Windows 2003 Technology Volume Shadow Copy Wireless Security.



Agenda
- Volume Shadow Copy Service
  - Need for Shadow Copy for Shared Folders
  - Technical overview
  - Client and Server installation demo
  - Requirements, Setup and Configuration
  - Best Practices and Real World data
- Wireless Security
  - Problem statement
  - WEP/WPA
  - Components
  - 802.1x
  - Windows 2003 Wireless Deployment
- Q & A

Windows 2003 Volume Shadow Copy Service (VSS)

Why Shadow Copies For Shared Folders?
- In the real world, people make mistakes
  - Accidentally delete files
  - Accidentally overwrite important data
- Today’s answer: Restore from backup
- BUT: Single-file restore from backup tape expensive
  - Involves “IT” – time and money
- With Windows Server 2003, restore done by user w/o IT involvement
  - Volume Shadow Copy Services (VSS)
  - Less end user “down time”
  - Better use of IT resources
  - Better TCO

VSS Components
- Volume Shadow Copy Service Coordinator
- Requestors – Backup Apps
- Writers – Represents Apps (i.e., SQL, Exchange, AD, etc.)
  - Coordinates with backup applications
  - Differentiates VSS from competitors
- Providers
  - Hardware snapshots
  - In-box software shadow copy

How Does It Work Together?

Requestors
- Windows NT Backup was first user in Windows XP
- Backup ISVs – All major backup vendors are developing VSS-based solutions
  - Veritas, Legato, Computer Associates, EMC, Hewlett Packard, CommVault, IBM, Ultrabac, Aelita, Dantz, and others!

VSS In Box Writers
- Active Directory
- Certificate Server
- Exchange
- Cluster Server
- DHCP Server
- Event Log
- Removable Storage
- Terminal Server
- Internet Information Server (IIS)
- WINS
- WMI
- COM+
- SFP
- Registry
- SQL/MSDE

Shadow Copy Transport
- Multiple LUNs shadow copied at single point-in-time with data consistency
[Diagram labels: Storage Array; SQL DBs 1TB; SQL Logs 200 GB; Production Server; Backup Server]

Shadow Copy Technology – Copy-On-Write
[Diagram labels: Diff Area; Shadow Copy Client; Microsoft Word; Microsoft Software Shadow Copy Provider; Original Volume]

Shadow Copies for Shared Folders

Pre-Setup
- Is my hardware OK?
  - If you meet requirements for Windows Server 2003, you meet requirements for shadow copies
  - RAM, CPU are non-issues.
- Will it fill up my drives?
  - You control what to allocate
- Do I need to do anything to my existing data?
  - No. It just works!
- I use failover clusters. Will this work?
  - Yes.
- Do I need Active Directory?
  - No.

Setup - Server
- If running Windows Server clicks and setup is done!
- If running Win2k
  - Just upgrade the server to Windows Server 2003
  - No preparations required for upgrade for shadow copies
- Just need to be an admin on the server

Setting Up Shadow Copies demo

Setup - Client
- Windows Server 2003
  - Works out of the box
- Windows XP
  - XP code is on the Windows Server 2003 CD
  - %windir%\system32\clients\twclient\x86\twcli32.msi
  - Also available as a web-download
  - External URL (This URL will be available after Windows Server 2003 release)
- Windows 2000 (SP3 and above)
  - Available as a web-download
- Windows 98 (Second Edition)
  - Available as a web-download
- Windows NT4 and Windows ME not supported

Default Configuration
- Disk Space
  - Minimum 100 Mb dedicated to VSS.
  - Default – 10% of volume.
- Frequency
  - Default – twice a day (M-F)
  - Default – 7 a.m. and 12 p.m.
- Number of shadow copies
  - Cannot guarantee number.
  - Maximum possible – 64.
- Optimizations to the environment
  - Dedicated disk.
  - What times should I take shadow copies?

Performance
- Copy-on-write incurs runtime cost.
  - 5% throughput hit on Netbench
- Lightly loaded server – No noticeable performance hit
- Heavily loaded server – Use a dedicated disk

OTG Scenarios
- 40 Redmond File Servers (File Share/DFS)
- 20 My Docs (User Directories/Intellimirror Redirected)
- 10 IIS Web Servers
- 3 SQL Servers (SQL Dump Drive only)
- File Server Clustered SAN

OTG Configuration
- All Drives enabled for Shadow Copy except OS / C Drive
  - C Drive was constrained on space for page file
- Diff Area Allocation
  - 10% Drive space Allocation default
  - 1 GB increments if disk constrained (less than 10% free)
- Schedule
  - SC Default (Twice Daily 7am; 12pm)
  - Disk Constrained (Once 7pm)

Real World Metrics
Metrics for Fifty -- 30GB Drives on Standard 300 GB Windows Server 2003 File Servers
- Shadow Copy Disk
  - Average Shadow Copy size 40MB
- Used Space for Shadow Copies
  - Average 2 GB in Use per Drive (3.1 Max)
  - 102 GB used in Diff area/542 GB content with 1.5 TB Capacity
- % Disk Used by Diff Area
  - Average 7% per disk used for Diff Area; Max 9%
  - Diff Area relationship to data 20%
- # of Shadow Copies
  - Average of 48.5; Min 4; Max 64
  - ~ 4+ weeks available for end users on average

Self Service Restore demo

IT Restore Vs. Shadow Copies
Metric | Before Shadow Copies | After Shadow Copies
Number of Restore Requests | 20 – 30 per month | 1 – 2 per month
Time | 3 – 7 days | Seconds
Cost | $300 per restore (+ time lost) | Cost of “unused” disk space
Escalations | Multi-tiered | No escalation required
View before Restore | Cannot view file before restoring | All versions available for viewing

Client And IT Satisfaction
- End-user comments
  - “I have to say that is one of the coolest features I have ever seen! It worked flawlessly! Thanks!”
  - “Worked like a charm. You are my hero for the foreseeable future.”
- IT Praise
  - “Very Cool. We need to advertise this feature more.”
  - “This has got to be the best new feature in W2K3”
  - “I can’t believe how easy it was to setup”

FAQ
- I can’t see shadow copies “from” the server. Why?
  - Use UNC path \\localhost\C$
- I can see previous versions of folders, but not of files. Why?
  - Client UI shows only previous versions of files different from current version
- What does folder restore involve?
  - Restoring previous versions of all files, while maintaining newly created files

FAQ cont’d.
- I am not getting as many shadow copies as I expected. Why?
  - Cannot ensure number
  - Space used depends on changes to original data
- Security?
  - ACLs are preserved
  - While restoring, current ACLs get precedence
  - Current and previous versions can have different ACLs
- Can I turn this off for one share?
  - No. Per-volume basis
- Can I use Shadow Copies for Shared Folders for FAT volumes?
  - No. Shadow Copies for Shared Folders is only for NTFS
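
The copy-on-write diff area and the FAQ answer on why the number of shadow copies cannot be guaranteed, modelled as an added example that is not part of the original slides. It is a simplified sketch: block counts, limits and the names `Volume` and `retained_copies` are constructed for illustration, and the eviction of the oldest copy when the diff area fills reflects how VSS behaves rather than anything stated on the slides.

```python
from collections import deque

MAX_SHADOW_COPIES = 64  # per-volume maximum given on the slides


class Volume:
    """Simplified model of a volume with copy-on-write shadow copies."""

    def __init__(self, blocks, diff_limit):
        self.blocks = list(blocks)    # live ("original volume") data
        self.diff_limit = diff_limit  # diff area size, in preserved blocks
        self.copies = deque()         # oldest first: (label, {index: old data})

    def diff_used(self):
        return sum(len(saved) for _, saved in self.copies)

    def create_shadow_copy(self, label):
        if len(self.copies) == MAX_SHADOW_COPIES:
            self.copies.popleft()     # cap reached: oldest copy is dropped
        self.copies.append((label, {}))

    def write(self, index, data):
        if self.copies:
            saved = self.copies[-1][1]
            if index not in saved:    # first overwrite since the newest copy
                saved[index] = self.blocks[index]  # preserve the old block
                while self.copies and self.diff_used() > self.diff_limit:
                    self.copies.popleft()          # diff area full: evict oldest
        self.blocks[index] = data

    def read_shadow(self, label, index):
        """Block content as it was when shadow copy `label` was taken."""
        labels = [name for name, _ in self.copies]
        if label not in labels:
            raise KeyError(f"shadow copy {label!r} no longer exists")
        # The first preserved version in this copy or any newer one is the
        # content at snapshot time; if none exists the block never changed.
        for _, saved in list(self.copies)[labels.index(label):]:
            if index in saved:
                return saved[index]
        return self.blocks[index]


def retained_copies(volume_blocks, diff_limit, writes_per_interval, intervals):
    """Take one shadow copy per interval, then change some blocks."""
    vol = Volume([0] * volume_blocks, diff_limit)
    for t in range(intervals):
        vol.create_shadow_copy(f"t{t}")
        for w in range(writes_per_interval):
            vol.write((t * writes_per_interval + w) % volume_blocks, t + 1)
    return len(vol.copies)


if __name__ == "__main__":
    # Constructed workload: 1000-block volume, diff area 10% (100 blocks).
    print("light churn:", retained_copies(1000, 100, 1, 80))   # reaches the cap
    print("heavy churn:", retained_copies(1000, 100, 20, 80))  # far fewer copies
```

With the same 10% allocation, the heavier write rate keeps 5 copies instead of 64, so the history available for self-service restore should be sized from the observed change rate.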

Trying it out
- What do I need to try it out for pilot test?
  - A stand-alone Windows Server 2003 with shadow copies enabled
  - Multi-volume configuration
  - No need to deploy any client to get the benefits on the server

VSS Summary
- Very easy to install and use
- Simple configuration
- Saves IT costs and time
- Minimal to no performance hit
- Doesn’t affect the enterprise backup strategy
- End-users love this feature!
- Win-win for everyone!

Windows 2003 and 802.1x Secure Wireless Deployments

Challenge of Wireless
- Impressions that wireless is insecure
  - Early implementations lacked security
  - WEP shared secret, MAC address filtering
  - Difficult to administer and manage
- Need to protect network integrity
  - Need to secure data
  - Prevent unauthorized network access
  - Must be able to trust an access point
  - Prevent credential theft
- Security without excess complexity

Secure Wireless with Windows 2003
All connections are authenticated and secured:
- PKI integrated with Active Directory
- Auto enrollment of certificates
- Integrated 802.1x Support
- Integrated EAP Security
- Checks for valid x509 Certificate Via RADIUS to AD
- Directory Enabled Networking
- Secure 802.1x Wireless Support
- Effortless PKI Services
- Password or certificate-based access
- PKI Deployment Optional
- Passwords can be used w/ Trusted 3rd party Cert.
- Integrated 802.1x Support
  - EAP/TLS
  - PEAP
[Diagram labels: IAS; RADIUS; Active Directory; PKI; Wireless]

Components
- Access Point
- 802.1x
- PKI
- IAS (aka RADIUS)
- WEP
- WPA
- EAP
- TLS
- PEAP

Why use 802.1X?
- Eases manageability by centralizing
  - Authentication decisions
  - Authorization decisions
- Distributes keys for data encryption and integrity to the wireless client computer
- Minimizes Access Point cost by moving expensive authentication to AD
- Supports both WPA and WEP

EAP-TLS
[Diagram labels: Wireless Station; Access Point; Authentication Server]
- Step 1: Use TLS to authenticate AS to Station
- Step 2: Use TLS key to protect the channel between Station, AS
- Step 3: Use Certificate method protected by TLS key to authenticate Station to AS

PEAP
[Diagram labels: Wireless Station; Access Point; Authentication Server]
- Step 1: Use TLS to authenticate AS to Station
- Step 2: Use TLS key to protect the channel between Station, AS
- Step 3: Use legacy method (e.g., MD5 Challenge, MS-CHAPv2, etc.) protected by TLS key to authenticate Station to AS

Why PEAP vs. EAP/TLS?
- Organizations may not be ready for PKI
  - Managing user certificates stored on computer hard drives has challenges
  - Some personnel might roam among computers
  - Smartcards solve this
  - Technical and sociological issues can delay or prevent deployment
- PEAP enables secure wireless now
  - Leverages existing domain credentials
  - Allows easy migration to certificates and smartcards later

PEAP Security and Ease of Deployment Advantages
- PEAP is an open standard
- PEAP offers end-to-end negotiation protection.
- PEAP uses mutual authentication.
- PEAP offers highly secure keys for data encryption.
- PEAP does not require the deployment of a full PKI or client certificates.
- PEAP can be used efficiently with roaming wireless devices.
- User's credentials are not exposed to brute force password attacks.

Windows 2003 Wireless Security
- Native support for IEEE 802.1X
- Complete with all required infrastructure
  - IAS: RADIUS Server and Proxy
  - Windows Certificate Server: PKI
  - AD: User and Computer account and Certificate repository
- Same infrastructure used w/ RAS dial-up and VPN authentication
- Native interop. w/ Windows XP Client: (WinXP SP-1)
- Down-level client support (PPC2002, W2K, NT4, 9x)

Windows 2003 Improvements
- Windows 2003 Active Directory
  - Auto Certificate enrollment and renewal for machines and users
  - Performance enhancements when using certificate deployment
  - Group Policy support of Wireless settings
- Internet Authentication Service
  - Enhanced logging
  - Allows easier deployment of multiple authentication types
  - Scaling up
  - Load Balancing RADIUS Proxy
  - Configuration export and restore
  - Registering AP’s with RADIUS servers
  - Large number of AP’s in wireless deployment
  - Requires Server 2003 Enterprise Edition

PEAP Interoperability
- Confusion with PEAP versions
- Most RADIUS servers on market now support PEAP version 0:
  - Cisco ACS (RADIUS server)
  - Funk Steel Belted RADIUS (both server and client)
  - Interlink RADIUS (only server)
  - MeetingHouse RADIUS (both server and client)
- PEAP is supported in the following families:
  - Natively - Microsoft® Windows® 2003, Windows XP SP1, Windows® 2000 SP4
  - Application or system upgrade - Windows 98, Windows NT 4.0 and Pocket PC 2002
- Internet Authentication Service (IAS) in the Windows Server® 2003 family supports PEAP; no need to install third-party RADIUS software.
- PEAP is an open standard and has been submitted to the IETF.

Windows PEAP Authentication
- First phase—machine logon
  - Association
  - Authenticate AP
  - Authenticate computer
  - Transition controlled port status
  - For machine account access to authorized resources
- Second phase—user logon
  - Authenticate user
  - Transition controlled port status
  - For user account access to authorized resources

Why Use Machine Accounts?
- Domain logon required for:
  - Machine group policies
  - Computer startup scripts
  - Software installation settings
- When user account passwords expire
  - Need associated WIC and transitioned controlled port for user notification and change dialog
  - Machine account logon phase allows password expiration notices and changes to occur normally
- Cisco’s LEAP can’t deal with this
  - No facility for machine authentication

System Requirements
- Client: Windows XP service pack 1
- Server: Windows Server 2003 IAS
  - Internet Authentication Service—our RADIUS server
  - Certificate on IAS computer
- Backporting to Windows 2000
  - Client and IAS must have SP3
  - No zero-config support in the client
  - See KB article
  - Supports only TLS and MS-CHAPv2
  - Future EAP methods in XP and 2003 might not be backported

802.1x Setup
1. Build Windows Server 2003 IAS server
2. Join to domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients
   - Don’t forget to import CA root

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.