows Vista system and it will be just as exploitable specifically on buffer overflow as a Windows XP system... as long as you are running in the context of one of these mostly web-related applications.

These attacks do NOT circumvent the IE protected mode sandbox or UAC! 

One of the things I really like about the aforementioned article as well, is that this is one of the few discussions which actually goes into detail on just what can be immediately fixed: "Some of the specific features of the attacks can be resolved by Microsoft itself -- preventing IE plug-ins from opting out of the protection schemes... and by making Windows default to enabling all the protection schemes".  At some point however, you have to wonder how much of this is really a vulnerability of Windows Vista? 

The protection schemes are there, if applications are making the informed decision to opt out (firefox and the JRE from sun, for example), isn't that really a vulnerability being introduced by the insecure choices of that application?

As the industry settles into a market where virtualization has major offerings from Microsoft, VMWare, and the Open Source communities, administrators and security engineers are beginning to grapple with the implications of virtualization on infrastructure security.  Fortunately, virtualization is really nothing new.  While the utility (and cost savings!) of infrastructure consolidation are being increasingly recognized every day, infrastructures constructed on virtualization and virtual partitioning platforms extend back into the days of mainframe, as well as adoption of hypervisor-based platforms throughout the late 90s and this decade.  Security professionals are not without lessons learned to apply in building the next generation of Hyper-V driven infrastructures; the start of securing your enterprise is merely a trick of recognizing how to modify them for today's intensive needs.

In order to understand the security model in a Hyper-V virtualized environment, the administrator or security professional needs to examine the most basic mechanics of virtualization and the relationship that the Guest Virtual Machines (VMs, also called Hosted Instances or Logical Partitions -- LPARs -- in some environments), the Host operating system, and the hypervisor kernel share in Microsoft's Hyper-V architecture.

In Windows Server 2008, the Hyper-V  virtualization layer is actually running "below" the level of the Host Operating System and directly handles the low level functions which make a computer operate -- as well as mediating the access requests between the host operating system components and the Guest VMs. 

Those working with Virtual Server 2005 will recall that this is a major reconstruction of the operation of the virtualization layer.  In Virtual Server 2005, the virtualization layer was running "on top" of the operating system, as a series of windows system services.  In Windows Server 2005, this resulted in sometimes harsh performance losses because any input or output request from a guest VM was made from the application on the guest needing the access, had to complete the operating system "stack" on the guest and then was relayed by the VM to the Virtual Server software service(s) through the appropriate emulated hardware.  The virtual service in question would then make the necessary requests of the underlying host operating system.  The host operating system running Virtual Server would then need to complete its entire stack of software functions to actually make the necessary request of the hardware the server was running on, before passing the resultant data all the way back up through all of these layers.

In Hyper-V the virtualized guest's resource request never has to go through the Host operating system!  This is a very important point in Hyper-V which not only results in vastly improved efficiency rates for I/O intensive operations on guest VMs but also is critical to understand in the protection of the consolidated environment.   The Hypervisor microkernel, not the Host Operating System, is the only component between the guest VMs and the hardware.  Along with this efficiency gain (and its attendant increase in the attractiveness of Hyper-V for enterprise consolidation implementations, is the considerations that a security engineer or network administrator needs to be conscious of all four components: the hardware, hypervisor, host VM, and guest VMs.

When a security engineer examines a Hyper-V virtualized environment, there spring to mind two primary divisions of strategy that apply to your consolidated infrastructure:  The first, is that the same security principles that apply anywhere else in your environment need to apply to both host and guests in Hyper-V hosting.  The second, is that virtualization has special strategy demands which require closer attention to detail in some areas in order to consider the effect that a unified server has on multiple potential services run in independent VMs on the same underlying hardware.

The Basics Still Apply

Maintain Physical Security

As with any information technology infrastructure, once an attacker has physical access to the hardware that a server is running on, the attacker can easily compromise nearly any level of the operating capacities of the machine through the use of offline threats.  Key loggers, local networking monitors, forensic analysis of the hard drives, booting into a "Live CD" with a built-for-the-purpose set of tools.  In consolidated environments, it is true that much of the time the data of the guests is not directly stored on Direct Attached Storage, however keep in mind that if use of offline tools by an attacker allows them to obtain administrative credentials on the host and then return the server to service, they can use the host level access to enable further attacks on the guest, including making shadow copies of the storage for the guest VMs which can themselves be subjected to further offline attacks.

To protect physical security of the server, in an enterprise environment, consider investing in remote management hardware such as physical remote management cards which allow server-level access to KVM and drive functions, a consolidated KVM-over-IP solution, and implementing separation of duties.  These days, remote management tools are sophisticated enough to ensure that a remote administrator can start a session with a remote management unit and have comparable access to the base keyboard, mouse, and console display (and sometimes even the CD/DVD drive) that the administrator would have accessing the box in person.  Note the word 'and' in 'and implementing separation of duties'.  Giving your administrators the ability to remotely administer the box is effective only if you also remove their physical access to the data center.  In the enterprise, data centers often have specifically employed individuals who can address the operational needs of cabling, racking hardware, installing new hardware, and possibly hitting the power button for a power cycle in the case of some catastrophic failure.

Separating the duties of those with logical access to the server (and administrative ownership over the function of the operating system and applications running on the server) from those with physical access to the server for operational requests allows you to reduce risk of physical access-based attacks through minimizing the number of people with that access.  The data center administrators have physical access to the server, but not the authorization information to change the operating system, and the network administrator or engineer has necessary authorization to operate the software running on the server without enabling another entire class of users to have direct access to the data center.

Less Software Means Less Attack Surface

Given that the host operating system in a Hyper-V server acts as little more than a platform for administration tools,  the administrator has a new ability to trim down the software packages that run on the server itself.  Each installed role or package which is surplus to the Hyper-V server provides another set of code which could either potentially be used directly by an attacker against the host itself (particularly in the case of superfluous pre-staged administration tools), or could contain vulnerabilities which, in the case of running services, could allow an attack vector in the first place.

An administrator which needs to perform changes on the Hyper-V server has access to the server remotely through the Server Manager for the most common administration tasks.  For those of less commonality, once an administrator logs into the server, he or she could then map a drive to a shared folder of utilities or could have an installer or zip file which can be copied over from a share, used during the course of the task at hand, and then removed.

In an enterprise environment where the Hyper-V server is expected to host instances of production services, the host Windows Server 2008 installation should be made with Server Core!  Server Core provides a somewhat hardened environment for the virtualization services at the expense of removing many of the most common administration tools.  Guides are available across the web, including my own, on how to install Hyper-V on a Windows Server 2008 Server Core machine.   Additionally, Microsoft has made ample documentation available on how to use the command line and PowerShell to provide advanced from-the-console administrative actions.

Updating the System is Key

Implementing an aggressive firewall on the server and restricting direct access to the machine will be of little avail if the firewall code, or any of the services which are exposed (such as the terminal services instance in most installations), is found to have a vulnerability in the software which remains unpatched on your server.  Updating your software on the host as well as each of the guests should be part of the planned architecture of the environment.  In some cases, this has policy implications as well.  How will your change management work to allow you to reboot the host after applying updates, which also takes down the guest instances?  Do you have a universally applicable change window?  Do you need to plan a change ticket?

Virtualization does not affect the tenet that your software should be updated!  Virtualization simply complicates the planning for host downtime but the update process must still be considered and planned for.

Use Domain Based Credentials to Minimize Threat from Turnover

Managing access to the environment requires attention to your authorization and identity strategy. Credentials which are based on the standalone server provide an opportunity for mistakes in de-provisioning, creating a series of active accounts with privileges possibly as high as local administrator on your host Hyper-V servers and your guest VMs.  Just as in any other information technology environment, the virtualized server environment can be easily compromised by these obsolete user accounts. 

Engineers should minimize the number of standalone credentials created on the server itself which provide the potential for running into problems.  Reduce host services which require custom local accounts to be established.  Create a strong password for the local administrator account.  If your local environment uses a common password across the environment for administrative access, change the password periodically.  Minimize the number of local accounts being created, rather join the server to the domain early in the setup process and add a domain based group or account to the necessary permissions.

Apply the Concept of Least Privilege

Accounts which are granted privilege to the environment, regardless of the origin of the account (local or domain-based), should only have the privileges on the local system which are required for their needs.  During installation, the account which will enable the Hyper-V role needs to have administrator privileges, either based on the local administrator account, or a domain administrator.  Once the actual installation is done, and sub-administrators and end-users are working with the guest VMs, administrator privileges are no longer required for most operations IF you have invested the time to setup the local permissions. 

There is a great blog post specifically on the subject on how to delegate permissions to work with VMs without host privileges, by Lukas Beeler:
http://projectdream.org/wordpress/2008/07/03/delegating-hyper-v-virtual-machines/

Some basic tenants apply.  Do not grant permissions on the host data storage to the extent possible except to the directories where the individual is supposed to be able to save ISOs and other files.  Use a file share if possible to grant access to the storage location for ISOs and other locally hosted materials that the VM should have direct access to.  Avoid giving any users the ability to directly log on to the host via RDP if they do not absolutely need that ability (and force users to justify that request by providing the exact delta of what they need to do over and above what is provided by a file share and use of server manager).  Using the above blog, grant end-users permissions only to the VMs to which they should have rights and control.

Virtualization has Special Strategy Demands

Documentation of your Environment is Critical to Success

In a virtualized environment, the relationship of logical servers to physical hardware is no longer 1:1.  Many systems documentation systems expect each server to be associated with a physical hardware platform and hence do not make the provision for a logical server to be associated to a host server.  In order to properly maintain your environment, virtual servers need to have documentation readily available on what guest VMs are hosted on which physical machines, as well as (critically!) the person or contact for the "owner" of the guest VM!  In my experience with virtualized environments, a number of different businesses or administrators will "own" individual virtual machines hosted on the server.  In order to prepare for downtime on a given host, it is necessary that the organization be able to properly notify affected teams of needed downtime or changes to the underlying virtual host.

If the organization does not maintain an enterprise-level documentation system for the infrastructure environment, individual administrators can counter this vulnerability by using locally hosted documentation.  Create a directory on the server called "Documentation" in a standardized location and use locally hosted text files to store information about the individual VM names, basic configuration information, and the contact information of the owning administrator or business unit.

Planning for Downtime affects More than the Host

The relationship of the host to its guest VMs means at its base that as goes the host, so go the guests.  This means downtime has direct effects.  The change management, business continuity, and disaster recovery strategies of the organization may need to be modified to take into account the cascading effect that downtime on the Hyper-V host implies.  As noted previously, the documentation that your organization maintains should provide the basis for a procedure of approvals or notifications when a host should be taken down or is experiencing a downtime event.  Each of the guest VM owners needs to be involved in the downtime discussions as well as the necessary groups which administer the service of the Hyper-V host itself.

In many enterprise environments, this means ensuring that there is some kind of tagging applicable to the Hyper-V hosts themselves to indicate additional teams that are involved in change requests as well as operational functions related to downtime itself.  Formalizing this approach in a policy could mean that in the case of an unexpected downtime event, a representative from each operational group affected by the host downtime would be present on a call or system to test and validate the application's return to service as well as to represent the importance of the downtime itself and the criticality of resolving that component in a case where more extended prioritization is required.

In smaller environments, this could take the form of simply expanding the existing process to include additional business owners.  Adding a rep from each "owning" team to an email thread and asking for a one-line approval statement from each could be one of the simplest ways to implement the same form of interaction

The Hypervisor has Access to Near Everything

The micro-kernel which provides the hypervisor services between the host and guests and the underlying hardware performs the function of interpreting all of the resource requests for the system.  As a result, this system is the linchpin which has direct, low-level access, to every bit and byte of data that will be returned to either the host operating system or the guest VMs.  Once an organization introduces Hyper-V into the software stack in your environment, from that point forward, the primary administrators or architects in the environment need to be regularly updating themselves on the status of updates to the Hyper-V platform and understanding how attendant vulnerabilities work.

Once a vulnerability is released that has the capacity to target the Hypervisor, the internal administrator will want to be able to escalate any attendant repair following patch release to ensure that the patch can be applied to the environment as soon as possible. 

The administrator also needs to be in a position to protect the hypervisor to the extent possible.  Workarounds should be immediately implemented in an environment if a high-severity issue is discovered in the industry that may affect the hypervisor layer so it is necessary to examine a mitigation approach based on operational awareness rather than with any immediate proactive protective action.  Establish a process whereby one or more engineers are responsible for staying absolutely up to date on the security of the Hyper-V platform, patches, as well as security discussions in major communities.  Ensure that there is a defined and documented process that the selected engineer(s) or administrator(s) can use to immediately raise the visibility of the issue to the appropriate project, management, or change teams that can authorize necessary fixes or being a "fast-tracked" engineering process to determine an acceptable workaround in the environment that takes into account the risk of the potential threat.

Data Classification Assigned to the Hypervisor/Host Should be No Less than the Most Sensitive Guest

Given that the hypervisor micro-kernel has access to all data passing back and forth in streams from the host OS and guest VMs to the underlying hardware platforms, an implied corollary would then dictate that the data classification which is applied to the Hypervisor and Host OS should be no less sensitive in classification than that of the guest VM storing or using the most sensitive data.  If your hypervisor is compromised, even though the data being stored in storage partitions of the host OS may be seemingly trivial, it is critical to realize that the host OS has access to everything!  Not just its own loaded utilities and tools!  In cases of VMs which are using iSCSI LUNs for storage, you also have the consideration that the LUN itself is directly loaded on the host OS as a drive in order to make it available as a passed-through drive to the guest VM. 

This approach to using iSCSI LUNs means that the host OS and the hypervisor have the ability to obtain direct and complete access to all of the data stored on that LUN.

In enterprise environments subject to regulatory requirements, your system of documentation should indicate the sensitivity of the host OS for your Hyper-V server at the heightened state of sensitivity in order for your organization to respond appropriately in the case of a compromise.  Further, for security settings auditing purposes and ensuring that policy or application requirements for high sensitivity infrastructure is properly applied to your Hyper-V host machines.

Virtualization Enables More than Consolidation Savings!

Implementing Hyper-V to initially consolidate your environment drives a savings in the enterprise that goes beyond reducing the server count in the environment.  A security engineer examining the virtualization environment to be implemented in the environment needs to be aware of the available disaster recovery and business continuity benefits available in Hyper-V.  Designing the infrastructure to take advantage of System Center Virtual Machine Management 2008 as well as the backup possibilities available in the virtualized environment is best done during the initial design rather than attempting to return and retrofit these technology approaches into the environment, which was already established.

Hyper-V installations accompanied by System Center Virtual Machine Manager 2008 bring to the table the ability to apply high availability to the environment including virtualized clustering, V2V migration, as well as a suite of features to monitor performance and localized resource use.  There are several key applications for VMM in the environment, the first and most basic is using the performance monitoring capabilities to determine a baseline of the expectable range of resource use in the environment should be.  By establishing this baseline and then configuring alerts based on significant performance deviations, the administrator or engineer could detect when a Denial of Service, either purposeful or incidental to expected traffic, is in place that is preventing the function of one or more guest VMs in the environment.

The SCVMM product provides more than simply the ability to monitor performance and utilization in the environment, Virtual Machine Manager also provides the security administrator the ability to cluster virtual hosts so that in the case of a downtime event, virtual machines can be manually failed over to be brought up on another similarly configured host.  This approach provides something of a warm standby at all times in environments where there is a unified storage model such as that provided by a shared SAN.  Combining the ability of VMM to provide V2V and P2V migration in the current generation SCVMM product as well as the stated intention for the next version of SCVMM to provide live migration capability to the environment, provides a strong roadmap for security professionals and architects to build a consolidation environment that provides a roadmap for immediate and future improvements in reliability.

Snapshot as Practical Storage Considerations Allow

Hyper-V introduces the capability to take live snapshots of the state of the virtual machine at a point in time.  Similar to the mechanics of the snapshot process for a NetApp filer in a storage environment, the snapshot concept in Hyper-V extends the undo disks of Virtual PC and Virtual Server 2005 to provide the ability to capture multiple states and return to any of them according to the needs of the owning organization.   The engineer or architect for the consolidation environment should plan on the ability to host snapshots at least to be able to return to the state of the guest VM at the time of initial complete application configuration.  In development environments, snapshots provide the ability to return to a pre-change state relatively quickly when a developer is applying an unverified hotfix or software patch to the applications hosted on the guest VM.

When you start taking these kinds of snapshots, however, it is important to recognize that the storage the snapshot takes up is a consideration for which space must be allocated to utilize the snapshot capability.  The reliance on differencing between the virtual hard disk and the snapshot allows the snapshot to be significantly smaller than the size of the underlying VHD.  The drawback here is that differencing indicates that snapshot growth is based on the amount of change between snapshots and the underlying disk VHD which makes the exact amount of space to set aside difficult to estimate a baseline to plan for.

Applying SOA with Distributed Guests Can Provides More Security in a Virtual Environment

In Service Oriented Architecture, the components of the overall solution being developed can, and often do, exist on independent physical servers.  When consolidating the data center using a virtualization platform, these sometimes not-fully-utilized server instances are often an excellent target for virtualization.  Larger environments that involve a number of hosts provide the theoretical capacity to design additional security into the environment by partitioning the physical layer on which each layer of the service oriented architecture would be hosted.  In theory, if a single host were to host 3 tiers of a multi-tiered service-based application, if the underlying physical server were to be compromised (or the hypervisor residing thereon), all three guests are highly open to compromise and essentially would be assumed to potentially be compromised in short order.

In a larger Hyper-V based architecture, the engineer or architect can plan to distribute the tiers that comprise the entire application across multiple independent servers allows the architect to extend the modular approach to protect against the simultaneous compromise by, at minimum, partitioning the individual tiers onto different host platforms.  While the organization needs to be careful not to fall back into the anti-practice of attempting to establish security by obscurity, there is the potential for very real value from the segregation in this solution.  If one host, for example, could not apply a critical patch for some reason, and is subsequently compromised, the separated platform would mean that in our 3-tier example above, theoretically the other two tiers may not be compromised based on the design and architecture of the application being hosted.  This separation offers the potential ability to extend the overall security of the architecture slightly simply by being careful not to group all instances of application services in the physical space to be compromised.

Recently, I have seen a number of posts in various places around the 'net and it is clear that many folks (even those posting about these programs) do not really understand the difference between the Microsoft Certified Master, Microsoft Certified Architect and other programs, their offerings, process and cost. 

I'll try to break it down for you:

Microsoft Certified Technology Specialist (MCTS)

A technical credential earned with a single product focused exam.  Cost of $125.  Many specialties available.  Examples include the MCTS: Windows Vista, Configuring and MCTS: Microsoft Exchange Server 2007, Configuring.  The exam can be taken through Prometric.

Microsoft Certified Information Technology Specialist (MCITP)

A technical credential focused on role-based competencies that include technical knowledge as well as the ability to apply that knowledge in the given role.  The MCITP usually requires at least 2 additional specific MCTS credentials to form the technical basis of the credential.  In addition there is one or more professional-level exams which focus on the application of the technical knowledge in the specified role.  One or more role-focused exams.  Cost between $125 for single pro exam tracks to $250 for multi-exam professional tracks.  Examples of this credential include the MCITP: Enterprise Administrator and MCITP: Enterprise Messaging Administrator.  The exam can be taken through Prometric.

Microsoft Certified Professional Developer (MCPD)

What the MCITP is for engineers, the MCPD is for developers.  The MCPD tracks credential a candidate's experience in a professional development role applying a range of specific development platforms.  Each MCPD track requires multiple additional MCTS exams as a pre-requisite to the single pro level exam to earn one of the three MCPD credentials.  MCPD level credentials are available for Web Developer, Windows Developer, and Enterprise Application Developer specializations.  Cost $125 for single pro level exam.  The exam can be taken through Prometric.

Microsoft Certified Master (MCM)

A technical credential which indicates a deep specialization in a specific product area with Microsoft technology.  MCM certified candidates have communications channels to the product group, have completed rigorous training with Microsoft, and have a documented history of delivery experience with the product as well as knowledge-based and experience-based exam passes.  The MCM programs are 3 weeks in duration and a candidate must attend the full session to complete the MCM program. 

There are currently available only two programs in Exchange Server (Exchange) and SQL Server (Database).  About to release later this year will be Active Directory (Directory or Windows Server 2008).  Also announced for development and release are tracks specializing in Office Communications Server and Office SharePoint Server.

The MCM program requires Microsoft's approval to attend as well as specific technical certification pre-requisites the candidate must have completed.  During the course, there are multiple written assessments as well as a lab-based exam at the conclusion of the course.  The candidate must pass all assessments to earn the MCM title.

The MCM program costs $18,500 for each program.

Microsoft Certified Architect (MCA)

The Microsoft Certified Architect is intended to certify individuals who have reached a stage of competency with both technology and delivery management such that they can be relied upon to make excellent, repeatable delivery on a large scale project for an enterprise customer.  The MCAs have demonstrated a series of competencies in architecture including knowledge and application of several external architecture and operational frameworks, integration of broad based technology knowledge, and the ability to work with the customer at almost any level of the organization.

There are two sets of MCA programs.  The first set are credential programs that focus on the architect as a design and delivery professional and are offered in the general Infrastructure and Solutions tracks.  The second set are technology focused and indicate a professional has both the advanced architecture knowledge as well as the deep technical knowledge of an MCM.  Presently, MCA technology tracks are available for MCA: Database and MCA: Messaging.   For either technology track, the candidate must hold the MCM in the specified area.  For any MCA program, the credentials and documentation on the candidate's history must be accepted to even sit the review board.

The actual MCA procedure itself is a peer-based review board interview which is 2 hours in length.  The time investment that must go into candidate documentation and preparation to sit the review board is considerate and candidates should not assume that the review board itself is the only time commitment required.  The pass rate for this program is historically EXTREMELY low for first attempts as candidates often require additional preparation to appropriately demonstrate ALL of the required competencies. 

Cost to attempt the review board has been announced around $4,950.

As a technical interviewer at Avanade, when I complete the technical portion of the interview, one of the most common questions that I get from prospective consultants is “What is it really like as a consultant? What is your day like?” Sometimes I get random emails from people on the web, “Hey, I am thinking about applying to Avanade, do you like it? What is your day like?” I love these kinds of questions because there really isn’t a single right answer.

Avanade is a variety of experiences and that is part why being an Avanade consultant is so great to me.

Falconic Note: This blog post is my own personal view and experience as an engineer at Avanade. This blog post is not endorsed by Avanade nor should it be construed as making a statement in any official capacity for Avanade. The views expressed in this blog post are my own. Nothing in this blog post should be construed to constitute an offer of employment or a supplement to any existing or future offer.

I totally welcome emails with questions about Avanade. For obvious legal and HR reasons, there are some things I just can’t talk about but I am more than happy to field questions about why Avanade really is an awesome place to work for a Microsoft technologist.

Feel free to drop me an email at wayne.anderson@avanade.com . If I cannot answer the question, I can point you towards one of our recruiters who might be able to talk with you a little more about opportunities at Avanade.

Consulting for Avanade changes a bit depending on the project that you happen to be working on. There are really 4 “main” scenarios that you will encounter for your work at Avanade.

• Working on a Customer Project On-Site (Out of Town)
• Working on a Customer Project On-Site (In-Town)
• Working on a Customer Project Remote (@ Home)
• “On the Bench” (@ Home)

Let’s have a look, shall we?

Working on a Customer Project On-Site (Out of Town)

Only slightly less frequently asked in an interview is the question, “how often do you travel, really?”

With the caveat that this is my experience only, and that your experience will vary, the company line is “up to 100% travel”, do not use within reach of children, caution: contents may be hot, etc, the average that I see is about 70% of the time. This varies based on the location that you are based out of. Being based out of a very large city where we have a thriving practice in the US or Overseas can bring down your travel. Being based out of a smaller city with plentiful competition like Denver, CO, can push your travel percentage upwards.

At any rate, when you are traveling on a customer engagement, Avanade uses a model where on an engagement in the same country, you will travel home every weekend. The engagement will either be a travel Sunday night to Thursday morning, Monday morning to Friday afternoon, or on a few engagements, travel Sunday night to Friday midday. This means that you have at least most of the weekend with family, and the other part of the week you are on a customer site.

At the same time, we have a commitment to the customer to be putting in a standard work week. Thus, while at the customer location, generally you can expect a 9 to 10 hour day.

One of the other questions I hear a lot is, “will I be out of town on a project by myself?” Most of the time, the answer is no. There are very few projects that I personally have experience with where an Avanade consultant is working solo on a project for which they are traveling. Usually we are there in one of three scenarios.

1) Working as a fully integrated Avanade team with the customer.

2) Working in concert with some Avanade, some Accenture.

3) Working with some Avanade, some Microsoft.

In any of these cases, you almost always have “friendlies” for which you are part of the project team that you will be working with. Most of the time, there are lunch groups and various casual dinners available that you can be a part of. One of the nice things about everyone on a project traveling (or even most of everyone on the project), is that those other people are on per diem too and are going to be looking for some socialization time in the evenings as well.

Without going too far, I can safely say that I have seen the inside of innumerable bars and restaurants with Avanade colleagues. Avanade unequivocally believes in safe and professional conduct but within those guidelines of conducting yourself appropriately, there are plenty of opportunities to enjoy the hospitality of a city that you might not otherwise experience.

Working on a Customer Project On-Site (In Town)

Sometimes, particularly if you are based out of one of our larger cities, like LA and Seattle in the US, you will be placed on projects local to the home city that you are based out of. When these kinds of opportunities come up, you will have a steady commuting schedule just like going into the office for any other job. The only difference in consulting is sometimes we have a tendency to require a few after-hours work hours from you in order to be able to take part in the types of migration/installation/testing that we do outside of the customer’s business hours.

Despite the small request of some additional hours to facilitate after-work testing/install/migration (which can be mitigated by adjusting start times during the affected period on the project schedule), in-town work is by far the preferred work arrangement for many consultants because you are back home with your family every night.

Working on a Customer Project Remotely (@ Home)

Remote work is the kind of work we all like to have but tends not to be available as often as one would hope. Remote work allows us to save a customer money by saving on travel expenses but also requires that the customer places a certain degree of trust in our consultants being able to connect to the customer resources remotely through a VPN or other type of arrangement. For this reason, some customers opt to pay for the onsite consulting that is the mainstay of our business.

In development projects, the remote work tends to be more available as many of the projects we engage on do not require the full and prolonged presence of the entire project team, instead providing ways for them to check in code and attend meetings remotely. If you are a developer, you will find that your travel is rather more balanced as many of our customers offer more opportunity to save costs by coding remotely in a TS environment, allowing remote check in to code control systems, and other methods of remote work while maintaining appropriate control of the work product.

Even though working from home for the length of a project for months at a time sounds really cool, the honest fact of the matter is that it takes focus to be able to really bring your skills to bear on a project. For those that have families, this can be particularly difficult as our tendencies as husbands and fathers is to spend the time that we have with them as much as we can.

I recommend to anyone who gets involved as a consultant to count on having some portion of time at home working on projects and working on the bench. If you can, set up an office area. Your office should, at the very least, be a bedroom or basement area, or otherwise dedicated space where you can close the door and maintain quiet that semi-isolates you from the animals, children, etc that each of our homes maintain.

“On the Bench” (@ Home)

Another common question that I hear a lot is, “If I am not working for a customer, am I still getting paid?” This is particularly true from folks that have work for other consulting companies that may or may not do that. When you work for Avanade as a full-time technical consultant, Avanade maintains a “bench” which is the resource pool in a given region which is immediately available for projects.

When you are on the bench, your job is to go out and sharpen your skills to get back in the field. This often entails working on your certification. Avanade not only supports certification, but up until the project lead levels, Avanade requires it! Provide resources to study with and vouchers to take the exams. We provide the resources for it. It’s in Avanade’s interest to make sure that you are fully credentialed and trained to succeed on current and next-generation technologies from Microsoft.

Your time on the bench is in the anticipation that you will use it to further your formal training and experience on the technologies you work with, certifying it with credentials from Microsoft.

Consulting at Avanade offers Variety

Avanade offers every one of its consultants the opportunity to build their own training and experience to develop themselves. You are in the driver’s seat for your career. Want to certify? The resources are there and available. Want to be a project manager? You can work with our Global Learning department and your region to build a career path and map out the steps you need to take to meet the competencies to be in that role. Want to be an expert? The learning team can help you figure out the experience and training you need to work towards an architecture role.

I came to Avanade from IBM Global Services because I wanted a job that would grow me along with the business. I wanted a job where I could be working on something different every 3-4 months. I wanted a job where the management chain was as much about supporting me in building my capability and customer management skills as it was in putting me in front of customers. I wanted a job where I was working with people who knew more about the technologies I work with than I do.

Avanade provided that opportunity for me.

If Avanade sounds like something you might be interested in, you have a passion for technology and constantly training and building your experience, and don’t mind some travel, check out some of the job postings the recruiting team has put up on the corporate homepage at www.avanade.com, there might be something there that fits what you are looking for.

Falconic Note: This blog post is my own personal view and experience as an engineer at Avanade. This blog post is not endorsed by Avanade nor should it be construed as making a statement in any official capacity for Avanade. The views expressed in this blog post are my own. Nothing in this blog post should be construed to constitute an offer of employment or a supplement to any existing or future offer.

Information about consulting, training, and certification activities that Avanade consultants engage in is current as of the time of this writing and may be subject to change.

This is the one of my Preparing for Certification series of experience blogs.  One of the fortunate things of working in consulting and subsequently moving into a role where I am assisting others to prepare for consulting themselves is the opportunity to really build my own experience with preparing for and completing certification exams to accredit my skills, the work that I do, and to build credibility with the folks that I am teaching.  As such, I have taken some time to put together my thoughts about my experiences as I have recently [in the past 2 years] completed various credentials. 

Please understand that this is intended as a preparation material, to provide targeted resources to help you prepare for the exam.  NOT to help you pass the exam.  You do that.  You need to make sure that you budget an appropriate amount of time to prepare to sit an exam.

Please understand that these are just observations based off of just my own experience with each of the tests.  This information is mostly just my observation of the strength of certain items which are on the Microsoft Objectives for the exam and your perception as a unique professional may vary depending on your own strengths.  My difficulty scale is as follows:

Easier <-Easy—Moderately Easy—Moderate—Moderately Difficult—Difficult-> Harder

70-649 TS: Upgrade to Windows Server 2008

Moderately Difficult – Q&A – In much the same vein as the upgrade exams for the Windows Server 2000 to 2003 transition, the Windows Server 2008 upgrade exam is a broad based exam that, while not particularly difficult on an item by item basis, presents a challenge to candidates solely on the broad base of knowledge the individual needs to be familiar with. In my experience taking this exam in beta and in production, probably 30% of the content you should be able to pass based on up-to-date experience with Windows Server 2003 SP2 implementation and troubleshooting.

This exam is actually presented in a different manner than most exams I am familiar with in the Microsoft track, opting for fully divided 3 sections rather than a number of questions from different content domains in a single, unified exam. The three sections cover the primary content domains that Microsoft has targeted on the exam page and outlined for the MCSE-to-MCTS upgrade path, aligning with WS2008 Active Directory, WS2008 Network Infrastructure, and WS2003 Application Infrastructure.

A candidate needs to be highly familiar with the Active Directory Certificate Services interaction with Active directory (revocation list publishing, and enterprise CA pre-requisites spring to mind). Also important to a testing candidate are the specifics of working with AD LDS partitions, controlling LDS replication throughout global catalogs, and understanding the scope of schema modifications. As to the directory services themselves underlying these add on services, a solid understanding of backup and recovery for automatic and manual backups as well as how to restore system state information and authoritatively restore a database to correct information loss.

Focusing on Network Infrastructure requires only the lightest review of networking concepts. Ensure that given a super-netted IP block you can distribute the IP addresses into smaller subnets according to a given set of host counts and also that you can adequately choose an appropriate IPv6 address for a given network size and communication need. At a higher level, you need to be familiar with the very basic concepts involved in WSUS architecture and accessibility. Also important are basics of the infrastructure services involved in remote access (particularly when dealing with wireless hosts), DNS, and DHCP services. On top of all of these subjects, a candidate needs to be familiar with the basic mechanics of NPS and how to implement health policies to achieve a specified security policy.

The true heart of the exam is Application Infrastructure, driven home to the candidate by more complex scenarios that an individual will need to be able to logically “parse”, understand the specifics and underlying mechanics, and determine an appropriate configuration path for the situation. It is important to know the terminal services relationships in the 2008 infrastructure, how to publish and load balance terminal servers, how to use ISA to publish terminal services, as well as methods to make applications available through a gateway and publish to a client. Also make sure that before you do your final review to sit the exam, you are VERY comfortable and thoroughly versed in the features and administration of the new IIS 7.0.

A large number of changes are embodied in the IIS release for Windows Server 2008 and, as one might