Wednesday, August 24, 2011

New Technology Phase Change Memory

Introduction

My Dear friends this article discussed molecular memory, phase change memory, holographic memory, and magneto-resistive RAM. In this article I thought I’d revisit that article and expand a bit on the section discussing phase change memory. This will also give me a chance to introduce some advances in the technology recently announced by IBM.

Background

To understand the new advances made by IBM researchers you’ll need to know the basic science behind phase change memory and the challenges associated with it. Phase change memory is really very similar to the technology used in CD-R and DVD-R technologies.
In optical disc writing, a laser changes the opacity of small regions on the disc. The laser can make the small region more opaque or less opaque. It does this by changing the material from an amorphous state to a crystalline state or from a crystalline state to an amorphous state. When a disc reader then reads the reflection from the disc the reader will be able to determine if the region is in an amorphous or a crystalline state thus reading either a logical ‘1’ or a logical ‘0’.
Likewise, phase change memory also changes a small region from an amorphous state to a crystalline state and back again. In phase change memory implementations though, this change is done via an electrical current instead of a laser. More precisely, it is the heat that can change the state the optical disc and phase change memory implementations merely change how that heat is created/distributed. In my previous article Memory Storage, I highlighted the scientific similarities of resistivity to opacity, which even includes reflection!
Phase change memory systems can determine whether a region, often called a cell, is in an amorphous or crystalline state by measuring its electrical resistivity. This leads to one of the major advantages of a phase change memory system; the resistivity levels of amorphous and crystalline states are drastically different. This allows us to implement different levels of crystallization so that each region can have not just two states but potentially several states. This type of storage where one region can have multiple states is referred to as MultiLevel Cell (MLC) storage.

Advantages

Since phase change memory implementations are quite expensive to produce it is believed that a significant implementation of MLC storage will allow for very large amounts of storage and justify the high price of the technology in a competitive market. Of course, MLC storage isn’t unique to phase change memory implementations; it’s also seen in flash based memory. In flash based memory storage solutions it’s common to see four states supported per cell. This provides two bits of storage for each cell - as opposed to one bit per sell for Single Level Cell (SLC) storage.

Figure 1: attributes of phase change memory (PCM) compared to other types (Courtesty of hothardware.com)
Other than MLC, what are some other advantages of phase change memory solutions? Well, like flash, there are no moving parts which increase longevity and usability. Also, since the cell states are changed with heat via an electric pulse, there is no danger in having small magnets in close proximity to the memory. Also, these electrical pulses can change the states very quickly which can result in significantly faster write times when compared with flash.

Challenges

There are some drawbacks to MLC storage. Since there are more states stored in a single cell there is less of a difference between these states which can result in a higher bit error rate (BER). In flash based memory storage solutions this can be adequately handled via an increased role for error correction modules. The increased error correcting could potentially slow down an application, but this is the trade off for getting basically double the storage in the physical area.
In phase change memory the effect of having four states per cell is even more dramatic than in the flash based implementations. This is due to the cells having what’s known as a resistance drift. A resistance drift describe the effect of the resistance level of the different states chaning - or drifting - over time.
So you may be asking - what’s the big deal about this resistance drift? Can’t we just store a known value in some cells and measure the drift over time, then compensate for the drift when reading from the other cells? Yes, we could, if the drift was uniform across the cells. It’s not. The resistance drift is somewhat erratic and cannot be compensated for in this manner.

Group Policy Design principle

Active Directory Group Policy Design Principles


Finally we go to Group Policies. Personally, I find this feature one of the more compelling reasons to make the move to Active Directory. Properly designing and implementing it.
Group Policy processing rules of thumb
These are my 5 rules of thumb I tried to remember when I was taking up the Active Directory Implementation and Active Directory Design exams, and in my subsequent Group Policy design exercises.
Rule 1 – Execution Order: L > S > D > OU. Local policies are procesed first. Then follows the Site GPO’s, then Domain GPO’s, then OU GPO’s from top level OU until the direct container of the user or computer object. Any conflicting settings and the last processed GPO will prevail.
Rule 2 – Inheritance. GPO setings are inherited from the top level containers containers to the direct container of the user or computer object. If we need to remove the Run Menu from all users in our domain, we simply need to create the GPO for this and link it to our domain, instead of linking it on all OU’s where there are user accounts. There are of course, exceptions to the rule.
Rule 3 – Block Inheritance. Block Inheritance is applied to the container and ensures that any policy in the upper level containers are not applied to the container that it is applied to and the downstream containers. This is intended as an exception to Rule # 2 on Inheritance. The proper application to this is a downstream container.

Rule 4 – Link Enforced. Enforcing the link ensures that the GPO will be executed no matter what downstream GPO’s are applied to downstream containers. This provides an exception to Rule # 1 on Execution Order. The proper application to this is an upstream link. Note that Enforced is applied to the link, meaning the should GPO may be linked to more than one container, only those that we applied Enforced are those that will be enforced. Enforcing the link is a powerful exception that overrides the Block Inheritance exception

Rule 5 – GPO Access Control. If, for example, one would intend to enforce a specific GPO only to a subset of user accounts in an OU, we only need to change the default Access Control List of the GPO to allow both Read and Apply Group Policy to those user accounts that need to be enforced with the policy (we need to remove Authenticated Users from this ACL in the process). On the other hand, if we wish that a specific subset of users, say for example, Administrators SHOULD NOT be enforced with, say for example, a restrictive GPO, then we can just grant them Deny permissions on Apply Group Policy. Note that the Enterprise Admins, Domain Admins and Administrators groups are not subject to Group Policies because these group accounts are not given the Allow permission in Apply Group Policy permission by default, but they are also not explicitly given a Deny permission. This means that, making a user account a member of these groups does not necessarily liberate that user account from restrictive Group Policies. For really restrictive policies that endanger an administrative account being locked out, it is best to explicitly give the said group accounts the Deny permission on the Apply Group Policy access control entry.


Key pointers in designing and implementing Group Policies
  1. Although one can link a GPO to the Site container, it is not adviseable, given the fact that a site can contain multiple Domain Controllers from different domains.
  2. As mentioned in the OU Design document, implementing a wide but shallow OU structure is better than a narrow but deep structure for performance purposes. The deeper the OU, the more Group Policies that need to be processed and the longer it takes to start up the machine and/or log on the user. Although a wide but deep structure would eventually mean more GPO’s and more links, less GPO’s need to be enforced during the startup or logon process.
  3. Ensure that the Distributed File System (DFS) is working properly between domain controllers in the same domain. DFS is the means for the Group Policy files to be transferred between domain controllers. If DFS is malfunctioning, it is possible that multiple, copies of the same GPO get propagated and enforced on the client machines. Depending on the nature of the GPO, this can pose a serious security threat to the network.
  4. Download and install the Group Policy Management Console (GPMC)
  5. Learn the proper usage of Block Policy Inheritance and Link Enforced. Refrain from using these exceptions if you can get away with it. Remember: Block Policy Inheritance is applied to a downstream container, while Link Enforced is applied to an upstream Link.

Auditing a DNS Zone


1. Introduction

One of the main aspects of security is the maintenance and to do that correctly the administrator needs to be able to track changes that are done in the environment. There are a lot of challenges on this area and one of the biggest challenge is to log what needs to be logged without overwhelm the server.

When I was working in the platforms team I remember that I received a call from a customer saying that he wants to know who deleted a record on his DNS Zone. First question was:  do you have an audit policy for DNS enable?  He was like: what is that?  After review his environment I saw that the auditing was enabled, but not for the Active Directory Objects (his DNS Zone was integrated to AD).

This post will walk through the Auditing configuration of a DNS Zone (AD Integrated) on Windows Server 2003.

2. Preparing the Environment

There are three steps to prepare the environment:
·         Verify if the Audit Policy called Audit Directory Service Access is enabled and what is the setting.
·         Enabled the Auditing on the DNZ Zone that you want to audit.
·         Use the Event Viewer to find out which object of modified (in this case the example will be an object deletion).

3. Configuring the Audit Policy

Open the Default Domain Controllers Policy, and check if the policy highlighted below is selected just like that:

Figure 1 – Configuring Upload and Download Policy.

In my case I changed to audit Success and Failure, but the final configuration will be according to your needs.

4. Configuring the DNS Zone

Now that we have enabled the Audit Policy to all Domain Controller in the domain, we need to change the DNS Zone. To do that follow the steps below:

1) Open ADSIEdit (Start / Run / ADSIEDIT.msc)
2) Right click in the ADSI Edit and click in Connect To…
3) In the Connection Settings window, configure just like show below:

 
Figure 2 – Connection Setting.

Note: Change the dc= to reflect your domain name.

4) After that click OK.
5) Now expand the container until you get to the same node as show below:

 
Figure 3 – Configuring the Zone.

5) Right click in the name of the zone located under CN=MicrosoftDNS and click in Properties.
6) Click in Security and then Advanced.
7) Click in Auditing and click in Add.
8) Type Everyone and click OK. Add the following type of access:
·         Write All Properties
·         Delete
·         Delete Subtree

9) Click OK on all three windows.

Now we are ready to log !!

5. Testing

For testing purpose I delete the record called work01 and here what you should see on the security event log:

Event Type:    Success Audit
Event Source:  Security
Event Category:         Directory Service Access
Event ID:          566
Date:               3/5/2008
Time:               7:33:51 PM
User:                CONTOSO\Administrator
Computer:       DCCONT
Description:
Object Operation:
            Object Server: DS
            Operation Type:          Object Access
            Object Type:    dnsNode
            Object Name:            DC=work01,DC=contoso.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=msft
            Handle ID:       -
            Primary User Name:   DCCONT$
            Primary Domain:        CONTOSO
            Primary Logon ID:       (0x0,0x3E7)
            Client User Name:      Administrator
            Client Domain:            CONTOSO
            Client Logon ID:          (0x0,0x19062D)
            Accesses:         Write Property
                                   
            Properties:
            Write Property
                        Default property set
                                    dnsRecord
                                    dNSTombstoned
            dnsNode

            Additional Info:          
            Additional Info2:        
            Access Mask:   0x20

Note the following points in red (from top to down):
·         The event type: the user was able to successfully perform this operation.
·         Category: the object was categorized as a DS Object.
·         User: the name of the user that performed this operation.
·         Object Name: the complete path from where the object was located.
·         dNSTombstoned: this is probably the only one that is not friendly. This attribute is logged whenever an object is deleted. For more information review the DNS-Tombstoned Attribute at MSDN.