Yesterday the editor from the IT section at Amazon.com sent me some questions about the Windows Server 2008 Security Resource Kit. The answers will eventually go on the book detail page. The questions, particularly questions 3 - 6, were interesting and thought-provoking, so I thought I would post them here as well.

Question 1: The credentials of the contributors to Windows Server 2008 Security Resource Kit are quite impressive (six of the 12 are Microsoft MVPs, and the others are all either current or former product group employees at Microsoft). How important was it to assemble such a group for this title?

Answer 1: In my opinion, it was necessary. Server products are necessarily complex, and security, by its very nature, requires a very broad understanding of the product. Developing that understanding in a single person is possible, but very time consuming and still does not lead to the breadth of perspective that you find in a group of people. No single person can truly understand both what it is like to implement Active Directory in a 50,000 seat organization, and how to run a 50-seat small business network long-term, and neither of them is probably going to also be one of the world's foremost experts on implementing public key cryptography infrastructures. By putting together this world-wide team of experts (representing four countries on three continents) we were able to produce a resource that had far more depth and breadth of knowledge than would otherwise have been possible, and you get the expertise of 12 of the foremost experts on Windows Security in a single package.

Question 2: What extras are available on the Resource Kit CD?

Answer 2: First, you get a bonus chapter on Rights Management Services, as well as an electronic copy of the entire book. I am very excited about the electronic copy because it provides a searchable way to read the book. These types of books are always used as references and being able to search it is very valuable.

You also get some tools that may come in handy for managing servers. Scripting Guru Ed Wilson wrote some custom PowerShell scripts specifically for this book to manage user accounts and other security related aspects of your deployment. In addition, I wrote a couple of tools for the book. One is my password generator, which I first made available several years ago. It enables you to manage unique administrator account passwords and service account passwords on hundreds or thousands of servers on a network. I also included my elevation tools, which allow you to launch an elevated instance of Windows Explorer, as well as elevating any command you want from the command line. Having worked with User Account Control (UAC) daily for about two years I find that one of the biggest impediments to running under UAC is the multiple prompts you get when you perform many file operations. As an administrator, that is a very common task. Elevating Windows Explorer lets you do those operations with a single elevation prompt, and still leave UAC turned on.

Question 3: Comparing the two programs, what are some of the fundamental differences between Windows Server 2008 and Windows Server 2003?

Answer 3: To me, the biggest difference is the fact that while Windows Server 2003 was built under the security best practices of 2002, Windows Server 2008 incorporates all the secure development practices Microsoft learned in the five years since. The field of secure software development has progressed immensely between 2002 and 2007, and incorporating them will make Windows Server 2008 much more able to stand up to the threats we will see in the next five years. By the way, it is with a heavy heart that I say that, as I worked hard on security in Windows Server 2003, but it is true.

Apart from the engineering process, the first thing people will notice is the completely new management model in Windows Server 2008. Instead of installing a lot of separate components, you now deploy roles to the server. This makes a lot of sense because the roles are what you bought the server to fill. By implementing that metaphor in the management tools the risk for misconfiguration is greatly reduced.

The new kernel features are also very important and will make a big difference for many. First, the new virtualization features are fundamentally going to change how we build and run data centers. The improvements in security, reliability, and performance in the kernel features, such as thread scheduling, and in the networking features, such as the new network file system, also are going to be valuable to many.

Question 4: What do you feel is the biggest security oversight made by network admins?

Answer 4: Put a slightly different way, the area where I see the most room for improvement is in security posture management. Administrators are far too focused on vulnerabilities and on the types of "hardening" tweaks that were useful in the 1990s, when software shipped wide open by default. Today, those things are not nearly as important as it is to manage the security posture of your servers. Far too many administrators still believe in the perimeter and fail to recognize that just about every organizational network today is semi-hostile, at best. The biggest security oversight is not to analyze and manage the threats posed to servers by other actors on the network. The Security Resource Kit goes into depth in discussing what I refer to as Network Threat Modeling, as the analysis phase of Server and Domain Isolation – probably the most powerful security tool in the arsenal today. Yet, the proportion of networks that use these tools is infinitesimal.

Question 5: What are your thoughts on the constant hype surrounding potential security flaws in Vista?

Answer 5: As I have written elsewhere (http://msinfluentials.com/blogs/jesper/archive/2008/01/24/do-vista-users-need-fewer-patches-than-xp-users.aspx) I fail to see any data backing up the argument. Certainly, there have been flaws in Vista – and anyone who expected it to be flawless was unrealistic – but the improvements are tremendous over Windows XP. Windows Vista has about half as many critical problems as Windows XP in the same time-frame. I'm not sure that it would have been reasonable to expect it to perform much better than that given how large and complex modern software is and how fast the security landscape is moving.

Therefore, I have to think that the reasons for the hype are something other than data. The popular press seems to operate on the assumption that complaining about Microsoft generates advertising revenue, and they are probably correct. The fact of the matter today is that a significant portion of the software industry, specifically the security portion, has built its business almost exclusively on selling software that purports to protect Microsoft's customers from Microsoft's screw-ups. It is simply terrifying to it, and a grave threat to its business model, that Microsoft should actually manage to produce software, and particularly operating systems, that are so secure they do not need most of the products that portion of the industry sells. The popular press, being a largely advertising funded business, has happily latched on to this perception and boosted the unsubstantiated claims of Windows Vista's vulnerability to the benefit of their major advertisers. It is truly a sick eco-system that harms the customer in both the short and long term.

The threats today, as I mentioned above, are trending toward the types of things that the security software industry cannot protect against. The new threats are against people, and the focus needs to shift to helping people make better security decisions and take responsibility for their own actions. Unfortunately, the current unsubstantiated hype about Windows Vista is not about protecting customers, it is about selling unnecessary security software and inculcating users and IT managers alike in the belief that they must buy third party software to run Windows safely; a belief that, with a few notable exceptions, such as anti-virus software, is falsified by the data. In fact, the hype has even led to a huge growth industry in malicious, fake, security software. I have seen a lot of people lured by the hype into buying security software that is not security software at all, but simply malware in disguise. The average consumer, inundated with hype, is unable to make out what to really believe. This sick ecosystem is harmful and the press and the pundits are not helping, but only increasing the hype.

Question 6: In your opinion, which network faces the biggest security risks today: the small office with multiple power users or large corporation with a large LUA base?

Answer 6: The unmanaged networks. I have seen very well managed and very secure networks in both small and large organizations, and I have seen poorly managed and very insecure networks in both as well. It is not really a matter of size but of how much time and effort is put into the security aspects of it.

One of the largest weaknesses seems to be training. Security today is about end-points. The attacks against people are far more prevalent than those against technology and vulnerabilities. We need to, as an industry, understand how to push the security out to the assets that we are trying to protect. In the past we have centralized security because it was a way to centralize management of security. The challenge now is to de-centralize security, while still permitting centralized management. This is a non-trivial task, but it must be done.

As a starting point, I dare every IT manager to start analyzing the risks to his or her network, and specifically, what it is they want the network to be used for. Once you understand what it is you want the network to provide you have a chance to work on making it provide that and nothing else. To me, that is the most important thing we can do. A properly staffed IT group, with adequate training and resources to train its users, an organizational mandate to protect the organization's assets, and a keen understanding of the business they serve will build a network that is adequately secured regardless of the size of the network. Windows Server 2008 certainly provides some very powerful technologies to help you manage security in your network, but while that is a necessary component, it is insufficient by itself. At a very base level, it is about the people and the processes you have, more than about the technology. Technology will help, but it is just a tool that your people will implement using a process that helps or hurts.

Posted by jesper, filed under Window Server 2008. Date: February 28, 2008, 12:08 pm

Microsoft released a document today with some SQL Server 2008 benchmarks. I found this sentence very interesting:

The result demonstrates the scale-up capabilities of SQL Server 2008 on HP Integrity. The 10TB benchmark is so demanding that only six other results have been published in the nine-year history of TPC-H.

More information on the results is available at http://www.microsoft.com/presspass/events/HHHlaunch/docs/BenchmarkFS.doc


Posted by Denis Gobo, filed under SQL, SQL 2008, Window Server 2008. Date: February 27, 2008, 4:11 pm

After what seems like years of planning (oh wait, hang on, it has been years of planning), the Heroes Happen Here launch is underway at the Nokia Theater here in Los Angeles. We have been saying that this is the biggest event for IT professionals and developers that Microsoft has ever hosted, and it certainly seems that way. There is a huge crowd here and this morning the lines snaked all around the LA Convention Center and our registration booths were inundated with customers and partners trying to be part of this historic day.

Of course, today is the day we launch Windows Server 2008, SQL Server 2008, and Visual Studio 2008, but more importantly, today is the day we celebrate all the individuals around the world who go the extra mile and put in the extra effort in their daily lives to make I.T. work for the masses. You know them. In fact, you're one yourself - Heroes.

We've just been treated to a wonderful opening speech by Tom Brokaw, of NBC Nightly News, and now Steve Ballmer is describing the move towards Dynamic IT, and how these new products can help customers to really take best advantage of their IT resources and make their infrastructure and solutions more agile and more impactful. These products have been developed with more customer involvement and input than any other release we've ever had, and it shows. For example, Windows Server 2008 is our most tested server release ever, with over 3,000,000 copies downloaded and distributed throughout the world since our first public release at Beta 3. We've had customers in Technology Adoption Programs, Technical Beta programs, Rapid Deployment Programs, Go Live programs, and of course, IT professionals and developers have been treated to Community Technology Preview releases through MSDN and TechNet over the course of the development cycle.

All of this input has helped us to polish highly-regarded and well-reviewed features such as Server Core, IIS 7.0, Network Access Protection, Terminal Services RemoteApp, Hyper-V, Windows PowerShell, Failover Clustering, Server Manager and more. Even if you couldn't make it to LA yourself, or if you haven't been able to register for one of the other 200+ launch events around the world, check out the Virtual Launch Experience online for an incredibly rich and interactive experience that is almost as good as being here.

I'll post further updates later today on some of the launch announcements and cool things that are happening here. In the meantime, you can read our full launch press release on the Server and Tools Business News Bytes blog, and you can read more detail on these announcements on the following blogs:

UPDATE: Microsoft CEO Steve Ballmer announces the launch of Windows Server 2008, Visual Studio 2008 and SQL Server 2008 with 4,000 customers and partners in Los Angeles. Watch the keynote here.

Couple more videos for you:

Watch: Jim DuBois, General Manager of Information Security & Infrastructure Services for Microsoft IT, highlights the internal Microsoft deployment of Windows Server 2008, SQL Server 2008 and Visual Studio 2008.

Watch: Microsoft CEO Steve Ballmer talks with Al Gillen, system software research VP at IDC, about what the launch means for business customers and industry partners.

David Lowe.

Posted by WindowsServer, filed under Window Server 2008. Date: February 27, 2008, 12:29 pm

As we ramp up for the largest enterprise launch in Microsoft history, Windows Server 2008, SQL Server 2008 and Visual Studio 2008, this is a great time to share some additional big news. In August of 2007, when Microsoft and Cisco made an announcement that we were committed to working together, there was already some tangible work on interoperability between our companies, including NAC/NAP integration and several interoperability initiatives with our respective unified communications products.  Today, we are announcing that we are expanding our collaboration into the branch office market. Microsoft and Cisco are announcing that Cisco will offer Windows Server 2008 as part of their Wide Area Application Services (WAAS) appliances. Let’s start by looking at what Cisco WAAS is and then we’ll look at how Windows Server 2008 fits in.

Cisco WAAS: Cisco Wide Area Application Services (WAAS) is a WAN optimization solution that improves the performance of TCP-based applications operating in a WAN environment. The basic idea is to accelerate access to servers and applications that have been centralized into corporate data centers. This provides LAN-like application performance for branch office users while taking advantage of the IT infrastructure simplification that comes from centralization. This certainly sounds like a win-win situation for customers, but we need to look a little deeper to understand why Cisco and Microsoft decided this was the next major area of collaboration for our companies.

Base IT Services: When you centralize servers you quickly find out that there are some critical services that branch users and IT pros alike depend on. There are services like DHCP and DNS, that are required for just about everything, and then there is the “little” matter of managing printers, print queues and print driver distribution in the branch. And finally, users need to authenticate, process login scripts, and apply appropriate policies to connect to corporate resources – most often through Microsoft Active Directory®. All of this infrastructure is provided by Windows Server for many Microsoft and Cisco customers. Customers have been talking with us about continuing to provide these services in the branch – even if they want to centralize everything else – and eliminate the need to deploy multiple physical devices into each branch office.

Windows Server 2008 on WAAS – here is where the announcement comes in and the technologies come together:

With features such as Read-Only Domain Controller, BitLocker Drive Encryption, Server Core, and network protocol improvements, Windows Server 2008 is a great platform for the branch office. And now, through a virtualization component that Cisco will be embedding in their WAAS appliances, Cisco will offer Windows Server 2008 as part of their WAN optimization solution. This means that IT can offer all of the performance and availability benefits of having base IT services in the branch office without the need for extra hardware. In fact, deployment is all centrally managed, entirely through software!

And in order to make sure that this is a solution that our customers can depend on, both Cisco and Microsoft will be validating the resulting architecture, providing deployment guidance, and most importantly, providing integrated support. That is why we are so excited about this announcement – this is more than just a high-level commitment to cooperate, it’s about delivering real IT solutions that work well together across software and networks. Enterprise customers tell us that it is great to see Cisco and Microsoft working together like this. We would love to hear what you think, so let us know how you see solutions like this fitting into your branch infrastructure.

Adam J Skewgar
Group Product Manager, Branch & Storage Solutions

Posted by WindowsServer, filed under Window Server 2008. Date: February 26, 2008, 8:05 am

By Tom Henderson and Rand Dvorak, Network World Lab Alliance, Network World, 02/21/2008.

We tested Windows Server 2008 Enterprise Edition RTM on a switched Gigabit Ethernet D-Link network using primarily a Dell 1950 server equipped with a dual quad-core 1.6GHz CPU, 32GB of dynamic RAM, two Broadcom Gigabit Ethernet network interface cards connecting it to the network and a QLogic 2GB Fibre Channel card connecting it to our internal storage-area network.

To assess operating system compatibility, we also ran Windows Server 2008 on other servers including an HP585G2 with four, dual-core AMD Athlon 64 CPUs with 4GB of DRAM per card and Compaq NetIntelligent Gigabit Ethernet NICs; three Compaq DL-140 boxes (each with dual Intel Xeon CPUs running at 3GHz). The client machines used in testing included various HP and Apple workstations and notebooks running Windows XP SP2, Windows 2000 Professional, Apple 10.4.11 or 10.5.1.

We imported 100,000 users into the Active Directory using LDIFF, creating 32 groups, and seven administrative domains. After importation, we randomly checked each of the Active Directory components for signs of an accurate importation; it was successful. We then made various changes to users, groups, and policy objects and watched for the changes to appear in the new Windows 2008 AD audit logs. Despite the comparative size, changes were fast.

In terms of performance testing, we ran a series of tests where files and folders were copied using four HP PCs, each formatted with fresh copies of Windows XP SP2 first and then with fresh copies of Vista SP1. We copied identical folders containing 60MB of files (a mixture of files ranging from 1K to 17.2MB) on our Dell 1950 PowerEdge server (no antivirus software was used on clients or server) using a batch file, noting copy execution times. Vista SP1 copies were significantly faster over the Ethernet 10Base-T hub that we used to connect the PCs to the server (emulating slower speed links). We also compared streaming times using MP3 files from each server.

We also tested performance between NDIS2 (Vista) and NDIS1 (Windows XP, and various SAMBA clients) for file/folder copy speed performance, and found NDIS2/VISTA clients are strongly favored in busy networks.

We measured simple disk access through file/folder copying on a server (rather than client-to-server) to be the same between Windows 2003 and Windows 2008 Server Editions. We tested iSCSI host and target software, and found it to have the same speed as R2-supported file I/O.

We also tested IIS 7 via Web get/posts using increasing concurrency of the get/posts (using static pages), and found that there was no additional performance advantage of Windows 2003 over 2008 server editions until concurrency (number of users getting and posting) was raised significantly, where Windows 2008 and IIS 7 became very fast compared with Windows 2003 and IIS 6. Both versions of IIS were running in default/unoptimized configurations.

Logon compatibility was checked between Windows 2008 Enterprise Edition and Windows 2000 Professional, XP (SP1 and SP2), Vista (with and without SP1, which was released on the same day as the RTM of Windows 2008 Server editions), MacOS 10.4.11, 10.5.1, Ubuntu Linux, Red Hat Linux Enterprise 5, and Debian Sarge. We also used Windows 2008 Enterprise Server (six instances) as a VM guest operating system under VMware ESX 3.5 with no issues. We discovered that support for Macintosh/Linux in advanced services such as Network Access Protection is absent (and can be handled as an unprotected exception), and other Macintosh services (formerly known as Microsoft Services for Macintosh) are no longer supported; these included AppleTalk cross-platform support, and secure logon (encrypted with hash using differing access methods).

http://www.networkworld.com/reviews/2008/022108-windows-2008-test-how.html

Posted by admin, filed under Window Server 2008. Date: February 21, 2008, 1:15 pm

