“Top 10 things you need to know”

Jeff Alexander | IT Pro Evangelist | Microsoft Australia

http://blogs.technet.com/jeffa36

Post on 18-Dec-2015


TRANSCRIPT

Page 1: Title slide (title, presenter and blog URL as above)

Page 2: The Top 10

• Server Role Management

• IIS 7.0 Features

• Windows Powershell

• Server Core

• Virtualization

• New Security Features

• Windows Deployment Services

• Terminal Services

• Group Policy

• Read Only Domain Controller

Page 3: Windows Server Setup Phases

Windows Server 2003:

• Windows Server 2003 setup

• Post-Setup security updates

• Manage your server

• Configure your server wizard

• Add/Remove Windows components

• Computer Management

• Security Configuration Wizard

Windows Server “Longhorn”:

• Operating system setup

• Initial Configuration Tasks

• Server Manager

Server roles streamline management

Page 4: What Works Differently

Initial Configuration Tasks:

• Administrator password

• Network IP address

• Domain membership

• Computer name

• Windows Updates

• Windows Firewall
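The same six Initial Configuration Tasks done from the command line, as an added example that is not part of the original slides. On a full installation this is what the ICT window does for you; on a Server Core installation it is the only way. Assumptions: PowerShell 2.0 or later is present (Windows Server 2008 Server Core cannot run PowerShell, so there the same native commands are typed into cmd.exe); netdom.exe is available (built into Server Core, part of the AD DS tools on a full installation); the interface name, addresses, computer name, domain and join account are placeholders.

```powershell
# Added example, not from the slide deck: the Initial Configuration Tasks performed with
# the command-line tools that ship in Windows Server 2008.
# Assumptions: PowerShell 2.0+ on the box; netdom.exe available; all values below are
# placeholders for your environment.

$Interface  = 'Local Area Connection'   # see: netsh interface ipv4 show interfaces
$IpAddress  = '10.0.0.20'
$SubnetMask = '255.255.255.0'
$Gateway    = '10.0.0.1'
$DnsServer  = '10.0.0.10'
$NewName    = 'BR-CORE01'
$Domain     = 'corp.example'
$JoinUser   = 'corp\svc-join'           # a delegated join account, not a Domain Admin

function Assert-LastExit {
    # Native tools report failure only through their exit code; stop at the first one.
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# --- Network IP address -------------------------------------------------------
netsh interface ipv4 set address name="$Interface" source=static address=$IpAddress mask=$SubnetMask gateway=$Gateway
Assert-LastExit 'set address'
# validate=no: do not fail just because the DNS server is unreachable during build
netsh interface ipv4 set dnsservers name="$Interface" source=static address=$DnsServer register=primary validate=no
Assert-LastExit 'set dnsservers'

# --- Windows Firewall: on for every profile, remote management allowed through it ---
netsh advfirewall set allprofiles state on
Assert-LastExit 'firewall on'
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
Assert-LastExit 'firewall remote administration group'

# --- Windows Updates: automatic download and install (AUOptions = 4) -----------
$scregedit = Join-Path $env:windir 'System32\scregedit.wsf'
if (Test-Path $scregedit) {
    # Server Core ships this script for the settings that have no dedicated tool.
    cscript //nologo $scregedit /AU 4
    Assert-LastExit 'scregedit /AU'
} else {
    $au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    if (-not (Test-Path $au)) { New-Item $au -Force | Out-Null }
    Set-ItemProperty $au -Name AUOptions -Value 4 -Type DWord
}

# --- Administrator password: interactive prompt, so it never lands in the script ---
net user Administrator *
Assert-LastExit 'set Administrator password'

# --- Computer name, then domain membership (each needs a restart before the next) ---
if ($env:COMPUTERNAME -ne $NewName) {
    netdom renamecomputer $env:COMPUTERNAME /NewName:$NewName /Force
    Assert-LastExit 'renamecomputer'
    Write-Warning "Renamed to $NewName; restarting. Run the script again afterwards to join $Domain."
    shutdown /r /t 10
    return
}
# /PasswordD:* prompts for the join account's password instead of embedding it.
netdom join $env:COMPUTERNAME /Domain:$Domain /UserD:$JoinUser /PasswordD:*
Assert-LastExit 'domain join'
Write-Warning "Joined $Domain; restarting to complete."
shutdown /r /t 10
```

The rename/join split is deliberate: netdom will not rename and join in one pass without a restart in between, so the script is written to be run twice and decides from the current computer name which half to do.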

Page 5: Server Manager Console

Modifying Roles and Features

Page 6: Internet Information Services (IIS) 7.0

More than a Web server, Internet Information Services 7.0 provides an accessible, extensible platform for developing and reliably hosting Web applications and services.

IIS 7.0 Enhancements:

• Modular Architecture

• Manageable

• Built-in Request Tracing

• Extensible Design

• Integrated with .NET

What they give you:

• Create streamlined servers

• Reduced attack surface

• Extend/modify IIS features

• Rapid application deployment

• Fast diagnostics
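The “modular architecture, reduced attack surface” point in practice, as an added example that is not from the slides or from Microsoft. appcmd.exe, the IIS 7.0 command-line tool, lists the native modules registered in applicationHost.config; every module that is loaded but not needed is a request-processing stage an attacker can reach. The script reports modules outside an allow-list, uninstalls them only when `-Apply` is given, and enables failed-request tracing for 5xx responses so the trimmed server stays diagnosable. Assumptions: IIS 7.0 with the Web Server role, run elevated; the allow-list is a hypothetical static-content-only baseline chosen for this example, not a Microsoft recommendation; the site name is a placeholder.

```powershell
# Added example, not from the slide deck: enforce a module allow-list with appcmd.exe and
# switch on failed-request tracing. Assumptions: IIS 7.0, elevated; the allow-list below
# is a hypothetical static-content baseline for illustration only.
param([switch]$Apply, [string]$Site = 'Default Web Site')

$AppCmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Native modules a static-file-only site needs (hypothetical baseline for this example).
$Allowed = 'HttpCacheModule', 'StaticFileModule', 'DefaultDocumentModule', 'DirectoryListingModule',
           'HttpLoggingModule', 'RequestFilteringModule', 'AnonymousAuthenticationModule',
           'ProtocolSupportModule', 'StaticCompressionModule', 'CustomErrorModule'

function Get-NativeModule {
    # "appcmd list modules" prints one line per enabled module:
    #   MODULE "HttpLoggingModule" ( native:True, precondition: )
    # Managed modules (native:False) are skipped; they are not uninstalled this way.
    & $AppCmd list modules | ForEach-Object {
        if ($_ -match '^MODULE "([^"]+)".*native:True') { $matches[1] }
    }
}

$extra = @(Get-NativeModule | Where-Object { $Allowed -notcontains $_ })
if ($extra.Count -eq 0) { 'No native modules outside the allow-list.' }
foreach ($m in $extra) {
    if ($Apply) {
        # "uninstall module" removes the globalModules registration as well as the
        # enabled-modules entry, so the DLL is no longer loaded into worker processes.
        & $AppCmd uninstall module $m
        if ($LASTEXITCODE -ne 0) { throw "appcmd uninstall module $m failed ($LASTEXITCODE)" }
        "removed $m"
    } else {
        "would remove $m (re-run with -Apply)"
    }
}

# Built-in request tracing: keep a trace log for every request the site fails with 5xx,
# so a reduced server can still be diagnosed without attaching a debugger.
& $AppCmd configure trace "$Site" /enablesite
& $AppCmd configure trace "$Site" /enable /path:* /statuscodes:500-599
& $AppCmd list config "$Site" /section:system.webServer/tracing/traceFailedRequests
```

Run it without `-Apply` first and read the list: anything a hosted application depends on (authentication, ISAPI, ASP.NET integration) has to be added to the allow-list before you apply it.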

Page 7: New IIS 7.0 Features

Page 8: Windows PowerShell

New interactive shell and scripting language

Based on and takes advantage of .NET features

Current tools will still work

Current automation will still work

Page 9: Windows PowerShell Resources

• Hundreds of scripts: TechNet ScriptCenter; community-submitted scripts for Exchange Server 2007, Terminal Server, WMI, Registry, Hardware, etc.

• Books & training materials: Manning Publications, O’Reilly Media, Sapien Press & others…

• Community support: MS MVPs, PowerShell Team Blog, active newsgroup, Channel 9: DFO Show, IIS.net, MyITForum.com

Page 10: Windows PowerShell

Page 11: Windows Server Core

• Minimal installation option

• Low surface area

• Command line interface

• Limited set of server roles

Server Core Server Roles (for example only):

• Server Core: Security, TCP/IP, File Systems, RPC, plus other core server sub-systems; roles such as DNS, DHCP, File, AD

• Full Server (with WinFx, Shell, Tools, etc.): roles such as TS, IAS, Web Server, SharePoint, etc.; adds GUI, CLR, Shell, IE, Media, OE, etc.
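Installing a role from a script on either installation type, as an added example serving both the Server Manager slide (Page 5) and the Server Core slide above; it is not from the original deck. A full installation of Windows Server 2008 has Server Manager and its command-line front end servermanagercmd.exe; a Server Core installation has neither and uses oclist.exe / ocsetup.exe, with different and case-sensitive component names, so a deployment script has to detect which kind of box it is on. Assumptions: PowerShell 2.0 or later (on 2008 Server Core itself the oclist/ocsetup lines are typed into cmd.exe); run elevated; DNS Server is used as the sample role.

```powershell
# Added example, not from the slide deck: one role-install routine for both full and
# Server Core installations of Windows Server 2008. Assumptions: PowerShell 2.0+, elevated.

function Test-ServerCore {
    # Server Core has no Server Manager binary.
    return -not (Test-Path (Join-Path $env:windir 'System32\servermanagercmd.exe'))
}

function Get-InstalledComponent {
    # Names of installed roles/features exactly as the native tool on this box reports them.
    if (Test-ServerCore) {
        # oclist prints "Installed:DNS-Server-Core-Role" / "Not Installed:BitLocker" (indented
        # and arrowed for child components); the lookbehind excludes the "Not Installed" lines.
        oclist | ForEach-Object { if ($_ -match '(?<!Not )Installed:(\S+)') { $matches[1] } }
    } else {
        # servermanagercmd -query prints "[X] DNS Server  [DNS]" for installed items.
        servermanagercmd -query | ForEach-Object {
            if ($_ -match '^\s*\[X\].*\[([^\]\s]+)\]\s*$') { $matches[1] }
        }
    }
}

function Install-Role {
    # $Name carries one component id per installation type because the ids differ.
    param([hashtable]$Name)
    if (Test-ServerCore) { $id = $Name.Core } else { $id = $Name.Full }
    if (@(Get-InstalledComponent) -contains $id) { return "$id already installed" }
    if (Test-ServerCore) {
        # ocsetup returns immediately; -Wait is the PowerShell form of "start /w ocsetup".
        $p = Start-Process ocsetup.exe -ArgumentList $id -Wait -PassThru
        if ($p.ExitCode -ne 0) { throw "ocsetup $id failed with exit code $($p.ExitCode)" }
    } else {
        servermanagercmd -install $id
        if ($LASTEXITCODE -ne 0) { throw "servermanagercmd -install $id failed with exit code $LASTEXITCODE" }
    }
    "$id installed"
}

# DNS Server is "DNS" to Server Manager but "DNS-Server-Core-Role" to ocsetup.
Install-Role @{ Full = 'DNS'; Core = 'DNS-Server-Core-Role' }
Get-InstalledComponent
```

The second call at the end is the check you actually want after a role install: it re-reads what the box says is installed rather than trusting the installer's exit code alone.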

Page 12: Windows Server Core

Page 13: Windows Virtualization

Virtualization Platform and Management

Diagram: management tools; VM 1 (“Parent”) alongside child VMs (VM 2, “Child”).

Page 14: Windows Virtualization Architecture

Parent Partition:

• User mode: Virtualization Stack (VM Worker Processes, VM Service, WMI Provider)

• Kernel mode: Windows Kernel (Server Core), Virtualization Service Providers (VSPs), IHV Drivers, VMBus

Child Partitions:

• User mode: Applications

• Kernel mode: Windows Kernel, Virtualization Service Clients (VSCs), Enlightenments, VMBus

Both run on the Windows hypervisor, which runs on “Designed for Windows” Server Hardware.

Provided by (diagram legend): Windows, ISV, OEM

Page 15: Windows Server 2008 Hardening

Windows® XP SP2 / Server 2003 R2: services run as LocalSystem, Network Service or Local Service, with nothing beyond the account itself limiting them.

Windows Vista / Server 2008: the same three accounts, with per-service restrictions layered on top:

• LocalSystem: Firewall Restricted

• Network Service: Network Restricted

• Local Service: No Network Access

• LocalSystem / Network Service / Local Service: Fully Restricted

Page 16: Windows Services Hardening

• Reduce size of high-risk layers

• Segment the services

• Increase number of layers

Diagram: kernel drivers (DD), user-mode drivers (DD), then Service 1, Service 2, Service 3, … and Service A, Service B as separate layers.
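An audit of the hardening the two slides describe, as an added example that is not from the deck. It also illustrates the PowerShell slides' point that current tools keep working: WMI supplies the service list and account, sc.exe reports the per-service SID type and the privilege set that Vista and Server 2008 added to the service configuration, and netsh advfirewall shows which firewall rules are scoped to a service. Assumptions: PowerShell 2.0 or later, run elevated on Windows Server 2008; the parsing follows the English output of sc.exe and netsh.

```powershell
# Added example, not from the slide deck: report running services by account, service SID
# type, privilege list, firewall scoping and process sharing. Assumptions: PowerShell 2.0+,
# elevated, English tool output.

function Get-ServiceSidType {
    # "sc qsidtype <svc>" prints "SERVICE_SID_TYPE: UNRESTRICTED|RESTRICTED|NONE".
    # NONE means the service has no per-service SID, so no ACL can single it out.
    param([string]$Name)
    $text = (sc.exe qsidtype $Name 2>&1) -join ' '
    if ($text -match 'SERVICE_SID_TYPE:\s*(\w+)') { $matches[1] } else { 'UNKNOWN' }
}

function Get-ServicePrivilege {
    # "sc qprivs <svc>" prints "PRIVILEGES : SeXPrivilege" with one privilege per line.
    # An empty list means the service keeps every privilege its account has.
    param([string]$Name)
    sc.exe qprivs $Name 2>&1 | ForEach-Object { if ($_ -match ':\s*(Se\w+Privilege)') { $matches[1] } }
}

function Get-FirewallServiceRule {
    # Service names found on the "Service:" lines of the verbose rule listing.
    netsh advfirewall firewall show rule name=all verbose |
        ForEach-Object { if ($_ -match '^Service:\s+(\S+)' -and $matches[1] -ne 'Any') { $matches[1] } } |
        Sort-Object -Unique
}

function Get-ServiceHardeningReport {
    $ruleSvc = @(Get-FirewallServiceRule)
    Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        $privs = @(Get-ServicePrivilege $_.Name)
        if ($privs.Count -gt 0) { $privText = $privs -join ',' } else { $privText = '(all of account)' }
        New-Object PSObject -Property @{
            Name         = $_.Name
            Account      = $_.StartName
            SidType      = Get-ServiceSidType $_.Name
            Privileges   = $privText
            FirewallRule = ($ruleSvc -contains $_.Name)
            Shared       = ($_.PathName -match 'svchost\.exe')   # shares a process with other services
        }
    }
}

$report = Get-ServiceHardeningReport
# Worst case first: LocalSystem, no service SID, no privilege list. These are the services
# for which none of the Vista/2008 restrictions on the slide apply.
$report | Where-Object { $_.Account -eq 'LocalSystem' -and $_.SidType -eq 'NONE' -and $_.Privileges -eq '(all of account)' } |
    Sort-Object Name | Format-Table Name, Account, SidType, Privileges, FirewallRule, Shared -AutoSize
```

Third-party services are the usual entries in that last table; `sc sidtype <svc> unrestricted` and `sc privs <svc> <list>` apply the same restrictions to them that the in-box services already have.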

Page 17: BitLocker™ Drive Encryption

• Group Policy allows central encryption policy and provides branch office protection

• Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting operating system

• Uses a v1.2 TPM or USB flash drive for key storage

Diagram: Full Volume Encryption Key (FVEK); Encryption Policy.
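Checking the two preconditions on the slide, a v1.2 TPM and where the keys are held, as an added example that is not from the deck. It uses the TPM and BitLocker WMI providers that ship with Windows Server 2008 (the same providers manage-bde.wsf scripts against): it reports the TPM state, then for each volume the protection status and the key protector types, and flags the cases that leave the volume either unrecoverable or protected only by the boot measurements. Assumptions: the BitLocker feature is installed; PowerShell 2.0 or later, run elevated.

```powershell
# Added example, not from the slide deck: TPM and key-protector audit through the
# Win32_Tpm and Win32_EncryptableVolume WMI classes. Assumptions: BitLocker feature
# installed, PowerShell 2.0+, elevated.

$TpmNs = 'root\CIMV2\Security\MicrosoftTpm'
$BdeNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Values returned by Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorName = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical password (recovery)'
                    4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'; 7 = 'Public key'; 8 = 'Passphrase' }
$ProtectionName = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm
    if (-not $tpm) { return 'no TPM found: a USB startup key is the only BitLocker option on this box' }
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion                     # e.g. "1.2, 2, 3"; BitLocker needs 1.2
        Is12        = ($tpm.SpecVersion -like '1.2*')
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned               # BitLocker takes ownership when it is not
    }
}

function Get-VolumeProtectorState {
    Get-WmiObject -Namespace $BdeNs -Class Win32_EncryptableVolume | ForEach-Object {
        $vol    = $_
        $status = $ProtectionName[[int]$vol.GetProtectionStatus().ProtectionStatus]
        # GetKeyProtectors(0) returns the ids of protectors of every type; none on an unprotected volume.
        $ids    = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types  = @($ids | ForEach-Object { $ProtectorName[[int]$vol.GetKeyProtectorType($_).KeyProtectorType] })
        $warn   = @()
        if ($status -eq 'On' -and -not ($types -contains 'Numerical password (recovery)')) {
            $warn += 'no recovery password: a TPM or USB key failure leaves the volume unrecoverable'
        }
        if ($status -eq 'On' -and ($types -contains 'TPM') -and -not ($types | Where-Object { $_ -like 'TPM+*' })) {
            $warn += 'TPM-only: the FVEK is unsealed by the boot measurements alone, with no user secret'
        }
        New-Object PSObject -Property @{
            Drive = $vol.DriveLetter; Protection = $status
            Protectors = ($types -join '; '); Warnings = ($warn -join '; ')
        }
    }
}

Get-TpmState
Get-VolumeProtectorState | Format-Table Drive, Protection, Protectors, Warnings -AutoSize
```

The second warning is the one to weigh against the slide's "unauthorized hands" claim: a TPM-only protector defends against the disk being moved to another machine or booted into a different OS, but a machine that boots normally will unseal the key for whoever has it, so the OS logon is then the only barrier.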

Page 18: Network Access Protection

What is Network Access Protection?

• Health Policy Validation

• Health Policy Compliance

• Ability to Provide Limited Access

• Enhanced Security

• Increased Business Value

• Cisco and Microsoft Integration Story

Diagram: a Windows Client connects through DHCP, VPN or a Switch/Router to NPS, which consults Policy Servers such as Patch and AV; a policy-compliant client reaches the Corporate Network, a non-compliant client is placed in a Restricted Network with Remediation Servers (example: Patch).

Page 19: Using Network Access Protection

1. Client requests access to the network and presents its current health state.

2. DHCP, VPN or Switch/Router relays the health status to Microsoft Network Policy Server (RADIUS).

3. Network Policy Server (NPS) validates it against the IT-defined health policy, using Policy Servers such as Patch, AV.

4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1–4).

5. If policy compliant, the client is granted full access to the corporate network.

Diagram labels: Windows Client; DHCP, VPN, Switch/Router; MSFT NPS; Policy Servers; Fix Up Servers (example: Patch); Restricted Network; Corporate Network.
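A client-side check that a Windows machine can actually take part in the five steps above, as an added example that is not from the deck. The client half of NAP is the NAP Agent service plus an enforcement client that matches the enforcement point used in step 2 (DHCP, VPN or an 802.1X switch/router); `netsh nap client show state` reports both, and the current restriction state from steps 4 and 5. Assumptions: Windows Vista or Server 2008 (the netsh nap context); the parsing follows the English "Name = value" output; run elevated if `-Enable` is used.

```powershell
# Added example, not from the slide deck: read and optionally enable the NAP client side.
# Assumptions: netsh nap context present, English output, elevated for -Enable.
param([string]$EnforcementNamePattern = 'DHCP', [switch]$Enable)

function Get-NapClientState {
    # Turns the "Section:" / "Name = value" text of "netsh nap client show state" into one
    # object for the client itself and one per enforcement client and health agent.
    $blocks = @(); $cur = $null
    foreach ($line in (netsh nap client show state)) {
        if ($line -match '^(.+?)\s*:\s*$') {                       # e.g. "Enforcement client state:"
            $cur = New-Object PSObject -Property @{ Section = $matches[1] }
            $blocks += $cur
        } elseif ($cur -and $line -match '^(\S[^=]*?)\s*=\s*(.*)$') {
            # A second "Id" inside the same section starts the next item of that section.
            if ($matches[1] -eq 'Id' -and $cur.PSObject.Properties['Id']) {
                $cur = New-Object PSObject -Property @{ Section = $cur.Section }
                $blocks += $cur
            }
            Add-Member -InputObject $cur -MemberType NoteProperty -Name $matches[1] -Value $matches[2] -Force
        }
    }
    $blocks
}

$state  = Get-NapClientState
$client = $state | Where-Object { $_.Section -eq 'Client state' }
"NAP Agent service: $((Get-Service napagent).Status); client: $($client.Status); restriction: $($client.'Restriction state')"

$ecs = @($state | Where-Object { $_.Section -eq 'Enforcement client state' })
$ecs | Format-Table Id, Name, Initialized -AutoSize

# Pick the enforcement client that matches the enforcement point in use and enable it by id.
$target = $ecs | Where-Object { $_.Name -match $EnforcementNamePattern } | Select-Object -First 1
if ($Enable -and $target) {
    netsh nap client set enforcement id=$($target.Id) admin=enable
    if ($LASTEXITCODE -ne 0) { throw "enabling enforcement client $($target.Id) failed" }
    "enabled $($target.Name)"
} elseif (-not $target) {
    Write-Warning "no enforcement client matches '$EnforcementNamePattern'"
}
```

A client whose matching enforcement client is not initialized never presents a health state in step 1; NPS then treats it under the non-NAP-capable rule, which is why this is the first thing to check when a machine lands in the restricted VLAN unexpectedly.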

Page 20: Network Access Protection

Page 21: Windows Deployment Services

• Support for deploying Windows (all versions)

• Boots WinPE over PXE

• Uses the Windows Imaging (WIM) file format

• Extensible

• Granular image management

• Longhorn Server specifics

– Multicast

– TFTP download performance enhancements

– EFI x64 network boot support
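The security side of "boots WinPE over PXE", as an added example that is not from the deck: PXE answers whichever client broadcasts on the subnet and the WinPE download runs over TFTP, which authenticates nobody, so the server should either answer only pre-staged clients or hold unknown ones for an administrator. The script wraps wdsutil.exe, the Windows Server 2008 WDS command-line tool, to apply one of those two policies, require a keypress before a network boot proceeds, list clients waiting for approval, and start a multicast transmission for an install image. Assumptions: WDS role installed and initialized; run elevated; the wdsutil option names are as documented for Windows Server 2008; the image name is a placeholder.

```powershell
# Added example, not from the slide deck: harden the PXE answer policy and set up a
# multicast transmission with wdsutil.exe. Assumptions: WDS role initialized, elevated.
param([ValidateSet('Known', 'Approval')][string]$Policy = 'Approval',
      [string]$ImageName = 'Windows Server 2008')

function Invoke-WdsUtil {
    # wdsutil signals failure only through its exit code; make every call fail loudly.
    wdsutil $args
    if ($LASTEXITCODE -ne 0) { throw "wdsutil $args failed with exit code $LASTEXITCODE" }
}

switch ($Policy) {
    'Known' {
        # Answer only clients whose computer account was pre-staged with their GUID/MAC.
        Invoke-WdsUtil /Set-Server /AnswerClients:Known
    }
    'Approval' {
        # Answer everyone, but unknown clients sit in the pending queue until approved.
        Invoke-WdsUtil /Set-Server /AnswerClients:All
        Invoke-WdsUtil /Set-Server /AutoAddPolicy /Policy:AdminApproval
    }
}

# Require F12 before a known or new client is actually PXE-booted, so a server whose
# boot order happens to put the network first is not silently reimaged.
Invoke-WdsUtil /Set-Server /PxePromptPolicy /Known:OptIn /New:OptIn

# Verify the configuration and show who is waiting for approval.
Invoke-WdsUtil /Get-Server /Show:Config
Invoke-WdsUtil /Get-AutoAddDevices /DeviceType:PendingDevices

# Longhorn-specific: one multicast stream for the install image instead of a unicast copy
# per client. AutoCast starts when the first client joins and lets later clients catch up.
Invoke-WdsUtil /New-MulticastTransmission /FriendlyName:"$ImageName multicast" /Image:"$ImageName" /ImageType:Install /TransmissionType:AutoCast
```

Approving a pending client is `wdsutil /Approve-AutoAddDevices /RequestId:<id>`; the id comes from the pending-devices listing the script prints, which is the review step the approval policy exists to force.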

Page 22: Windows Deployment Services

Page 23: Terminal Services Gateway

Diagram: three zones, Internet | Perimeter network | Corp LAN, separated by an External Firewall and an Internal Firewall.

• Remote clients on the Internet (Home, Business partner / client site, Roaming wireless, Hotel) tunnel RDP over HTTPS to the Terminal Services Gateway Server in the perimeter network, which also hosts an E-mail Server in the diagram.

• The Terminal Services Gateway Server strips off the HTTPS wrapper and passes the RDP/SSL traffic through the internal firewall to the Terminal Server on the corp LAN.
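The client side of the diagram, as an added example that is not from the deck. The session is RDP inside an HTTPS tunnel to the TS Gateway, so the client's check of the gateway's certificate is what keeps an interposed host out of that tunnel. The script performs the check the way the Remote Desktop client does (chain builds to a trusted root, name matches, not expired) using .NET's SslStream, prints the certificate, and then writes an .rdp file that forces the connection through the gateway and refuses to connect when server authentication fails. Assumptions: PowerShell 2.0 or later; the host names are placeholders; the .rdp keys used are the standard gatewayhostname, gatewayusagemethod, gatewaycredentialssource and authentication level settings.

```powershell
# Added example, not from the slide deck: verify the TS Gateway's HTTPS certificate and
# write an .rdp file that always uses the gateway. Assumptions: PowerShell 2.0+, placeholder names.
param([string]$Gateway = 'tsg.corp.example',
      [string]$TerminalServer = 'ts01.corp.example',
      [string]$RdpPath = "$env:USERPROFILE\Desktop\$TerminalServer.rdp")

function Test-GatewayCertificate {
    # Returns the certificate when the gateway presents one the local machine trusts for
    # $Gateway; otherwise AuthenticateAsClient throws, as the RDP client would refuse.
    param([string]$Gateway, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Gateway, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Gateway)    # validates chain and host name, throws on failure
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }
}

$cert = Test-GatewayCertificate $Gateway
"Gateway certificate: {0}; issued by {1}; valid until {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'gateway certificate expires within 30 days' }

# .rdp settings: always use the gateway (1), password credentials to the gateway (0), take the
# gateway settings from this file (1), ask for credentials once, and do not connect if
# server authentication fails (1; 2 would only warn, 0 would connect anyway).
@"
full address:s:$TerminalServer
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
authentication level:i:1
"@ | Set-Content -Path $RdpPath -Encoding Unicode
"wrote $RdpPath; open it with mstsc.exe"
```

Distributing the .rdp file rather than instructions is what makes `authentication level:i:1` stick: a user who types the gateway name into mstsc by hand gets the default warn-and-continue behaviour instead.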

Page 24: Terminal Services Remote Programs

• Terminal Services Gateway Server

• Remote Desktop client required

Page 25: Using Terminal Services

Page 26: Group Policy

• Comments

– Enable per-GPO and per-setting comments

• Search/Filter: locate settings based on

– Text search of setting title, explain text and comments

– Platform and applications “supported on”

– Managed (true GP policy setting)

– Configured (enabled or disabled)

– The result of a search is a filtered GPedit view

Page 27: Group Policy

• Starter GPOs

– Encapsulation of best practices/scenarios

– Will contain recommended Policy settings and values

– Microsoft will ship some initial scenario-based templates

– Anyone can create and share new custom templates

– Create new GPOs based on a template

– GPMC will provide ‘Template management’ support

• RODC

– Has no impact on Group Policy: it is still replicated to the RODC
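The search/filter on the previous slide lives in the GPedit GUI and looks at one GPO at a time; the following applies the same idea across every GPO in the domain, as an added example that is not from the deck. It uses the GPMC COM API (GPMgmt.GPM) installed with the Windows Server 2008 GPMC: each GPO's XML report is generated and every Administrative Template setting whose name, explain text or "supported on" text matches a pattern is listed with its GPO, scope and state. Assumptions: GPMC installed; run as a user who can read the GPOs; PowerShell 2.0 or later; the domain name and search pattern are placeholders.

```powershell
# Added example, not from the slide deck: search setting title, explain text and
# "supported on" across all GPOs via the GPMC COM API. Assumptions: GPMC installed,
# PowerShell 2.0+, placeholder domain and pattern.
param([string]$DomainName = 'corp.example', [string]$Pattern = 'Remote Desktop')

$gpm    = New-Object -ComObject GPMgmt.GPM
$const  = $gpm.GetConstants()
$domain = $gpm.GetDomain($DomainName, '', $const.UseAnyDC)

function Get-ChildText {
    # Text of the child element with the given local name, or '' when the element is absent.
    param($Node, [string]$LocalName)
    $c = $Node.SelectSingleNode("*[local-name()='$LocalName']")
    if ($c) { $c.InnerText } else { '' }
}

function Find-GpoSetting {
    param([string]$Pattern)
    foreach ($gpo in $domain.SearchGPOs($gpm.CreateSearchCriteria())) {
        # The XML report is what the GPMC "Settings" tab renders; it carries every configured setting.
        $xml = [xml]$gpo.GenerateReport($const.ReportXML).Result
        # Settings sit under <Policy> elements in per-extension namespaces, so match by local name.
        foreach ($p in $xml.SelectNodes('//*[local-name()="Policy"]')) {
            $name    = Get-ChildText $p 'Name'
            $explain = Get-ChildText $p 'Explain'
            $supp    = Get-ChildText $p 'Supported'
            if (@($name, $explain, $supp) -match $Pattern) {
                if ($p.SelectSingleNode('ancestor::*[local-name()="Computer"]')) { $scope = 'Computer' } else { $scope = 'User' }
                New-Object PSObject -Property @{
                    GPO       = $gpo.DisplayName
                    Scope     = $scope
                    Setting   = $name
                    State     = Get-ChildText $p 'State'
                    Supported = $supp
                }
            }
        }
    }
}

Find-GpoSetting $Pattern | Sort-Object GPO, Setting | Format-Table GPO, Scope, Setting, State, Supported -AutoSize
```

Only settings that are configured appear in the report, so this answers "where is this setting enabled or disabled" rather than "does this setting exist", which is the question that matters when two GPOs contradict each other.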

Page 28: Read-Only Domain Controller

Main Office (writable DC) and Branch Office (RODC)

Features:

• Read-only Active Directory database

• Only allowed user passwords are stored on the RODC

• Unidirectional replication

• Role separation

Benefits:

• Increases security for remote domain controllers where physical security cannot be guaranteed

Supports: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

Page 29: How RODC Works

Branch: Read-Only DC. Hub: Windows Server 2008 DC.

1. User logs on and authenticates.

2. RODC looks in its database: “I don't have the user's secrets”.

3. RODC forwards the request to the Windows Server 2008 DC.

4. The Windows Server 2008 DC authenticates the request.

5. It returns the authentication response and TGT back to the RODC.

6. The RODC gives the TGT to the user, and the RODC will cache the credentials (for the accounts its policy allows).

Page 30: Read-only DC Mitigates “Stolen DC”

• Attacker Perspective

• Hub Admin Perspective
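The hub admin's perspective in concrete terms, as an added example that is not from the deck. What a stolen RODC exposes comes down to two lists that repadmin.exe (Windows Server 2008) reads from the RODC's computer object: who the Password Replication Policy allows to be cached, and whose secrets the RODC has actually revealed (cached) so far. The script prints both, flags any Domain Admin in the revealed list and any privileged group in the allow list, and ends with the set of accounts whose passwords must be reset if the box is lost. Assumptions: run as a domain admin with repadmin available; the RODC name is a placeholder; the line parsing follows repadmin's English output, which prints one distinguished name per line.

```powershell
# Added example, not from the slide deck: Password Replication Policy audit for one RODC.
# Assumptions: repadmin available, domain admin rights, English output, placeholder RODC name.
param([string]$Rodc = 'BR-RODC01')

function Get-PrpList {
    # "repadmin /prp view <rodc> <allow|deny|reveal|auth2>" prints one DN per line after a header.
    param([string]$Rodc, [string]$List)
    repadmin /prp view $Rodc $List | ForEach-Object { if ($_ -match '^\s*(CN=.+)$') { $matches[1].Trim() } }
}

function Get-DomainAdminMembers {
    # Direct members of Domain Admins as DNs, via ADSI (Server 2008 has no AD PowerShell module).
    $dn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    @(([ADSI]"LDAP://CN=Domain Admins,CN=Users,$dn").member)
}

$admins   = Get-DomainAdminMembers
$allowed  = @(Get-PrpList $Rodc allow)
$revealed = @(Get-PrpList $Rodc reveal)

"Allowed to be cached on ${Rodc}: $($allowed.Count) entries"
"Secrets already revealed to ${Rodc}: $($revealed.Count) accounts"

# A cached Domain Admin turns a stolen branch DC into a stolen forest.
foreach ($dn in $revealed) {
    if ($admins -contains $dn) { Write-Warning "Domain Admin cached on ${Rodc}: $dn" }
}
# The allow list usually holds groups; a privileged group here widens what may be cached later.
foreach ($dn in $allowed) {
    if ($dn -match '^CN=(Domain Admins|Enterprise Admins|Administrators),') {
        Write-Warning "privileged group in the allow list of ${Rodc}: $dn"
    }
}
# If the RODC is stolen, this is the list of accounts whose passwords must be reset.
$revealed
```

Run it periodically rather than after the theft: the revealed list only grows while the RODC is online, so the number you see is the blast radius you have already accepted.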

Page 31: Examining the RODC

Page 32: Session Summary

• Windows Server 2008 introduces RODC

• Server Core increases availability

• Many new GPO features

Page 33: Introducing: TechNet Plus Direct!

For more information, please visit: www.microsoft.com/technet/subscriptions

• All the benefits of TechNet Plus for 30% less

• TechNet Plus Direct subscribers receive…

• Online Benefits Portal – New!

• Immediate download access: software and betas – New!

• 2 free Professional Support Incidents

• Managed Newsgroups and Online Concierge

• The TechNet Library containing the KB, security updates, service packs, resource kits, and more

TechNet Plus Direct is available exclusively online without media shipments

Available Now!

Page 34: Where Else Can I Get Help?

• Live Events and Online webcast series

• Microsoft Professional Blogs Directory

• Chats, Newsgroups, Forums, and Virtual Labs

• Local Locator for Professional User Groups

www.microsoft.com/technet/community
