Windows 2003 Technology: Volume Shadow Copy, Wireless Security

Page 1: Windows 2003 Technology
Volume Shadow Copy
Wireless Security

Page 2: Agenda
• Volume Shadow Copy Service
  • Need for Shadow Copy for Shared Folders
  • Technical overview
  • Client and Server installation demo
  • Requirements, Setup and Configuration
  • Best Practices and Real World data
• Wireless Security
  • Problem statement
  • WEP/WPA
  • Components
  • 802.1x
  • Windows 2003 Wireless
  • Deployment
• Q & A

Page 3: Windows 2003 Volume Shadow Copy Service (VSS)

Page 4: Why Shadow Copies For Shared Folders?
• In the real world, people make mistakes
  • Accidentally delete files
  • Accidentally overwrite important data
• Today’s answer: Restore from backup
  • BUT: Single-file restore from backup tape is expensive
  • Involves “IT” – time and money
• With Windows Server 2003, restore is done by the user w/o IT involvement
• Volume Shadow Copy Services (VSS)
  • Less end user “down time”
  • Better use of IT resources
  • Better TCO

Page 5: VSS Components
• Volume Shadow Copy Service Coordinator
• Requestors – Backup Apps
• Writers – Represent Apps (i.e., SQL, Exchange, AD, etc.)
  • Coordinate with backup applications
  • Differentiates VSS from competitors
• Providers
  • Hardware snapshots
  • In-box software shadow copy

Page 6: How Does It Work Together?

Page 7: Requestors
• Windows NT Backup was first user in Windows XP
• Backup ISVs – All major backup vendors are developing VSS-based solutions: Veritas, Legato, Computer Associates, EMC, Hewlett Packard, CommVault, IBM, Ultrabac, Aelita, Dantz, and others!

Page 8: VSS In Box Writers
• Active Directory
• Certificate Server
• Exchange
• Cluster Server
• DHCP Server
• Event Log
• Removable Storage
• Terminal Server
• Internet Information Server (IIS)
• WINS
• WMI
• COM+
• SFP
• Registry
• SQL/MSDE

Page 9: Shadow Copy Transport
• Multiple LUNs shadow copied at a single point-in-time with data consistency
• Diagram: a Storage Array holding the SQL DBs (1 TB) and SQL Logs (200 GB) LUNs, shown attached to the Production Server and again, as the transported shadow copy, on the Backup Server

Page 10: Shadow Copy Technology – Copy-On-Write
• Diagram: the Original Volume holds blocks 1 2 3 4 5 6. When Microsoft Word writes block 5, the Microsoft Software Shadow Copy Provider first copies the original block 5 into the Diff Area, so the Shadow Copy Client still reads the pre-write block 5 while the live volume carries the new one.
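The copy-on-write mechanism behind the diagram, as an added example in Python (this is a model written for this page, not Microsoft's VSS code). It shows why a shadow copy is free to take but costs diff-area space only as blocks are first overwritten, how an older copy finds its blocks by reading forward through newer copies, and why the number of retained copies "cannot be guaranteed" (page 16): when the diff area is full the oldest copy is discarded. Block contents, the six-block volume and the two-block diff area are constructed for illustration; the 64-copy ceiling and the 10% default allocation are the figures from the deck.

```python
"""Copy-on-write shadow copies, modelled in Python (added example; not
Microsoft's VSS code). Block contents and sizes are constructed."""
from collections import OrderedDict


class ShadowCopyVolume:
    """A volume of fixed-size blocks with copy-on-write shadow copies.

    Taking a shadow copy costs nothing up front. The first time a block is
    overwritten after a copy was taken, its pre-write contents are saved to
    the diff area; reading "through" a shadow copy returns saved blocks where
    they exist and live blocks otherwise. When the diff area is full the
    oldest shadow copy is discarded to make room, which is why the number of
    retained copies cannot be guaranteed.
    """

    def __init__(self, blocks, diff_area_blocks, max_copies=64):
        self.blocks = list(blocks)             # live data that applications read and write
        self.diff_capacity = diff_area_blocks  # diff-area budget in blocks (VSS default: 10% of the volume)
        self.max_copies = max_copies           # VSS keeps at most 64 shadow copies per volume
        self.copies = OrderedDict()            # copy_id -> {block_index: pre-write contents}, oldest first
        self._next_id = 1

    def diff_used(self):
        """Blocks currently held in the diff area across all shadow copies."""
        return sum(len(saved) for saved in self.copies.values())

    def _drop_oldest(self):
        """Free space the way VSS does: delete the oldest shadow copy outright."""
        self.copies.popitem(last=False)

    def create_shadow_copy(self):
        """Return the id of a new point-in-time copy; enforces the 64-copy limit."""
        if len(self.copies) >= self.max_copies:
            self._drop_oldest()
        cid = self._next_id
        self._next_id += 1
        self.copies[cid] = {}
        return cid

    def write(self, index, data):
        """Overwrite a live block, preserving the old contents on first touch."""
        if self.copies:
            newest = next(reversed(self.copies))
            if index not in self.copies[newest]:
                # One saved block serves every copy that still needs the old
                # contents: older copies find it by reading forward (see read_shadow).
                while self.copies and self.diff_used() >= self.diff_capacity:
                    self._drop_oldest()
                if self.copies:
                    self.copies[newest][index] = self.blocks[index]
        self.blocks[index] = data

    def read_shadow(self, cid, index):
        """Read a block as it was when shadow copy `cid` was taken."""
        if cid not in self.copies:
            raise KeyError(f"shadow copy {cid} was discarded")
        reached = False
        for other, saved in self.copies.items():   # oldest -> newest
            reached = reached or other == cid
            if reached and index in saved:
                return saved[index]
        return self.blocks[index]   # untouched since that copy: the live block is current

    def previous_versions(self, index):
        """What the client's Previous Versions tab would list for one block."""
        return [(cid, self.read_shadow(cid, index)) for cid in self.copies]


def demo():
    """Walk the slide's scenario with a deliberately tiny (2-block) diff area."""
    vol = ShadowCopyVolume(["1", "2", "3", "4", "5", "6"], diff_area_blocks=2)
    morning = vol.create_shadow_copy()   # 7 a.m. copy
    vol.write(4, "5'")                   # Word saves block 5: original "5" goes to the diff area
    noon = vol.create_shadow_copy()      # 12 p.m. copy
    vol.write(4, "5''")                  # second edit: "5'" is preserved for the noon copy
    result = {
        "live": vol.blocks[4],
        "morning": vol.read_shadow(morning, 4),
        "noon": vol.read_shadow(noon, 4),
        "diff_used": vol.diff_used(),
    }
    vol.write(1, "2'")                   # a third preserved block exceeds the 2-block diff area
    result["surviving_copies"] = list(vol.copies)
    result["versions_of_block_2"] = vol.previous_versions(1)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the morning copy returning the original block 5 and the noon copy returning the first edit, and then, after one more write, the morning copy gone: the diff area is sized in blocks here, but the same pressure is what the 10% default and the "dedicated disk" advice on pages 16 and 17 are managing.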

Page 11: Shadow Copies for Shared Folders

Page 12: Pre-Setup
• Is my hardware OK?
  • If you meet requirements for Windows Server 2003, you meet requirements for shadow copies
  • RAM, CPU are non-issues.
• Will it fill up my drives?
  • You control what to allocate
• Do I need to do anything to my existing data?
  • No. It just works!
• I use failover clusters. Will this work?
  • Yes.
• Do I need Active Directory?
  • No.

Page 13: Setup - Server
• If running Windows Server 2003
  • 4 clicks and setup is done!
• If running Win2k
  • Just upgrade the server to Windows Server 2003
  • No preparations required for upgrade for shadow copies
• Just need to be an admin on the server

Page 14: Setting Up Shadow Copies
demo

Page 15: Setup - Client
• Windows Server 2003
  • Works out of the box
• Windows XP
  • XP code is on the Windows Server 2003 CD: %windir%\system32\clients\twclient\x86\twcli32.msi
  • Also available as a web-download. External URL (This URL will be available after Windows Server 2003 release): http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx
• Windows 2000 (SP3 and above)
  • Available as a web-download
• Windows 98 (Second Edition)
  • Available as a web-download
• Windows NT4 and Windows ME not supported

Page 16: Default Configuration
• Disk Space
  • Minimum 100 MB dedicated to VSS.
  • Default – 10% of volume.
• Frequency
  • Default – twice a day (M-F)
  • Default – 7 a.m. and 12 p.m.
• Number of shadow copies
  • Cannot guarantee number.
  • Maximum possible – 64.
• Optimizations to the environment
  • Dedicated disk.
  • What times should I take shadow copies?

Page 17: Performance
• Copy-on-write incurs runtime cost.
  • 5% throughput hit on Netbench
• Lightly loaded server – No noticeable performance hit
• Heavily loaded server – Use a dedicated disk

Page 18: OTG Scenarios
• 40 Redmond File Servers (File Share/DFS)
• 20 My Docs (User Directories/Intellimirror Redirected)
• 10 IIS Web Servers
• 3 SQL Servers (SQL Dump Drive only)
• File Server Clustered SAN

Page 19: OTG Configuration
• All drives enabled for Shadow Copy except OS / C drive
  • C drive was constrained on space for page file
• Diff Area Allocation
  • 10% drive space allocation default
  • 1 GB increments if disk constrained (less than 10% free)
• Schedule
  • SC default (Twice daily 7am; 12pm)
  • Disk constrained (Once 7pm)

Page 20: Real World Metrics
Metrics for fifty 30 GB drives on standard 300 GB Windows Server 2003 file servers
• Shadow Copy Disk
  • Average shadow copy size 40 MB
• Used space for shadow copies
  • Average 2 GB in use per drive (3.1 max)
  • 102 GB used in Diff area / 542 GB content with 1.5 TB capacity
• % Disk used by Diff Area
  • Average 7% per disk used for Diff Area; Max 9%
  • Diff Area relationship to data 20%
• # of Shadow Copies
  • Average of 48.5; Min 4; Max 64
  • ~4+ weeks available for end users on average

Page 21: Self Service Restore
demo

Page 22: IT Restore vs. Shadow Copies

Metric                      Before Shadow Copies                After Shadow Copies
Number of Restore Requests  20 – 30 per month                   1 – 2 per month
Time                        3 – 7 days                          Seconds
Cost                        $300 per restore (+ time lost)      Cost of “unused” disk space
Escalations                 Multi-tiered                        No escalation required
View before Restore         Cannot view file before restoring   All versions available for viewing

Page 23: Client And IT Satisfaction
• End-user comments
  • “I have to say that is one of the coolest features I have ever seen! It worked flawlessly! Thanks!”
  • “Worked like a charm. You are my hero for the foreseeable future.”
• IT Praise
  • “Very Cool. We need to advertise this feature more.”
  • “This has got to be the best new feature in W2K3”
  • “I can’t believe how easy it was to setup”

Page 24: Trying it out
• What do I need to try it out for a pilot test?
  • A stand-alone Windows Server 2003 with shadow copies enabled
  • Multi-volume configuration
  • No need to deploy any client to get the benefits on the server

Page 25: VSS Summary
• Very easy to install and use
• Simple configuration
• Saves IT costs and time
• Minimal to no performance hit
• Doesn’t affect the enterprise backup strategy
• End-users love this feature!
• Win-win for everyone!

Page 26: Windows 2003 and 802.1x Secure Wireless Deployments

Page 27: Challenge of Wireless
• Impressions that wireless is insecure
  • Early implementations lacked security
  • WEP shared secret, MAC address filtering
  • Difficult to administer and manage
• Need to protect network integrity
  • Need to secure data
  • Prevent unauthorized network access
  • Must be able to trust an access point
  • Prevent credential theft
  • Security without excess complexity

Page 28: Secure Wireless with Windows 2003
Diagram of the components: Active Directory (Directory Enabled Networking), PKI (Effortless PKI Services), IAS (RADIUS) and Wireless (Secure 802.1x Wireless Support; password or certificate-based access). Callouts:
• PKI integrated with Active Directory
• Auto enrollment of certificates
• Integrated 802.1x Support
• Integrated EAP Security
• Checks for valid x509 certificate via RADIUS to AD
• PKI deployment optional
• Passwords can be used w/ trusted 3rd party cert.
• EAP/TLS and PEAP
• All connections are authenticated and secured

Page 29: Why use 802.1X?
• Eases manageability by centralizing
  • Authentication decisions
  • Authorization decisions
• Distributes keys for data encryption and integrity to the wireless client computer
• Minimizes Access Point cost by moving expensive authentication to AD
• Supports both WPA and WEP

Page 30: Why PEAP vs. EAP/TLS?
• Organizations may not be ready for PKI
  • Managing user certificates stored on computer hard drives has challenges
  • Some personnel might roam among computers
    • Smartcards solve this
  • Technical and sociological issues can delay or prevent deployment
• PEAP enables secure wireless now
  • Leverages existing domain credentials
  • Allows easy migration to certificates and smartcards later

Page 31: PEAP Security and Ease of Deployment Advantages
• PEAP is an open standard
• PEAP offers end-to-end negotiation protection.
• PEAP uses mutual authentication.
• PEAP offers highly secure keys for data encryption.
• PEAP does not require the deployment of a full PKI or client certificates.
• PEAP can be used efficiently with roaming wireless devices.
• User’s credentials are not exposed to brute force password attacks.

Page 32: Windows 2003 Wireless Security
• Native support for IEEE 802.1X
• Complete with all required infrastructure
  • IAS: RADIUS Server and Proxy
  • Windows Certificate Server: PKI
  • AD: User and Computer account and Certificate repository
  • Same infrastructure used w/ RAS dial-up and VPN authentication
• Native interop. w/ Windows XP Client (WinXP SP-1)
• Down-level client support (PPC2002, W2K, NT4, 9x)

Page 33: Windows 2003 Improvements
• Windows 2003 Active Directory
  • Auto certificate enrollment and renewal for machines and users
  • Performance enhancements when using certificate deployment
  • Group Policy support of wireless settings
• Internet Authentication Service
  • Enhanced logging
  • Allows easier deployment of multiple authentication types
  • Scaling up
    • Load balancing
    • RADIUS proxy
  • Configuration export and restore
  • Registering AP’s with RADIUS servers
    • Large number of AP’s in wireless deployment
    • Requires Server 2003 Enterprise Edition

Page 34: System Requirements
• Client: Windows XP service pack 1
• Server: Windows Server 2003 IAS
  • Internet Authentication Service—our RADIUS server
  • Certificate on IAS computer
• Backporting to Windows 2000
  • Client and IAS must have SP3
  • No zero-config support in the client
  • See KB article 313664
  • Supports only TLS and MS-CHAPv2
  • Future EAP methods in XP and 2003 might not be backported

Page 35: 802.1x Setup
1. Build Windows Server 2003 IAS server
2. Join to domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients
   Don’t forget to import CA root
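Step 5 (configure RADIUS logging) and the "enhanced logging" item on page 33 are only useful if someone reads the log. Below is an added example, written for this page rather than taken from Microsoft, of the first triage an operator would run over IAS authentication records: accepts per user, Access-Reject counts per client MAC (the Calling-Station-ID), and the access points seen. The field order is an assumption based on the leading columns of the IAS database-compatible log format and must be checked against the server's own output; the log lines themselves are constructed, and the reject threshold is a tunable chosen here for illustration.

```python
"""Triage of IAS (RADIUS) authentication log records (added example; not
Microsoft's code). The sample records below are constructed."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# RADIUS packet codes as they appear in the Packet-Type field (RFC 2865/2866).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request"}

# Assumed layout of the leading fields in the IAS database-compatible log
# format; confirm these positions against your own server's log before use.
FIELDS = ["computer", "service", "date", "time", "packet_type", "user",
          "fq_user", "called_station", "calling_station"]

# Constructed sample: one good logon (alice), three failed attempts from a
# single client MAC (bob), and one good logon through a second AP (carol).
SAMPLE_LOG = "\n".join([
    r'"IAS01","IAS",03/18/2003,08:01:02,1,"CONTOSO\alice","contoso.com/Users/alice","00-0A-B1-C2-D3-E4:corpwlan","00-11-22-33-44-55"',
    r'"IAS01","IAS",03/18/2003,08:01:02,2,"CONTOSO\alice","contoso.com/Users/alice","00-0A-B1-C2-D3-E4:corpwlan","00-11-22-33-44-55"',
    r'"IAS01","IAS",03/18/2003,08:05:40,1,"CONTOSO\bob","contoso.com/Users/bob","00-0A-B1-C2-D3-E4:corpwlan","00-66-77-88-99-AA"',
    r'"IAS01","IAS",03/18/2003,08:05:40,3,"CONTOSO\bob","contoso.com/Users/bob","00-0A-B1-C2-D3-E4:corpwlan","00-66-77-88-99-AA"',
    r'"IAS01","IAS",03/18/2003,08:06:02,1,"CONTOSO\bob","contoso.com/Users/bob","00-0A-B1-C2-D3-E4:corpwlan","00-66-77-88-99-AA"',
    r'"IAS01","IAS",03/18/2003,08:06:02,3,"CONTOSO\bob","contoso.com/Users/bob","00-0A-B1-C2-D3-E4:corpwlan","00-66-77-88-99-AA"',
    r'"IAS01","IAS",03/18/2003,08:06:31,1,"CONTOSO\bob","contoso.com/Users/bob","00-0A-B1-C2-D3-E4:corpwlan","00-66-77-88-99-AA"',
    r'"IAS01","IAS",03/18/2003,08:06:31,3,"CONTOSO\bob","contoso.com/Users/bob","00-0A-B1-C2-D3-E4:corpwlan","00-66-77-88-99-AA"',
    r'"IAS01","IAS",03/18/2003,08:09:15,1,"CONTOSO\carol","contoso.com/Users/carol","00-0A-B1-C2-D3-E5:corpwlan","00-BB-CC-DD-EE-FF"',
    r'"IAS01","IAS",03/18/2003,08:09:15,2,"CONTOSO\carol","contoso.com/Users/carol","00-0A-B1-C2-D3-E5:corpwlan","00-BB-CC-DD-EE-FF"',
])


def parse_ias_records(text):
    """Parse comma-separated IAS records into dicts keyed by FIELDS."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        rec = dict(zip(FIELDS, row))
        rec["packet_type"] = int(rec["packet_type"])
        records.append(rec)
    return records


def summarize(records, reject_threshold=3):
    """Accepts per user, rejects per client MAC, and MACs at or above the threshold.

    Repeated Access-Reject from one Calling-Station-ID is the pattern worth a
    second look: a mistyped password looks like one or two, not a steady stream.
    """
    accepts = Counter()
    rejects = Counter()
    users_seen = defaultdict(set)
    for rec in records:
        kind = PACKET_TYPES.get(rec["packet_type"])
        if kind == "Access-Accept":
            accepts[rec["user"]] += 1
        elif kind == "Access-Reject":
            mac = rec["calling_station"]
            rejects[mac] += 1
            users_seen[mac].add(rec["user"])
    flagged = {mac: sorted(users_seen[mac])
               for mac, n in rejects.items() if n >= reject_threshold}
    return {"accepts": dict(accepts), "rejects": dict(rejects), "flagged": flagged}


def aps_used(records):
    """Distinct access points (Called-Station-ID) that forwarded requests."""
    return sorted({rec["called_station"] for rec in records
                   if PACKET_TYPES.get(rec["packet_type"]) == "Access-Request"})


if __name__ == "__main__":
    recs = parse_ias_records(SAMPLE_LOG)
    print(summarize(recs))
    print(aps_used(recs))
```

The `aps_used` list is the cross-check against step 6: every Called-Station-ID that appears should belong to an access point you registered as a RADIUS client, which is what makes the "must be able to trust an access point" requirement on page 27 verifiable from the log rather than assumed.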

Page 36
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.