Windows Server 2008: Technical Decision Maker Presentation
More Pressure than Ever on IT
Technology Change
Regulatory Compliance
Competition
Security
Cost Reduction
Keep Business Up & Running
Customer Connection
End User Productivity
Business Results & New Value
Windows Server 2008
Web: Delivers rich web-based experiences efficiently and effectively
Virtualization: Reduces costs, increases hardware utilization, optimizes your infrastructure, and improves server availability
Security: Provides unprecedented levels of protection for your network, your data, and your business
Solid Foundation for Your Business Workloads
Most flexible and robust Windows Server operating system to date
Provides the most versatile and reliable Windows platform for all of your workload and application requirements
Most Flexible and Robust Windows Server Operating System to Date
Solid Foundation
Management: Windows Server Manager, PowerShell, Windows Deployment Services
Reliability: Server Core, Next Generation Networking, High Availability Clustering
Windows PowerShell
New command-line shell & scripting language
Improves productivity & control
Accelerates automation of system admin
Easy-to-use
Works with existing scripts
Partners
Futures: will ship in Windows; admin GUIs layered over PowerShell; one-to-many remote management using WS-MGMT
Windows PowerShell Resources
TechNet ScriptCenter: hundreds of scripts (Exchange Server 2007, Terminal Server, WMI, Registry, Hardware, etc.); community-submitted scripts; MyITForum.com
Books & Training Materials: Manning Publications, O’Reilly Media, Sapien Press & others…
Community Support: MS MVPs, PowerShell Team Blog, active newsgroup, Channel 9: DFO Show, IIS.net
Managing Windows Server 2008
Server Manager: Initial Configuration, Product Installation
Windows Server Core
Only a subset of the executable files and DLLs installed
No GUI interface installed
Five available Server Roles
Can be managed with remote tools
Complete Redesign of TCP/IP
(Diagram: Next Generation TCP/IP Stack (tcpip.sys). User mode: Winsock and WSK clients over AFD and WSK; kernel mode: TDI clients over TDI/TDX; TCP, UDP and RAW on a dual IPv4/IPv6 layer with loopback, IPv4 and IPv6 tunnel interfaces, an Inspection API, and 802.3/WLAN interfaces over NDIS.)
Dual-IP layer architecture for native IPv4 and IPv6 support
Improved network performance troubleshooting
Improved performance via hardware acceleration and autotuning
Greater extensibility and reliability through rich APIs
Completely manageable through Group Policy
Key New Networking Features
Receive Window Autotuning: automatically senses the network environment and adjusts key performance settings; allows an increase in the size of the TCP/IP send/receive window
Windows Filtering Platform: provides filtering capability at all layers of the TCP/IP protocol stack; integrates and provides support for next-generation firewall features
Receive Side Scaling: previous Windows operating systems limit receive protocol processing to a single CPU; RSS resolves this by allowing network load from a network adapter to be balanced across multiple CPUs
Policy-based Quality of Service: prioritize or manage the sending rate for outgoing network traffic; both DSCP marking and throttling can be used together to manage traffic effectively
Windows Firewall w/ Advanced Security
Firewall rules become more intelligent
Policy-based management
Combined firewall and IPsec networking
Branch Office Benefits
(Diagram: Hub Site and Branch Office.)
Optimization: SysVol Replication, DFS Replication, Protocols
Security: BitLocker, Server Core, Read-Only Domain Controller, Role Separation
Administration: Print Management Console; PowerShell, WinRS, WinRM; Virtualization; Restartable Active Directory
Failover Clustering
(Diagram: Active Node and Passive Node connected by a Heartbeat.)
New Validation Wizard
Support for GUID partition table (GPT) disks in cluster storage
Improved cluster setup and migration
Improvements to stability and security – no single point of failure
IPv6 support
Geographically dispersed clusters
Windows Deployment Services
Rapidly deploy Windows operating systems
Updated and redesigned version of Remote Installation Services (RIS)
Server components, client components, management components
Windows Server 2008 / Windows Vista
Windows Deployment Services provides several enhancements to RIS
Reliability and Performance Monitor
Combines functionality of previous stand-alone tools
Tracks system changes
Provides new functionality
Deliver Rich Web-based Experiences Efficiently and Effectively
Internet Information Services 7.0
Windows Media Services
Windows SharePoint Services
IIS 7.0 Overview
Customization
Enhanced security and reduced attack surface
Troubleshooting
True application xcopy deployment
Administration
Application and health management for WCF services
IIS 7.0 Web Administration
Enhanced Web Administration at Every Stage in the Application Lifecycle
Deploy: simpler application deployment to web farms & UNC shares
Host: more secure, reliable application hosting
Troubleshoot: reduced downtime from faster troubleshooting
Manage: greater productivity via delegated management & better tools
Managing Your Web with IIS 7.0
(Diagram: Administrator and Site Owner manage remotely over secure HTTPS from the Internet; AppHost.config and Web.config XML configuration shared across a web farm; shared app hosting.)
Intuitive, task-oriented GUI
.NET Management API
Unified WMI provider for IIS/ASP.NET
Powerful command-line support
Rich runtime state information
Automatic failure tracing & logging
• Arsenal of admin tools
• Secure remote management
• Delegated management
• Shared config for web farms
Windows SharePoint Services
Administration model enhancements
New and improved compliance features and capabilities
New and improved operational tools and capabilities
Improved support for network configuration
Extensibility enhancements
Windows Media Services
Ultimate streaming experience: Fast Streaming delivers instant-on/always-on; Intelligent Streaming optimizes the experience; dynamic content programming
Industrial-strength platform: manage channels on-the-fly; increases industry-leading scalability; generate revenue with lead-in and interstitial ads; rich administration with a broad range of tools
Optimize Your Infrastructure and Improve Server Availability
Windows Server Virtualization
Terminal Services Gateway
Terminal Services RemoteApp
Virtualization Technologies
Server Virtualization (Windows Server Virtualization)
Presentation Virtualization
Desktop Virtualization
Application Virtualization
Virtualization Management
Windows Server Virtualization
Greater scalability and improved performance: x64 bit host and guest support; SMP support
Increased reliability and security: minimal trusted code base; Windows running a foundation role
Better flexibility and manageability: new UI/integration with SCVMM
(Diagram: Virtual Server 2005 R2 on Windows Server 2003 hosting VM 1, VM 2 and VM 3 on virtual hard disks (VHD), compared with the Windows Hypervisor on AMD-V / Intel VT hardware running a “Parent” partition and “Child” partitions VM 2 and VM 3.)
Application Virtualization
Application isolation
Dynamic streaming
System Center integration
Software as a centrally-managed service
Available through…
Virtualization Investments: A Multi-level Approach
Licensing, Infrastructure, Management, Interoperability, Applications
Deliver cost-effective, flexible and simplified licensing
Royalty-free VHD format
Create agility
Better utilize server resources
Partner with AMD and Intel
Ease consolidation onto virtual infrastructure
Better utilize management resources
Support heterogeneity across the datacenter
OSP (Open Specification Promise) VHD
Accelerate deployment
Reduce the cost of supporting applications
Terminal Services
Terminal Services Gateway
(Diagram: a remote/mobile user on the Internet tunnels RDP over HTTPS to the Terminal Services Gateway in the perimeter network, which strips off the HTTPS and passes the RDP traffic to terminal servers and other RDP hosts on the corporate network; the gateway consults a Network Policy Server and an Active Directory DC.)
Terminal Services RemoteApp
• RemoteApp programs look like they are running locally, integrated with the local computer
• Only supported by Remote Desktop client 6.0 or newer (Remote Desktop client required)
• Programs are made available via TS Web Access
• Remote programs are used to make an application available on a terminal server; also used to make a terminal server available
• Centrally configure programs with the Terminal Server Configuration console
Terminal Services Gateway Server
Hardens Operating System and Increases Environment Protection
Network Access Protection
Federated Rights Management
Read-Only Domain Controller
Server Protection Features
Compliance
Security Development Process
Secure startup and shield up at install
Code integrity
Windows service hardening
Inbound and outbound firewall
Restart Manager
Improved auditing
Network Access Protection
Event forwarding
Policy-based networking
Server and Domain Isolation
Removable device installation control
Active Directory Rights Management Services
Windows Server 2008 Hardening
Service profiles in Windows® XP SP2/Server 2003 R2: LocalSystem; LocalSystem; LocalSystem; Local Service
Service profiles in Windows Vista/Server 2008: LocalSystem, Firewall Restricted; Network Service; Network Service, Fully Restricted; Network Service, Network Restricted; Local Service, No Network Access; Local Service, Fully Restricted
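Added example (not from the deck or from Microsoft) that checks where a running server stands against the profiles above: it reports each service's logon account and its service SID type, the two properties the Vista/2008 profiles combine. `Get-ServiceHardeningReport`, `Get-ServiceSidType` and the risk labels are this example's own names and heuristic; it assumes PowerShell 2.0 or later on Windows Vista/Server 2008 or later with sc.exe available, run from an elevated prompt for complete results.

```powershell
# Added example, not from the deck or from Microsoft: audit the logon account
# and the service SID type of every service, the two properties the hardening
# profiles above change. Assumes Vista/Server 2008 or later, PowerShell 2.0+.

function Get-ServiceSidType {
    param([Parameter(Mandatory = $true)][string]$Name)
    # sc.exe qsidtype prints "SERVICE_SID_TYPE:  NONE | UNRESTRICTED | RESTRICTED".
    # NONE means the service has no per-service identity a firewall rule or ACL
    # could be restricted to.
    $text = (& sc.exe qsidtype $Name 2>&1) | Out-String
    if ($text -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function Get-ServiceHardeningReport {
    # Win32_Service.StartName is the logon account; PathName shows the svchost group.
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $svc   = $_
        $acct  = $svc.StartName
        $sid   = Get-ServiceSidType -Name $svc.Name
        $group = ''
        if ($svc.PathName -match 'svchost\.exe.*-k\s+(\S+)') { $group = $Matches[1] }
        # Risk labels are this example's own heuristic, not a Microsoft rating:
        # LocalSystem with no service SID is the pre-Vista profile the table moves
        # away from; LocalSystem with a SID can at least be firewall-restricted.
        if ($acct -eq 'LocalSystem' -and $sid -eq 'NONE')   { $risk = 'High' }
        elseif ($acct -eq 'LocalSystem')                      { $risk = 'Medium' }
        elseif ($acct -match 'NetworkService|LocalService')   { $risk = 'Low' }
        else                                                  { $risk = 'Review' }  # custom accounts
        New-Object PSObject -Property @{
            Name    = $svc.Name
            Account = $acct
            State   = $svc.State
            SidType = $sid
            SvcHost = $group
            Risk    = $risk
        }
    }
}

# Usage: running LocalSystem services that have no service SID, grouped by svchost
Get-ServiceHardeningReport |
    Where-Object { $_.Risk -eq 'High' -and $_.State -eq 'Running' } |
    Sort-Object SvcHost, Name |
    Format-Table Name, Account, SidType, SvcHost, State -AutoSize
```

Services sharing one svchost group also share a process, so a High entry in a group drags the whole group's exposure up; compare the output against the documented service list before changing any account or SID type.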
BitLocker™ Drive Encryption
(Diagram: encryption policy and the Full Volume Encryption Key (FVEK).)
Group Policy allows central encryption policy and provides branch office protection
Provides data protection even when the system is in unauthorized hands or is running a different or exploiting operating system
Uses a v1.2 TPM or USB flash drive for key storage
Network Access Protection
What is Network Access Protection?
(Diagram: a Windows client connects through DHCP, VPN or a switch/router to NPS, which consults policy servers such as patch and AV; a non-compliant client lands in the restricted network with remediation servers (example: patch), a compliant client reaches the corporate network.)
Health policy validation
Health policy compliance
Remediation
Ability to provide limited access
Enhanced security
Increased business value
Cisco and Microsoft integration story
Using Network Access Protection
(Diagram: Windows client, DHCP/VPN/switch/router, NPS, policy servers such as patch and AV, restricted network with remediation servers (example: patch), corporate network; steps numbered 1-5.)
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network
AD Rights Management Services
AD RMS protects access to an organization’s digital files
AD RMS in Windows Server 2008 includes several new features:
Improved installation and administration experience
Self-enrollment of the AD RMS cluster
Integration with AD Federation Services
New AD RMS administrative roles
(Diagram: Information Author and The Recipient.)
Active Directory Federation Services
(Diagram: Contoso Account Federation Server and Adatum Resource Federation Server joined by a Federation Trust; Web Server at Adatum.)
AD FS provides an identity access solution
Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
AD FS provides a Web-based, SSO solution
AD FS interoperates with other security products that support the Web Services Architecture
AD FS improved in Windows Server 2008
Federated Rights Management
(Diagram: Contoso Account Federation Server and Adatum Resource Federation Server joined by a Federation Trust; Web SSO.)
Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
AD RMS is fully claims-aware and can interpret AD FS claims
Office SharePoint Server 2007 can be configured to accept federated identity claims
Read-Only Domain Controller
(Diagram: RODC in the Branch Office replicating from the Main Office.)
Features: read-only Active Directory database; only allowed user passwords are stored on the RODC; unidirectional replication; role separation
Benefits: increases security for remote domain controllers where physical security cannot be guaranteed
Support: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
How RODC Works
(Diagram: Windows Server 2008 DC at the Hub, Read Only DC at the Branch, steps numbered 1-6.)
1. User logs on and authenticates
2. RODC looks in DB: "I don't have the user's secrets"
3. RODC forwards request to Windows Server 2008 DC
4. Windows Server 2008 DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and will cache credentials
Read-only DC Mitigates “Stolen DC”
(Diagram: Hub, Admin Perspective, Attacker Perspective.)
Active Directory Certificate Services
Security, Manageability, Interoperability
Cryptography Next Generation
Windows Server 2008 Server Role
OCSP Support
Granular Admin
PKIView
IDP CRL Support
V3 Certificates
New GPOs
MSCEP Support
PKI Enhancements
Enterprise PKI (PKIView): now a Microsoft Management Console snap-in; support for Unicode characters
Network Device Enrollment Service: Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP); enhances security of communications by using IPsec
Online Certificate Status Protocol (OCSP): Online Responders; Responder Arrays
Web Enrollment: removed previous ActiveX® enrollment control (XEnroll.dll); enhanced new COM enrollment control (CertEnroll.dll)
Cryptography Next Generation (CNG)
Includes algorithms for encryption, digital signatures, key exchange, and hashing
Supports cryptography in kernel mode
Supports the current set of CryptoAPI 1.0 algorithms
Support for elliptic curve cryptography (ECC) algorithms
Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data
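Added example (not from the deck or from Microsoft) using the CNG classes that .NET exposes for the operations listed above: an ECDSA P-256 signature over a constructed message, verified with only the exported public key, plus a SHA-256 hash from the CNG provider. `New-CngSignature` and `Test-CngSignature` are this example's own names; it assumes .NET Framework 3.5 or later (System.Core) on Windows Vista/Server 2008 or later with PowerShell 2.0 or later.

```powershell
# Added example, not from the deck or from Microsoft: sign and verify with the
# CNG ECDSA and SHA-256 providers exposed through .NET (ECDsaCng, SHA256Cng).
# Assumes .NET Framework 3.5+ on Windows Vista/Server 2008 or later.
Add-Type -AssemblyName System.Core   # the *Cng classes live here on .NET 3.5

function New-CngSignature {
    param([byte[]]$Data, [int]$KeySize = 256)
    # Ephemeral ECDSA key (P-256 for KeySize 256) created by the CNG key storage provider
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng $KeySize
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $sig = $ecdsa.SignData($Data)
    # Export the public half only; a verifier never needs the private key
    $pub = $ecdsa.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    return @{ Signature = $sig; PublicKey = $pub }
}

function Test-CngSignature {
    param([byte[]]$Data, [byte[]]$Signature, [byte[]]$PublicKey)
    $key = [System.Security.Cryptography.CngKey]::Import($PublicKey,
             [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng $key
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    return $ecdsa.VerifyData($Data, $Signature)
}

# Constructed sample message (not real deployment data)
$msg  = [System.Text.Encoding]::UTF8.GetBytes('deploy-manifest v1: iis7,hypervisor')
$hash = (New-Object System.Security.Cryptography.SHA256Cng).ComputeHash($msg)
'SHA-256 (CNG): ' + [BitConverter]::ToString($hash).Replace('-', '').ToLower()

$r = New-CngSignature -Data $msg
'Signature valid : ' + (Test-CngSignature -Data $msg -Signature $r.Signature -PublicKey $r.PublicKey)

# Flip one bit of the message: the same public key must now reject the signature
$bad = [byte[]]$msg.Clone(); $bad[0] = $bad[0] -bxor 1
'Tampered valid  : ' + (Test-CngSignature -Data $bad -Signature $r.Signature -PublicKey $r.PublicKey)
```

The first verification prints True and the tampered one False; a persisted key would be created with CngKey.Create and a key name instead of the ephemeral constructor used here.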
Windows Server 2008 for Developers
(Diagram, repeated on several slides: App Platform: .NET 3.0, IIS 7, Windows Activation Service, MSMQ 4.0; Management: MMC 3.0, Task Scheduler 2.0, PowerShell; The Fundamentals: Transactions, Recovery, Networking, Concurrency, Integrated Hypervisor; Core; Server Roles.)
Windows Vista and Windows Server 2008 Better Together
More Efficient Management
Single worldwide servicing model
Event forwarding between client and server
Faster and more reliable remote operating system deployments
Network Access Protection ensures health of connecting systems
Greater Availability
Scalable print servers with client-side rendering
Smooth offline experience with client-side caching
Transactional File System for file and registry operations
Policy-based Quality of Service to prioritize application bandwidth
Efficient Communications
Fast enterprise class search on clients and servers
Faster networking with new TCP/IP stack and native IPv6
Improved file-sharing performance over high-latency links
Integrated remote access to internal applications and resources
Windows Server Roadmap
2008 Beta 3, 2008 RTM, 2008, “Cougar”, 2008 R2
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Next Steps
Appendix
Windows Server 2008 Scenarios
Security and Policy Enforcement
Branch Office
Web and Applications Platform
Anywhere Application Access
Server Management
Server Virtualization
High Availability
Windows Server 2008 Roles
Active Directory Certificate Services
Active Directory Domain Services
Active Directory Federation Services
Active Directory Lightweight Directory Services
Active Directory Rights Management Services
Application Server
DHCP Server
DNS Server
Fax Server
File Services
Network Policy and Access Services
Print Services
Streaming Media Services
Terminal Services
UDDI Services
Web Server
Windows Deployment Services
Windows SharePoint Services
Windows Server 2008 Edition Feature Differences
The Receive Window Limitation
(Chart: maximum throughput (Mbps) against RTT (ms) for receive windows of 64 KB, 128 KB, 256 KB and 512 KB, with RTT bands for North America, intercontinental fiber and satellite; larger windows give more control.)
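Added worked calculation (not from the deck) for the bound the chart plots: TCP can have at most one receive window $W$ of unacknowledged data in flight per round trip, so throughput is capped by $W$ over the RTT. The RTT values are assumed for illustration.

$$T_{\max} \le \frac{8\,W}{\mathrm{RTT}}$$

$$W = 64\ \mathrm{KB},\ \mathrm{RTT} = 100\ \mathrm{ms}:\quad T_{\max} = \frac{8 \times 65{,}536\ \mathrm{bit}}{0.1\ \mathrm{s}} \approx 5.24\ \mathrm{Mbps}$$

$$W = 512\ \mathrm{KB},\ \mathrm{RTT} = 100\ \mathrm{ms}:\quad T_{\max} \approx 41.9\ \mathrm{Mbps};\qquad W = 64\ \mathrm{KB},\ \mathrm{RTT} = 600\ \mathrm{ms}\ (\text{satellite}):\quad T_{\max} \approx 0.87\ \mathrm{Mbps}$$

$$\text{Window needed for } 100\ \mathrm{Mbps} \text{ at } 100\ \mathrm{ms}:\quad W = \frac{10^{8}\ \mathrm{bit/s} \times 0.1\ \mathrm{s}}{8} = 1.25\ \mathrm{MB}$$

That 1.25 MB is far above the 65,535 bytes a TCP header can advertise without the window-scale option, which is why receive window autotuning both enables scaling and grows the window per connection.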
Key Drivers of Core Infrastructure Optimization
People, Process and Technology
IT and Security Process
Identity and Access Management
Desktop, Server and Device Management
Security and Networking
Data Protection and Recovery
Key Development Tenets
Security, Security, Security
Scenario-focused
Integrated innovation
Compatibility
Heterogeneous interoperability
Enabling broad industry ecosystem and volume economics
Best of breed functionality for all server workloads
Server Functions
Operational Infrastructure
Information Worker
Infrastructure
Workloads
Networking
Remote Access
Security
Identity Management
Terminal Server
Storage (file, portal)
Print
Email
Collaboration
Application/Web Server
Unix integration services
Database
High Performance Computing
Application Platform
Software Distribution
Virtualization
Operations Management
Management
General Purpose & Enterprise
Medium Business
Small Business
Solutions
IT Complexity Challenges
Management
• Every day tasks just take too much time
• Need to fix problems before users are affected
• Infrastructure is growing – need to manage more.
Security & Reliability
• Keeping systems reliable and running is job #1
• Patching - too much effort, too much downtime
• Securing systems is complex and hard to manage
• Mobile and remote devices provide a back door for viruses
Changing Business Needs
• Need infrastructure to adapt to the changing business needs
• Number of and access needs of remote users is increasing
• Too hard to deploy new technologies with existing systems
Security Development Lifecycle
Security tasks and processes: Security Training; Security Kickoff & Register with SWI; Security Arch & Attack Surface Review; Threat Modeling; Security Design Best Practices; Use Security Development Tools & Security Best Dev & Test Practices; Create Security Docs and Tools for Product; Prepare Security Response Plan; Security Push; Pen Testing; Final Security Review; Security Servicing & Response Execution
Traditional Microsoft software product development lifecycle tasks and processes: Feature Lists, Quality Guidelines, Arch Docs, Schedules; Design Specifications; Functional Specifications; Development of New Code; Bug Fixes; Testing and Verification; Code Signing; Checkpoint Express; Signoff; RTM; Product Support; Service Packs/QFEs; Security Updates
Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing
Windows Service Hardening
Defense In Depth – Factoring/Profiling
Reduce size of high risk layers
Segment the services
Increase # of layers
(Diagram: services A, B, … and 1, 2, 3 layered over kernel drivers and user-mode drivers, each marked D.)
Network Access Protection
How it works
(Diagram: Windows client, DHCP/VPN/switch/router, MSFT NPS, policy servers (e.g. patch, AV), restricted network with fix-up servers (e.g. patch), corporate network; steps numbered 1-5.)
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network