Windows Server 2008 Technical Decision Maker Presentation.

Presentation transcript:

Windows Server 2008 Technical Decision Maker Presentation

Business Results & New Value End User Productivity Customer Connection Keep Business Up & Running Security Competition Technology Change Regulatory Compliance Cost Reduction More Pressure than Ever on IT

Security, Web, Virtualization: Solid Foundation for Your Business Workloads
Windows Server 2008
Reduces costs, increases hardware utilization, optimizes your infrastructure, and improves server availability.
Delivers rich web-based experiences efficiently and effectively.
Provides unprecedented levels of protection for your network, your data, and your business.
Most flexible and robust Windows Server operating system to date.
Provides the most versatile and reliable Windows platform for all of your workload and application requirements.

Management Reliability Solid Foundation Windows Server Manager PowerShell Windows Deployment Services Server Core Next Generation Networking High Availability Clustering Most Flexible and Robust Windows Server Operating System to Date

Windows PowerShell New Command-line shell & Scripting Language Futures Improves productivity & control Accelerates automation of system admin Easy-to-use Works with existing scripts Will ship in Windows Admin GUIs layered over PowerShell One-to-many remote management using WS-MGMT Partners Solid Foundation

Windows PowerShell Resources Hundreds of Scripts Books & Training Materials Community Support MS MVPs PowerShell Team Blog Active Newsgroup Channel 9: DFO Show IIS.net Manning Publications O’Reilly Media Sapien Press & others… TechNet ScriptCenter Exchange Server 2007 Terminal Server WMI, Registry, Hardware, etc. Community-Submitted scripts MyITForum.com Solid Foundation

PowerShell

Server Manager Product Installation Initial Configuration Managing Windows Server 2008 Solid Foundation

Server Manager Solid Foundation

Windows Server Core Only a subset of the executable files and DLLs installed No GUI interface installed Five available Server Roles Can be managed with remote tools Solid Foundation

Server Core Solid Foundation

Complete Redesign of TCP/IP
Dual-IP layer architecture for native IPv4 and IPv6 support
Improved Network Performance Troubleshooting
Improved performance via hardware acceleration and autotuning
Greater extensibility and reliability through rich APIs
Completely manageable through Group Policy
Diagram labels: User Mode; Kernel Mode; Winsock; WSK Clients; TDI Clients; AFD; TDX; TDI; WSK; Inspection API; NDIS; Next Generation TCP/IP Stack (tcpip.sys); TCP; UDP; RAW; IPv4; IPv6; IPv WLAN; Loopback; IPv4 Tunnel; IPv6 Tunnel
Solid Foundation

Key New Networking Features
Receive Window Autotuning: Automatically senses network environment and adjusts key performance settings. Allows increase of the size of the TCP/IP send / receive window.
Windows Filtering Platform: Provides filtering capability at all layers of the TCP/IP protocol stack. Integrates and provides support for next-generation firewall features.
Receive Side Scaling: Previous Windows operating systems limit receive protocol processing to a single CPU. RSS resolves this issue by allowing network load from a network adapter to be balanced across multiple CPUs.
Policy-based Quality of Service: Prioritize or manage the sending rate for outgoing network traffic. Both DSCP marking and throttling can be used together to manage traffic effectively.
Solid Foundation

Windows Firewall w/ Advanced Security Combined firewall and IPsec management Firewall rules become more intelligent Policy-based networking

Hub Site Branch Office Branch Office Benefits Optimization SysVol Replication DFS Replication Protocols Security BitLocker Server Core Read-Only Domain Controller Role Separation Administration Print Management Console PowerShell, WinRS, WinRM Virtualization Restartable Active Directory Solid Foundation

Failover Clustering Heartbeat New Validation Wizard Support for GUID partition table (GPT) disks in cluster storage Improved cluster setup and migration Improvements to stability and security – no single point of failure IPv6 support Geographically dispersed clusters Active Node Passive Node Solid Foundation

Windows Deployment Services Rapidly deploy Windows operating systems Updated and redesigned version of Remote Installation Services (RIS) Server components Client components Management components Windows Deployment Services provides several enhancements to RIS Windows Vista Windows Server 2008 Solid Foundation

Reliability and Performance Monitor Combines functionality of previous stand-alone tools Tracks system changes Provides new functionality Solid Foundation

Deliver Rich Web-based Experiences Efficiently and Effectively Internet Information Services 7.0 Windows SharePoint Services Web Windows Media Services

Web IIS 7.0 Overview Customization Troubleshooting Administration Enhanced security and reduced attack surface True application xcopy deployment Application and health management for WCF services

IIS 7.0 Web Administration Enhanced Web Administration at Every Stage in the Application Lifecycle Simpler Application Deployment to Web Farms & UNC Shares More Secure, Reliable Application Hosting Greater Productivity Via Delegated Management & Better Tools Reduced Downtime From Faster Troubleshooting Web

Managing Your Web with IIS 7.0 Arsenal of Admin Tools Delegated Management Secure Remote Management Shared Config for Web Farms Better Tools Intuitive, Task Oriented GUI .NET Management API Unified WMI Provider for IIS/ASP.NET Powerful Command Line Support Rich Runtime State Information Automatic Failure Tracing & Logging Site Owner Web.config XML Delegation XCopy Deploy Administrator Internet Manage Remotely Secure HTTPS AppHost.config XML Shared Config Shared App Hosting Web Farm App Web

Windows SharePoint Services Administration model enhancements New and improved compliance features and capabilities New and improved operational tools and capabilities Improved support for network configuration Extensibility enhancements Web

Windows Media Services
Ultimate Streaming Experience: Fast Streaming delivers instant-on/always-on. Intelligent Streaming optimizes the experience.
Dynamic Content Programming: Manage channels on-the-fly. Generate revenue with Lead-In and Interstitial Ads.
Industrial-Strength Platform: Increases industry-leading scalability. Rich administration with broad range of tools.
Web

Optimize Your Infrastructure and Improve Server Availability Terminal Services RemoteApp Terminal Services Gateway Windows Server Virtualization Virtualization

Virtualization Technologies Windows Server Virtualization Server Virtualization Presentation Virtualization Application Virtualization Desktop Virtualization Management Virtualization

Windows Server Virtualization
Greater Scalability and improved performance: x64 bit host and guest support; SMP support
Increased reliability and security: Minimal Trusted Code base; Windows running a foundation role
Better flexibility and manageability: New UI/Integration with SCVMM
Diagram labels: VM 1 “Parent”; VM 2 “Child”; VM 3 “Child”; Hardware; Windows Server 2003; Virtual Server 2005 R2; VM 2; VM 3; Hardware
Virtualization

Windows Server Virtualization Application Virtualization Application Isolation Dynamic Streaming System Center Integration Software as a Centrally-managed Service Available through… Virtualization

Virtualization Investments Management Infrastructure Applications Interoperability Licensing Create agility Better utilize server resources Partner with AMD and Intel Ease consolidation onto virtual infrastructure Better utilize management resources Support heterogeneity across the datacenter OSP (Open Specification Promise) VHD Accelerate deployment Reduce the cost of supporting applications Deliver cost-effective, flexible and simplified licensing Royalty Free VHD format A Multi-level Approach Terminal Services Virtualization

Terminal Services Gateway
Diagram labels: Internet; Perimeter Network; Corporate Network; Remote/Mobile User; Terminal Services Gateway; Network Policy Server; Active Directory DC; Terminal Servers and other RDP Hosts
Tunnels RDP over HTTPS
Strips off RDP / HTTPS
RDP traffic passed to TS
Virtualization

Terminal Services RemoteApp
Terminal Services Gateway Server
Remote programs integrated with local computer
Centrally configure a terminal server with the Terminal Server Configuration console
RemoteApp console used to make application available
Also used to make programs available via TS Web Access
Programs look like they are running locally
Only supported by Remote Desktop client 6.0, or newer
Remote Desktop client required
Virtualization

Terminal Services Virtualization

Hardens Operating System and Increases Environment Protection Read-Only Domain Controller Network Access Protection Federated Rights Management Security

Server Protection Features Security Development Process Secure Startup and shield up at install Code integrity Windows service hardening Inbound and outbound firewall Restart Manager Improved auditing Network Access Protection Event Forwarding Policy Based Networking Server and Domain Isolation Removable Device Installation Control Active Directory Rights Management Services Security Compliance

Windows Server 2008 Hardening
Windows® XP SP2/Server 2003 R2: LocalSystem; Network Service; Local Service
Windows Vista/Server 2008: LocalSystem; LocalSystem (Firewall Restricted); Network Service (Network Restricted); Local Service (No Network Access); Network Service (Fully Restricted); Local Service (Fully Restricted)
Security

BitLocker™ Drive Encryption Group Policy allows central encryption policy and provides Branch Office protection Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System Uses a v1.2 TPM or USB flash drive for key storage Full Volume Encryption Key (FVEK) Encryption Policy Security

Network Access Protection Remediation Servers Example: Patch Restricted Network Windows Client Policy compliant NPS DHCP, VPN Switch/Router Policy Servers such as: Patch, AV Corporate Network Not policy compliant What is Network Access Protection? Cisco and Microsoft Integration Story Health Policy Validation Health Policy Compliance Ability to Provide Limited Access Enhanced Security Increased Business Value Security

Using Network Access Protection
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network
Diagram labels: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as: Patch, AV; Remediation Servers (Example: Patch); Restricted Network; Corporate Network; Policy compliant; Not policy compliant
Security

Network Access Protection Security

AD Rights Management Services AD RMS protects access to an organization’s digital files AD RMS in Windows Server 2008 includes several new features Improved installation and administration experience Self-enrollment of the AD RMS cluster Integration with AD Federation Services New AD RMS administrative roles Information Author The Recipient Security

Active Directory Federation Services AD FS provides an identity access solution Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions AD FS provides a Web-based, SSO solution AD FS interoperates with other security products that support the Web Services Architecture AD FS improved in Windows Server 2008 Web Server Account Federation Server Resource Federation Server Adatum Contoso Federation Trust Security

Federated Rights Management Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities AD RMS is fully claims-aware and can interpret AD FS claims Office SharePoint Server 2007 can be configured to accept federated identity claims Account Federation Server Resource Federation Server Adatum Contoso Federation Trust Web SSO Security

Read-Only Domain Controller
Diagram labels: Main Office; Branch Office; RODC
Features: Read Only Active Directory Database; Only allowed user passwords are stored on RODC; Unidirectional Replication; Role Separation
Benefits: Increases security for remote Domain Controllers where physical security cannot be guaranteed
Support: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
Security

How RODC Works
Diagram labels: Branch; Hub; Read Only DC; Windows Server 2008 DC
User logs on and authenticates
RODC: Looks in DB: "I don't have the user's secrets"
Forwards Request to Windows Server 2008 DC
Windows Server 2008 DC authenticates request
Returns authentication response and TGT back to the RODC
RODC gives TGT to User and RODC will cache credentials
RODC Security

Read-only DC Mitigates “Stolen DC” Attacker Perspective Hub Admin Perspective Security

Active Directory Certificate Services Security Manageability Interoperability Cryptography Next Generation Granular Admin V3 Certificates Windows Server 2008 Server Role PKIView New GPOs OCSP Support IDP CRL Support MSCEP Support Security

PKI Enhancements
Enterprise PKI (PKIView): Now a Microsoft Management Console snap-in; Support for Unicode characters
Online Certificate Status Protocol (OCSP): Online Responders; Responder Arrays
Network Device Enrollment Service: Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP); Enhances security of communications by using IPsec
Web Enrollment: Removed previous ActiveX® enrollment control - XEnroll.dll; Enhanced new COM enrollment control - CertEnroll.dll
Security

Cryptography Next Generation Cryptography Next Generation (CNG) Includes algorithms for encryption, digital signatures, key exchange, and hashing Supports cryptography in kernel mode Supports the current set of CryptoAPI 1.0 algorithms Support for elliptic curve cryptography (ECC) algorithms Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data Security

Windows Server 2008 for Developers Core The Fundamentals App Platform Management .NET 3.0 IIS 7 Task Scheduler 2.0 MMC 3.0 Transactions Recovery Concurrency Networking Server Roles

Application Platform .NET Framework 3.0 IIS 7.0 Windows Activation Service MSMQ 4.0

Management Management MMC 3.0 PowerShell Task Scheduler 2.0

The Fundamentals Transactions Recovery Concurrency Networking The Fundamentals

Windows Vista and Windows Server 2008 Better Together
Efficient Communications: Fast enterprise class search on clients and servers; Faster networking with new TCP/IP stack and native IPv6; Improved file-sharing performance over high-latency links; Integrated remote access to internal applications and resources
More Efficient Management: Single worldwide servicing model; Event forwarding between client and server; Faster and more reliable remote operating system deployments; Network Access Protection ensures health of connecting systems
Greater Availability: Scalable print servers with client-side rendering; Smooth offline experience with client-side caching; Transactional File System for file and registry operations; Policy-based Quality of Service to prioritize application bandwidth

Windows Server Roadmap 2008 Beta RTM R2 “Cougar”

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Next Steps

Appendix

Windows Server 2008 Scenarios: Branch Office; Security and Policy Enforcement; Server Virtualization; Anywhere Application Access; Web and Applications Platform; Server Management; High Availability

Windows Server 2008 Roles: Active Directory Certificate Services; Active Directory Domain Services; Active Directory Federation Services; Active Directory Lightweight Directory Services; Active Directory Rights Management Services; Application Server; DHCP Server; DNS Server; Fax Server; File Services; Network Policy and Access Services; Print Services; Streaming Media Services; Terminal Services; UDDI Services; Web Server; Windows Deployment Services; Windows SharePoint Services

Windows Server 2008 Edition Feature Differences

The Receive Window Limitation
[Figure: Maximum Throughput (Mbps) versus RTT (ms) for receive window sizes of 64 KB, 128 KB, 256 KB and 512 KB; RTT labels: North America; Intercontinental Fiber; Satellite]
More Control

62 Key Drivers of Core Infrastructure Optimization People, Process and Technology Desktop, Server and Device Management Security and Networking Identity and Access Management Data Protection and Recovery IT and Security Process

Security, Security, Security Scenario-focused Integrated innovation Compatibility Heterogeneous interoperability Enabling broad industry ecosystem and volume economics Best of breed functionality for all server workloads Key Development Tenets Server Functions Operational Infrastructure Solutions Application Platform Information Worker Infrastructure Management Workloads Storage (file, portal) Print Collaboration Application/Web Server Unix integration services Database High Performance Computing Software Distribution Virtualization Operations Management General Purpose & Enterprise Medium Business Small Business Networking Remote Access Security Identity Management Terminal Server

IT Complexity Challenges
Management: Every day tasks just take too much time; Need to fix problems before users are affected; Infrastructure is growing – need to manage more.
Security & Reliability: Keeping systems reliable and running is job #1; Patching - too much effort, too much downtime; Securing systems is complex and hard to manage; Mobile and remote devices provide a back door for viruses
Changing Business Needs: Need infrastructure to adapt to the changing business needs; Number of and access needs of remote users is increasing; Too hard to deploy new technologies with existing systems

Security Development Lifecycle Tasks and Processes Security Kickoff & Register with SWI Security Design Best Practices Security Arch & Attack Surface Review Use Security Development Tools & Security Best Dev & Test Practices Create Security Docs and Tools For Product Prepare Security Response Plan Security Push Pen Testing Final Security Review Security Servicing & Response Execution Feature Lists Quality Guidelines Arch Docs Schedules Design Specifications Testing and Verification Development of New Code Bug Fixes Code Signing A Checkpoint Express Signoff RTM Product Support Service Packs/ QFEs Security Updates Requirements Design Implementation Verification Release Support & Servicing Threat Modeling Functional Specifications Traditional Microsoft Software Product Development Lifecycle Tasks and Processes Security Training

Windows Service Hardening
Defense In Depth – Factoring/Profiling
Reduce size of high risk layers
Segment the services
Increase # of layers
Diagram labels: Kernel Drivers; User-mode Drivers; Service1; Service2; Service3; Service …; Service…; ServiceA; ServiceB

Network Access Protection: How it works
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network
Diagram labels: Windows Client; DHCP, VPN, Switch/Router; MSFT NPS; Policy Servers e.g. Patch, AV; Fix Up Servers e.g. Patch; Restricted Network; Corporate Network; Policy compliant; Not policy compliant