Windows 7 for the Enterprise

Product presentation
Morgan Simonsen
Senior Systems Consultant, Atea
Agenda
• Introducing Windows 7
• Windows 7 New features and highlights
• Windows 7 in the Enterprise
• Windows 7 Security
• Windows 7 Deployment
Windows 7 vs. Windows Vista
• The release of Windows Vista fundamentally changed the Windows
platform
– This caught people by surprise!
• Microsoft did not prepare its customers or partners
• IT Pros, experts and journalists did not thoroughly review Vista
• OEMs and ISVs did not trust Microsoft’s release schedule and no
drivers or certified software were available at launch
• Result: an unstoppable snowball of bad press and reviews
• Conclusion: forget Vista, go directly to 7*
– But you still have to do appcompat testing
Windows 7 Development Process
New approach for Windows development and disclosure
Planning: Spend more time on the planning and vision phase analyzing trends and needs before building features; focus on end-to-end business scenarios, not just new features and technologies
Predictability: Give our customers and partners a timeframe for the release and stick to our plan (3 years for Windows 7); disclose with a higher degree of certainty and minimize changes
Ecosystem: Engage with partners earlier and more closely to enable seamless experiences and compatibility across hardware, software and services
Timeline: Vision, Development & Test, Pre-Beta, Beta, Release ("We are here" marker on the timeline)
Windows 7 Builds on Windows Vista
Deployment, testing, and pilots today will continue to pay off
Similar compatibility
Most software that runs on Windows Vista will run on Windows 7; the exceptions
will be low-level code (AV, firewall, imaging, etc.)
Hardware that runs Windows Vista well will run Windows 7 well
Few Changes: Focus on quality and reliability improvements
Deep Changes: New models for security, drivers,
deployment, and networking
Windows 7 Editions (SKU)
• 2 main SKUs which 80% of the users will choose:
– Windows 7 Home Premium
– Windows 7 Professional
• 4 Additional SKUs for niche markets:
– Windows 7 Starter (only OEM)
– Windows 7 Home basic (only OEM)
– Windows 7 Enterprise (only through Volume License Programs)
– Windows 7 Ultimate
• Now each SKU is a superset of the previous SKU
– You never lose any features
• All SKUs are now one image
– All bits present on machine
Professional vs. Enterprise
• Windows® 7 Professional
• Ability to join a managed network with Domain Join
• Protect data with advanced network backup and Encrypted File System
• Print to the right printer at home or work with Location Aware Printing
• Windows® 7 Enterprise (only available through Software
Assurance (SA)):
• BitLocker™ data protection on internal and external drives
• DirectAccess provides seamless connectivity to your corporate network
• Decrease time branch office workers wait to open file across the network
with BranchCache™
• Prevent unauthorized software from running with AppLocker
Windows 7 Editions (SKU) cont.
• Windows Anytime Upgrade
• Windows Live Essentials
– Windows Live ID Sign-in Assistant 6.5 (enables linking of Windows 7
user accounts to Live IDs):
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5e193cfe-f45a-4e29-b6b7-984e7802c639
– Link ID: http://windows.microsoft.com/enUS/Windows7/OnlineIDProviders
• Microsoft Security Essentials
– Free anti-virus, anti-malware and anti-spyware from Microsoft
• Windows 7 is the last x86 (32-bit) compatible OS (Windows Server 2008
R2 does not support x86)
Windows 7 System Requirements
• 1 GHz or faster 32-bit (x86) or 64-bit (x64) processor
• 1 GB of RAM (32-bit)/2 GB of RAM (64-bit)
• 16 GB of available disk space (32-bit)/20 GB (64-bit)
• DirectX 9 graphics device with Windows Display Driver Model 1.0 or higher
driver
• Windows 7 is faster than Windows Vista (but not by much)
Upgrading to Windows 7
• Windows 7 Upgrade Advisor
• Upgrade only available from Windows Vista SP1
• Migrating from any other Windows version requires clean install
• Data can be migrated:
– User State Migration Tool
– Windows Easy Transfer
• Any clean install preserves data
Windows 7 Migration Challenges
• Application Compatibility
– How to get your LOB applications to run on Windows 7?
– Application Compatibility Toolkit (ACT)
• Deployment
– How to install Windows 7 on business machines?
– DVD/Flash
– Windows Deployment Services (WDS)
– System Center Configuration Manager (SCCM)
– Windows Automated Installation Kit (WAIK)
– Microsoft Deployment Toolkit (MDT)
– Microsoft Deployment Guidance
Windows 7 Features
• GUI Enhancements
– Enhanced Aero (Aero Snap/Gestures)
– New taskbar (preview)
– Jump lists
• Gadgets
• View Available Network (VAN)
• Libraries/Search
• Power Management
• Trigger-Start Services
• Multitouch
• Troubleshooting
– Troubleshooting Platform
Windows 7 Features (cont.)
• Device Stage
– http://www.microsoft.com/windows/windows-7/devices.aspx
• Location Aware Printing
• Internet Explorer 8
– Standards compliance
– Instant Search
– Accelerators
– Web Slices
– InPrivate browsing/InPrivate Filtering
• Mobile Broadband support
• Native VHD support
Homegroup
• Easy sharing of files/media/printers between Windows 7 PCs and compatible
hardware
• Domain joined machines can join a Homegroup, but not create one
– Network location must be Home (not Domain)
• Homegroup uses regular SMB file sharing and Windows NTFS and share
permissions
Homegroup – Media Streaming
• Windows 7 fully compatible with Universal Plug and Play (UPnP) and Digital
Living Network Alliance (DLNA)
• Supports a variety of devices:
– TVs
– Speakers
– Stereos
– PVR
– Cell phones
– Digital Photo Frames
• All devices must be DLNA-logoed
Homegroup – Media Streaming (cont.)
• DLNA defines device roles:
– Servers
– Players
– Renderers
– Controllers
• And protocols that these devices use to discover each other and communicate
with each other (e.g. UPnP, HTTP, RTP, etc.)
Enterprise
Windows 7 for the Enterprise
Make Users Productive Anywhere: at their desk, in a branch, on the road
Enhance Security & Control: protect data & PCs; built on Windows Vista foundation
Streamline PC Management: easy migration; keep PCs running; virtualization
Windows 7 Deployment Enhancements
IMAGING: Deployment Image Servicing and Management; Add/Remove Drivers and Packages; WIM and VHD Image Management
DELIVERY: Windows Deployment Services; Multicast; Multiple Stream Transfer; Dynamic Driver Provisioning
MIGRATION: User State Migration Tool; Hardlink Migration; Offline File Gather; Improved user file detection
SOLUTIONS: Microsoft Deployment Toolkit; Application Compatibility Toolkit; Microsoft Assessment and Planning
Branch Office Network Performance
Make users productive anywhere
Situation today:
– Application and data access over WAN is slow in branch offices
– Slow connections hurt user productivity
– Improving network performance is expensive and difficult to implement
Windows 7 solution: BranchCache™
– Caches content downloaded from file and Web servers
– Users in the branch can quickly open files stored in the cache
– Frees up network bandwidth for other uses
Search in the Enterprise
Make users productive anywhere
Situation today:
– Current desktop and Enterprise search solutions are good, but not integrated
– Users need to take different steps to find data on PC and data on servers
– Data sources are hard to discover
Windows 7 solution: Search Federation
– Consistent user experience for finding data from multiple locations, including SharePoint
– IT can pre-populate links on Start menu and Explorer to preferred sites with “Enterprise Search Scopes”
Windows 7 Federated Search
• In a nutshell:
Federated Search enables you to search a remote web service from Windows
Explorer and get results back that you can act on like any normal file
• Goals:
– Natural for people to use
– Easy for IT admins to deploy
– Easy for developers to adopt
• Content already indexed by hosting server or dedicated search solution
(Microsoft Search Server)
• Federated Search based on OpenSearch 1.1 standard
• .osdx files are XML files using the OpenSearch description document to
describe how to connect to a web service
• .searchconnector-ms (XML) files can be deployed via several techniques to
pre-populate machines with search connectors
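As an added example (not part of the presentation), the script below writes a minimal .osdx file, i.e. an OpenSearch 1.1 description document of the kind Windows 7 Federated Search imports, and checks it before handing it out. The search endpoint, the connector name and the output path are hypothetical placeholders.

```powershell
# Added example, not from the presentation: build an .osdx (OpenSearch 1.1
# description document) for Windows 7 Federated Search. The endpoint URL and
# the connector name are hypothetical placeholders.
$endpoint = 'https://search.example.internal/results.aspx'   # hypothetical endpoint

$osdx = @"
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Example Intranet Search</ShortName>
  <Description>Searches the example.internal document server (hypothetical).</Description>
  <!-- Windows substitutes the user's query for {searchTerms}; the service must answer with RSS or Atom. -->
  <Url type="application/rss+xml" template="$endpoint?q={searchTerms}" />
</OpenSearchDescription>
"@

$path = Join-Path $env:TEMP 'ExampleIntranetSearch.osdx'
Set-Content -Path $path -Value $osdx -Encoding UTF8

# Sanity checks before deployment: the file must parse as XML, and the query
# template should be HTTPS so search terms are not sent across the network in clear text.
[xml]$doc = Get-Content $path
$template = $doc.OpenSearchDescription.Url.template
if ($template -notlike 'https://*') {
    Write-Warning "Search template is not HTTPS: $template"
}
Write-Output "Wrote $path (template: $template)"
```

Opening the .osdx in Explorer installs the connector for the current user; for a fleet, the resulting .searchconnector-ms file is what gets pushed by Group Policy or a logon script, as the slide notes.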
Windows 7 Manageability
• Windows PowerShell 2.0
• Integrated Scripting Environment
• Group Policy Scripting
• Windows Troubleshooting Platform
• Remotable Reliability Data
• Problem Steps Recorder
• Enhanced Group Policy Scenarios
• Group Policy Preferences
PowerShell
• Windows 7 includes PowerShell 2.0
• No longer an optional component
– Cannot be removed
• Many old commands implemented as PowerShell cmdlets:
– Netdom.exe: Add-Computer/Remove-Computer
– Ping: Test-Connection
– Shutdown.exe: Stop-Computer/Restart-Computer
PowerShell 2.0 Highlights
• Remote execution
– Windows Remote Management (WS-Management 2.0)
• Background jobs
• Integrated Scripting Environment (ISE)
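The following is an added example, not code from the presentation, showing the three PowerShell 2.0 items above together: Test-Connection in place of ping, Invoke-Command remoting over WS-Management, and a background job. The computer names are hypothetical, and WinRM is assumed to be enabled on the targets.

```powershell
# Added example, not from the presentation: PowerShell 2.0 remoting and
# background jobs used to check a set of workstations after deployment.
# Hostnames are hypothetical; Enable-PSRemoting is assumed on the targets.
$computers = 'WS-PILOT-01', 'WS-PILOT-02', 'WS-PILOT-03'   # hypothetical names

# 1. Test-Connection replaces ping and returns objects, so reachability can
#    be filtered instead of parsing text output.
$online = $computers | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet }

if ($online) {
    # 2. Run the check on all reachable machines in parallel as a background
    #    job over WinRM (WS-Management 2.0). The script block collects facts a
    #    defender wants after a rollout: OS version, UAC state and auto-start
    #    services that are not running.
    $job = Invoke-Command -ComputerName $online -AsJob -ScriptBlock {
        $uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
        New-Object PSObject -Property @{
            Computer    = $env:COMPUTERNAME
            OsVersion   = [Environment]::OSVersion.Version.ToString()
            UacEnabled  = ($uac -eq 1)
            StoppedAuto = @(Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'").Count
        }
    }
    Wait-Job $job | Out-Null
    $results = Receive-Job $job
    $results | Format-Table Computer, OsVersion, UacEnabled, StoppedAuto -AutoSize

    # 3. Report, do not act: machines with UAC switched off need follow-up.
    $results | Where-Object { -not $_.UacEnabled } |
        ForEach-Object { Write-Warning "$($_.Computer): UAC (EnableLUA) is disabled" }
}
else {
    Write-Warning 'None of the listed computers answered the connectivity test.'
}
```

Start-Job gives the same job semantics for local work; -AsJob on Invoke-Command is the remote variant, and Get-Job/Receive-Job handle both.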
Windows Virtual PC
• New version of Microsoft Virtual PC
• System requirements:
– Windows 7 only
– 1 GHz 32bit or 64bit processor or better
– CPU with AMD-V™ or Intel VT features turned on
– 2 GB of memory recommended
– Additional 15GB of hard disk space per virtual Windows environment
recommended
Windows Virtual PC Features
• Seamless Applications (RemoteApp)
• Folder Integration
• Clipboard Sharing
• Printer Redirection
• USB Support
Windows Virtual PC
• Supported host operating system:
– Windows 7 Home Basic
– Windows 7 Home Premium
– Windows 7 Enterprise
– Windows 7 Professional
– Windows 7 Ultimate
– Note: Windows XP Mode is only available in Windows 7 Enterprise,
Windows 7 Professional, and Windows 7 Ultimate.
Windows Virtual PC
• Supported guest operating system:
– Windows XP
• Virtual Applications feature is supported only on Windows XP Service
Pack 3 (SP3) Professional
– Windows Vista
• Virtual Applications feature is supported only on Windows Vista
Enterprise and Windows Vista Ultimate
– Windows 7
• Virtual Applications feature is supported only on Windows 7 Enterprise
and Windows 7 Ultimate
Windows XP Mode
• Enables running older Windows XP productivity applications directly from
Windows 7 Desktop (Seamless)
• Pre-created Windows XP Service Pack 3 VHD with Terminal Services RAIL
components
• Targeted at SMB, corporate customers should use MED-V (MDOP)
• Works with Windows Vista and Windows 7 guests also
Windows XP Mode - Components
• Windows Virtual PC (RC):
– http://www.microsoft.com/windows/virtual-pc/download.aspx
• Windows XP Mode (RC):
– http://www.microsoft.com/downloads/details.aspx?familyid=0E8FA9B3-C236-4B77BE26-173F032F5159&displaylang=en
• Update for Windows® XP SP3 to enable RemoteApp™(if running own VM):
– http://www.microsoft.com/downloads/details.aspx?familyid=E5433D88-685F-4036B435-570FF53598CD&displaylang=en
• Windows Virtual PC and Windows XP Mode went RTM on 1 October 2009 and will be
available for download when Windows 7 is released (today!)
Virtual Desktop Infrastructure
Streamline PC Management
Situation today: What is Virtual Desktop Infrastructure?
– Deploying desktops in virtual machines on server hardware
– Centralized management & security
– Users can access their desktop and applications wherever they are
Windows 7 solution:
– Richer remote experience: richer graphics with improved multi-monitor support; use voice for telephony and applications with microphone support; improved printing
– Do more with VHDs: Maintain VHD (offline servicing of VHD images with the same tools used for WIM); Boot from VHD (reuse VHD files for deployment to managed desktop PCs)
Using Windows for VDI scenarios requires an additional VECD license
Windows Optimized Desktop
Core PC
Platform
Unique Value with
SA+MDOP
Windows Optimized Desktop: MDOP
Better management to save costs; ease future upgrades
SA Customer Satisfaction
1. Provide immediate ROI
• Regular updates
• Faster upgrade cycle, separate from Windows
• Minimal deployment effort
2. Deliver end-to-end solutions
• Run out of the box
• Integrate with existing management solutions
3. Lower Desktop TCO
• >95% of MDOP customers are (very) satisfied
• $70-$80 net cost savings per PC per year using MDOP*
* Gartner, Inc. “Quantifying the Value of Microsoft’s Desktop Optimization Pack”, July 2008
Windows Optimized Desktop:
Windows 7 & MDOP Investment areas
Make Users Productive Anywhere: Direct Access, BranchCache, Federated Search, Navigation
Improve Security and Control: BitLocker, BitLocker To Go, AppLocker, Security development lifecycle
Streamline PC Management to Save Costs: PowerShell, Windows Troubleshooting Platform, Deployment Tools, VDI Enhancements
MDOP: App-V, MED-V, AIS, DEM, DART, AGPM
Performance | Reliability | Compatibility
Increased Value in Optimized Desktop
Make Users Productive Anywhere
• DirectAccess
• BranchCache™
• Enterprise Search Scopes
Enhance Security and Protect Data
• BitLocker & BitLocker To Go
• AppLocker
Streamline PC Management
• MUI Language Packs
• VDI Enhancements
(VDI requires VECD license)
• Boot from VHD
• Subsystem for UNIX
• 4 Virtual Operating Systems
• Network Boot License
Windows Optimized Desktop and Dynamic IT
Amplifies the talent and abilities of everyone in the organization… with the scale, agility and protection required by the enterprise.
Familiar, Easy to Use: consistent experience for office, mobile, and remote end users; simple management tools for IT Pros
Unified, Seamless: achieve desktop to datacenter to device oversight of all IT assets; manage all clients and applications from a single management console
Lower TCO: protect existing IT investments by extending hardware life; stretch IT labor by automating routine tasks and reducing IT complexity
Enterprise Ready: quickly respond to changing business requirements; transform software applications into managed services
Breadth of Choice: broad range of devices, form factors, and price points; large ecosystem of trained and certified Microsoft IT professionals and partners
Security
Windows 7 Security
• Builds on the major security improvements of Windows Vista:
– Kernel Patch Protection
– Service Hardening
– Data Execution Prevention
– Address Space Layout Randomization
– Mandatory Integrity Levels
Windows 7 Enterprise Security
Building upon the security foundations of Windows Vista, Windows 7 provides IT
Professionals security features that are simple to use, manageable, and valuable
Fundamentally Secure Platform: Windows Vista Foundation; User Account Control; Enhanced Auditing
Securing Anywhere Access: Network Security; Network Access Protection; DirectAccess™
Protect Users & Infrastructure: AppLocker™; Internet Explorer 8; Data Recovery
Protect Data from Unauthorized Viewing: RMS; EFS; BitLocker™
User Account Control (UAC)
• UAC introduced for two reasons:
– Incompatibility of software across user types
– Lack of user knowledge of system-level changes
• UAC introduced the Protected Admin (PA) account type:
– An administrative user with 2 security tokens; one for standard user and one for
admin
• Ecosystem impact:
– When Vista was launched, users experienced the UAC prompt in 50% of sessions,
and 775,312 unique applications produced prompts
– Two years later the numbers were 33% and 168,149
• Windows impact:
– Increased engineering quality; fewer Windows components require admin rights
• Impact on Customers:
– Deep hatred!
User Account Control (cont.)
• Improvements to UAC in Windows 7:
– Users can tune UAC
– Reduce duplicate prompts (IE + UAC)
– Better prompt information
Data Protection
Enhance security and control
Situation today:
[Chart: Worldwide Shipments (000s) of USB flash drives and PCs. Sources: Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011” 24 September 2007, Joseph Unsworth; Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III]
Windows 7 solution: BitLocker To Go™
– Protect data on internal and removable drives
– Mandate the use of encryption with Group Policies
– Store recovery information in Active Directory for manageability
– Simplify BitLocker setup and configuration of primary hard drive
BitLocker Drive Encryption
• BitLocker Drive Preparation Tool included in Windows 7 setup and volumes
automatically created to support BitLocker
• Windows 7/Windows Server 2008 R2 introduce BitLocker Data Recovery Agents (DRAs) to enable
recovery of data if the BitLocker encryption key is lost
– AD key escrow should still be primary recovery mechanism
• BitLocker only available in Windows 7 Enterprise and Ultimate Editions
BitLocker To Go
• Enables encryption of removable devices
• Devices can be formatted with exFAT, FAT16, FAT32, or NTFS file system and
be at least 128 MB
• BitLocker To Go allows read-only access on Windows XP and Windows Vista
• Removable drives can be protected with a password or smart card
• 128-bit AES encryption by default, 256-bit AES available
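An added example, not from the presentation: Windows 7 ships manage-bde.exe alongside the BitLocker control panel, and the script below uses it to inventory every removable drive and report whether BitLocker To Go is on, which is the check an administrator wants before mandating encryption by Group Policy. Drive letters are read from WMI; the text parsing assumes English manage-bde output.

```powershell
# Added example, not from the presentation: audit removable drives with the
# built-in manage-bde.exe and report each one's BitLocker To Go state.
# Drive letters come from WMI (DriveType 2 = removable disk); the regexes
# assume English manage-bde output such as "Conversion Status: Fully Encrypted".

function Get-RemovableBitLockerStatus {
    $removable = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2" |
        Select-Object -ExpandProperty DeviceID

    foreach ($drive in $removable) {
        $status = manage-bde -status $drive 2>&1 | Out-String

        $conversion = if ($status -match 'Conversion Status:\s+(.+)') { $matches[1].Trim() } else { 'unknown' }
        $protection = if ($status -match 'Protection Status:\s+(.+)') { $matches[1].Trim() } else { 'unknown' }
        $method     = if ($status -match 'Encryption Method:\s+(.+)') { $matches[1].Trim() } else { 'unknown' }

        New-Object PSObject -Property @{
            Drive      = $drive
            Conversion = $conversion
            Protection = $protection
            Method     = $method      # e.g. AES 128 (default) or AES 256
        }
    }
}

$report = Get-RemovableBitLockerStatus
$report | Format-Table Drive, Conversion, Protection, Method -AutoSize

# Flag anything that is plugged in and not protected.
$report | Where-Object { $_.Protection -notlike 'Protection On*' } |
    ForEach-Object { Write-Warning "$($_.Drive) is not BitLocker-protected ($($_.Conversion))" }

# Turning BitLocker To Go on for a drive with a password plus a recovery
# password (the recovery password is what should be escrowed, e.g. in AD):
#   manage-bde -on E: -Password -RecoveryPassword
# Listing the key protectors (and the recovery password) afterwards:
#   manage-bde -protectors -get E:
```

The escrow step matters because, as the slide says, AD key escrow is meant to be the primary recovery path; a DRA is the fallback when neither the user's password nor the escrowed recovery password is available.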
Application Control
Enhance security and control
Situation today:
– Users can install and run unapproved applications
– Even standard users can install some types of software
– Unauthorized applications may: introduce malware, increase helpdesk calls, reduce user productivity, undermine compliance efforts
Windows 7 solution: AppLocker™
– Eliminate unwanted/unknown applications in your network
– Enforce application standardization within your organization
– Easily create and manage flexible rules using Group Policy
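As an added example (not the presenter's code), the script below uses the AppLocker PowerShell module that Windows 7 includes to generate publisher and hash rules from the applications already installed, switch the policy to audit-only, test a file against it and publish it to a GPO. The GPO LDAP path and the test file path are hypothetical placeholders.

```powershell
# Added example, not from the presentation: build, audit and deploy an
# AppLocker policy with the Windows 7 AppLocker module. The GPO LDAP path and
# the file tested at step 4 are hypothetical placeholders.
Import-Module AppLocker

# 1. Inventory executables and DLLs under Program Files (signature and hash info).
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll

# 2. Publisher rules where files are signed, hash rules otherwise, optimized
#    into as few rules as possible, applying to Everyone. -Xml returns the policy as text.
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Set every rule collection to AuditOnly: blocks are only logged
#    (AppLocker event log, "would have been prevented" events), nothing is enforced yet.
[xml]$doc = $xml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xmlPath = Join-Path $env:TEMP 'AppLocker-audit.xml'
$doc.Save($xmlPath)

# 4. Dry-run a candidate file against the policy before deploying (hypothetical path).
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path 'C:\Users\Public\Downloads\tool.exe' -User Everyone

# 5. Publish to a GPO (hypothetical LDAP path) and dump the merged effective
#    policy for review. Without -Ldap the policy is applied to the local machine.
$gpo = 'LDAP://DC01.example.internal/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=internal'
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpo
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'AppLocker-effective.xml')
```

Two things to keep in mind: the Application Identity service must be running on clients for AppLocker to evaluate anything, and a policy generated only from Program Files contains no rule for the Windows folder, so add the default rules (allow Windows and Program Files for Everyone, everything for Administrators) before changing AuditOnly to Enabled.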
DirectAccess
DirectAccess – Why?
• Mobile workforce steadily increasing
– According to IDC, the third quarter of 2008 marked the point at which
computer manufacturers began shipping more mobile computers than
desktop computers worldwide (IDC Worldwide Quarterly PC Tracker,
December 2008).
– The number of mobile users is expected to grow; in 2008, mobile workers
worldwide will be 26.8% of the total workforce, and that number will increase
to 30.4% by 2011 (IDC, "Worldwide Mobile Worker Population 2007–2011
Forecast," Doc #209813, Dec 2007).
Granting access to internal resources - VPN
• With so many mobile users we need to give access to internal network
resources; this means VPNs
• VPN technology largely unchanged for a long time
• VPNs are problematic:
– Complex
– Slow
– Loss of Internet access means VPN has to be reconnected (Windows 7
supports VPN roaming/reconnect)
Granting access to internal resources - Gateways
• Outlook Web Access
• Outlook Anywhere
• OCS Anywhere
• SCCM Internet MPs
• Common for all these is that there is an "inside" and an
"outside"
DirectAccess
• Seamless connection to the corporate network any time users have
Internet access (no outside or inside)
• Connections automatically established
• All communication is bi-directional
• A connection is established by the computer (before the user logs on)
DirectAccess – Benefits for IT Pros
• Improved Manageability of Remote Users
• Secure and Flexible Network Infrastructure
– Authentication
– Encryption
– Access Control
• IT Simplification and Cost Reduction
DirectAccess – Key enablers:
• IPv6
– DirectAccess requires globally routable addresses, which IPv6
provides automatically
• IPSec
– Establishes a tunnel for IPv6 traffic between the client and the
DirectAccess server
– Authenticates both the user and the computer; Kerberos or
certificate (Smart Card)
– Encrypts traffic: 3DES or AES
• NAP
– Optional; can check a client's health before access to DirectAccess
is granted
• Domain/Server Isolation
– Optional; segregate the network
DirectAccess Connections
• DirectAccess establishes two IPSec tunnels:
– IPsec Encapsulating Security Payload (ESP) tunnel using a computer certificate
• Connect computer to DNS and DC to download Group Policy and be managed
– IPsec ESP tunnel using both a computer certificate and user credentials
• Connect the user to the internal resources
DirectAccess Scenarios
• End-to-End protection (most secure)
– Secure, encrypted connections are established through the DirectAccess server
directly to application servers
– Requires that all application servers run Windows Server 2008/2008 R2 with IPSec
and IPv6
• End-to-Edge protection (easiest setup)
– A secure, encrypted connection is established with an IPsec gateway server which
forwards traffic to internal application servers
– Does not require IPSec on application servers, but requires (any) IPv6
DirectAccess - Requirements
• One or more DirectAccess servers running
Windows Server 2008 R2 with two network adapters: one that is
connected directly to the Internet, and a second that is
connected to the intranet
• On the DirectAccess server, at least two consecutive, public
IPv4 addresses assigned to the network adapter that is
connected to the Internet
• DirectAccess clients running Windows 7
• At least one domain controller and Domain Name System (DNS)
server running Windows Server 2008 SP2 or
Windows Server 2008 R2
• A public key infrastructure (PKI) to issue computer certificates,
smart card certificates, and, for NAP, health certificates
• IPsec policies to specify protection for traffic
• IPv6 transition technologies available for use on the
DirectAccess server: ISATAP, Teredo, and 6to4
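The following is an added example, not from the presentation, of a read-only health check run on a Windows 7 DirectAccess client. It uses only built-in netsh contexts to show which IPv6 transition technology is in use, whether the Name Resolution Policy Table entries that steer intranet names into the tunnel are in effect, and which IPsec connection security rules (the two tunnels described above) are present. Nothing is assumed about names or addresses; everything is read from the machine, and the report path is a placeholder.

```powershell
# Added example, not from the presentation: read-only DirectAccess client
# check on Windows 7 using built-in netsh contexts. Output goes to a text
# file (hypothetical path) plus a few quick flags for the helpdesk or SOC.

function Get-DirectAccessClientReport {
    $report = @()

    # 1. IPv6 transition state. A client normally uses one of these at a time:
    #    6to4 (public IPv4), Teredo (behind NAT) or IP-HTTPS (only TCP 443 allowed).
    $report += '--- 6to4 ---';     $report += netsh interface 6to4 show state
    $report += '--- Teredo ---';   $report += netsh interface teredo show state
    $report += '--- IP-HTTPS ---'; $report += netsh interface httpstunnel show interfaces

    # 2. Name Resolution Policy Table in effect: the entries for the internal
    #    DNS suffix send intranet names to the internal DNS servers via the tunnel.
    $report += '--- NRPT ---';     $report += netsh namespace show effectivepolicy

    # 3. IPsec connection security rules: the infrastructure tunnel (computer
    #    certificate) and the intranet tunnel (computer certificate + user
    #    credentials) both appear here when Group Policy has applied.
    $report += '--- IPsec connection security rules ---'
    $report += netsh advfirewall consec show rule name=all

    return $report
}

$out = Join-Path $env:TEMP 'da-client-check.txt'   # hypothetical report path
Get-DirectAccessClientReport | Out-File $out
Write-Output "Report written to $out"

# Quick flags.
$teredo = netsh interface teredo show state | Out-String
if ($teredo -match 'State\s*:\s*qualified') {
    Write-Output 'Teredo is qualified: client is behind a NAT and UDP 3544 to the Teredo server is reachable'
}
$nrpt = netsh namespace show effectivepolicy | Out-String
if ($nrpt -notmatch 'DirectAccess') {
    Write-Warning 'No DirectAccess NRPT entries in effect: the computer may not be in the DirectAccess security group, or Group Policy has not applied yet'
}
```

Because the tunnels are computer-authenticated and come up before logon, the second check (Group Policy applied, NRPT present) is usually the first thing to verify when a client "cannot reach the intranet": a client outside the DirectAccess security group simply never gets the rules.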
[Diagram: DirectAccess architecture]
– IPv4 devices: support IPv4 via 6to4 transition services or NAT-PT
– IPv6 devices: native IPv6 with IPsec; supports direct connectivity to IPv6-based intranet resources
– IT desktop management: AD Group Policy, NAP, software updates
– IPv6 Transition Services
– DirectAccess Server: allows IPsec encryption and authentication
– DirectAccess provides transparent, secured access to intranet resources without a VPN
– Allows desktop management of DirectAccess clients
– Supports a variety of remote network protocols
– Internet; Windows 7 Client
More info
• Windows 7 Blog:
http://windowsteamblog.com/blogs/windows7
• Windows 7 Web site:
http://www.microsoft.com/windows/windows-7/
• Engineering Windows 7 Blog:
http://blogs.msdn.com/e7/
• Official Windows 7 Launch Web site;
http://www.win741.com
Q&A