SVR219: Ten Reasons to Prepare for Windows Server Code Named "Longhorn"

Ward Ralston (wardr@microsoft.com), Sr. Technical Product Manager, Windows Server Division, Microsoft Corporation
Nuo Yan, Microsoft MVP – Windows Shell / User

More Pressure than Ever on IT
- Technology change, regulatory compliance, competition, security, cost reduction
- Keep the business up and running; customer connection; end-user productivity; business results and new value

IT Challenges
- Over 60% of TCO over a 5-year period is driven by people costs, and those people are spending their time on manual tasks.
- [Chart: "Degree of Automation" (manual / scripts / automated tools) for each management area: security management, network, storage, change/config, event and performance. Roughly 53-62% of each area is still handled manually, 13-24% by scripts and 23-29% by automated tools. Second chart: TCO breakdown into staff costs, downtime, training, software and hardware.]
- Source: IDC 2002, Microsoft primary quantitative research; 400 30-minute phone surveys of IT professionals in data centers with 25 or more servers.

Microsoft's Promises to You
- Enabling IT pros and development teams across the IT lifecycle
- Operations infrastructure: control, flexibility, availability
- Application platform: flexible solutions, connected systems, rich experiences
- Investment in the fundamentals: security, reliability, performance

Ten Reasons to Prepare for Windows Server "Longhorn"
1. Improvements in server security
2. Network Access Protection (NAP)
3. New Terminal Services capabilities
4. Improvements in networking
5. Enhancements to Directory Services
6. New deployment roles
7. Improved interoperability with UNIX
8. Reliability and performance improvements
9. New application server
10. Management improvements

Improvements in Server Security

Windows Service Hardening
- Defense in depth through factoring and profiling: reduce the size of the high-risk layers, segment the services, increase the number of layers
- [Diagram: a monolithic service split into Service 1, 2, 3 / Service A, B, each with its own driver (D), running above kernel-mode and user-mode drivers]

Service Changes in Windows Server
“Longhorn”: Windows XP SP2 / Server 2003 R2 vs. Windows Vista / Windows Server “Longhorn”
- [Table, grouped by service account; the column assignment is only partly recoverable from the extracted text. Services listed: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA/Nlasvc, Rasauto, Rasman, RemoteAccess, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, Server, Browser, ICS, WMI, WMI Perf Adapter, Automatic Updates, Secondary Logon, App Management, BITS, TrkWks, 6to4, Task Scheduler, Cryptographic Services, PolicyAgent, W32time, DNS Client, DHCP Client, TCP/IP NetBIOS Helper, WebClient, SSDP, Event Log, Remote Registry, Help and Support, Removable Storage.]
- In Windows XP SP2 / Server 2003 R2 the great majority of these run as LocalSystem, with a handful as Network Service (e.g. DNS Client) or Local Service (e.g. SSDP, WebClient, TCP/IP NetBIOS Helper, Remote Registry).
- In Windows Vista / Windows Server “Longhorn” most of them are moved out of LocalSystem into Network Service or Local Service, and every service is assigned a restriction profile: Firewall Restricted, Fully Restricted, Network Restricted (Network Service) or No Network Access (Local Service).

BitLocker™ Drive Encryption
- Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections
- Secure Startup helps provide data protection on Windows systems even when the system is in unauthorized hands
- Uses a v1.2 TPM or a USB flash drive for key storage

BitLocker™ Features Overview
- Ensures boot process integrity; protects the system from offline software-based attacks
- Protects data while the system is offline: encrypts the entire Windows volume, including user data and system files, the hibernation file, the page file and temporary files
- Force Recovery: sys-admin-only tool to securely speed up PC redeployment; eases equipment recycling
- Single Microsoft TPM driver: improved stability and security
- TPM Base Services (TBS): Windows and third-party software access to the TPM
- Scenarios: lost or stolen laptop; branch-office server

Server Integrity: Code Integrity (OS File Protection)
- Validates the integrity of the boot process: checks the kernel, HAL and boot-start drivers; if validation fails, the image won't load
- Validates the integrity of each binary image: implemented as a file system filter driver; checks hashes for every page as it is loaded; checks any image loading into a protected process
- Hashes are stored in the system catalog or in the X.509 certificate (Authenticode signature) embedded in the file

Controlling Device Installation
- Ability to block all new device installs: deploy a machine and allow no new devices to be installed
- Set exceptions based on device class or device ID: allow keyboards and mice to be added but nothing else; allow specific device IDs
- Configurable via Group Policy, set at the computer level

Network Access Protection (NAP)

Network Access Protection: How It Works
- [Diagram: Windows client -> DHCP, VPN or switch/router -> Microsoft Network Policy Server (NPS), backed by policy servers (e.g. patch, AV); a restricted network with fix-up servers (e.g. patch); the corporate network]
1. The client requests access to the network and presents its current health state
2. DHCP, VPN or switch/router relays the health status to the Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations and signatures (repeat steps 1-4)
5. If policy compliant, the client is granted full access to the corporate network
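The Windows Service Hardening slide above lists which services were moved out of LocalSystem and given a restriction profile. The per-service SID type and the privilege list that make that profiling possible are visible with sc.exe on Vista / Windows Server "Longhorn" (2008) and later. The following is an added example, not code from the deck or from Microsoft: it audits every LocalSystem service for an unrestricted SID type or a wide privilege set, and shows how to apply the same hardening to an in-house service. The service name "ContosoAgent", its two privileges and the review threshold are assumptions.

```powershell
# Added example (not from the slide deck): audit Windows Service Hardening state.
# For every service running as LocalSystem, query the per-service SID type and the
# retained privilege set via sc.exe, and flag services with an UNRESTRICTED SID type
# or a large privilege list. Run elevated. Threshold and service names are assumptions.

function Get-ServiceHardeningReport {
    param(
        # Only flag LocalSystem services keeping more than this many privileges (assumption)
        [int]$PrivilegeThreshold = 6
    )
    $services = Get-WmiObject Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' }
    foreach ($svc in $services) {
        # "sc.exe qsidtype <name>" prints a line such as "SERVICE_SID_TYPE:  UNRESTRICTED"
        $sidLine = & sc.exe qsidtype $svc.Name | Select-String 'SERVICE_SID_TYPE'
        $sidType = if ($sidLine) { ($sidLine.Line -split ':')[1].Trim() } else { 'UNKNOWN' }

        # "sc.exe qprivs <name>" lists the privileges the service asked to keep, one per line
        $privs = @(& sc.exe qprivs $svc.Name |
            Select-String 'Se[A-Za-z]+Privilege' -AllMatches |
            ForEach-Object { $_.Matches } |
            ForEach-Object { $_.Value })

        New-Object PSObject -Property @{
            Name        = $svc.Name
            Account     = $svc.StartName
            SidType     = $sidType
            Privileges  = ($privs -join ',')
            NeedsReview = ($sidType -eq 'UNRESTRICTED' -or $privs.Count -gt $PrivilegeThreshold)
        }
    }
}

# Apply the hardening to a hypothetical in-house service "ContosoAgent": give it a
# restricted service SID (so file and registry ACLs can be scoped to that SID instead
# of to LocalSystem) and trim its privileges to the ones it actually needs.
function Set-ServiceRestricted {
    param(
        [string]$Name,
        [string[]]$Privileges   # sc.exe privs takes a '/'-separated list
    )
    & sc.exe sidtype $Name restricted | Out-Null
    & sc.exe privs $Name ($Privileges -join '/') | Out-Null
    & sc.exe qsidtype $Name
    & sc.exe qprivs $Name
}

Get-ServiceHardeningReport | Where-Object { $_.NeedsReview } |
    Format-Table Name, SidType, Privileges -AutoSize

# Set-ServiceRestricted -Name 'ContosoAgent' -Privileges 'SeChangeNotifyPrivilege','SeImpersonatePrivilege'
```

A service still shown as LocalSystem with an UNRESTRICTED SID type and no privilege list is one that has not been factored at all; the privilege trim only takes effect after the service is restarted, and a service that later calls an API needing a removed privilege fails with an access-denied error rather than silently, so test it before rolling the change out.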
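The BitLocker slides above promise protection against offline attacks only when a TPM-bound key protector exists, the TPM is usable, protection is switched on and a recovery password has been escrowed. The following added example, not code from the deck or from Microsoft, checks those preconditions through the WMI providers that ship with Vista / Windows Server "Longhorn" (Win32_Tpm and Win32_EncryptableVolume). The drive letter and the baseline it enforces are assumptions for the example.

```powershell
# Added example (not from the slide deck): verify BitLocker / TPM preconditions via WMI.
# Run elevated. The drive letter and the baseline policy are assumptions.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }   # no TPM driver loaded: no hardware-rooted key storage
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion            # e.g. "1.2, 2, 3"
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
    }
}

# Key protector types as returned by GetKeyProtectorType()
$ProtectorNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
                     4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey';
                     7 = 'PublicKey'; 8 = 'Passphrase' }

function Get-BitLockerVolumeState {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume $DriveLetter" }
    $conv  = $vol.GetConversionStatus()
    $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)   # 0 = all protector types
    $types = @()
    foreach ($id in $ids) {
        $types += $ProtectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        ProtectionOn     = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
        EncryptedPercent = $conv.EncryptionPercentage
        Protectors       = ($types -join ',')
    }
}

# Baseline (assumption for this example): a branch-office server or laptop needs a
# 1.2+ TPM that is enabled, activated and owned, a TPM-bound protector, an escrowed
# recovery (numerical) password, protection on, and the conversion finished.
function Test-BitLockerBaseline {
    param([string]$DriveLetter = 'C:')
    $tpm = Get-TpmState
    $vol = Get-BitLockerVolumeState -DriveLetter $DriveLetter
    $findings = @()
    if (-not $tpm) {
        $findings += 'No TPM present; BitLocker can only use a USB startup key'
    } elseif (-not ($tpm.Enabled -and $tpm.Activated -and $tpm.Owned)) {
        $findings += 'TPM not enabled/activated/owned'
    }
    if ($vol.Protectors -notmatch 'TPM')               { $findings += 'No TPM-bound key protector' }
    if ($vol.Protectors -notmatch 'NumericalPassword') { $findings += 'No recovery password protector' }
    if (-not $vol.ProtectionOn)                        { $findings += 'Protection is off (suspended or never enabled)' }
    if ($vol.EncryptedPercent -lt 100)                 { $findings += "Encryption only $($vol.EncryptedPercent)% complete" }
    if ($findings.Count -eq 0) { 'OK: baseline met' } else { $findings }
}

Test-BitLockerBaseline -DriveLetter 'C:'
```

A TPM-only protector satisfies the slide's offline threat model (another OS booted on the same disk); it does not help once Windows has booted and the volume key is in memory, so for the lost-laptop scenario a TPM+PIN protector (type 4) is the setting to require, and the recovery password must be stored somewhere other than the machine itself (Active Directory escrow in a domain).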
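The Controlling Device Installation slide above describes the policy "block all new devices, allow keyboards and mice, plus a few approved device IDs". The following added example, not code from the deck or from Microsoft, writes that policy in the registry form the Group Policy settings produce under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions and reads it back; in a domain you set the same values in the GPO editor (Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions), and a local write like this is how you test on one machine. The setup-class GUIDs are the well-known Windows ones; the approved hardware ID is an assumption.

```powershell
# Added example (not from the slide deck): device installation restrictions as registry
# policy. Run elevated on a Vista / Windows Server "Longhorn" or later machine.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Device setup-class GUIDs (well-known constants from the Windows DDK)
$AllowedClasses = @(
    '{4D36E96B-E325-11CE-BFC1-08002BE10318}',  # Keyboard
    '{4D36E96F-E325-11CE-BFC1-08002BE10318}',  # Mouse
    '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}'   # HID (USB keyboards and mice enumerate here too)
)
# Hypothetical hardware ID of an approved device; read the real one from
# Device Manager > Details > Hardware Ids before adding it.
$AllowedIds = @('USB\VID_0C27&PID_3BFA')

function Set-DeviceInstallRestrictions {
    param([string[]]$Classes, [string[]]$HardwareIds)
    foreach ($key in @($Base, "$Base\AllowDeviceClasses", "$Base\AllowDeviceIDs")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # "Prevent installation of devices not described by other policy settings"
    Set-ItemProperty -Path $Base -Name 'DenyUnspecified' -Value 1 -Type DWord
    # Exceptions are numbered string values "1", "2", ... under the Allow* keys
    $i = 1
    foreach ($c in $Classes) {
        Set-ItemProperty -Path "$Base\AllowDeviceClasses" -Name "$i" -Value $c -Type String; $i++
    }
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path "$Base\AllowDeviceIDs" -Name "$i" -Value $id -Type String; $i++
    }
}

function Get-DeviceInstallRestrictions {
    $props   = Get-ItemProperty -Path $Base                     -ErrorAction SilentlyContinue
    $classes = Get-ItemProperty -Path "$Base\AllowDeviceClasses" -ErrorAction SilentlyContinue
    $ids     = Get-ItemProperty -Path "$Base\AllowDeviceIDs"     -ErrorAction SilentlyContinue
    # Only the numbered values are policy entries; skip the PS* metadata properties
    $numbered = { param($obj) @($obj.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }) }
    New-Object PSObject -Property @{
        DenyUnspecified = [bool]$props.DenyUnspecified
        AllowedClasses  = & $numbered $classes
        AllowedIds      = & $numbered $ids
    }
}

Set-DeviceInstallRestrictions -Classes $AllowedClasses -HardwareIds $AllowedIds
Get-DeviceInstallRestrictions | Format-List
```

Two things to check after applying it: devices that were already installed keep working (the policy only gates new installs, so a USB disk plugged in before the policy was set is not blocked until it is removed and reinstalled), and on a domain member the next Group Policy refresh overwrites these local values with whatever the GPO says, so the production copy has to live in the GPO.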
NAP: Enforcement Options
- DHCP: healthy client gets a full IP address and full access; unhealthy client gets a restricted set of routes
- VPN (Microsoft and 3rd party): healthy client gets full access; unhealthy client is placed in a restricted VLAN
- 802.1X: healthy client gets full access; unhealthy client is placed in a restricted VLAN
- IPsec: a healthy client can communicate with any trusted peer; healthy peers reject connection requests from unhealthy systems. IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and gives flexible isolation

NAP Benefits
- Built-in client (Windows Vista, Windows XP): no need to deploy or license a 3rd party client; updates via WUS / WSUS / SMS
- Flexible enforcement (DHCP, VPN, 802.1X, Terminal Services, server and domain isolation): works with today's and tomorrow's networks; enables risk/benefit trade-offs
- 3rd party enforcement (all major switch / router / firewall / VPN vendors): customers can use any network or security infrastructure vendor
- Health assessment (SMS, WUS, SecurityCenter, 3rd party): seamless integration with Windows infrastructure; works with any AV, patch or endpoint security solution
- User experience: integrated with Windows Vista glass; branding supported; polished look and feel tailored for the customer environment
- Management: integration with SMS, AD, Group Policy and MOM for client, server and service operations; complete policy-based administration and operation

New Terminal Services Capabilities

Terminal Services (secure centralized application access)
- Centralized application access from a central location: app deployment ("app virtualization"), branch office, secure anywhere access
- New features: TS Gateway, TS Remote Programs, SSO for managed clients
- Scenarios: branch office, home office, mobile worker in an airport

Terminal Services Gateway
- Remote access to internal application resources from home, a hotel or a business partner/client site
- [Diagram: client on the Internet -> HTTPS/443 through the external firewall -> TS Gateway server in the DMZ -> internal firewall -> terminal servers (or an email server) on the corp LAN. The gateway tunnels RDP over HTTPS, strips off the SSL wrapper and passes the RDP session to the terminal server.]

TS Gateway Security
- Authentication with passwords or smartcards
- Uses industry-standard encryption and firewall traversal (SSL, HTTPS)
- RDP traffic is still encrypted end-to-end, client to terminal server
- Client machine health can be validated (using NAP)
- SSL termination devices can terminate the SSL traffic on a separate device (for intrusion detection or filtering in the DMZ)

Compared to VPN
- Users can access corporate applications and corporate desktops via a web browser
- Friendly with home machines
- Crosses firewalls and NATs (with HTTPS:443)
- Granular access control at the perimeter: Connection Authorization Policy (CAP) and Resource Authorization Policy (RAP)

Terminal Services Remote Programs
- Simple, fast application deployment; central management of LOB applications; lightweight deployment of data-intensive apps
- Programs roam easily (anywhere access); staged rollout of new application releases; application consolidation
- Integrates with local programs: drag and drop (Beta 3), system tray integration, local devices and files available

Improvements in Networking Services

Complete Redesign of TCP/IP
- [Diagram: Next Generation TCP/IP Stack (tcpip.sys). User mode: Winsock; kernel mode: AFD, TDI clients and WSK clients over TDI/TDX and WSK; IPv6 and IPv4 in one layer with RAW, UDP and TCP transports and an Inspection API; 802.3, WLAN, loopback, IPv4 tunnel and IPv6 tunnel interfaces over NDIS]
- Dual-IP-layer architecture for native IPv4 and IPv6 support
- Seamless security through expanded IPsec integration
- Improved performance via hardware acceleration
- Network auto-tuning and optimization algorithms
- Greater extensibility and reliability through rich APIs

A Short List of New Features (the slide marks each with the benefit it contributes to: security, experience, scalability, reliability)
- Security: IPsec; VPN routing compartments; Windows Filtering Platform (WFP); Secure Sockets API
- Scalability and experience: IPv6; TCP Chimney; TCP-A (I/OAT); Receive Side Scaling (RSS); Receive Window Auto-Tuning; Compound TCP (CTCP) congestion control; policy-based Quality of Service (eQoS)
- Reliability: wireless; Black-Hole Router Detection (BHRD); Dead Gateway Detection; Network Diagnostics Framework / Extended TCP Statistics

Windows Firewall with Advanced Security
- Combined firewall and IPsec management
- New management tool: the Windows Firewall with Advanced Security MMC snap-in
- Reduces conflicts and coordination overhead between the two technologies
- Firewall rules become more intelligent: specify security requirements such as authentication and encryption; specify Active Directory computer or user groups
- Outbound filtering
- Enterprise management feature, not for consumers
- Simplified protection policy reduces management overhead

Improvements in Directory Services

Active Directory Features
- Restartable Active Directory
- Read-only domain controllers
- Group Policy and ADMX

Active Directory Read-Only Domain Controller (RODC)
- How it works in general: read-only Active Directory database; unidirectional replication; credential caching
- Benefit: increases security for remote domain controllers where physical security cannot be guaranteed

Active Directory Restartable Active Directory
- Restart Active Directory without rebooting; can be done through the command line and the MMC
- The DC can't be booted directly into the stopped mode of Active Directory
- No effect on unrelated services while Active Directory is restarted
- Several ways to process logon while in stopped mode
- Benefits: reduces time for offline operations; improves availability of other services on the DC while Active Directory is stopped; reduces overall DC servicing requirements together with Server Core

Read-Only DC: How It Works (secret caching during first logon)
- [Diagram: branch-office RODC forwarding to a Windows Server "Longhorn" DC at the hub]
1. AS_REQ is sent to the RODC (request for a TGT)
2. The RODC looks in its database: "I don't have the user's secrets"
3. It forwards the request to a Windows Server "Longhorn" DC at the hub
4. The hub DC authenticates the request
5. It returns the authentication response and TGT to the RODC
6. The RODC gives the TGT to the user and queues a replication request for the secrets
7. The hub DC checks the Password Replication Policy to see whether the password may be replicated
Note: at this point the user holds a hub-signed TGT

Read-Only DC: Application Support
- Planning to support: ADFS, DNS, DHCP, FRS v1, DFSR (FRS v2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
- Best effort: generic LDAP apps that support write referrals and can tolerate write failures if the WAN is offline
- An application guidance whitepaper will be published by Beta 2, including a checklist to verify RODC app compatibility

New Deployment Roles

What is Server Core?
- Part of the "Windows Server" SKU, available as an install option
- Delivers the core set of server OS functionality
- Can boot and operate stand-alone in headless/embedded scenarios
- Part of an overall Windows / Windows Server "Longhorn" infrastructure solution
- Supports the basic server roles: File Server, DNS, DHCP, Active Directory
- Can be managed by local and remote command-line tools, Terminal Services (remote) and the Microsoft Management Console (remote)

Improved Interoperability with UNIX Environments

Windows Server "Longhorn" Features for UNIX Interoperability
- Improve and enhance the UNIX integration features as part of Windows Server
- Authentication integration; UNIX scripting and application migration tools
- Support for 32-bit and 64-bit
- Extensions to the Active Directory default schema to support UNIX-related attributes (RFC 2307)

SUA Overview
- SUA (Subsystem for UNIX-based Applications) provides the basic infrastructure to run UNIX-based applications and scripts on Windows Server
- Native subsystem residing on top of the kernel, just like the Win32 subsystem
- Complete UNIX semantics and system call support
- Utilities and SDK package available for download from the beta website: BSD utilities and SDK; System V Release 5 utilities and SDK; GNU utilities and SDK; UNIX Perl

Utilities Coverage
- Shells: Korn, C, job control
- Process control: ps, nice, kill
- Development: gcc, gdb, make
- Connectivity: bind, sendmail, ftp
- Text processing: grep, less, awk, sed, pr, tr
- Batch processing: at, cron, batch
- Graphics: xterm, xrdb, xset, xclock
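The Windows Firewall with Advanced Security slide above says firewall rules can now require IPsec authentication and be scoped to an Active Directory computer group, and that outbound filtering is available. The following added example, not code from the deck or from Microsoft, builds exactly that with the netsh advfirewall context that ships with Vista / Windows Server "Longhorn": a connection security rule that requests Kerberos computer authentication, one inbound rule that allows RDP only from authenticated members of a computer group, and a default-deny outbound profile. The group name, port and the DNS allowance are assumptions; run it elevated on a domain member.

```powershell
# Added example (not from the slide deck): authenticated, group-scoped firewall rules.
# Names, group and port are assumptions for the example.

function Get-GroupSddl {
    # netsh takes the computer group as an SDDL string, so resolve the AD group to its SID
    param([string]$GroupName)   # e.g. 'CONTOSO\Admin-Workstations' (assumed)
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "D:(A;;CC;;;$sid)"          # one allow ACE granting "connect" to that SID
}

function Enable-DomainIsolation {
    # Request (not require) authentication in both directions first, so unmanaged hosts keep
    # working while you find out who cannot negotiate; move to requireinrequestout once clean.
    & netsh advfirewall consec add rule name=Domain-Isolation-Request endpoint1=any endpoint2=any `
        action=requestinrequestout auth1=computerkerb profile=domain
}

function Add-AuthenticatedRdpRule {
    param([string]$GroupName, [int]$Port = 3389)
    $sddl = Get-GroupSddl $GroupName
    # security=authenticate: only IPsec-authenticated peers match this rule; rmtcomputergrp
    # narrows that to one computer group. security=authenc would also require encryption.
    & netsh advfirewall firewall add rule name=RDP-from-admin-workstations dir=in action=allow `
        protocol=TCP localport=$Port security=authenticate rmtcomputergrp="$sddl" profile=domain
}

function Set-DefaultDenyOutbound {
    # The slide's outbound filtering: default-deny outbound in the domain profile,
    # then allow only what the role needs (DNS shown as the assumed example).
    & netsh advfirewall set domainprofile firewallpolicy "blockinbound,blockoutbound"
    & netsh advfirewall firewall add rule name=Allow-DNS-out dir=out action=allow `
        protocol=UDP remoteport=53 profile=domain
}

function Show-FirewallState {
    & netsh advfirewall show domainprofile
    & netsh advfirewall consec show rule name=all
    & netsh advfirewall firewall show rule name=RDP-from-admin-workstations verbose
}

Enable-DomainIsolation
Add-AuthenticatedRdpRule -GroupName 'CONTOSO\Admin-Workstations'
Set-DefaultDenyOutbound
Show-FirewallState
```

The rule only does what the slide promises if the connection security rule is actually negotiated: a peer that cannot do Kerberos (a workgroup machine, a machine outside the domain profile) never matches security=authenticate and is simply dropped, which is the intended behaviour but is easy to mistake for a networking fault, so check the negotiation with the monitoring node of the snap-in before switching from request to require.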
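Step 7 of the RODC logon flow above depends on the Password Replication Policy: it decides whose secrets an RODC may cache, and therefore what an attacker gets by stealing the branch box. The following added example, not code from the deck or from Microsoft, manages that policy with repadmin /prp, which ships with Windows Server "Longhorn" (2008). The RODC name, hub DC name and group names are assumptions; run it as a domain admin.

```powershell
# Added example (not from the slide deck): Password Replication Policy operations
# for a branch RODC. Hostnames and group names are assumptions.

$Rodc  = 'BRANCH-RODC01'   # assumed RODC
$HubDc = 'HUB-DC01'        # assumed writable hub DC

function Show-RodcPasswordPolicy {
    # Four views: who may be cached, who must never be cached, whose secrets are on the
    # box right now, and who has authenticated through this RODC (candidates for allow)
    & repadmin /prp view $Rodc allow
    & repadmin /prp view $Rodc deny      # deny wins over allow
    & repadmin /prp view $Rodc reveal
    & repadmin /prp view $Rodc auth2
}

function Add-RodcAllowedGroup {
    # Allow caching only for the branch's own users (assumed group); admins stay in deny
    param([string]$Group = 'CONTOSO\Branch01-Users')
    & repadmin /prp add $Rodc allow $Group
}

function Prefill-RodcUserSecret {
    # Pre-populate a user's secrets from the hub so the first branch logon works even
    # when the WAN is down (otherwise step 3 of the flow cannot reach the hub DC)
    param([string[]]$Users)
    & repadmin /rodcpwdrepl $Rodc $HubDc @Users
}

function Get-RodcCachedAccounts {
    # Incident response input: if the RODC is lost or stolen, every account in the
    # "reveal" list must be reset (deleting the RODC computer account in AD Users and
    # Computers offers to reset them for you).
    & repadmin /prp view $Rodc reveal
}

Add-RodcAllowedGroup
Prefill-RodcUserSecret -Users 'CONTOSO\jdoe'
Show-RodcPasswordPolicy
```

Keep the allow list to the accounts that physically work at the branch: the point of the RODC design is that the secrets of domain admins and of users at other sites are never on the branch disk, and "reveal" is the list you are trusting the branch's physical security with.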
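The Restartable Active Directory slide above lists "offline operations without a reboot" as the benefit. The following added example, not code from the deck or from Microsoft, performs the classic one: stop NTDS, run an integrity check and an offline defragmentation with ntdsutil against the stopped database, and start the service again, all without booting into Directory Services Restore Mode. The scratch path is an assumption; run it elevated on the DC during a maintenance window.

```powershell
# Added example (not from the slide deck): offline AD database maintenance via the
# stopped-NTDS mode. The compact path is an assumption.

$Compact = 'C:\NtdsCompact'   # scratch location for the compacted copy (assumed)

function Stop-DirectoryService {
    # Stopping NTDS also stops its dependents (KDC, Intersite Messaging, DNS Server if
    # installed, DFS Replication); "/y" answers the confirmation prompt
    & net stop ntds /y
    (Get-Service NTDS).Status     # expected: Stopped
}

function Test-NtdsIntegrity {
    # ntdsutil works on the stopped instance; "files integrity" is the ESE consistency check
    & ntdsutil "activate instance ntds" files integrity quit quit
}

function Invoke-NtdsOfflineDefrag {
    if (-not (Test-Path $Compact)) { New-Item -ItemType Directory -Path $Compact | Out-Null }
    & ntdsutil "activate instance ntds" files "compact to $Compact" quit quit
    # ntdsutil then prints the finishing steps: copy "$Compact\ntds.dit" over the live
    # %SystemRoot%\NTDS\ntds.dit and delete the old *.log files before restarting.
}

function Start-DirectoryService {
    & net start ntds
    # Dependents do not come back on their own; restart the ones that were running
    & net start kdc
    & net start dns          # only if the DNS Server role is installed on this DC
    (Get-Service NTDS).Status     # expected: Running
}

# While NTDS is stopped, domain logon on this DC is served by another DC if one is
# reachable; on a lone DC only the DSRM administrator can log on locally (the
# "several ways to process logon under stopped mode" on the slide).
Stop-DirectoryService
Test-NtdsIntegrity
Invoke-NtdsOfflineDefrag
Start-DirectoryService
```

Take a system state backup before the defragmentation and keep the original ntds.dit until the service has restarted cleanly; the stopped mode removes the reboot, not the risk of replacing the database file.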
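The Server Core slide above says the box is managed only from the command line, locally or remotely. The following added example, not code from the deck or from Microsoft, shows the sequence for bringing up a Server Core machine in the DNS role: static addressing with netsh, domain join with netdom, role installation with oclist/ocsetup, and opening the firewall for the remote MMC and Remote Desktop management the slide mentions. The "Longhorn" (2008) Server Core build did not carry PowerShell, so these commands are shown driven from PowerShell on a management session; typed in cmd.exe on the console they are identical except that "start /w" replaces Start-Process. Addresses, names and the join account are assumptions.

```powershell
# Added example (not from the slide deck): Server Core DNS role build-out.
# Every value below is an assumption for the example.

$Nic     = 'Local Area Connection'
$Address = '10.1.0.10'; $Mask = '255.255.255.0'; $Gateway = '10.1.0.1'
$Dns     = '10.1.0.2'
$Domain  = 'corp.example'; $NewName = 'CORE-DNS01'

function Set-CoreNetwork {
    & netsh interface ipv4 set address name="$Nic" source=static address=$Address mask=$Mask gateway=$Gateway
    & netsh interface ipv4 add dnsserver name="$Nic" address=$Dns index=1
    & netsh interface ipv4 show config name="$Nic"
}

function Join-CoreToDomain {
    # /passwordd:* prompts for the password instead of leaving it on the command line
    & netdom renamecomputer $env:COMPUTERNAME /newname:$NewName /force
    & netdom join $NewName /domain:$Domain /userd:"$Domain\svc-join" /passwordd:*
}

function Install-CoreDnsRole {
    # Roles on Core are optional components: oclist shows the exact (case-sensitive)
    # names, ocsetup installs one; wait for it, ocsetup returns immediately otherwise
    & oclist | Select-String 'DNS'
    Start-Process -FilePath 'ocsetup.exe' -ArgumentList 'DNS-Server-Core-Role' -Wait
    (Get-Service DNS).Status     # expected: Running after the install
}

function Enable-CoreRemoteManagement {
    # Let the remote MMC / WMI tools through the firewall, and enable Remote Desktop
    # for a Terminal Services session (scregedit.wsf /ar 0 = allow remote connections)
    & netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
    & cscript "$env:SystemRoot\System32\scregedit.wsf" /ar 0
}

Set-CoreNetwork
Join-CoreToDomain          # reboot required after the join: shutdown /r /t 0
Install-CoreDnsRole
Enable-CoreRemoteManagement
```

Opening the "Remote Administration" rule group exposes RPC and WMI to the whole domain profile; on a Core box that is exactly the surface the slide's reduced footprint was meant to shrink, so scope the group's rules to the management subnet (netsh advfirewall firewall set rule group="Remote Administration" new remoteip=...) rather than leaving them open to any address.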
Password Synchronization: Advantages
- Supported platforms: HP-UX 11i; Sun Solaris 7 and Solaris 8; IBM AIX 5L 5.2; Red Hat Linux 8.0 and higher
- Benefits: logging; debugging; MD5 support; supports over 60,000 users; improved data migration times
- [Diagram: the Password Synchronization Service on Windows Server exchanges password changes in both directions with the Pluggable Authentication Module (pam) and the Single Sign On Daemon (ssod) on HP-UX, Solaris, AIX and Red Hat Linux hosts. Legend: Windows password changed; UNIX password changed.]

Server for NIS
- Makes a Windows Server into an NIS master server
- [Diagram: NIS master on Windows Servers (SID) replicating to subordinate UNIX NIS servers (UID/GID) that serve the NIS clients]

Reliability and Performance Improvements

New Reliability Technology: Windows Performance Diagnostic Console and Reliability Monitor
- A combination of performance tools
- Keep track of system activity and resource usage with Resource View
- Reliability Monitor diagnoses potential causes of instability
- Benefits: combining the performance tools in a single interface increases operational efficiency; Resource View is easier to use but more powerful than Task Manager; Reliability Monitor saves the administrator's time when recovering the system from instability in a targeted manner

New Application Server

Internet Information Services (IIS) 7.0
- More than an enterprise-class web server, IIS 7.0 is an extensible platform for securely delivering business applications and services over the web
- Enhancements: extensible modular architecture; integrated application stack; optimized security and patching (compelling custom solutions); scalable, streamlined infrastructure; distributed configuration model; delegated management tools; comprehensive diagnostic support; rapid solution deployment (efficient administrators and developers)

Administration
- Previous IIS user interface: limited application concept; tabs, tabs and more tabs
- IIS 7 administration experience: easy navigation; tree view; category sorting to find features easily

Management Improvements
- Windows Server 2003: installing, securing and managing server roles is fragmented across multiple tools (Setup, Post-Setup Security Updates, Manage Your Server, Configure Your Server Wizard, Add/Remove Windows Components, Computer Management, Security Configuration Wizard)
- Windows Server "Longhorn" setup phases: OS Setup -> Initial Configuration Tasks -> Server Manager

Server Manager in Windows Server "Longhorn"
Provides a great out-of-the-box experience for adding, configuring and managing server roles
1. Out-of-box experience (OOBE): walks the user through the tasks necessary to complete setup and operationalize the server
2. Single experience for configuring Windows Server "Longhorn": steps the user through adding and removing server roles and features securely
3. Portal for ongoing management: displays server status, exposes key management tasks and guides the user to the advanced management tools

Timeline
- PDC, September 2005: developer engagement
- Beta 2, Q2 CY2006: enterprise engagement and deployment; Customer Preview Program
- Beta 3, TBD; Community Technology Preview (CTP) program releases
- Ship 2007: broad availability

Resources
- Technical chats and webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
- Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
- MSDN and TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
- Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
- Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
- Technical community sites and blogs: http://www.microsoft.com/communities/default.mspx and http://blogs.technet.com/windowsserver
- User groups: http://www.microsoft.com/communities/usergroups/default.mspx

The Live from Tech·Ed Webcast Series has been brought to you by www.microsoft.com/hpc. Fill out a session evaluation on CommNet for a chance to win an Xbox 360!

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.