“Top 10 things you need to know”
Jeff Alexander | IT Pro Evangelist | Microsoft Australia
http://blogs.technet.com/jeffa36
The Top 10
• Server Role Management
• IIS 7.0 Features
• Windows Powershell
• Server Core
• Virtualization
• New Security Features
• Windows Deployment Services
• Terminal Services
• Group Policy
• Read Only Domain Controller
Windows Server 2003:
• Windows Server 2003 setup
• Post-Setup security updates
• Manage your server
• Configure your server wizard
• Add/Remove Windows components
• Computer Management
• Security Configuration Wizard
Windows Server “Longhorn”:
• Operating system setup
• Initial Configuration Tasks
• Server Manager
Server roles streamline management
Windows Server Setup Phases
• Administrator password
• Network IP address
• Domain membership
• Computer name
• Windows Updates
• Windows Firewall
Initial Configuration Tasks
What Works Differently
Server Manager Console: Modifying Roles and Features
Internet Information Services (IIS) 7.0
More than a Web server, Internet Information Services 7.0 provides an accessible, extensible platform for developing and reliably hosting Web applications and services.
IIS 7.0 Enhancements
• Modular Architecture
• Manageable
• Built-in Request Tracing
• Extensible Design
• Integrated with .NET
New IIS 7.0 Features
• Create Streamlined Servers: Reduced Attack Surface
• Extend/Modify IIS Features
• Rapid Application Deployment
• Fast Diagnostics
Windows PowerShell
New interactive shell and scripting language
Based on and takes advantage of .NET features
Current tools will still work
Current automation will still work
Windows PowerShell Resources
• Hundreds of Scripts
– TechNet ScriptCenter
– Exchange Server 2007
– Terminal Server
– WMI, Registry, Hardware, etc.
– Community-Submitted scripts
– MyITForum.com
• Books & Training Materials
– Manning Publications
– O’Reilly Media
– Sapien Press & others…
• Community Support
– MS MVPs
– PowerShell Team Blog
– Active Newsgroup
– Channel 9: DFO Show
– IIS.net
Windows PowerShell
• Minimal installation option
• Low surface area
• Command line interface
• Limited set of server roles
Server Core Server Roles (diagram, for example only):
• Server Core: Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems; roles: DNS, DHCP, File, AD
• Server: with WinFx, Shell, Tools, etc.; roles: TS, IAS, Web Server, SharePoint, etc.
• The full server additionally carries GUI, CLR, Shell, IE, Media, OE, etc.
Windows Server Core
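The Initial Configuration Tasks listed under “Windows Server Setup Phases” (administrator password, IP address, domain membership, computer name, Windows Updates, Windows Firewall) and the role-install step that Server Manager fronts can all be scripted. The following is an added example, not code from the deck or from Microsoft: it assumes a freshly installed Windows Server 2008 full installation with PowerShell 2.0 or later and an elevated session, and every name in it (SRV-BR01, corp.example.com, the 10.20.30.0/24 addresses, the joinacct account, the interface alias) is a placeholder. On a Server Core installation of this release there is no PowerShell, but the same netsh and net commands are typed at cmd.exe, the Windows Update setting is made with cscript scregedit.wsf /AU 4, installed roles are listed with oclist, and a role is added with start /w ocsetup <RoleName> (for example DNS-Server-Core-Role).

```powershell
# Added example (not from the slide deck): scripted Initial Configuration Tasks for a
# freshly installed Windows Server 2008 full installation. Run elevated, PowerShell 2.0+.
# Every name/address below is an assumed placeholder.

$NewName   = "SRV-BR01"                 # assumed computer name
$Domain    = "corp.example.com"         # assumed domain
$Nic       = "Local Area Connection"    # default interface alias on Server 2008
$Address   = "10.20.30.40"
$Mask      = "255.255.255.0"
$Gateway   = "10.20.30.1"
$DnsServer = "10.20.30.10"

# 1. Administrator password: prompt for it rather than embedding it in a script.
net user Administrator *

# 2. Static IP address and DNS client settings (netsh is the tool on both full and Core).
netsh interface ipv4 set address name="$Nic" source=static address=$Address mask=$Mask gateway=$Gateway
netsh interface ipv4 set dnsservers name="$Nic" source=static address=$DnsServer register=primary

# 3/4. Domain membership first, then the rename with domain credentials (which renames the
#      computer account as well), so a single reboot covers both changes.
$cs    = Get-WmiObject Win32_ComputerSystem
$cred  = Get-Credential "$Domain\joinacct"            # account allowed to create computer objects
$plain = $cred.GetNetworkCredential().Password
$r = $cs.JoinDomainOrWorkgroup($Domain, $plain, $cred.UserName, $null, 3)   # 3 = join and create account
if ($r.ReturnValue -ne 0) { throw "Domain join failed, Win32 error $($r.ReturnValue)" }
$r = $cs.Rename($NewName, $plain, $cred.UserName)
if ($r.ReturnValue -ne 0) { throw "Rename failed, Win32 error $($r.ReturnValue)" }

# 5. Windows Updates: the policy values behind "auto download and schedule the install"
#    (AUOptions 4), the same keys that scregedit.wsf /AU 4 writes on Server Core.
$auKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
if (-not (Test-Path $auKey)) { New-Item $auKey -Force | Out-Null }
Set-ItemProperty $auKey -Name AUOptions    -Value 4 -Type DWord
Set-ItemProperty $auKey -Name NoAutoUpdate -Value 0 -Type DWord
net stop wuauserv; net start wuauserv

# 6. Windows Firewall: on for every profile, inbound blocked by default, and the built-in
#    Remote Administration rule group enabled only for the hub management subnet.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes remoteip=10.20.30.0/24

# Roles: install only what this server needs. servermanagercmd.exe is the Server 2008
# command-line front end to Server Manager; installed items are marked [X] in -query output.
servermanagercmd.exe -query | Select-String '^\s*\[X\]'
servermanagercmd.exe -install DNS

# Verify before rebooting: what the OS itself reports for domain membership and firewall state.
$cs = Get-WmiObject Win32_ComputerSystem
"{0}: PartOfDomain={1} Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain
netsh advfirewall show allprofiles state
Restart-Computer -Confirm
```

The order matters: JoinDomainOrWorkgroup uses the machine's current name, so joining before renaming keeps the computer account and the host name in step after the one reboot. The firewall step deliberately narrows the Remote Administration group to the hub subnet instead of enabling it for any address; a branch server is exactly the case the deck has in mind for limited physical control.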
Windows Virtualization
Virtualization Platform and Management
• Management tools
• VM 1 “Parent”, VM 2 “Child” (and further child VMs)
Windows Virtualization Architecture (diagram)
• Parent Partition: Virtualization Stack (VM Service, VM Worker Processes, WMI Provider), Virtualization Service Providers (VSPs), Windows Kernel on Server Core, IHV Drivers
• Child Partitions: Applications, Windows Kernel with Enlightenments, Virtualization Service Clients (VSCs)
• VMBus links VSPs in the parent to VSCs in the children; all partitions run on the Windows hypervisor on “Designed for Windows” Server Hardware
• Provided by: Windows, ISV, OEM
Windows Virtualization
Windows Server 2008 Hardening
Windows Services Hardening (slide table)
Windows XP SP2/Server 2003 R2: services run as LocalSystem, Network Service or Local Service, with no further restriction.
Windows Vista/Server 2008: the same accounts, each combined with a per-service restriction level:
• LocalSystem (unrestricted)
• LocalSystem, Firewall Restricted
• Network Service, Network Restricted
• Local Service, No Network Access
• Network Service, Fully Restricted
• Local Service, Fully Restricted
Service isolation (diagram):
• Reduce size of high-risk layers
• Segment the services
• Increase number of layers
Layers shown: Kernel Drivers; User-mode Drivers; Service 1, Service 2, Service 3, …; Service A, Service B
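The per-service restriction levels in the table above are backed by a per-service SID and a write-restricted token in Vista/Server 2008, which the sc.exe tool exposes. The script below is an added example, not from the deck: it audits running services by account and SID type and shows the three hardening knobs (service SID type, privilege list, and a firewall rule scoped to the service). It also illustrates the PowerShell slide's point that existing tools keep working, since it drives sc.exe and netsh from PowerShell. It assumes Windows Server 2008 or later with PowerShell 2.0+, an elevated session, and a placeholder service called ExampleSvc listening on TCP 8443.

```powershell
# Added example (not from the slide deck): audit and harden Windows services using the
# per-service SID model of Vista/Server 2008. Note that in PowerShell "sc" alone is an alias
# for Set-Content, so the tool is called as sc.exe throughout.

function Get-ServiceSidType([string]$Name) {
    # sc.exe qsidtype prints a line "SERVICE_SID_TYPE:  UNRESTRICTED|RESTRICTED|NONE"
    $out = sc.exe qsidtype $Name 2>&1
    foreach ($line in $out) {
        if ($line -match 'SERVICE_SID_TYPE:\s*(\S+)') { return $matches[1] }
    }
    return 'UNKNOWN'
}

# Account each running service uses, and whether it has a per-service SID it can be ACLed by.
$report = Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.Name
            Account = $_.StartName
            SidType = Get-ServiceSidType $_.Name
        }
    }

# Same risk ordering as the slide: LocalSystem > Network Service > Local Service.
$report | Sort-Object Account, Name | Format-Table Name, Account, SidType -AutoSize

# Candidates for tightening: LocalSystem with no service SID, so nothing on an ACL or in a
# firewall rule can distinguish the service from SYSTEM itself.
$report | Where-Object { $_.Account -eq 'LocalSystem' -and $_.SidType -eq 'NONE' } |
    ForEach-Object { "Review: $($_.Name) runs as LocalSystem with SERVICE_SID_TYPE NONE" }

# Hardening a placeholder service 'ExampleSvc':
$svc = 'ExampleSvc'
# 1. Write-restricted token: the service SID is added as a restricting SID, so the service
#    can only write to objects that explicitly grant NT SERVICE\ExampleSvc write access.
sc.exe sidtype $svc restricted
# 2. Privileges: keep only what the service needs (privileges are separated with '/').
sc.exe privs $svc SeChangeNotifyPrivilege
# 3. Firewall restricted: an inbound rule that applies to this service only, not to every
#    process running under the same account.
netsh advfirewall firewall add rule name="$svc inbound" dir=in action=allow service=$svc protocol=TCP localport=8443
# The new SID type and privilege list take effect at the next start of the service.
sc.exe stop $svc
sc.exe start $svc
Get-ServiceSidType $svc
```

Treat the restricted SID type as something to test rather than apply blindly: with a write-restricted token the service loses write access to every object that does not grant it to the service SID, to Everyone, or to the WRITE RESTRICTED SID, so a service that writes logs or registry keys in locations it was never granted explicitly will start failing. sc.exe qsidtype and sc.exe qprivs show the resulting configuration.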
BitLocker™ Drive Encryption
• Group Policy allows central encryption policy and provides Branch Office protection
• Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System
• Uses a v1.2 TPM or USB flash drive for key storage
• Diagram labels: Full Volume Encryption Key (FVEK); Encryption Policy
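The slide's threat model is a server (or its disk) that leaves the building. Whether BitLocker actually defends against that depends on protection being on and on the FVEK being sealed to a TPM or a USB startup key rather than only to material on the disk. The script below is an added example, not from the deck or from Microsoft: it reads the TPM and volume-encryption WMI providers that ship with Windows Server 2008 once the BitLocker feature is installed, and flags volumes that are unprotected, have no TPM or external-key protector, or lack a recovery password to escrow. It assumes an elevated PowerShell 2.0+ session on such a server.

```powershell
# Added example (not from the slide deck): report BitLocker state per volume through the
# Win32_Tpm and Win32_EncryptableVolume WMI classes. Run elevated on Windows Server 2008+
# with the BitLocker feature installed.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return "no TPM available: only USB startup-key or recovery protectors are possible" }
    # Each WMI method returns an object whose property carries the out-parameter.
    "TPM spec {0}: enabled={1} activated={2} owned={3}" -f $tpm.SpecVersion,
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
}

# Protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPM+PIN';
                     5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase' }

function Get-VolumeProtection {
    Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume |
    ForEach-Object {
        $vol    = $_
        $status = $vol.GetProtectionStatus().ProtectionStatus     # 0 = off, 1 = on, 2 = unknown
        $ids    = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = all protector types
        $types  = @()
        foreach ($id in $ids) {
            $types += $protectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }
        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protected  = ($status -eq 1)
            Protectors = ($types -join ',')
        }
    }
}

Get-TpmState
$vols = @(Get-VolumeProtection)
$vols | Format-Table Drive, Protected, Protectors -AutoSize

# A volume only defends against the "stolen server" case if protection is on AND the FVEK is
# sealed to something that is not on the disk (TPM or startup key). A recovery password that
# is escrowed elsewhere (Active Directory via Group Policy) keeps a lost key from being a lost server.
foreach ($v in $vols) {
    if (-not $v.Protected) {
        "WARNING: $($v.Drive) is not protected"
    } elseif ($v.Protectors -notmatch 'TPM|ExternalKey') {
        "WARNING: $($v.Drive) has no TPM or startup-key protector (only: $($v.Protectors))"
    } elseif ($v.Protectors -notmatch 'NumericalPassword') {
        "NOTE: $($v.Drive) has no recovery password protector to escrow"
    }
}
```

On Server 2008 the same state is shown by cscript manage-bde.wsf -status, and encryption of the OS volume with a TPM protector plus an escrowable recovery password is turned on with cscript manage-bde.wsf -on C: -rp; the WMI route is useful when the check has to run across a fleet from one script.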
Network Access Protection
What is Network Access Protection?
• Health Policy Validation
• Health Policy Compliance
• Ability to Provide Limited Access
• Enhanced Security
• Increased Business Value
• Cisco and Microsoft Integration Story
Diagram components: Windows Client; DHCP, VPN, Switch/Router as enforcement points; Network Policy Server (NPS); Policy Servers such as Patch, AV; Remediation (Fix Up) Servers, example: Patch; Restricted Network; Corporate Network; client states: Policy compliant / Not policy compliant.
Using Network Access Protection
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat steps 1 to 4)
5. If policy compliant, client is granted full access to corporate network
Network Access Protection
Windows Deployment Services
• Support for deploying Windows (all versions)
• Boots WinPE over PXE
• Use Windows Imaging (WIM) file format
• Extensible
• Granular Images Management
• Longhorn Server Specifics
– Multicast
– TFTP download performance enhancements
– EFI x64 network boot support
Windows Deployment Services
Terminal Services Gateway
Diagram: Internet | Perimeter network (External Firewall, Terminal Services Gateway Server, Internal Firewall) | Corp LAN (Terminal Server, E-mail Server)
Remote clients: Home, Hotel, Business partner / client site, Roaming wireless (Remote Desktop client required)
• Client tunnels RDP over HTTPS to the Terminal Services Gateway Server
• Gateway strips off the HTTPS; RDP/SSL traffic is passed to the Terminal Server
Terminal Services Remote Programs
Diagram: Terminal Services Gateway Server; Remote Desktop client required
Using Terminal Services
Group Policy
• Comments
– Enable per GPO and per setting comments
• Search/Filter – locate settings based on
– Text search of setting title, explain text and comments
– Platform and applications “supported on”
– Managed (true GP policy setting)
– Configured (enabled or disabled)
– Result of the search is a filtered GPedit view
Group Policy
• Starter GPOs
– Encapsulation of best practices/scenarios
– Will contain recommended Policy settings and values
– Microsoft will ship some initial scenario-based templates
– Anyone can create and share new custom templates
– Create new GPOs based on a template
– GPMC will provide ‘Template management’ support
• RODC
– Has no impact on Group Policy – it is still replicated to the RODC
Read-Only Domain Controller
Diagram: Main Office (Hub DC) and Branch Office (Read Only DC)
Features
• Read Only Active Directory Database
• Only allowed user passwords are stored on RODC
• Unidirectional Replication
• Role Separation
Benefits
• Increases security for remote Domain Controllers where physical security cannot be guaranteed
Supports
• ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
RODC
How RODC Works
Diagram: Branch Read Only DC; Hub Windows Server 2008 DC
1. User logs on and authenticates
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards request to Windows Server 2008 DC
4. Windows Server 2008 DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and caches the credentials (only if the Password Replication Policy allows that account to be cached)
RODC
Read-only DC Mitigates “Stolen DC”
• Attacker Perspective / Hub Admin Perspective
Examining the RODC
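“Only allowed user passwords are stored on RODC” is enforced by the Password Replication Policy (PRP), and the “Stolen DC” slide's two perspectives come down to one question: which secrets does this RODC hold right now? The script below is an added example, not from the deck or from Microsoft: it uses repadmin /prp (the command shipped with Windows Server 2008 DCs) to list the allowed, denied and revealed sets for an RODC, compares the revealed set against accounts that should never sit on a branch box, and shows how to allow and pre-populate the branch's own users. RODC01, HUBDC01, the group names and the DNs are placeholders, and the line-parsing assumes repadmin prints principals as distinguished names one per line.

```powershell
# Added example (not from the slide deck): inspect an RODC's Password Replication Policy and
# the accounts whose secrets it actually caches. Run from a writable DC or an RSAT machine as
# a user who can read the RODC computer object. All names are assumed placeholders.

$Rodc = 'RODC01'

function Get-PrpEntries([string]$Rodc, [string]$List) {
    # $List: allow | deny | auth2 (accounts that authenticated via this RODC) | reveal (cached secrets)
    # Assumption: repadmin prints one distinguished name per entry after a header line.
    repadmin /prp view $Rodc $List 2>&1 |
        Where-Object { $_ -match '^\s*CN=' } |
        ForEach-Object { $_.Trim() }
}

"Allowed to be cached on $Rodc (explicit entries plus the Allowed RODC Password Replication Group):"
Get-PrpEntries $Rodc allow
"Denied (Domain Admins, Enterprise Admins, krbtgt and the other built-in admins are denied by default):"
Get-PrpEntries $Rodc deny

# Hub-admin perspective: the attacker who walks off with RODC01 gets exactly this set.
$revealed = @(Get-PrpEntries $Rodc reveal)
"$($revealed.Count) account secrets are cached on $Rodc; this is the blast radius of a stolen RODC:"
$revealed

# Anything in that set that should never be on a branch box? Compare against a list you maintain.
$sensitive = @(                                   # assumed examples
    'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example,DC=com',
    'CN=helpdesk-admin,OU=Admins,DC=corp,DC=example,DC=com'
)
foreach ($dn in $revealed) {
    if ($sensitive -contains $dn) {
        "ALERT: $dn is cached on $Rodc. Add it to the denied list and reset its password."
        repadmin /prp add $Rodc deny $dn
    }
}

# Tightening: allow only the branch's own security group, then pre-populate its members from the
# hub DC so first logons do not depend on the WAN link and the cached set stays deliberate.
repadmin /prp add $Rodc allow 'CN=Branch01 Users,OU=Branch01,DC=corp,DC=example,DC=com'
repadmin /rodcpwdrepl $Rodc HUBDC01 'CN=Alice,OU=Branch01,DC=corp,DC=example,DC=com'
```

Adding an account to the denied list stops future caching but does not unlearn a secret the thief already holds, which is why the alert says to reset the password as well. When the RODC really has been stolen, deleting its computer object in Active Directory Users and Computers offers to reset the passwords of every account in the revealed list in one step.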
• Windows Server 2008 introduces RODC
• Server Core increases availability
• Many new GPO features
Session Summary
For more information, please visit: www.microsoft.com/technet/subscriptions
Introducing: TechNet Plus Direct!
• All the benefits of TechNet Plus for 30% less
• TechNet Plus Direct subscribers receive…
• Online Benefits Portal – New!
• Immediate download access: software and betas – New!
• 2 free Professional Support Incidents
• Managed Newsgroups and Online Concierge
• The TechNet Library containing the KB, security updates, service packs, resource kits, and more
TechNet Plus Direct is available exclusively online without media shipments
Available Now!
Where Else Can I Get Help?
• Live Events and Online webcast series
• Microsoft Professional Blogs Directory
• Chats, Newsgroups, Forums, and Virtual Labs
• Local Locator for Professional User Groups
www.microsoft.com/technet/community