Ten Reasons to Prepare for Windows Server Code Named "Longhorn"


SVR219


Ward Ralston (wardr@microsoft.com), Sr. Technical Product Manager, Windows Server Division, Microsoft Corporation

Nuo Yan, Microsoft MVP, Windows Shell / User

Business Results & New Value: End User Productivity; Customer Connection; Keep Business Up & Running; Security

More Pressure than Ever on IT: Competition; Technology Change; Regulatory Compliance; Cost Reduction

Source: IDC 2002, Microsoft Primary Quantitative Research. 400 30-minute phone surveys of IT professionals in data centers with 25 or more servers.

Over 60% of TCO over a 5-year period is driven by people costs.

Chart (percent of 5-year TCO, 0-70% axis): Staff Costs, Downtime, Training, Software, Hardware.

Those people are spending their time on manual tasks.

Degree of Automation (percent of responses; columns Manual / Scripts / Automated Tools; rows paired with the percentage triplets in the order the chart lists them):

Security Mgmt    53% / 24% / 23%
Network          54% / 17% / 29%
Event            56% / 16% / 28%
Performance      58% / 18% / 24%
Storage          60% / 16% / 24%
Change/Config    62% / 13% / 25%

IT Challenges

Microsoft’s Promises to You

Enabling IT Pros & Development Teams Across the IT Lifecycle

Ten Reasons to Prepare for
Windows Server “Longhorn”


Improvements in Server Security

Network Access Protection (NAP)

New Terminal Services capabilities

Improvements in Networking

Enhancements to Directory Services

New Deployment Roles

Improved Interoperability with Unix

Reliability and Performance Improvements

New Application Server

Management improvements

Application platform: Flexible Solutions; Connected Systems; Rich Experiences

Operations infrastructure: Control; Flexibility; Availability

Investment in the fundamentals: Security; Reliability; Performance

Improvements in Server Security

Windows Service Hardening: Defense In Depth

Factoring/Profiling: reduce the size of high-risk layers; segment the services; increase the number of layers.

Diagram layers: Kernel Drivers; User-mode Drivers; Service 1, Service 2, Service 3, ..., Service A, Service B.

Service Changes in Windows Server "Longhorn"

Windows XP SP2 / Server 2003 R2 (account: services)

LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS

Network Service: DNS Client

Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Windows Vista / Windows Server "Longhorn" (account and restriction: services)

LocalSystem, Firewall Restricted: WMI Perf Adapter, Automatic updates, Secondary Logon, App Management, Wireless Configuration

LocalSystem: BITS, Themes, Rasman, TrkWks, Error Reporting, 6to4, Task scheduler, RemoteAccess, Rasauto, WMI

Network Service, Fully Restricted: DNS Client, ICS, DHCP Client, browser, Server, W32time

Network Service, Network Restricted: Cryptographic Services, Telephony, PolicyAgent, Nlasvc

Local Service, No Network Access: System Event Notification, Network Connections, Shell Hardware Detection, COM+ Event System

Local Service, Fully Restricted: Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Event Log, Workstation, Remote registry
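The per-service SID and the move away from LocalSystem are what make the restrictions in the right-hand column possible. The following PowerShell is an added example, not code from the deck: it inventories the services on the local host, groups them by logon account, and lists the LocalSystem services that have no service SID at all (so nothing can ACL or firewall them individually). It assumes Windows 7 / Server 2008 R2 or later with PowerShell 3+ and sc.exe on the path.

```powershell
# Added example (not from the original deck): inventory the services on this host,
# group them by the account they run under, and flag the LocalSystem services that
# have no service SID (so nothing can ACL or firewall them individually).
# Assumes Windows 7 / Server 2008 R2 or later with PowerShell 3+ and sc.exe on the path.

function Get-ServiceSidType {
    # sc.exe qsidtype prints a line "SERVICE_SID_TYPE:  NONE|UNRESTRICTED|RESTRICTED"
    param([Parameter(Mandatory)][string]$Name)
    $text = (& sc.exe qsidtype $Name 2>&1) -join "`n"
    if ($text -match 'SERVICE_SID_TYPE:\s*(\S+)') { return $Matches[1] }
    return 'UNKNOWN'   # query failed, e.g. access denied or service not found
}

function Get-ServiceHardeningReport {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Account   = $_.StartName     # LocalSystem, NT AUTHORITY\NetworkService, ...
            StartMode = $_.StartMode
            SidType   = Get-ServiceSidType -Name $_.Name
        }
    }
}

$report = Get-ServiceHardeningReport

# How much still runs as LocalSystem versus the restricted accounts?
$report | Group-Object Account | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# LocalSystem services with no service SID are the first candidates to move to
# Network Service / Local Service or to give a restricted SID.
$report | Where-Object { $_.Account -eq 'LocalSystem' -and
                         $_.SidType -eq 'NONE' -and
                         $_.StartMode -ne 'Disabled' } |
    Sort-Object Name | Format-Table Name, StartMode -AutoSize
```

Run it elevated: sc.exe qsidtype needs query-config rights on each service, and an UNKNOWN result usually means access was denied rather than that the SID type is missing.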

BitLocker™ Drive Encryption

Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections.

Secure Startup: helps provide data protection on your Windows systems, even when the system is in unauthorized hands.

Uses a v1.2 TPM or a USB flash drive for key storage.

BitLocker™ Features Overview

Ensures Boot Process Integrity

Protects the system from offline software-based attacks.

Protects data while the system is offline

Encrypts the entire Windows volume including both user data and system files, the hibernation file, the page file and temporary files.

Force Recovery

Sys-admin ONLY tool to securely speed up PC re-deployment

Eases equipment recycling

Single Microsoft TPM driver

Improved stability and security

TPM Base Services (TBS)

Windows and 3rd party SW access to the TPM

Scenarios: lost or stolen laptop; branch-office server

Server Integrity

Code Integrity: OS File Protection

Validates the integrity of the boot process

Checks kernel, HAL and boot-start drivers

If validation fails, image won’t load

Validates the integrity of each binary image

Implemented as a file system filter driver

Checks hashes for every page as it’s loaded

Checks any image loading to a protected process

Hashes stored in system catalog or in X.509 certificate
embedded in file
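The practical check that follows from the slide is whether every boot-start driver on a host actually carries a valid hash, and where that hash lives (an embedded Authenticode signature or a system catalog). This PowerShell is an added example, not code from the deck; it assumes Windows 8 / PowerShell 4 or later, where Get-AuthenticodeSignature resolves catalog signatures and reports SignatureType.

```powershell
# Added example (not from the original deck): verify the signatures of the
# boot-start drivers on this host the way Code Integrity would at load time,
# reporting whether each hash came from an embedded Authenticode signature or
# from a system catalog. Assumes Windows 8 / PowerShell 4 or later, where
# Get-AuthenticodeSignature reports SignatureType and checks catalogs.

function Resolve-DriverPath {
    param([Parameter(Mandatory)][string]$PathName)
    # Win32_SystemDriver.PathName may be \SystemRoot\..., \??\C:\..., or relative
    $p = $PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BootDriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -eq 'Boot' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath -PathName $_.PathName
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = 'FileNotFound';
                                   SignatureType = $null; Signer = $null }
                return   # next driver
            }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Driver        = $_.Name
                Path          = $path
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
                Signer        = $sig.SignerCertificate.Subject
            }
        }
}

$report = Get-BootDriverSignatureReport
$report | Sort-Object Driver | Format-Table Driver, Status, SignatureType, Signer -AutoSize

# Anything that is not Valid is what Code Integrity would refuse to load at boot.
$report | Where-Object { $_.Status -ne 'Valid' }
```

Most in-box drivers report SignatureType Catalog rather than Authenticode: the binary has no embedded certificate and the hash is looked up in a catalog under the CatRoot directory, which is exactly the "hashes stored in system catalog" case on the slide. A HashMismatch on a boot-start driver is worth treating as an incident, not a tooling glitch.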

Controlling Device Installation

Ability to block all new device installs: a machine can be deployed so that no new devices can be installed.

Set exceptions based on device class or device ID: allow keyboards and mice to be added, but nothing else; allow specific device IDs.

Configurable via Group Policy, set at the computer level.
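The Group Policy settings above are backed by values under the DeviceInstall\Restrictions policy key, so the same policy can be set and inspected locally. This PowerShell is an added example, not code from the deck: it denies every new device, then allows the Keyboard and Mouse setup classes and one hardware ID. It assumes an elevated session; the hardware ID USB\VID_1234&PID_5678 is a hypothetical placeholder, and the registry value names should be checked against the DeviceInstallation ADMX in your environment.

```powershell
# Added example (not from the original deck): set the device installation
# restrictions locally through the registry values that back the Group Policy
# settings: deny every new device, then allow the Keyboard and Mouse setup
# classes and one hardware ID. Assumes an elevated session; the hardware ID
# USB\VID_1234&PID_5678 is hypothetical. In a domain, set the same values in a
# GPO (Computer Configuration > Administrative Templates > System > Device
# Installation > Device Installation Restrictions); the GPO overrides local values.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path $base -Force | Out-Null

# "Prevent installation of devices not described by other policy settings"
Set-ItemProperty -Path $base -Name DenyUnspecified -Value 1 -Type DWord

# Exceptions by device setup class: the documented Keyboard and Mouse class GUIDs.
# Allow-list entries are REG_SZ values named 1, 2, 3, ... under the subkey.
$allowClasses = @(
    '{4D36E96B-E325-11CE-BFC1-08002BE10318}',  # Keyboard
    '{4D36E96F-E325-11CE-BFC1-08002BE10318}'   # Mouse
)
New-Item -Path "$base\AllowDeviceClasses" -Force | Out-Null
for ($i = 0; $i -lt $allowClasses.Count; $i++) {
    Set-ItemProperty -Path "$base\AllowDeviceClasses" -Name ($i + 1) `
        -Value $allowClasses[$i] -Type String
}

# Exception by specific hardware ID (hypothetical device)
New-Item -Path "$base\AllowDeviceIDs" -Force | Out-Null
Set-ItemProperty -Path "$base\AllowDeviceIDs" -Name 1 `
    -Value 'USB\VID_1234&PID_5678' -Type String

# Show the resulting policy; Plug and Play reads it on the next device arrival.
Get-ItemProperty -Path $base, "$base\AllowDeviceClasses", "$base\AllowDeviceIDs"
```

Two caveats a practitioner will hit: the deny applies to new installations, so devices already installed keep working unless they are removed first, and a hardware ID allow-list is only as strong as the ID string, which a malicious USB device can present at will. Class-level allow-lists are the more useful control; hardware-ID entries are for the handful of devices that must be whitelisted individually.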

Network Access Protection (NAP)

Network Access Protection: how it works

1. The Windows client requests access to the network and presents its current health state.
2. DHCP, VPN or Switch/Router relays the health status to the Microsoft Network Policy Server (RADIUS).
3. Network Policy Server (NPS) validates it against IT-defined health policy, consulting Policy Servers (e.g. Patch, AV).
4. If not policy compliant, the client is put in a restricted VLAN (Restricted Network) and given access to fix-up resources (Fix Up Servers, e.g. Patch) to download patches, configurations and signatures; steps 1-4 then repeat.
5. If policy compliant, the client is granted full access to the corporate network.

NAP Enforcement Options

Enforcement | Healthy Client | Unhealthy Client
DHCP | Full IP address given, full access | Restricted set of routes
VPN (Microsoft and 3rd party) | Full access | Restricted VLAN
802.1X | Full access | Restricted VLAN
IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

Complements layer 2 protection; works with existing servers and infrastructure; flexible isolation.

NAP Benefits

Feature | Support | Benefit
Built-in client | Windows Vista, Windows XP | No need to deploy/license a 3rd party client; updates via WUS / WSUS / SMS
Flexible enforcement | DHCP, VPN, 802.1x, Terminal Services, Server and Domain isolation | Works with today's & tomorrow's networks; enables risk-benefit trade-offs
3rd party enforcement | All major switch / router / firewall / VPN | Customers can use any network or security infrastructure vendor
Health assessment | SMS, WUS, SecurityCenter, 3rd party | Seamless integration with Windows infrastructure; works with any AV, patch or endpoint security solution
User experience | Integrated with Windows Vista glass; branding supported | Polished look and feel tailored for the customer environment
Management | Integration with SMS, AD, Group Policy and MOM for client, server and service operations | Complete policy-based administration and operation

New Terminal Services Capabilities

Terminal Services (secure centralized application access): Centralized Application Access; App Deployment ("app virtualization"); Branch Office; Secure Anywhere Access

New features: TS Gateway; TS Remote Programs; SSO for managed clients

Diagram: a Central Location serving a Mobile Worker in an airport, a Branch Office and a Home Office.

Terminal Services Gateway: remote access to internal application resources

Diagram: clients on the Internet (hotel, home, business partner/client site) connect over HTTPS/443 through the External Firewall to the Terminal Services Gateway Server in the DMZ, which passes RDP through the Internal Firewall to the Terminal Servers and the Email Server on the Corp LAN.

Terminal Services Gateway Server: tunnels RDP over HTTPS; strips off the RDP/HTTPS encapsulation; passes RDP/SSL traffic to the TS.

TS Gateway Security

Authentication with passwords, smartcards

Uses industry standard encryption and firewall traversal (SSL, HTTPS)

RDP traffic still encrypted end-to-end, client to terminal server

Client machine health can be validated (using NAP)

SSL termination devices can terminate SSL traffic on a separate device (for intrusion detection or filtering in the DMZ)

Compared to VPN

User can access corporate applications and corporate desktops via Web Browser

Friendly with home machines

Crosses firewalls and NATs (w/ HTTPS:443)

Granular access control at the perimeter: Connection Authorization Policy (CAP); Resource Authorization Policy (RAP)

Terminal Services Remote Programs

Simple, fast application deployment

Central management of LOB applications

Light-weight deployment of data-intensive apps

Programs roam easily

Anywhere access

Staged rollout of new application releases

Application consolidation

Integrates with local programs: Drag and Drop (B3); System Tray Integration; local devices and files available

Improvements in Networking Services

Complete Redesign of TCP/IP

Diagram, Next Generation TCP/IP Stack (tcpip.sys):
User Mode: WSK Clients, TDI Clients, Winsock
Kernel Mode: AFD, WSK, TDX, TDI
tcpip.sys: TCP, UDP, RAW; IPv4, IPv6, IPv4 Tunnel, IPv6 Tunnel, Loopback; Inspection API
NDIS: 802.3, WLAN

Dual-IP layer architecture for native IPv4 and IPv6 support

Seamless security through expanded IPsec integration

Improved performance via hardware acceleration

Network auto-tuning and optimization algorithms

Greater extensibility and reliability through rich APIs

A Short List of New Features

Table columns: Technologies, marked under Security, Experience and Scalability.

IPsec
VPN Routing Compartments
Windows Filtering Platform (WFP)
Secure Sockets API
IPv6
TCP Chimney
TCP-A (I/OAT)
Receive Side Scaling (RSS)
Receive Window Auto-Tuning
Compound-TCP (CTCP) Congestion Control
Wireless Reliability
Black-Hole Router Detection (BHRD)
Dead Gateway Detection
Network Diagnostics Framework/Extended TCP Statistics
Policy-based Quality of Service (eQoS)

Windows Firewall with Advanced Security

Combined firewall and IPsec management

New management tools: Windows Firewall with Advanced Security MMC snap-in

Reduces conflicts and coordination overhead between technologies

Firewall rules become more intelligent

Specify security requirements such as authentication and encryption

Specify Active Directory computer or user groups

Outbound filtering

Enterprise management feature, not for consumers

Simplified protection policy reduces management overhead
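What "firewall rules become more intelligent" means in practice is a rule whose match condition includes the IPsec authentication state and the AD group of the peer. The following PowerShell is an added example, not code from the deck: it creates a connection security rule that requires inbound authentication and a firewall rule that admits SMB only from authenticated, encrypted peers in one computer group. It assumes a domain-joined host with netsh advfirewall (Vista / Server 2008 and later), an elevated session, and a group CONTOSO\File-Clients (hypothetical name).

```powershell
# Added example (not from the original deck): a connection security rule that
# requires inbound IPsec authentication (domain isolation) plus an inbound
# firewall rule that admits SMB only from authenticated, encrypted peers that are
# members of an Active Directory computer group. Assumes a domain-joined host
# with netsh advfirewall (Vista / Server 2008 and later), an elevated session,
# and a group CONTOSO\File-Clients (hypothetical name).

# The firewall takes the group as an SDDL string: one allow ACE granting CC to the SID.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'File-Clients')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "O:LSD:(A;;CC;;;$sid)"

# 1. Connection security rule: require Kerberos computer authentication for all
#    inbound connections, request it for outbound ones.
netsh advfirewall consec add rule name="Domain isolation: require inbound auth" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# 2. Firewall rule: TCP/445 only from peers that authenticated and encrypted (authenc)
#    and whose computer account is in the group.
netsh advfirewall firewall add rule name="SMB from File-Clients only" `
    dir=in action=allow protocol=TCP localport=445 `
    security=authenc rmtcomputergrp="$sddl"

# Review the result
netsh advfirewall consec show rule name="Domain isolation: require inbound auth"
netsh advfirewall firewall show rule name="SMB from File-Clients only" verbose
```

The order matters: the rmtcomputergrp condition can only be evaluated on a connection that IPsec has authenticated, so without the connection security rule the firewall rule never matches. Pilot with action=requestinrequestout first (authenticate when the peer can, allow otherwise), then switch to requireinrequestout once every legitimate peer negotiates Kerberos; the require form drops all unauthenticated inbound traffic, including from non-domain monitoring and backup hosts.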

Improvements in Directory Services

Active Directory Features: Restartable Active Directory; Read-only Domain Controllers; Group Policy and ADMX

Active Directory: Read Only Domain Controller

Introduction to Read Only Domain Controller

How it works in general: read-only Active Directory database; unidirectional replication; credential caching

Benefits of Read Only Domain Controller: increases security for remote domain controllers where physical security cannot be guaranteed

Active Directory: Restartable Active Directory

Introduction to Restartable Active Directory

Restart Active Directory without rebooting; can be done through the command line and MMC

Can't boot the DC into the stopped mode of Active Directory

No effect on non-related services while restarting Active Directory

Several ways to process logon under stopped mode

Benefits of Restartable Active Directory: reduces time for offline operations; improves availability of other services on the DC when Active Directory is stopped; reduces overall DC servicing requirements, together with Server Core

Read-only DC

How it works: secret caching during first logon

1. AS_Req sent to the RODC (request for a TGT).
2. RODC looks in its DB: "I don't have the user's secrets".
3. RODC forwards the request to a hub Windows Server "Longhorn" DC.
4. The Windows Server "Longhorn" DC authenticates the request.
5. It returns the authentication response and TGT back to the RODC.
6. RODC gives the TGT to the user and queues a replication request for the secrets.
7. The hub DC checks the Password Replication Policy to see if the password can be replicated.

Note: at this point the user will have a hub-signed TGT.
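Step 7 is the control that decides what a stolen branch DC gives away, so the operational check is to read the Password Replication Policy and compare it with what the RODC has actually cached. This PowerShell is an added example, not code from the deck; it assumes the ActiveDirectory module (RSAT), rights to read the PRP, and an RODC named RODC-BRANCH01 (hypothetical).

```powershell
# Added example (not from the original deck): audit a branch RODC's Password
# Replication Policy and the secrets it has actually cached, flagging cached
# accounts that belong to privileged groups. Assumes the ActiveDirectory module
# (RSAT), rights to read the PRP, and an RODC named RODC-BRANCH01 (hypothetical).

Import-Module ActiveDirectory

$rodc = 'RODC-BRANCH01'

# Step 7 on the slide: the hub consults this policy before replicating a secret.
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

# What the RODC holds today (revealed) and who has authenticated through it.
$revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

# Privileged accounts must never have secrets on a DC that may be stolen.
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$exposed = $revealed | Where-Object { $privMembers -contains $_.DistinguishedName }

# Branch users who authenticate through the RODC but are not cached keep
# depending on the WAN link; they are candidates for the allowed list.
$notCached = @($authenticated | Where-Object {
    $revealed.DistinguishedName -notcontains $_.DistinguishedName })

"PRP allowed entries       : $($allowed.Count)"
"PRP denied entries        : $($denied.Count)"
"Secrets cached on RODC    : $($revealed.Count)"
"Authenticated, not cached : $($notCached.Count)"

if ($exposed) {
    Write-Warning "Privileged accounts with secrets cached on ${rodc}; reset their passwords:"
    $exposed | Format-Table Name, DistinguishedName -AutoSize
}
```

The revealed list is the blast radius of that RODC: if the box is lost, those are the accounts whose passwords must be reset, which is why the built-in Denied list should stay populated with the administrative groups and why the check above is worth scheduling rather than running once.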

Read-only DC: Application Support

Planning to support: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

Best effort: generic LDAP apps which support write referrals and can tolerate write failures if the WAN is offline.

An application guidance whitepaper will be published by Beta 2; it will include a checklist to verify RODC app compatibility.

New Deployment Roles

What is Server Core?

Part of the "Windows Server" SKU, available as an install option

Delivers the core set of server OS functionality

Can boot and operate stand-alone in headless/embedded scenarios

Part of an overall Windows/Windows Server "Longhorn" infrastructure solution

Server Core provides support for basic server roles: File Server; DNS; DHCP; Active Directory

Can be managed by: local and remote command-line tools; Terminal Services (remote); Microsoft Management Console (remote)

Improved Interoperability with Unix Environments

Windows Server "Longhorn" Features for UNIX Interoperability

Improve and enhance UNIX integration features as a part of Windows Server

Authentication integration

UNIX scripting and application migration tools

Support for 32-bit and 64-bit

Extensions to the Active Directory default schema to support UNIX-related attributes (RFC 2307)

SUA Overview

SUA provides the basic infrastructure to run UNIX-based applications and scripts on Windows Server

Native subsystem residing on top of the kernel, just like the win32 subsystem

Complete UNIX semantics and system call support

Utilities and SDK package available for download from the beta website: BSD Utilities and SDK; System V Release 5 Utilities and SDK; GNU Utilities and SDK; UNIX Perl

Utilities Coverage

Shells: Korn, C
Development: gcc, gdb, make
Connectivity: bind, sendmail, ftp
Job Control: ps, nice, kill
Text Processing: grep, less, awk, sed, pr, tr
Batch Processing: at, cron, batch
Graphics: xterm, xrdb, xset, xclock

Password Sync Advantages

Supported Platforms: HP-UX 11i; Sun Solaris 7, Solaris 8; IBM AIX 5L 5.2; Red Hat Linux 8.0 and higher

Benefits: logging; debugging; MD5 support; supports over 60,000 users; improved data migration times

Password Synchronization

Diagram: the Password Synchronization Service in Windows Server exchanges password changes with the Single Sign On Daemon (ssod) and Pluggable Authentication Module (pam) on HP-UX, Solaris, AIX and Red Hat Linux. Legend: Windows password changed; UNIX password changed.

Server for NIS

Diagram: Windows Servers (SID) act as the NIS Master; UNIX NIS Servers (UID/GID) act as Subordinates serving the NIS Clients.

Makes a Windows Server into an NIS master server

Reliability and Performance
Improvements

New Reliability Technology

Windows Performance Diagnostic Console and
Reliability Monitor

Introduction to Windows Performance Diagnostic
Console and Reliability Monitor

Combination of performance tools

Keep track of system activity and resource usage with Resource View

Reliability Monitor diagnoses potential causes of instability

Benefits of Windows Performance Diagnostic Console and Reliability Monitor

Combining the performance tools in a single interface increases the efficiency of operations

Resource View is easier to use, and more powerful, than Task Manager

Reliability Monitor saves the administrator's time by recovering the system from instability in a targeted manner

New Application Server

Internet Information Services (IIS) 7.0

More than an Enterprise-class Web server, IIS 7.0 is an extensible platform for securely delivering business applications and services over the Web.

IIS 7.0 Enhancements: Extensible Modular Architecture; Delegated Management Tools; Comprehensive Diagnostic Support; Integrated Application Stack; Distributed Configuration Model

Intended outcomes: Compelling Custom Solutions; Optimized Security & Patching; Scalable, Streamlined Infrastructure; Rapid Solution Deployment; Efficient Administrators & Developers

Administration

IIS Previous User Interface: easy navigation; limited application concept; tabs, tabs, and more tabs

IIS7 Administration Experience: nice tree view; category sorting for easy-to-find features

Management Improvements

Windows Server 2003: installing, securing, and managing server roles is fragmented across multiple tools: Windows Server 2003 Setup; Post-Setup Security Updates; Manage Your Server; Configure Your Server Wizard; Add/Remove Windows Components; Computer Management; Security Configuration Wizard

Windows Server "Longhorn" setup phases: OS Setup; Initial Configuration Tasks; Server Manager

Server Manager

Provides a great, out-of-the-box experience for adding, configuring, and managing server roles.

1. Out of box experience (OOBE): walks the user through the tasks necessary to complete setup and operationalize the server.

2. Single experience for configuring Windows Server "Longhorn": steps the user through adding and removing server roles and features securely.

3. Portal for ongoing management: displays server status, exposes key management tasks, and guides the user to advanced management tools.

Server Manager in Windows Server "Longhorn"

Timeline

Sept 2005 (PDC): developer engagement
Q2 CY 2006 (Beta 2): enterprise engagement and deployment
TBD (Beta 3): Customer Preview Program; Community Technology Preview (CTP) Program releases
2007 (Ship): broad availability

Resources

Technical Chats and Webcasts

http://www.microsoft.com/communities/chats/default.mspx


http://www.microsoft.com/usa/webcasts/default.asp

Microsoft Learning and Certification

http://www.microsoft.com/learning/default.mspx

MSDN & TechNet

http://microsoft.com/msdn

http://microsoft.com/technet

Virtual Labs

http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx

Newsgroups

http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

Technical Community Sites/Blogs

http://www.microsoft.com/communities/default.mspx

http://blogs.technet.com/windowsserver


User Groups

http://www.microsoft.com/communities/usergroups/default.mspx

Live from Tech∙Ed Webcast Series has been brought to you by: www.microsoft.com/hpc

Fill out a session evaluation on CommNet for a chance to win an XBOX 360!

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.