Donald Hester October 7, 2010 For audio call Toll Free and use PIN/code

Maximize your CCC Confer window. Phone audio will be in presenter-only mode. Ask questions and make comments using the chat window. Housekeeping

Adjusting Audio 1)If you’re listening on your computer, adjust your volume using the speaker slider. 2)If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.

Saving Files & Open/close Captions 1.Save chat window with floppy disc icon 2.Open/close captioning window with CC icon

Emoticons and Polling 1)Raise hand and Emoticons 2)Polling options

Donald Hester

Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Los Positas College

 History  What’s new in Hyper-V  What’s new in NTFS  What’s new with Service Accounts  What’s new in User Account Control  What’s Direct Access  What’s new with BitLocker  What’s AppLocker  What’s new in Biometric support  What’s new in SmartCard support  What’s new in Backup  What’s BranchCache  What’s new in DNS  What's New in Failover Clusters  What's New in Microsoft iSCSI Initiator  What's New in Remote Desktop Services  What’s new in performance and reliability monitoring  What’s new in Event Auditing  What’s new in Server Core  What’s New in Active Directory

Server OSCorresponding Client OSKernel VersionBuild Server 2008 R2Windows 7NT Server 2008Windows VistaNT Server 2003 R2NT Server 2003Windows XP Pro (x64)NT Windows XP Pro (x86)NT Server 2000Windows 2000 ProNT Windows NT 4 ServerWindows NT 4 WorkstationNT Windows NT 3.51 NT Windows NT 3.1 NT Note the following versions of Windows were DOS based: Windows 3.11, Windows 95, Windows 98, Windows Me

 The following changes to existing features: Dynamic virtual machine storage Enhanced processor support Enhanced networking support  New Live Migration 10

Quick Migration (Windows Server 2008 Hyper-V) Quick Migration (Windows Server 2008 Hyper-V) Save state Create VM on the target Write VM memory to shared storage Move virtual machine Move storage connectivity from source host to target host via Ethernet Restore state & Run Take VM memory from shared storage and restore on Target Run Live Migration (Windows Server 2008 R2 Hyper-V) Live Migration (Windows Server 2008 R2 Hyper-V) VM State/Memory Transfer Create VM on the target Move memory pages from the source to the target via Ethernet Final state transfer and virtual machine restore Pause virtual machine Move storage connectivity from source host to target host via Ethernet Un-pause & Run Host 2 Host 1 Host 2

VHD Boot in Windows Native VHD support Chkdsk performance improvements Robocopy performance enhancement Local file copy improvements Improvements in Volume Shrink Improved performance for solid state disks (SSD) Defrag for metadata

 Service accounts have always had issues Security hole Password never changes Nobody knows the passwords Not sure what services where are using the service accounts 13

 Want better isolation than existing service accounts Don’t want to manage passwords  Virtual accounts are like service accounts: Process runs with virtual SID as principal  Can ACL objects to that SID System-managed password Show up as computer account when accessing network  Services can specify a virtual account Account name must be “NT SERVICE\ ”  Service control manager verifies that service name matches account name Service control manager creates a user profile for the account  Also used by IIS app pool and SQL Server

 Services sometimes require network identity e.g. SQL, IIS  Before, domain account was only option Required administrator to manage password and Service Principal Names (SPN) Management could cause outage while clients updated to use new password  Windows Server 2008 R2 Active Directory introduces Managed Service Accounts (MSA) New AD class Password and SPN automatically managed by AD like computer accounts Configured via PowerShell scripts Limitation: can be assigned to one system only

 29% fewer user account control (UAC) prompts than Windows Vista has, and  fewer prompts in general  "We've put users in control and allowed them the ability to tune the level of prompting" using a slider bar Paul Cooke, director of Windows Client Enterprise Security

 DirectAccess offers remote workers the same level of seamless and secure connectivity as they have in the office.  The system automatically creates a secure tunnel to the corporate network and workers don't have to manually connect  DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network

 DirectAccess also uses IPsec to authenticate the computer and user, encrypt the data crossing over the Internet  Can even be used to require employees to authenticate with a smart card

 Active Directory  PKI Certificates  IPv6  Server 2008 R2  Windows 7 Or you can use ForeFront USG

 Windows Vista users have to repartition their hard drive to create the required hidden boot partition Windows 7 & Server 2008 R2 creates that partition automatically when BitLocker is enabled  Windows 7 & Server 2008 R2 extends the Data Recovery Agent (DRA) to include all encrypted volumes As a result, only one encryption key is needed on any BitLocker-encrypted Windows machine

 AppLocker technology that allows administrators to control the software that runs on Windows 7 & Server 2008 R2 machines  This ensures that only authorized scripts, installers, and dynamic load libraries are accessed  It can also be used to keep unlicensed software off machines

 Windows 7 & Server 2008 R2 in particular permit multiple firewall policies, so IT professionals can maintain a single set of rules for remote clients and for clients that are physically connected to their networks

 A Biometric Devices Control Panel  Device Manager support for managing drivers for biometric devices  Credential provider support (UAC elevation)  Group Policy settings to enable, disable, or limit the use of biometric data for a local computer or domain  Biometric device driver software available from Windows Update

 Windows 7 & Server 2008 R2 extends the smart card support offered in Windows Vista by automatically installing the drivers required to support smart cards and smart card readers, without administrative permission  Smart Card device driver software available from Windows Update

 Ability to back up/exclude individual files and to include/exclude file types and paths from a volume  Improved performance and use of incremental backups  Expanded options for backup storage  Improved options and performance for system state backups and recoveries  Expanded command-line support  Expanded Windows PowerShell support 28

 System Restore includes a list of programs that will be removed or added, providing users with more information before they choose which restore point to use  Restore points are also available in backups, providing a larger list to choose from, over a longer period of time

 First, System Restore displays a list of specific files that will be removed or added at each restore point.  Second, restore points are now available in backups, giving IT professionals and others a greater list of options over a longer period of time

 Microsoft recommends that users run Windows 7 clients in conjunction with Windows 2008 R2 servers in order to get the benefit of BranchCache, a caching application that makes networked applications faster and more responsive

32

 Improvements to the validation process for a new or existing cluster  Improvements in functionality for clustered virtual machines (which run with the Hyper-V feature)  The addition of a Windows PowerShell interface  Additional options for migrating settings from one cluster to another (Live Migration & Quick Migration) 33

 User interface enhancement and redesign  iSCSI digest offload support better CPU utilization  iSCSI boot support for up to 32 paths at boot time Redundancy needed to protect against network component failures or outages 34

 DNS Security Extensions (DNSSEC)  DNS Devolution  DNS Cache Locking  DNS Socket Pool 35

 Supports Domain Name System Security Extensions (DNSSEC), newly established protocols that give organizations greater confidence that DNS records are not being spoofed

 Helps clients in child domains resolve host names when they are not sure what domain the host is in  This can be set to specific levels of resolution (Domain Child/Parent Levels)  For example: 37 An application attempting to query the host name srv7 will attempt to resolve srv7.central.contoso.com and srv7.contoso.com

 Cache locking is a new security feature available with Windows Server® 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten. 38

 The socket pool enables a DNS server to use source port randomization when issuing DNS queries  This provides enhanced security against cache poisoning attacks 39

Server 2008 R2 with SP 1  Microsoft RemoteFX has been added to Remote Desktop Services 3D adapter USB redirection  Intelligent capture and compression that adapts for the best user experience  All Remote Desktop Services role services have been renamed 40

41

 Enhancements to event auditing  Regulatory and business requirements are easier to fulfill through management of audit configurations, monitoring of changes made by specific people or groups, and more-granular reporting.  For example, Windows 7 reports why someone was granted or denied access to specific information.

 Additional Server Roles Available The Active Directory® Certificate Services (AD CS) role The File Server Resource Manager component of the File Services role A subset of ASP.NET in the Web Server role 43

 Additional Features Support for.NET framework Windows PowerShell Windows-on-Windows 64-bit (WoW64)  Removed The removable storage feature  New support Remote configuration with Server Manager 44

 Active Directory Recycle Bin  Changes to Group Policies  Windows PowerShell cmdlets  AD Administrative Center  AD Best Practices Analyzer  Offline domain join  Managed Service Accounts  Management Pack 45

 Extended Windows 7 & Server 2008 R2 polices  Windows PowerShell Cmdlets for Group Policy  Additional Group Policy Preferences  Improved Starter Group Policy Objects  Improved UI Admin Template Functionality 46

 Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object.  Accidental object deletion causes business downtime.  This is the number one cause of Active Directory recovery scenarios.  Active Directory Recycle Bin works for both AD DS and Active Directory Lightweight Directory Services (AD LDS) objects.  This feature is enabled in AD DS at the Windows Server 2008 R2 forest functional level.

180 Days

Your slides here

Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Los Positas College

Evaluation Survey Link Help us improve our seminars by filing out a short online evaluation survey at:

Thanks for attending For upcoming events and links to recently archived seminars, check Web site at: