SVR219
Ten Reasons to Prepare for
Windows Server Code Named
"Longhorn"
Ward Ralston wardr@microsoft.com
Sr. Technical Product Manager
Windows Server Division
Microsoft Corporation
Nuo Yan
Microsoft MVP – Windows Shell / User
More Pressure than Ever on IT
(Slide diagram of the pressures on IT: technology change, regulatory compliance, competition, security, cost reduction, keeping the business up and running, customer connection, end-user productivity, and delivering business results and new value.)
IT Challenges
Over 60% of TCO over a 5-year period is driven by people costs, and those people are spending their time on manual tasks.
(Chart 1, Degree of Automation, percent of responses: for each of Security Mgmt, Event, Performance, Network, Storage and Change/Config management, roughly 53-62% of responses were "Manual", 13-24% "Scripts" and 23-29% "Automated Tools".)
(Chart 2, TCO breakdown: Staff Costs, Downtime, Training, Software, Hardware; staff costs are the largest component.)
Source: IDC 2002, Microsoft Primary Quantitative Research. 400 30-minute phone surveys of IT professionals in data centers with 25 or more servers.
Microsoft’s Promises to You
Enabling IT Pros & Development Teams Across the IT Lifecycle
Ten Reasons to Prepare for
Windows Server “Longhorn”
Improvements in Server Security
Network Access Protection (NAP)
New Terminal Services capabilities
Improvements in Networking
Enhancements to Directory Services
New Deployment Roles
Improved Interoperability with Unix
Reliability and Performance Improvements
New Application Server
Management improvements
Operations infrastructure: Control, Flexibility, Availability
Application platform: Flexible Solutions, Connected Systems, Rich Experiences
Investment in the fundamentals: Security, Reliability, Performance
Improvements in
Server Security
Windows Service Hardening
Defense in depth by factoring and profiling services:
Reduce the size of the high-risk layers
Segment the services
Increase the number of layers
(Slide diagram: services 1, 2, 3 ... and A, B ... drawn as separate boxes, each with its own set of dependencies "D"; kernel drivers and user-mode drivers drawn as separate layers beneath them.)
Service Changes in Windows Server "Longhorn"
The slide compares which account each built-in service runs under on Windows XP SP2 / Windows Server 2003 R2 versus Windows Vista / Windows Server "Longhorn", with the further restriction applied to each group in the new release.
Windows XP SP2 / Server 2003 R2
LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
Network Service: DNS Client
Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry
Windows Vista / Windows Server "Longhorn"
LocalSystem (firewall restricted or fully restricted): WMI Perf Adapter, Automatic updates, Secondary Logon, App Management, Wireless Configuration, BITS, Themes, Rasman, TrkWks, Error Reporting, 6to4, Task scheduler, RemoteAccess, Rasauto, WMI
Network Service (network restricted): DNS Client, ICS, DHCP Client, browser, Server, W32time, Cryptographic Services, Telephony, PolicyAgent, Nlasvc
Local Service (no network access, or fully restricted): System Event Notification, Network Connections, Shell Hardware Detection, COM+ Event System, Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Event Log, Workstation, Remote registry
The point of the slide: on XP SP2 nearly everything ran as LocalSystem; in Vista / "Longhorn" the bulk moves to Network Service or Local Service, and the services that stay in LocalSystem are restricted per service, so far fewer services run with the full system token.
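The following PowerShell is an added example, not code from the deck or from Microsoft: it inventories which account every service on the local machine runs under and, for the LocalSystem ones, asks the Service Control Manager whether Windows Service Hardening has given the service its own SID and a trimmed privilege set. It assumes an elevated prompt on Windows Vista / Windows Server "Longhorn" (2008) or later, where `sc.exe` gained the `qsidtype` and `qprivs` queries, and it parses the text those queries print.

```powershell
# Added example, not from the deck: audit service accounts and Windows
# Service Hardening settings. Read-only; run from an elevated prompt on
# Vista / Windows Server "Longhorn" (2008) or later, where sc.exe gained
# the qsidtype and qprivs queries.

$services = Get-WmiObject -Class Win32_Service

# 1. Distribution of service accounts. The slide's point: XP SP2 ran most
#    built-in services as LocalSystem; Longhorn moves many to Local Service
#    and Network Service.
$services | Group-Object -Property StartName |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

function Get-ServiceHardening {
    param([string]$Name)
    # Per-service SID: UNRESTRICTED or RESTRICTED means the SCM adds a SID
    # unique to this service to its token, so files, registry keys and
    # firewall rules can be ACLed to one service instead of to the whole
    # account ("firewall restricted" on the slide). NONE means no such SID.
    $sidLine = sc.exe qsidtype $Name | Select-String 'SERVICE_SID_TYPE' |
               ForEach-Object { $_.Line }
    $sidType = if ($sidLine) { ($sidLine -replace '.*:\s*', '').Trim() } else { 'n/a' }

    # Privileges the SCM keeps in the token; anything not listed is removed
    # at start-up. No list at all means the service keeps the full account token.
    $privs = sc.exe qprivs $Name | Select-String 'Se\w+Privilege' |
             ForEach-Object { [regex]::Match($_.Line, 'Se\w+Privilege').Value }

    New-Object PSObject -Property @{
        Name    = $Name
        SidType = $sidType
        Privs   = $(if ($privs) { $privs -join ',' } else { '(account default)' })
    }
}

# 2. Flag the worst combination: LocalSystem, no per-service SID, and no
#    privilege trimming. A bug in such a service hands over a full SYSTEM token.
$services | Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object { Get-ServiceHardening -Name $_.Name } |
    Where-Object { $_.SidType -eq 'NONE' -and $_.Privs -eq '(account default)' } |
    Sort-Object -Property Name |
    Format-Table -Property Name, SidType, Privs -AutoSize
```

The second table is the one to read: every row is a service whose compromise is equivalent to SYSTEM. On an XP SP2 or Server 2003 box the `sc.exe` queries fail, which is itself the answer: no per-service SIDs or privilege trimming exist there.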
BitLocker™ Drive Encryption
Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections.
Secure Startup helps provide data protection on your Windows systems, even when the system is in unauthorized hands.
Uses a v1.2 TPM or a USB flash drive for key storage.
BitLocker™ Features Overview
Ensures boot process integrity
Protects the system from offline software-based attacks
Protects data while the system is offline
Encrypts the entire Windows volume, including both user data and system files, the hibernation file, the page file and temporary files
Force Recovery: a sys-admin-only tool to securely speed up PC re-deployment; eases equipment recycling
Single Microsoft TPM driver: improved stability and security
TPM Base Services (TBS): Windows and third-party software access to the TPM
Scenarios: lost or stolen laptop; branch-office server; server integrity
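As an added example (not from the deck), the PowerShell below reads back from user mode what the features above depend on: whether the v1.2 TPM is enabled, activated and owned, and which key protectors guard each encryptable volume. It assumes an elevated prompt on Vista / Windows Server "Longhorn" or later, where the TPM driver and BitLocker expose these WMI providers; the protector type codes are the documented `Win32_EncryptableVolume` values.

```powershell
# Added example, not from the deck: report TPM state and BitLocker key
# protectors. Read-only; requires elevation on Vista / Windows Server
# "Longhorn" (2008) or later.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }
    # Each method returns an object carrying the answer in a same-named member.
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
    }
}

# Documented KeyProtectorType codes.
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical password (recovery)';
    4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'; 7 = 'Public key'; 8 = 'Passphrase'
}

function Get-VolumeProtection {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    foreach ($v in (Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        $ids   = @($v.GetKeyProtectors(0).VolumeKeyProtectorID)     # 0 = every protector type
        $types = @($ids | ForEach-Object { [int]$v.GetKeyProtectorType($_).KeyProtectorType })
        New-Object PSObject -Property @{
            Drive      = $v.DriveLetter
            Protection = $v.GetProtectionStatus().ProtectionStatus  # 0 = off, 1 = on, 2 = unknown
            Protectors = ($types | ForEach-Object { $protectorNames[$_] }) -join ', '
            # A TPM-based protector is what ties the volume key to this
            # machine's measured boot path. A volume guarded only by a
            # numerical password or an external key is readable by whoever
            # holds that secret, on any hardware.
            TpmBound   = [bool]($types | Where-Object { 1, 4, 5, 6 -contains $_ })
        }
    }
}

$tpmState = Get-TpmState
if ($tpmState) {
    $tpmState | Format-List SpecVersion, Enabled, Activated, Owned
} else {
    'No TPM exposed to Windows: BitLocker here would depend on a USB startup key.'
}
Get-VolumeProtection | Format-Table Drive, Protection, TpmBound, Protectors -AutoSize
```

A volume with `Protection = 1` but `TpmBound = False` is encrypted yet not bound to the platform, which covers the "data at rest" scenario but not the "boots another operating system" one the slide leads with.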
Code Integrity: OS File Protection
Validates the integrity of the boot process: checks the kernel, the HAL and boot-start drivers; if validation fails, the image won't load.
Validates the integrity of each binary image: implemented as a file system filter driver; checks hashes for every page as it's loaded; checks any image loading into a protected process.
Hashes are stored in a system catalog or in the Authenticode signature embedded in the file (it is the signature block, not the X.509 certificate itself, that carries the file hash; the certificate identifies the signer).
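The PowerShell below is an added example, not from the deck: it lists the images Code Integrity checks first (the kernel, the HAL and every boot-start driver) and verifies each one's Authenticode signature from user mode with `Get-AuthenticodeSignature`, which has shipped with PowerShell since 1.0. It assumes the `Win32_SystemDriver` path formats seen on XP through current Windows; the path-fixing helper is this example's own.

```powershell
# Added example, not from the deck: verify signatures on the kernel, HAL
# and boot-start drivers. Read-only.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports kernel-style paths on some systems.
    if ($PathName -match '^\\SystemRoot\\(.*)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($PathName -match '^\\\?\?\\(.*)$')       { return $Matches[1] }
    if ($PathName -match '^system32\\')          { return (Join-Path $env:SystemRoot $PathName) }
    return $PathName
}

function Get-BootImageSignatures {
    $paths = @(
        (Join-Path $env:SystemRoot 'system32\ntoskrnl.exe'),
        (Join-Path $env:SystemRoot 'system32\hal.dll')
    )
    $paths += Get-WmiObject -Class Win32_SystemDriver |
              Where-Object { $_.StartMode -eq 'Boot' -and $_.PathName } |
              ForEach-Object { Resolve-DriverPath $_.PathName }

    foreach ($p in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        New-Object PSObject -Property @{
            Path   = $p
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = $signer
        }
    }
}

# Anything other than Valid deserves a look. Two caveats:
#  - Before PowerShell 5.1 this cmdlet only reads embedded signatures, so a
#    catalog-signed Microsoft driver shows NotSigned here even though Code
#    Integrity accepts it through the .cat file. On 5.1+ the SignatureType
#    property distinguishes Authenticode from Catalog.
#  - HashMismatch on a boot-start driver is precisely the condition under
#    which Code Integrity refuses to load the image.
Get-BootImageSignatures | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Status, Signer, Path -AutoSize
```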
Controlling Device Installation
Ability to block all new device installs: a machine can be deployed with no new devices allowed to be installed.
Exceptions can be set based on device class or device ID: allow keyboards and mice to be added but nothing else, or allow specific device IDs.
Configurable via Group Policy; set at the computer level.
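As an added example (not from the deck), here is the "keyboards and mice but nothing else, plus one approved device" scenario expressed as the registry values behind the Group Policy settings under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions. In a domain you would set the same settings in a GPO; writing them locally suits a stand-alone machine or a lab. The two class GUIDs are the built-in Keyboard and Mouse setup classes; the hardware ID is a placeholder.

```powershell
# Added example, not from the deck: local-policy equivalents of the Device
# Installation Restriction settings. Requires elevation. Applies to new
# device installs only; devices already installed are unaffected.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Built-in setup class GUIDs for Keyboard and Mouse (Windows DDK values).
$keyboardClass = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$mouseClass    = '{4D36E96F-E325-11CE-BFC1-08002BE10318}'

# Placeholder hardware ID for one specifically approved device.
$approvedId = 'USB\VID_0000&PID_0000'

# 1. "Prevent installation of devices not described by other policy settings"
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name 'DenyUnspecified' -Value 1 -Type DWord

# 2. "Allow installation of devices using drivers that match these device setup classes"
$allowClasses = Join-Path $base 'AllowDeviceClasses'
New-Item -Path $allowClasses -Force | Out-Null
Set-ItemProperty -Path $allowClasses -Name '1' -Value $keyboardClass -Type String
Set-ItemProperty -Path $allowClasses -Name '2' -Value $mouseClass    -Type String

# 3. "Allow installation of devices that match any of these device IDs"
$allowIds = Join-Path $base 'AllowDeviceIDs'
New-Item -Path $allowIds -Force | Out-Null
Set-ItemProperty -Path $allowIds -Name '1' -Value $approvedId -Type String

# 4. "Allow administrators to override Device Installation Restriction policies"
#    0 = administrators are blocked too, which is what "deploy a machine and
#    allow no new devices" means in practice.
Set-ItemProperty -Path $base -Name 'AllowAdminInstall' -Value 0 -Type DWord

# Read back what was written.
Get-ItemProperty -Path $base | Format-List DenyUnspecified, AllowAdminInstall
Get-ItemProperty -Path $allowClasses, $allowIds | Format-List -Property 1, 2
```

The allow lists only matter once `DenyUnspecified` is set. One caveat for the device-ID exception: a hardware ID is a string the device reports about itself, so a malicious USB device can claim the approved ID; class-based allow rules for keyboards and mice likewise admit anything that enumerates as a keyboard.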
Network Access Protection (NAP)
How it works (slide diagram: a Windows client connects through DHCP, VPN or a switch/router to the Microsoft Network Policy Server (NPS), which consults policy servers such as patch and AV; non-compliant clients land on a restricted network with fix-up servers, compliant clients reach the corporate network):
1. The client requests access to the network and presents its current health state.
2. The DHCP server, VPN server or switch/router relays the health status to the Microsoft Network Policy Server (RADIUS).
3. The Network Policy Server (NPS) validates the health state against the IT-defined health policy.
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations and signatures; steps 1-4 then repeat.
5. If policy compliant, the client is granted full access to the corporate network.
NAP - Enforcement Options
DHCP: a healthy client is given a full IP address and full access; an unhealthy client gets a restricted set of routes.
VPN (Microsoft and 3rd party): a healthy client gets full access; an unhealthy client is placed in a restricted VLAN.
802.1X: a healthy client gets full access; an unhealthy client is placed in a restricted VLAN.
IPsec: a healthy client can communicate with any trusted peer; healthy peers reject connection requests from unhealthy systems.
IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and allows flexible isolation.
NAP Benefits
Built-in client: supported on Windows Vista and Windows XP; no need to deploy or license a 3rd-party client; updates via WUS / WSUS / SMS.
Flexible enforcement: DHCP, VPN, 802.1X, Terminal Services, server and domain isolation; works with today's and tomorrow's networks; enables risk-benefit trade-offs.
3rd-party enforcement: all major switch / router / firewall / VPN vendors; customers can use any network or security infrastructure vendor.
Health assessment: SMS, WUS, Security Center, 3rd party; seamless integration with Windows infrastructure; works with any AV, patch or endpoint security solution.
User experience: integrated with Windows Vista glass, branding supported; polished look and feel tailored for the customer environment.
Management: integration with SMS, AD, Group Policy and MOM for client, server and service operations; complete policy-based administration and operation.
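The PowerShell below is an added example, not from the deck: it enables the client side of two of the enforcement options above (DHCP and IPsec) on a Vista / Windows Server "Longhorn" machine and reads the agent's state back. It assumes an elevated prompt and the enforcement-client IDs that `netsh nap` documents; the small parser assumes the `Restriction state = ...` line that `netsh nap client show state` prints. Nothing here configures the NPS side.

```powershell
# Added example, not from the deck: enable the NAP client for DHCP and
# IPsec enforcement and check its restriction state. Requires elevation.

# The NAP Agent service must run, or no enforcement client ever reports health.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Enforcement clients, by the netsh IDs:
#   79617 DHCP Quarantine Enforcement Client
#   79618 Remote Access (VPN) Quarantine Enforcement Client
#   79619 IPsec Relying Party
#   79621 TS Gateway Quarantine Enforcement Client
#   79623 EAP (802.1X) Quarantine Enforcement Client
# Enable only the methods you deploy; an enabled client with no matching
# server-side policy just adds noise to the logs.
netsh nap client set enforcement id=79617 admin=enable
netsh nap client set enforcement id=79619 admin=enable

function Get-NapRestrictionState {
    # Parse "Restriction state = ..." out of the agent's state dump.
    $line = netsh nap client show state | Select-String 'Restriction state'
    if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { 'unknown' }
}

netsh nap client show config
'Restriction state: ' + (Get-NapRestrictionState)

# Caveat that follows from the enforcement table: DHCP enforcement only
# withholds routes, so a client that sets a static address bypasses it.
# IPsec enforcement is the one method where the healthy peers themselves
# refuse traffic from unhealthy systems, so it holds against a static
# address as well.
```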
New Terminal Services Capabilities
Terminal Services (secure centralized application access)
Centralized application access from a central location: application deployment ("app virtualization"); branch office.
Secure anywhere access: branch office, home office, mobile worker, in the airport.
New features: TS Gateway; TS Remote Programs; SSO for managed clients.
Terminal Services Gateway
Remote access to internal application resources; tunnels RDP over HTTPS.
(Slide diagram: clients at home, in a hotel, or at a business partner/client site connect across the Internet on HTTPS/443 through the external firewall to the Terminal Services Gateway Server in the DMZ; the gateway strips off the HTTPS wrapper and passes the RDP/SSL traffic through the internal firewall to the Terminal Servers and the Email Server on the corporate LAN.)
TS Gateway Security
Authentication with passwords or smart cards
Uses industry-standard encryption and firewall traversal (SSL, HTTPS)
RDP traffic is still encrypted end-to-end, client to terminal server
Client machine health can be validated (using NAP)
SSL termination devices can terminate the SSL traffic on a separate device (for intrusion detection or filtering in the DMZ)
Compared to a VPN:
Users can access corporate applications and corporate desktops via a web browser
Friendly with home machines
Crosses firewalls and NATs (with HTTPS on port 443)
Granular access control at the perimeter: Connection Authorization Policy (CAP) governs who may connect through the gateway and how they authenticate; Resource Authorization Policy (RAP) governs which internal computers they may reach
Terminal Services Remote Programs
Simple, fast application deployment
Central management of LOB applications
Light-weight deployment of data-intensive apps
Programs roam easily: anywhere access
Staged rollout of new application releases
Application consolidation
Integrates with local programs: drag and drop (Beta 3); system tray integration; local devices and files available
Improvements in Networking Services
Complete Redesign of TCP/IP
(Slide diagram of the Next Generation TCP/IP Stack: in user mode, Winsock applications; in kernel mode, AFD and a TDI/TDX shim for legacy TDI clients, WSK for WSK clients, and tcpip.sys itself with TCP, UDP and RAW transports, an Inspection API, and a dual-IP layer for IPv4 and IPv6 over 802.3, WLAN, loopback, IPv4 tunnel and IPv6 tunnel interfaces, all on top of NDIS.)
Dual-IP layer architecture for native IPv4 and IPv6 support
Seamless security through expanded IPsec integration
Improved performance via hardware acceleration
Network auto-tuning and optimization algorithms
Greater extensibility and reliability through rich APIs
A Short List of New Features
Security: IPsec; VPN Routing Compartments; Windows Filtering Platform (WFP); Secure Sockets API.
Experience and scalability: IPv6; TCP Chimney; TCP-A (I/OAT); Receive Side Scaling (RSS); Receive Window Auto-Tuning; Compound TCP (CTCP) congestion control; Wireless Reliability; Black-Hole Router Detection (BHRD); Dead Gateway Detection; Network Diagnostics Framework / Extended TCP Statistics; Policy-based Quality of Service (eQoS).
(The slide marks Receive Window Auto-Tuning, CTCP and eQoS under both the Experience and the Scalability columns.)
Windows Firewall with Advanced Security
Combined firewall and IPsec management: new management tools (the Windows Firewall with Advanced Security MMC snap-in); reduces conflicts and coordination overhead between the two technologies.
Firewall rules become more intelligent: specify security requirements such as authentication and encryption; specify Active Directory computer or user groups.
Outbound filtering: an enterprise management feature, not for consumers.
Simplified protection policy reduces management overhead.
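As an added example (not from the deck), the commands below are the `netsh advfirewall` equivalents of the three things the slide highlights: a connection security rule that authenticates computers with Kerberos, a firewall rule that only admits authenticated and encrypted traffic from one Active Directory computer group, and outbound filtering. They assume an elevated prompt on Vista / Windows Server "Longhorn" and a domain-joined machine; the group SID and the domain controller addresses are placeholders.

```powershell
# Added example, not from the deck: domain isolation plus a group-scoped,
# IPsec-only RDP rule and default-deny outbound on the domain profile.
# Requires elevation; SID and addresses are placeholders.

$mgmtHostsSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder: "Management Hosts" computer group

# 1. Connection security rule: request IPsec outbound, require it inbound.
#    Kerberos computer authentication means only domain members can complete
#    the negotiation, so this is the "server and domain isolation" option
#    from the NAP enforcement list.
netsh advfirewall consec add rule name="Domain isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# 2. Firewall rule for RDP that is satisfied only by an authenticated and
#    encrypted (IPsec) connection from a computer in the management group.
#    rmtcomputergrp takes an SDDL string; security=authenc is what makes
#    the group check possible, since identity comes from the IPsec SA.
netsh advfirewall firewall add rule name="RDP from management hosts only" `
    dir=in action=allow protocol=TCP localport=3389 profile=domain `
    security=authenc rmtcomputergrp="D:(A;;CC;;;$mgmtHostsSid)"

# 3. Outbound filtering: default-deny on the domain profile, then allow what
#    the server needs. Do this last and test it: everything not explicitly
#    allowed breaks, Group Policy refresh included, if the DC rule is wrong.
netsh advfirewall firewall add rule name="Outbound to domain controllers" `
    dir=out action=allow profile=domain remoteip=10.0.0.10,10.0.0.11   # placeholder DC addresses
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

# 4. Read back the result.
netsh advfirewall firewall show rule name="RDP from management hosts only" verbose
netsh advfirewall consec show rule name="Domain isolation"
netsh advfirewall show domainprofile
```

Without the connection security rule, rule 2 never matches: the firewall can only evaluate `rmtcomputergrp` against an identity, and the identity comes from the IPsec authentication, which is the "reduces conflicts and coordination overhead" point on the slide in practice.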
Improvements in Directory Services
Active Directory Features
Restartable Active Directory
Read-only domain controllers
Group Policy and ADMX
Active Directory: Read-Only Domain Controller
Introduction to the Read-Only Domain Controller. How it works in general: a read-only Active Directory database; unidirectional replication (from writable DCs to the RODC, never back); credential caching.
Benefits of the Read-Only Domain Controller: increases security for remote domain controllers where physical security cannot be guaranteed.
Active Directory: Restartable Active Directory
Introduction to Restartable Active Directory: Active Directory can be stopped and restarted without rebooting the DC, from the command line or the MMC. The DC cannot be booted directly into the stopped state; AD DS is stopped from a running DC. Stopping Active Directory has no effect on unrelated services. Logons while Active Directory is stopped can be handled in several ways.
Benefits of Restartable Active Directory: reduces time for offline operations; improves availability for other services on the DC while Active Directory is stopped; together with Server Core, reduces overall DC servicing requirements.
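The PowerShell below is an added example, not from the deck: it walks through the standard use of restartable AD DS, an offline defragmentation of ntds.dit without rebooting into Directory Services Restore Mode. It assumes an elevated prompt on the DC, reads the database and log locations from the NTDS service's registry parameters, and uses a placeholder target directory (no spaces in the path) on a volume with free space at least equal to the current database.

```powershell
# Added example, not from the deck: offline defragmentation of the AD
# database using stop/start of AD DS instead of a DSRM reboot. Requires
# elevation. Take a system state backup first
# (wbadmin start systemstatebackup -backupTarget:E:).

$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'             # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $params.'Database log files path'
$target  = 'D:\ntds-compact'                       # placeholder, no spaces

# 1. Stop AD DS. net stop also stops its dependents (KDC, Intersite Messaging,
#    DNS Server on a DC that runs it, FRS/DFSR), which is the exact scope of
#    the "no effect on non-related services" claim: everything else on the
#    box keeps running.
net stop ntds /y

# 2. Check integrity, then compact into the target directory.
ntdsutil "activate instance ntds" files integrity quit quit
New-Item -ItemType Directory -Path $target -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $target" quit quit

# 3. Swap in the compacted database and clear the old transaction logs, as
#    ntdsutil instructs when it finishes. Keep the original until AD DS
#    starts cleanly.
Copy-Item -LiteralPath $ditPath -Destination "$ditPath.bak"
Copy-Item -LiteralPath (Join-Path $target 'ntds.dit') -Destination $ditPath -Force
Remove-Item -Path (Join-Path $logDir '*.log')

# 4. Start AD DS. The dependents do not restart on their own.
net start ntds
foreach ($svc in 'kdc', 'ismserv', 'dns') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Start-Service -Name $svc }
}
Get-Service -Name ntds, kdc, ismserv | Format-Table Name, Status -AutoSize
```

While AD DS is stopped, logons to the DC itself are served by another DC if one is reachable; plan the maintenance window for the dependent services, not just for Active Directory.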
Read-only DC: How it works: secret caching during first logon
(Slide diagram: a read-only DC in the branch and a Windows Server "Longhorn" DC at the hub.)
1. AS_Req (request for a TGT) is sent to the RODC.
2. The RODC looks in its database: "I don't have the user's secrets".
3. The RODC forwards the request to the Windows Server "Longhorn" hub DC.
4. The hub DC authenticates the request.
5. The hub DC returns the authentication response and TGT to the RODC.
6. The RODC gives the TGT to the user and queues a replication request for the user's secrets.
7. The hub DC checks the Password Replication Policy to see if the password can be replicated to the RODC.
Note: at this point the user holds a hub-signed TGT.
Read-only DC: Application Support
Planning to support: ADFS, DNS, DHCP, FRS v1, DFSR (FRS v2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM.
Best effort: generic LDAP apps which support write referrals and can tolerate write failures if the WAN is offline.
An application guidance whitepaper will be published by Beta 2; it will include a checklist to verify RODC app compatibility.
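As an added example (not from the deck), the commands below manage and inspect the Password Replication Policy that step 7 of the logon flow consults, using the `/prp` and `/rodcpwdrepl` options that `repadmin` gained in Windows Server "Longhorn" (2008). The RODC, hub DC, group and user names are placeholders.

```powershell
# Added example, not from the deck: review and pre-populate an RODC's
# credential cache through its Password Replication Policy. Requires a
# domain account allowed to manage the RODC; all names are placeholders.

$rodc        = 'BRANCH-RODC1'
$hubDc       = 'HUB-DC1'
$branchUsers = 'CN=Branch Users,OU=Groups,DC=corp,DC=example,DC=com'

# 1. Allow the branch group's secrets to be cached on this RODC. Keep the
#    Allowed list to accounts that actually log on in the branch: any secret
#    cached on the ROD C is recoverable by whoever walks off with the box.
repadmin /prp add $rodc allow $branchUsers

# 2. What the policy says (Allowed / Denied lists), which accounts have
#    authenticated through the RODC (Auth2), and which secrets are actually
#    cached (Reveal). The Reveal list is the set of accounts whose passwords
#    you must reset if the RODC is lost or compromised.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny
repadmin /prp view $rodc auth2
repadmin /prp view $rodc reveal

# 3. Pre-populate the cache so first logon in the branch does not depend on
#    the WAN link being up (steps 3-5 of the flow).
$prefetch = @(
    'CN=Alice Example,OU=Branch,DC=corp,DC=example,DC=com'     # placeholder
)
foreach ($dn in $prefetch) { repadmin /rodcpwdrepl $rodc $hubDc $dn }

# 4. Privileged accounts belong on the Denied list, never the Allowed list.
#    The default "Denied RODC Password Replication Group" covers the built-in
#    administrative groups; step 2's deny output shows whether it is intact.
```

The Denied list wins over the Allowed list, so adding a broad group to Allowed is safe only as long as the administrative groups remain in Denied; compare the Reveal output against the Allowed list after a few days to see whether the policy is tighter or looser than intended.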
New Deployment Roles
What is Server Core?
Part of the "Windows Server" SKU, available as an install option.
Delivers the core set of server OS functionality.
Can boot and operate stand-alone in headless/embedded scenarios.
Part of an overall Windows / Windows Server "Longhorn" infrastructure solution.
Server Core provides support for basic server roles: File Server, DNS, DHCP, Active Directory.
Can be managed by: local and remote command-line tools; Terminal Services (remote); Microsoft Management Console (remote).
Improved Interoperability with
Unix Environments
Windows Server “Longhorn”
Features for UNIX Interoperability
Improve and enhance UNIX integration features
as a part of Windows Server
Authentication integration
UNIX scripting and application migration tools
Support for 32-bit and 64-bit
Extensions to Active Directory default schema to
support UNIX-related attributes (RFC 2307)
SUA Overview
SUA provides the basic infrastructure to run
UNIX-based applications and scripts on
Windows Server
Native subsystem residing on top of the
kernel just like the win32 subsystem
Complete UNIX semantics and system
call support
Utilities and SDK
Package available for download from the
beta website
BSD Utilities and SDK
System-V Release 5 Utilities and SDK
GNU Utilities and SDK
UNIX Perl
Utilities Coverage
Shells: Korn, C
Job control: ps, nice, kill
Development: gcc, gdb, make
Connectivity: bind, sendmail, ftp
Text processing: grep, less, awk, sed, pr, tr
Batch processing: at, cron, batch
Graphics: xterm, xrdb, xset, xclock
Password Sync - Advantages
Supported platforms: HP-UX 11i; Sun Solaris 7 and Solaris 8; IBM AIX 5L 5.2; Red Hat Linux 8.0 and higher
Benefits: logging; debugging; MD5 support; supports over 60,000 users; improved data migration times
Password Synchronization (slide diagram): the Password Synchronization Service in Windows Server exchanges password changes in both directions with a Pluggable Authentication Module (pam) and Single Sign-On Daemon (ssod) on HP-UX, Solaris, AIX and Red Hat Linux hosts. Legend: Windows password changed; UNIX password changed.
Server for NIS (slide diagram): makes a Windows Server into an NIS master server, with UNIX NIS servers (UID/GID) as subordinates, Windows servers (SID), and NIS clients served from the master.
Reliability and Performance Improvements
New Reliability Technology: Windows Performance Diagnostic Console and Reliability Monitor
Introduction: a combination of performance tools. Resource View keeps track of system activity and resource usage; Reliability Monitor diagnoses potential causes of instability.
Benefits: combining the performance tools in a single interface increases the efficiency of operations; Resource View is easier to use and more powerful than Task Manager; Reliability Monitor saves the administrator's time by pointing recovery from instability at the likely cause.
New Application Server
Internet Information Services (IIS) 7.0
More than an enterprise-class web server, IIS 7.0 is an extensible platform for securely delivering business applications and services over the Web.
IIS 7.0 Enhancements (slide diagram): compelling custom solutions through an extensible modular architecture, an integrated application stack, and optimized security and patching; a scalable, streamlined infrastructure through a distributed configuration model, delegated management tools, and comprehensive diagnostic support; rapid solution deployment and efficient administrators and developers.
Administration
Previous IIS user interface: limited application concept; tabs, tabs, and more tabs.
IIS 7 administration experience: easy navigation; a tree view; category sorting for easy-to-find features.
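The PowerShell below is an added example, not from the deck: it shows the security side of IIS 7's distributed configuration model and delegated management, where a site owner can override server settings in their own web.config unless the server administrator locks the section. It assumes an elevated prompt on an IIS 7 machine and uses `appcmd.exe` from the `inetsrv` directory; the site name is a placeholder.

```powershell
# Added example, not from the deck: set a server-wide request filtering
# baseline in applicationHost.config and lock it so delegated site
# administrators cannot relax it from web.config. Requires elevation.

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'                       # placeholder

# 1. Baseline: cap request bodies at 10 MB, refuse ".." path sequences,
#    and refuse requests for .exe files.
& $appcmd set config /section:system.webServer/security/requestFiltering `
    /requestLimits.maxAllowedContentLength:10485760 /commit:apphost
& $appcmd set config /section:system.webServer/security/requestFiltering `
    "/+denyUrlSequences.[sequence='..']" /commit:apphost
& $appcmd set config /section:system.webServer/security/requestFiltering `
    "/+fileExtensions.[fileExtension='.exe',allowed='false']" /commit:apphost

# 2. Lock the section. From now on a site's web.config that tries to change
#    requestFiltering fails with a 500.19 configuration error instead of
#    silently weakening the baseline.
& $appcmd lock config /section:system.webServer/security/requestFiltering

# 3. Sections a site owner may legitimately tune stay unlocked; default
#    documents are a typical example.
& $appcmd unlock config /section:system.webServer/defaultDocument

# 4. Show the effective configuration for one site.
& $appcmd list config "$site/" /section:system.webServer/security/requestFiltering
```

Lock state is itself part of the configuration, so it travels with applicationHost.config when the server is cloned, which is the property that makes delegation safe across a web farm.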
Management Improvements
Windows Server 2003: installing, securing, and managing server roles was fragmented across multiple tools: Windows Server 2003 Setup, Post-Setup Security Updates, Manage Your Server, Configure Your Server Wizard, Add/Remove Windows Components, Computer Management, Security Configuration Wizard.
Windows Server "Longhorn" setup phases: OS Setup, Initial Configuration Tasks, Server Manager.
Server Manager provides a great out-of-the-box experience for adding, configuring, and managing server roles:
1. Out-of-box experience (OOBE): walks the user through the tasks necessary to complete setup and operationalize the server.
2. Single experience for configuring Windows Server "Longhorn": steps the user through adding and removing server roles and features securely.
3. Portal for ongoing management: displays server status, exposes key management tasks, and guides the user to advanced management tools.
Server Manager in Windows Server "Longhorn"
Timeline
PDC, Sept 2005: developer engagement
Beta 2, Q2 CY 2006: enterprise engagement and deployment
Beta 3, TBD: Customer Preview Program
Community Technology Preview (CTP) program releases in between
Ship, 2007: broad availability
Resources
Technical Chats and Webcasts
http://www.microsoft.com/communities/chats/default.mspx
http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx
MSDN & TechNet
http://microsoft.com/msdn
http://microsoft.com/technet
Virtual Labs
http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites/Blogs
http://www.microsoft.com/communities/default.mspx
http://blogs.technet.com/windowsserver
User Groups
http://www.microsoft.com/communities/usergroups/default.mspx
Live from Tech·Ed Webcast Series, brought to you by www.microsoft.com/hpc
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.