The IT Infrastructure Platform for Business Solution Enablement
Part 2 of 2

The IT Infrastructure Platform
IT Infrastructure Solutions: Identity Management, Server Consolidation, Network Access
Platform Fundamentals: Reliability and Availability, Performance & Scale, Secure Foundation, Management

Secure Network Access

Network Access Challenges
• Increasing the productivity of users
• Securing access to corporate networks: anywhere, any device, any connection
• Keeping the "bad guys" out
• Simplifying access for the good guys
• Preserving the integrity & confidentiality of data
• Interoperability: access points and gateways, network authentication, VPN clients

Network Access: Windows Server 2003
Anywhere, Anytime Secure Network Access
• Secure Network Access: secure VPN solution; secure dial-up RAS access
• Secure Mobile Access: end-to-end solution for secure wireless
• Secure Network Authentication: user management integrated with AD; integrated RADIUS (IAS) server; multi-factor authentication support
• Standards-based Networking: rich TCP/IP stack; standard DNS and DHCP; broad networking protocol support

Network Access: Secure VPN Access
(Diagram: Remote User, Internet, VPN/RAS Gateway, IAS/RADIUS, Corp Net, Active Directory, Exchange, Web Service, File Share, ERP/CRM)
Standards-Based VPN Solution
• L2TP/IPsec for security and interoperability
• RADIUS authentication using IAS in Windows Server 2003
• Support for NAT traversal to work across mobile networks
• Uses Active Directory for user management
• Interoperable with other standard VPN gateways
• Interoperability with Windows clients and other standard clients

Network Access: Internet Authentication Service, Quarantined Client Policy Check
(Diagram: Remote User, Internet, Corpnet, Active Directory, VPN Gateway, Quarantine, Windows Server 2003 Internet Authentication Service)
Flow: Connect, Authenticate, Authorize, Quarantine VSA + Normal Filters, Quarantine Access Policy Check, Result, Full Access, Remove Quarantine
• Ensures that remote systems meet corporate security standards
• Reduces risk of security compromises
• Reduces the spread of viruses
• Remote systems: non-corporate-supplied and compliant systems

Network Access: Secure Wireless Networking
(Diagram: Hacker X, Wireless, Legacy File Sharing, email, Web Apps, Windows Server 2003)
• Strengthens wireless security
• Reduces risk of network attacks
• Effortless PKI client enrollment
• Password-based wireless access
• Strong certificate wireless access
• PEAP for password authentication
Diagram annotations: checks for valid X.509v3 certificate; PKI integrated with Active Directory; auto-enrollment of certificates; 802.1X for certificate auth; PEAP for password-based auth

Network Access: Windows Server 2003 Progress Since Windows NT Server 4.0
Capabilities compared across Windows NT 4.0, Windows 2000 Server and Windows Server 2003 (P = included in Windows Server product; * = integrated with Windows NT 4.0 user domains):
• 802.1X for secure wireless & wired authentication
• PEAP for password-based network authentication
• Integrated with Active Directory
• Integrated PKI for smartcard authentication
• Rich XML logging
• RADIUS load balancing
• NAT traversal for IPsec-based VPN
• Integrated IPv6 networking stack
• Network Quarantine

Secure Network Access: Ali Jaleel, Microsoft

Network Access Customer Examples
Guardia di Finanza (GdF)
• Security with smart card based network access
• Centralized client management with AD
• Increased employee productivity with remote access
Enterasys Networks
• Reduced costs by using the same infrastructure for wireless/VPN
• Better identity management with integrated AD & IAS
• Single Windows XP client for all network access
Fortis Health
• Enhanced wireless security with PEAP
• Better client management with AD group policy
• Reduced costs with usage of passwords vs. certificates

Identity Management
The software and processes used to manage the digital identities of users and their digital entitlements.

Identity Management: The User Perspective
The User Problem
(Diagram: User Account/Credentials; Web Service, File Share, email, VPN, Mainframe, UNIX App, Internet, B2B)
• Too many credentials
• Which one for which app
• Multiple logons
The Business Impact
• Increases risk of compromise
• Reduced productivity
• Increased helpdesk expenses

Identity Management: The IT Perspective
The IT Problem
(Diagram: Account Directory; Web Service, File Share, email, VPN, Mainframe, UNIX App, Internet, B2B)
• Too many user directories
• Provisioning new accounts
• Password management
• Auditing user activity
• De-provisioning users
• Managing non-employee access
The Business Impact
• People and time intensive
• Delayed access for new hires
• Risk of unauthorized access
• No single view of the user

Identity Management: Windows Server 2003 Identity Management
• Windows: Integrated Directory Services; Flexible & Strong Authentication; Single Sign-on to Integrated Apps
• Heterogeneous Enterprise: LDAP Directory Consolidation; Directory Integration & Synchronization; User Provisioning & Password Mgmt
• The "Web": Integrated B2E Web Single Sign-on; Passport Integration for B2C SSO; Extranet Access Management

Identity Management: Integrated Directory Services
Active Directory as Central Repository
• User accounts & attributes
• System accounts & attributes
• Organizational & security groups
• Application & service locations
• Management policy
• Security policy
• Digital certificates
• Network access permissions
• Printer locations
• File share locations
• …
Integrated Security
• Single Sign-on
• Kerberos v5
• X.509v3 certificates (PKI)
• Security domain
Rich Directory Access
• LDAP v3: standards-based access
• ADSI: simple COM-based interface
• DSML: XML interface
Key New Features in Windows Server 2003
• Cross-forest trust
• Schema delete
• Domain rename
• Application partitions
• NT 4 password migration
• Improved performance

Identity Management: Windows Single Sign-on
(Diagram: Logon to Windows, Active Directory, Exchange, Web Service, File Share)
Flexible Authentication: Kerberos; X.509v3/Smartcard; Biometrics; Passport (Web); Basic (Web); Digest (Web)
Single Sign-on to: Windows file servers; Windows Web applications; Exchange email; SQL Server; BizTalk Server; other Microsoft applications; 3rd-party integrated apps (Windows Integrated Applications)

Identity Management: Enterprise Interoperability
Integrate LDAP directories with AD
(Diagram: Web Service, Application, File Share, Exchange, Active Directory, SQL, LDAP, Account Directory, Enterprise App)
• LDAP v3 compliant
• Single AD and LDAP user account
• AD/AM for personalization data
Microsoft Metadirectory Server (MMS 2003): directory synchronization, account provisioning, password management
• Automate account creation
• Automate account de-provisioning
• Sources: LDAP (e.g. iPlanet & others), relational databases, application-specific
• Self-service password reset

Identity Management: Conrad Cahill, Microsoft

Web Single Sign-on: Identity Management B2E
Using Active Directory and IIS
(Diagram: Internet Explorer, Logon to AD, Web App 1 on IIS 6.0, Web App 2 on IIS 6.0, Web App 3 on IIS 6.0, Active Directory)
IIS Integrated Authentication
• Uses Kerberos or NTLM
• New: supports RBAC in Windows Server 2003
• New: supports URL authorization in Windows Server 2003

Web Single Sign-on: Identity Management B2C
Using Passport and Active Directory
(Diagram: Windows .NET IIS Web Server, Active Directory, Applications)
Step 1: Customer accesses a Web site using any standards-based browser.
Step 2: Passport verifies the user's credentials and sends a PUID back to the Web site.
Step 3: Web app verifies the activation code & maps the PUID to an AD account.
Step 4: User is authorized based on the AD account.
• Passport manages user credentials
• Passport manages user authentication
• You manage user access controls

Web Single Sign-on: Identity Management Extranet Access Management using AD
(Diagram: Enterprise Extranet; "Trusted" Business Partner; Web App 1 with SSO Agent; Web App 2 with SSO Agent; EAM Web SSO with SSO Agent; Delegated Admin; Corporate Identities in Active Directory; Partner Identities in Active Directory; SSL Session; Cookie; Authorization Check; Authentication via LDAP Bind)

Identity Management: Windows Server 2003 Progress Since Windows NT Server 4.0
Capabilities compared across Windows NT 4.0, Windows 2000 Server and Windows Server 2003 (P = included in Windows Server product; * MMS 2003 ships shortly after Windows Server 2003):
• Integrated Directory Services
• Heterogeneous Account Provisioning (MMS 2003*)
• Heterogeneous Password Management (MMS 2003*)
• Integrated PKI
• Kerberos Security
• Smartcard Logon
• Role Based Authorization
• Native Passport Authorization
• Policy-Based User Management
• Integrated Network Authentication
• 802.1X Network Authentication
• PEAP Network Authentication

Identity Management Customer Examples
Bundesministerium für Inneres
• 1,500 sites, each an NT domain
• Exchange 5.5 infrastructure, multiple directories
• Collapsed to 1 Active Directory domain, 1 directory
• €7.26 million reduction in TCO over 5 years
Guardia di Finanza (GdF)
• 16,000 employees; 150 sites; single NT domain
• SAM reaching its limits; clustering/reliability failing
JetBlue Airways
• Biometrics and smartcards for employee access
• GPO ensures workstations are locked when the smartcard is removed
Fujitsu
• Identities spread out across 80 systems
• Automated employee account provisioning with MMS 2003
• Automated the creation and management of distribution lists using MMS 2003

Server Consolidation: IT Challenges
Server Sprawl
• One application per server
• Scalability limitations
• Departmental purchasing
Leads to…
• High management cost
• Low application availability
• Difficult to secure
• High capital costs

Server Consolidation: Consolidation Scenarios
• Homogeneous Consolidation (Single Workloads): File, Print, Database, Messaging, Domain, Web, LOB App
• Heterogeneous Consolidation (Multiple Workloads): Application, LOB App, mixed workloads

Server Consolidation: Homogeneous Consolidation Enablers in Windows Server 2003
File Server
• 100% performance increase over Windows 2000
• Improved SAN support: Multi-path I/O
• Shadow Copy backup
Print Server
• 100% performance increase over Windows 2000
• Support for five times more print queues
• Improved driver support & administration
Domain Server
• Enterprise scale tested to 100 million objects
• New group policy objects
• Flexible change management

Server Consolidation: Heterogeneous Consolidation Enablers in Windows Server 2003
Web Server
• Process isolation for application co-existence
• Self-healing application monitoring
• 100-165% performance increase over IIS 5.0
Application Server and Mixed Workloads
• Windows System Resource Manager (WSRM)
• Virtual Server
• Load balancing, failover & clustering
• Side-by-side DLLs for application co-existence
• 100% performance increase over Windows 2000
• Volume Shadow Copy Service

Web Server Consolidation: Jason Goodman, Microsoft

Server Consolidation: Application Consolidation
Hardware partitioning (HP, IBM, Unisys)
• Best for: very high-throughput applications; complete isolation of applications
• Limits: re-sizing partitions requires a reboot; capacity in 4-proc increments
Resource Management (WSRM)
• Best for: medium-high throughput applications; manages resource usage
• Limits: all applications must run on the same OS level; OS/HW single point of failure
Virtualization (Virtual Server)
• Best for: low-throughput applications; legacy applications
• Limits: more complex management; performance "tax"

Windows Server Resource Manager: Mike Lekkarakos, Microsoft

Server Consolidation: Windows Server 2003 Progress since Windows NT Server 4.0
Capabilities compared across Windows NT 4.0, Windows 2000 Server and Windows Server 2003 (* included in Windows Server 2003 Enterprise & Datacenter Editions only; ** third-party product from Aurema):
• Workload Management
• Virtualization (Virtual Server)
• Hardware Partitioning
• Load Balancing & Failover
• Server Clustering
• Web application process isolation
• Side-by-side DLLs
• Point-in-time copies (Shadow Copy)
• Storage Area Network support

Customers on Consolidation
Standard Bank South Africa
• Deployed Windows Server 2003 with Active Directory & IIS 6.0
• Reduced the time and effort required to administer its 400 servers running Microsoft® Windows NT®
Microsoft OTG
• Consolidated 16 Windows 2000 Servers to 4 servers running Windows Server 2003
• Reduced administration time by 50 percent
GE Medical Systems
• Consolidated 70 autonomous NT4 domains to 4 Windows Server 2003 domains with an Active Directory forest infrastructure
• Effective central management of 40,000 users through the implementation of enterprise-wide standards and policies

Making it all work
Prescriptive guidance based on tested and proven deployments

Does your infrastructure look like this?
• Pieced together
• No end-to-end architecture
• Held together by strings
• Not sure if it's secure

Microsoft Systems Architecture
Proven architecture for predictable infrastructure
• Architecture for the Enterprise: Extranet, Corporate, Internet, Branch Office, Department
• Lab-tested and proven architecture
• End-to-end technology integration: Networking, Servers, Storage, Software

Microsoft Systems Architecture V.2
• Built around modular services: Back-up/Restore, Remote Access, Data Services, Wireless, Messaging, Application, File/Print, Networking
• MSA v2.0 based on Windows Server 2003
• Enterprise platform for .NET Framework based applications
• Covers Extranet, Branch Office, Department and Internet

Microsoft Solutions for Security
Available at the launch of Windows Server 2003
• Securing Windows Server 2003
• Identity Management: assessment, implementation, operations; Web Single Sign-on; provisioning and password management; Enterprise Single Sign-On*
• Secure Network Access: deploying and managing a PKI; 802.1X certificate-based wireless; L2TP/IPsec VPN*; smartcard logon*
* Available post Windows Server 2003

Summary
Do more with less
• Simplified and automated management
• Improved performance & scalability
• Platform for server consolidation
• Tested and prescribed solutions
Business Solution Enablement
• Security-focused release
• Data center level reliability and availability
• Identity management for business services
• Anywhere, anytime secure network access

Call to Action
• Evaluate Windows Server 2003
• Leverage prescriptive guidance: Active Directory and MMS 2003; Management Services; Secure VPN and Wireless; Microsoft Systems Architecture; Microsoft Solutions for Security
• Migrate and consolidate! NT4 file and print servers; NT4 domain controllers; application servers

More Information: Platform Fundamentals
Windows Server 2003: www.microsoft.com/windowsserver2003
Security: www.microsoft.com/windowsserver2003/technologies/security, www.microsoft.com/security, www.microsoft.com/technet/security
Reliability and Availability: www.microsoft.com/windowsserver2003/technologies/clustering
Performance and Scalability: www.microsoft.com/windowsserver2003/evaluation/performance/
Management: www.microsoft.com/windowsserver2003/technologies/management, www.microsoft.com/management

More Information: IT Infrastructure Solutions
Identity Management: www.microsoft.com/windowsserver2003/technologies/activedirectory, www.microsoft.com/windowsserver2003/technologies/security, www.microsoft.com/ad, www.microsoft.com/mms
Secure Network Access: www.microsoft.com/windowsserver2003/technologies/networking, www.microsoft.com/vpn
Server Consolidation: www.microsoft.com/servers/consolidation
Solution Enablers and Quick Starts: www.microsoft.com/solutions/msa, www.microsoft.com/solutions/mss, http://www.microsoft.com/business/services/quickstart.asp

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.