The IT Infrastructure
Platform for Business
Solution Enablement
Part 2 of 2
The IT Infrastructure Platform
IT Infrastructure Solutions
Identity Management
Server Consolidation
Network Access
Platform Fundamentals
Reliability and Availability
Performance & Scale
Secure Foundation
Management
Secure Network Access
Network Access Challenges

Increasing the productivity of users




Securing Access to corporate networks




Anywhere
Any Device
Any Connection
Keeping the “bad guys” out
Simplifying access for the good guys
Preserving the integrity & confidentiality of data
Interoperability



Access points and gateways
Networking authentication
VPN clients
Network Access
Windows Server 2003
Anywhere, Anytime Secure Network Access
Secure Network Access
Secure Mobile
Access
Secure Network
Authentication
Standard based
Networking









Secure VPN solution
Secure dial-up RAS Access
End-to-end solution for secure wireless
User management integrated w/ AD
Integrated RADIUS (IAS) server
Multi-Factor authentication support
Rich TCP/IP stack
Standard DNS DHCP
Broad networking protocols support
Network Access
Secure VPN Access
IAS/RADIUS
Exchange
Web Service
Internet
VPN/RAS Gateway
Corp Net
Active
Directory
File Share
Standards-Based VPN Solution
• L2TP/IPSEC for security and interoperability
ERP/CRM
• RADIUS Authentication using IAS in Windows Server 2003
• Support NAT Traversal to work across mobile networks
• Uses Active Directory for user management
• Interoperable with other standard VPN gateways
• Interoperability with Windows clients and other standard clients
Remote User
Network Access
Internet Authentication Service
Quarantined Client Policy Check
Remote
User
Internet
Corpnet
Active
Directory
VPN Gateway
Quarantine
Windows Server 2003
Internet Authentication Service
Connect
Authenticate
Authorize
Quarantine VSA
+ Normal Filters
Quarantine
Access
Policy Check
Result
Full Access
Remove Quarantine
Network Access
Internet Authentication Service
Quarantined Client Policy Check
Internet
Remote
User



Corpnet
Active
Directory
VPN Gateway
Quarantine
Windows Server 2003
Internet Authentication Service
Ensures that remote systems meet corporate
security standards
Reduces risk of security compromises
Reduces the spread of viruses


Remote Systems
Non-corporate supplied and compliant systems
Network Access
Secure Wireless Networking
Hacker
X
Legacy
File Sharing
email
Wireless
Windows Server 2003
•
•
•
•
•
•
Strengthens wireless security
Reduces risk of network attacks
Effortless PKI client enrollment
Password based wireless access
Strong certificate wireless access
PEAP for password
authentication
Checks for valid x509v3 Certificate
Web Apps
PKI integrated with Active Directory
Auto enrollment of certificates
802.1x for Certificate Auth
PEAP for Password-based Auth
Network Access
Windows Server 2003
Progress Since Windows NT Server 4.0
Windows
NT 4.0
Windows
2000 Server
Windows
Server 2003
*






802.1X for secure wireless & wired
authentication


PEAP for Password-based Network
Authentication


Capability
Integrated with Active Directory
Integrated PKI for smartcard authentication
Rich XML Logging
RADIUS Load Balancing
NAT Traversal for IPSEC-based VPN


Integrated IPv6 Networking Stack

Network Quarantine
P Included in Windows Server Product
* Integrated with Windows NT 4.0 User Domains
Secure Network
Access
Ali Jaleel
Microsoft
Network Access
Customer Examples
Guardia di Finanza (GdF)
 Security with smart card based network access
 Centralized client management with AD
 Increased employee productivity with remote access
Enterasys Networks
 Reduced costs by using same infrastructure for wireless/VPN
 Better identity management with integrated AD & IAS
 Single Windows XP client for all network access
Fortis Health
 Enhanced wireless security with PEAP
 Better client management with AD group policy
 Reduced costs with usage of passwords vs. certificates
Identity Management
The software and processes used to
manage the digital identities of users
and their digital entitlements.
Identity Management
The User Perspective
The User Problem


Web Service
File Share

Too many credentials
Which one for which app
Multiple logons
email
VPN
Mainframe
UNIX App
Internet
The Business Impact


User Account/Credentials
B2B

Increases risk of compromise
Reduced productivity
Increased helpdesk expenses
Identity Management
The IT Perspective
The IT Problem


Web Service
File Share
email




VPN
Too many user directories
Provisioning new accounts
Password management
Auditing user activity
De-provisioning users
Managing non-employee access
Mainframe
UNIX App
Internet
The Business Impact


B2B
Account Directory


People and time intensive
Delayed access for new hires
Risk of unauthorized access
No single view of the user
Identity Management
Windows Server 2003
Identity Management

Windows


Heterogeneous
Enterprise




The “Web”


Integrated Directory Services
Flexible & Strong Authentication
Single Sign-on to Integrated Apps
LDAP Directory Consolidation
Directory Integration & Synchronization
User Provisioning & Password Mgmt
Integrated B2E Web Single Sign-on
Passport Integration for B2C SSO
Extranet Access Management
Identity Management
Integrated Directory Services
Central Repository
• User Accounts & Attributes
• System Accounts & Attributes
• Organizational & Security Groups
• Application & Service Locations
• Management Policy
• Security Policy
• Digital Certificates
• Network Access Permissions
• Printer Locations
• File Shares Locations
…
Integrated Security
• Single Sign-on
• Kerberos v5
• x.509v3 Certificates (PKI)
• Security Domain
Active
Directory
Rich Directory Access
• LDAP v3 – Standards-based access
• ADSI – Simple COM-based Interface
• DSML – XML Interface
Key New Features in Windows Server 2003
• Cross-Forest Trust
• Schema Delete
• Domain Rename
• Application Partitions
• NT 4 Password Migration
• Improved Performance
Identity Management
Windows Single Sign-on
Exchange
Logon to Windows
Web Service
Active
Directory
File Share
Flexible Authentication
Single Sign-on to:
Kerberos
X509 v3/Smartcard
Biometrics
Passport (Web)
Basic (Web)
Digest (Web)
Windows File servers
Windows Web applications
Exchange email
SQL Server
BizTalk Server
Other Microsoft applications
3rd Party Integrated Apps
Windows Integrated
Applications
Identity Management
Windows Server 2003
Identity Management

Windows


Heterogeneous
Enterprise




Web


Integrated Directory Services
Flexible & Strong Authentication
Single Sign-on to Integrated Apps
LDAP Directory Consolidation
Directory Integration & Synchronization
User Provisioning & Password Mgmt
Integrated B2E Web Single Sign-on
Passport Integration for B2C SSO
Extranet Access Management
Identity Management
Enterprise Interoperability
Integrate LDAP directories with AD


Web Service
Application

File Share
Exchange
Active
Directory
LDAP v3 compliant
Single AD and LDAP user account
AD/AM for personalization data
Microsoft Metadirectory Server
Application

Directory synchronization




SQL
LDAP
Account Provisioning



Account Directory
Automate account creation
Automate account de-provisioning
Password Management (MMS 2003)

Enterprise
App
LDAP (eg iPlanet & others)
Relational databases
Application specific
Self-service password reset
Identity Management
Conrad Cahill
Microsoft
Identity Management
Windows Server 2003
Identity Management

Windows


Heterogeneous
Enterprise




Web


Integrated Directory Services
Flexible & Strong Authentication
Single Sign-on to Integrated Apps
LDAP Directory Consolidation
Directory Integration & Synchronization
User Provisioning & Password Mgmt
Integrated B2E Web Single Sign-on
Passport Integration for B2C SSO
Extranet Access Management
Web Single Sign-on
Identity Management
B2E Using Active Directory and IIS
Web App 1
IIS 6.0
Logon to AD
Web App 2
IIS6.0
Active
Directory
Web App 3
IIS 6.0
IIS Integrated Authentication
• Uses Kerberos or NTLM
New
• Supports RBAC in Windows Server 2003
New
• Supports URL authorization in Windows Server 2003
Internet
Explorer
Web Single Sign-on
Identity Management
B2C Using Passport and Active Directory
Active
Directory
(Step 3) Web app verifies
activation code & maps
PUID to AD account.
(Step 2) Passport verifies
the user’s credentials
and sends a PUID back to
the Web site
(Step 4) User is authorized
based AD account.
Windows .NET
IIS Web Server
(Step 1) Customer accesses
a Web site using any
standards-based browser
Passport manages user credentials
Passport manages user authentication
You manage user access controls
Applications
Web Single Sign-on
Identity Management
Extranet Access Management using AD
Enterprise Extranet
“Trusted” Business Partner
Cookie
Authorization
Check
Web App 1
SSO Agent
EAM
Web
SSO
Corporate
Identities
Web App 2
SSO Agent
Delegated
Admin
SSO Agent
Authentication
LDAP Bind
Partner
Identities
Active
Directory
SSL
Session
Active
Directory
Identity Management
Windows Server 2003
Progress Since Windows NT Server 4.0
Capability
Windows
NT 4.0
Integrated Directory Services
Windows
2000 Server
P
Windows
Server 2003
P
Heterogeneous Account Provisioning
MMS 2003*
Heterogeneous Password Management
MMS 2003*
P
P
P
Integrated PKI
Kerberos Security
Smartcard Logon
Role Based Authorization
Native Passport Authorization
Policy-Based User Management
Integrated Network Authentication
P
802.1x Network Authentication
PEAP Network Authentication
* MMS 2003 ships shortly after Windows Server 2003
P – Included in Windows Server Product
P
P
P
P
P
P
P
P
P
P
P
P
Identity Management
Customer Examples
Bundesministerium Fur Inneres
•
•
•
•
1,500 sites – each an NT domain
Exchange 5.5 infrastructure – multiple directories
Collapsed to 1 Active Directory domain, 1 directory
€7.26 million reduction in TCO over 5 years
Guardia di Finanza (GdF)
• 16,000 employees; 150 sites; single NT domain
• SAM reaching its limits; clustering/reliability failing
JetBlue Airways
• Biometrics and smartcards for employee access
• GPO ensures workstations locked when smartcard removed
Fujitsu
• Identities spread out across 80 systems
• Automated employee account provisioning with MMS 2003
• Automated the creation and management of distribution lists
using MMS 2003.
Server Consolidation
IT Challenges

Server Sprawl
 One
application per server
 Scalability limitations
 Departmental purchasing

Leads to…
 High
management cost
 Low application availability
 Difficult to secure
 High capital costs
Server Consolidation
Consolidation Scenarios
Homogeneous
Consolidation
(Single
Workloads)
Heterogeneous
Consolidation
(Multiple
Workloads)
File
Print
Database
Messaging
Domain
Web
LOB App
Application
LOB App
Mixed workloads
LOB App
Server Consolidation
Homogeneous Consolidation Enablers
Windows Server 2003
File Server
Print Server
Domain
Server
100% performance increase over Windows 2000
Improved SAN support: Multi-path I/O
Shadow Copy backup
100% performance increase over Windows 2000
Support for five times more print queues
Improved driver support & administration
Enterprise scale tested to 100 million objects
New group policy objects
Flexible change management
Server Consolidation
Heterogeneous Consolidation Enablers
Windows Server 2003
Web Server
Application
Server
Mixed
Workloads
Process isolation for application co-existence
Self-healing application monitoring
100-165% performance increase over IIS 5.0
Windows System Resource Manager (WSRM)
Virtual Server
Load balancing, failover & clustering
Side-by-side DLLs for application co-existence
100% performance increase over Win 2000
Volume Shadow Copy Service
Web Server
Consolidation
Jason Goodman
Microsoft
Server Consolidation
Application Consolidation
Tool
Best
for
Limit
Hardware
partitioning
(HP, IBM, Unisys)
Resource
Management
(WSRM)
Virtualization
(Virtual Server)
Very high-throughput
applications
Complete isolation of
applications
Medium-high
throughput
applications
Manages resource
usage
Low-throughput
applications
Legacy applications
Re-sizing partitions
requires a reboot
All applications
must run on same
OS level
OS/HW single point
of failure
More complex
management
Performance “tax”
Capacity in 4-proc
increments
Windows Server
Resource Manager
Mike Lekkarakos
Microsoft
Server Consolidation
Windows Server 2003
Progress since Windows NT Server 4.0
Capability
Windows
NT 4.0
Windows
2000 Server
Windows
Server 2003
*

* *




Workload Management
Virtualization (Virtual Server)
Hardware Partitioning
Load Balancing & Failover
Server Clustering
Web application process isolation
Side-by-side DLLs
Point in time copies (Shadow Copy)
Storage Area Network support

* Included in Windows Server 2003 Enterprise & Datacenter Editions only
** Third party product from Aurema








Customers on Consolidation
Standard Bank South Africa


Deployed Windows Server 2003 with Active Directory & IIS6.0
Reduce the time and effort required to administer its 400
servers running Microsoft® Windows NT®.
Microsoft OTG


Consolidated 16 Windows 2000 Servers to 4 servers running
Windows Server 2003
Reduced administration time by 50 percent
GE Medical Systems


Consolidated 70 autonomous NT4 domains to 4 Windows
Server 2003 domains with Active Directory forest infrastructure.
Effective central management of 40,000 users through the
implementation of enterprise-wide standards and policies
Making it all work
Prescriptive guidance based on tested
and proven deployments
Does your Infrastructure look like this?




Pieced together
No end to end architecture
Held together by strings
Not sure if it’s secure
Microsoft Systems Architecture
Proven Architecture for predictable infrastructure
Extranet
Corporate


Architecture for the
Enterprise
Internet
Branch Office
Department
Lab tested and proven
Architecture

End-to-end technology
integration
Networking
Servers
Storage
Software
Microsoft Systems Architecture V.2
Back-up/Restore

Built around modular
services
Remote Access
Data Services
Wireless

MSA v2.0 based on
Windows Server 2003
Messaging
Application

Enterprise
Platform for .NET
Framework based
applications
File/Print
Networking
Extranet
Branch Office
Department
Internet
Microsoft Solutions for Security
Available at the Launch of Windows Server 2003

Securing Windows Server 2003




Identity Management




Assessment
Implementation
Operations
Web Single Sign-on
Provisioning and password management
Enterprise Single-Sign On*
Secure Network Access




Deploying and managing a PKI
802.1x certificated-based wireless
L2TP/IPSEC VPN*
Smartcard logon*
* Available post Windows Server 2003
Summary

Do more with Less





Simplified and automated management
Improved performance & scalability
Platform for server consolation
Tested and prescribed solutions
Business Solution Enablement




Security focused release
Data center level reliability and availability
Identity management for business services
Anywhere, anytime Secure network access
Call to Action

Evaluate Windows Server 2003




Leverage Prescriptive Guidance



Active Directory and MMS 2003
Management Services
Secure VPN and Wireless
Microsoft System Architecture
Microsoft Solutions for Security
Migrate and Consolidate!



NT4 File and Print servers
NT4 Domain Controllers
Application Servers
More Information
Platform Fundamentals
Windows Server 2003

www.microsoft.com/windowsserver2003
Security



www.microsoft.com/windowsserver2003/technologies/security
www.microsoft.com/security
www.microsoft.com/technet/security
Reliability and Availability

www.microsoft.com/windowsserver2003/technologies/clustering
Performance and Scalability

www.microsoft.com/windowsserver2003/evaluation/performance/
Management


www.microsoft.com/windowsserver2003/technologies/management
www.microsoft.com/managment
More Information
IT Infrastructure Solutions
Identity Management




www.microsoft.com/windowsserver2003/technologies/activedirectory
www.microsoft.com/windowsserver2003/technologies/security
www.microsoft.com/ad
www.microsfot.com/mms
Secure Network Access


www.microsoft.com/windowsserver2003/technologies/networking
www.microsoft.com//vpn
Server Consolidation

www.microsoft.com/servers/consolidation
Solution Enablers and Quick Starts

www.microsoft.com/solutions/msa
www.microsoft.com/solutions/mss

http://www.microsoft.com/business/services/quickstart.asp

© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS
OR IMPLIED, IN THIS SUMMARY.