In my previous article, Top 5 cool Longhorn/Vista features, I discussed some very important features in Windows Longhorn (now officially called Windows Server 2008) and Vista -- server roles, Vista Group Policy, Read-Only Domain Controller, Restartable Active Directory and BitLocker drive encryption. There are several other features that are important advancements in technology, but they may not be as obvious as those, including Network Access Protection (NAP), new Terminal Services features, a new TCP/IP stack and enhanced Unix interoperability features.
Network Access Protection (NAP)
This isn't a particularly new technology, but Microsoft has championed NAP's development in Windows Server 2008. One of the biggest challenges facing IT managers and administrators alike is how to maintain a secure network. Keeping hundreds, thousands or tens of thousands of workstations and servers up to date on new antivirus engine versions, Microsoft security updates, antispyware updates and firewall configurations is a daunting task for IT managers and administrators. Microsoft has implemented some monitoring tools that identify out-of-date machines, and the company's Windows Update Service has made it easier to keep up on Microsoft updates. But it's still a huge challenge.
NAP has a fairly simple goal in that it makes networks secure in an easier-to-manage environment. Basically, any client that comes into the network that is out of date on virus protection or a firewall, for example, will be isolated in the network and updated before it is allowed back in the network.
Let's look at a step-by-step description of how this would work:
- Client presents its current health state and requests access to the network.
- The Dynamic Host Configuration Protocol (DHCP) server, VPN server or switch/router connects to a RADIUS server that serves as the Microsoft Network Policy Server (NPS). You have the flexibility here to use almost any third-party product.
- NPS compares the client against the health policy that has been defined by your IT staff. This assessment works with Microsoft products like SMS, WUS or third-party products. An IPSec policy can also be applied to the assessment.
- If the client fails the test, it is put in a restricted VLAN, where "patch servers" are available to update the client (AV, WUS, etc.). Once it is up to date, return to step one for another assessment.
- When the client is determined to be compliant with the policy, the client is granted access to the network.
Note that the client pieces are integrated in Windows Vista, and XP clients are supported. Management components for policy-based administration and operation are integrated with SMS, Active Directory, Group Policy and MOM.
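To make the five-step flow concrete, here is an added example (not Microsoft's NPS code, and not from the original article) that models the health-policy evaluation, the restricted-VLAN decision and the remediate-then-reassess loop in Python. The policy thresholds, patch identifiers, VLAN names and the client statements of health are all constructed for illustration; a real NPS health policy would be defined through the server's own administration tools.

```python
"""Model of the NAP admission flow: present health, evaluate, restrict,
remediate, re-evaluate.  Added example; every value below is constructed."""
from dataclasses import dataclass, field
from datetime import date

# Health policy as IT staff might define it on the NPS (assumed values).
POLICY = {
    "min_av_signature_date": date(2007, 6, 1),
    "required_patches": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},  # placeholders
    "firewall_required": True,
}

FULL_ACCESS = "vlan-corp"        # production network (constructed name)
RESTRICTED = "vlan-remediation"  # only patch/AV servers reachable (constructed)


@dataclass
class StatementOfHealth:
    """What the client presents at step 1."""
    host: str
    av_signature_date: date
    installed_patches: set = field(default_factory=set)
    firewall_enabled: bool = False


def make_soh(host, av_date_iso, patches=(), firewall=False):
    """Convenience constructor taking an ISO date string."""
    return StatementOfHealth(host, date.fromisoformat(av_date_iso),
                             set(patches), firewall)


def evaluate(soh, policy=POLICY):
    """Step 3: compare the statement of health against the policy.
    Returns a list of failure reasons; an empty list means compliant."""
    failures = []
    if soh.av_signature_date < policy["min_av_signature_date"]:
        failures.append("antivirus signatures out of date")
    missing = policy["required_patches"] - soh.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if policy["firewall_required"] and not soh.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def assign_network(soh, policy=POLICY):
    """Steps 4 and 5: compliant clients get the production VLAN,
    non-compliant clients are parked on the restricted VLAN."""
    return FULL_ACCESS if not evaluate(soh, policy) else RESTRICTED


def remediate(soh, policy=POLICY):
    """Simulates what the patch servers on the restricted VLAN do."""
    soh.av_signature_date = max(soh.av_signature_date,
                                policy["min_av_signature_date"])
    soh.installed_patches |= policy["required_patches"]
    soh.firewall_enabled = soh.firewall_enabled or policy["firewall_required"]
    return soh


def admission_loop(soh, policy=POLICY, remediator=remediate, max_rounds=3):
    """Run the flow until the client is admitted or remediation keeps
    failing.  Returns (final network, per-round log of decisions)."""
    log = []
    for round_no in range(1, max_rounds + 1):
        failures = evaluate(soh, policy)
        if not failures:
            log.append((round_no, FULL_ACCESS, []))
            return FULL_ACCESS, log
        log.append((round_no, RESTRICTED, failures))
        remediator(soh, policy)      # back to step 1 after patching
    return RESTRICTED, log           # remediation never succeeded


if __name__ == "__main__":
    stale = make_soh("pc2", "2007-01-01")
    network, rounds = admission_loop(stale)
    for round_no, vlan, reasons in rounds:
        print(f"round {round_no}: {vlan} {reasons}")
    print("final:", network)
```

The `remediator` parameter exists so the failure mode is visible: if the patch servers cannot bring the client up to policy, the loop exhausts its rounds and the client stays on the restricted VLAN rather than being admitted by default.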
For more information on Microsoft's implementation of NAP, go to these Web sites:
Terminal Services gets a makeover in Windows Server 2008 with some interesting features. After viewing Microsoft's description of Terminal Services features in what was then Windows Longhorn, it seemed to dovetail quite nicely with the company's vision of branch office technologies. That is, it puts application servers -- especially mission critical applications -- user data, mission critical data and so forth in a centralized location and then uses secure access and efficient replication and transports to get the data to the users.
Using what Microsoft calls Secure Anywhere Access, users can securely access centrally stored data and applications, which makes it very easy and secure to manage, backup and restore data at the central site rather than managing data and applications distributed over many locations. Along with this, Microsoft promises a single sign-on capability for managed clients to improve the user experience.
One of the pieces that makes that happen is the Terminal Services Gateway. It is a special server that will sit in the DMZ between the external and internal firewalls. External clients connecting from a client site, hotel room, Internet hotspot or a home network would connect using RDP over HTTPS rather than a VPN (more about that later). The Terminal Services Gateway server then strips off the RDP/HTTPS and allows access to terminal servers, mail servers and other resources behind the internal firewall.
RDP/HTTPS is used quite nicely in Outlook 2003. I've used it for a year or so now and I love it. I can run the full version of Outlook without having to VPN into our corporate network. This is very handy when the VPN tunnel is down, and I am not limited to the features of Outlook Web Access (OWA).
Another cool-looking technology in the application realm is what is referred to as application virtualization.
Recently, Microsoft acquired a company called Softricity Inc., which developed a product using that technology. Applications are installed on servers in a central site and accessed from the user's desktop in a virtual image without interaction with the operating system. It integrates with local programs using drag and drop, taskbar and system tray integration, and uses streaming technology to improve the user experience.
I haven't personally seen this work but it is definitely something to keep your eye on. Microsoft is attempting to break down the performance barriers of Terminal Services applications and give the user a seamless application from a remote server. Again, it fits in the vision of centralizing application and data servers for easier management and better security.
Another area in which some interesting improvements have been made is Unix Integration. Most of us are painfully aware of the Services for Unix (SFU) product, which gave us some valuable bits, but it was still an add-on. I work a lot these days with the NAS (network-attached storage) servers, which provide a gateway of sorts for Unix and Windows clients to connect to Windows file shares and files. These servers run the Windows Storage Server OS (Windows 2003 binaries) and each OEM bundles the NAS bits, including SFU. This makes upgrades quite challenging since SFU stands on its own, has its own upgrade procedure and each OEM bundles SFU so you can't just use the SFU download from Microsoft -- it has to come from the vendor.
In Windows Server 2003 R2, Microsoft incorporated the SFU components -- Microsoft Services for NFS, Subsystem for Unix-based Applications and Identity Management for Unix -- into the OS. With R2 installed, these components show up in add/remove programs as Windows components. Windows Server 2008 also supports all of these features and password synchronization for certain Unix systems including:
- HPUX 11i
- Sun Solaris 7 and 8
- Red Hat Linux 8.0 and higher
- IBM AIX 5L 5.2
The great thing about this is that with these components built into the OS it takes all those messy SFU upgrade procedures -- at least for the NAS boxes -- out of the picture. Upgrade the OS with service packs, and the Unix components are included.
A few points about these features:
- Microsoft Services for NFS supports NFS protocol v2 and v3. I haven't seen anything on support for v4 yet. When you install Windows Server 2008, you will be presented with an NFS Sharing tab in the folder properties page, allowing you to easily create an NFS share. One thing to note here is that we have seen some limits on the number of files in a single directory that a Unix/Linux client can reliably see. There is a limiting factor in the way that Windows handles the client access that can cause Unix clients not to be able to see all the files. See KB 910619 for more information. This is a hotfix that makes the situation better, but the best answer is to spread the files out in multiple directories, which makes the problem less likely to occur.
- Subsystem for Unix-based Applications allows Unix apps to run natively on Windows clients and servers.
- Identity Management for Unix is really the ability of a Windows server to be a Network Information Service (NIS) Master Server. Yes, it must be the master. Microsoft seems to need the upper hand even in the Unix world.
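The NFS point above recommends spreading files over multiple directories rather than relying on the hotfix alone. As an added example (not from the article or from Microsoft), the Python below lays out a share so that each file lands in a deterministic subdirectory and reports the fullest directory of a proposed layout. The fan-out of 16 buckets, the share root and the generated file names are constructed values.

```python
"""Spread files across subdirectories so no single directory on an NFS
share grows large enough to trigger client listing problems.
Added example; fan-out, paths and sample names are constructed."""
import hashlib
from collections import Counter
from pathlib import PurePosixPath

FANOUT = 16  # constructed: number of bucket directories under the share root


def bucket_for(filename, fanout=FANOUT):
    """Deterministic bucket name for a file.  The same name always maps to
    the same subdirectory, so clients and scripts can locate a file
    without listing the whole share."""
    digest = hashlib.sha256(filename.encode("utf-8")).hexdigest()
    return f"{int(digest[:8], 16) % fanout:02x}"


def spread_path(share_root, filename, fanout=FANOUT):
    """Full POSIX path where `filename` should be stored under `share_root`."""
    return str(PurePosixPath(share_root) / bucket_for(filename, fanout) / filename)


def bucket_counts(filenames, fanout=FANOUT):
    """How many files each bucket would hold for a proposed file set."""
    return Counter(bucket_for(name, fanout) for name in filenames)


def largest_directory(filenames, fanout=FANOUT):
    """(bucket, count) for the fullest bucket; use this to confirm that a
    layout keeps every directory under whatever limit you have observed."""
    bucket, count = bucket_counts(filenames, fanout).most_common(1)[0]
    return bucket, count


if __name__ == "__main__":
    names = [f"file{i}.dat" for i in range(1000)]   # constructed sample
    print(spread_path("/export/data", names[0]))
    print("fullest directory:", largest_directory(names))
```

With 1,000 files and 16 buckets the fullest directory holds roughly a sixteenth of the set, so if a single flat directory of that size was giving Unix clients trouble, the same files become sixteen small listings instead.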
Besides these features, there is a new TCP/IP stack that supports IPv4 and IPv6 protocols natively. It includes IPSec, Secure Sockets API, black-hole router detection (BHRD), dead gateway detection and more. See the article Next Generation TCP/IP Stack in Windows Vista and Windows Server "Longhorn" for more details.
As you can see from this article and my previous one on the top five new features in Windows Longhorn and Vista, there are a bundle of new features in Windows Server 2008. If you have been ignoring Longhorn because (a) it's way in the future, (b) you just don't have time yet or (c) you are still on NT, then it's time to get up to speed.
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers.