1 Windows 2003 Technology Volume Shadow Copy Wireless Security

2 Agenda
- Volume Shadow Copy Service
  - Need for Shadow Copy for Shared Folders
  - Technical overview
  - Client and server installation demo
  - Requirements, setup and configuration
  - Best practices and real-world data
- Wireless Security
  - Problem statement
  - WEP/WPA
  - Components
  - 802.1x
  - Windows 2003 wireless deployment
- Q & A

3 Windows 2003 Volume Shadow Copy Service (VSS)

4 Why Shadow Copies For Shared Folders?
- In the real world, people make mistakes: they accidentally delete files or accidentally overwrite important data
- Today's answer: restore from backup. BUT a single-file restore from backup tape is expensive and involves "IT" (time and money)
- With Windows Server 2003, the restore is done by the user without IT involvement: Volume Shadow Copy Service (VSS)
- Less end-user "down time", better use of IT resources, better TCO

5 VSS Components
- Volume Shadow Copy Service: the coordinator
- Requestors: backup apps
- Writers: represent apps (e.g., SQL, Exchange, AD, etc.); coordinate with backup applications; differentiate VSS from competitors
- Providers: hardware snapshots; in-box software shadow copy

6 How Does It Work Together?

7 Requestors
- Windows NT Backup was the first user, in Windows XP
- Backup ISVs: all major backup vendors are developing VSS-based solutions: Veritas, Legato, Computer Associates, EMC, Hewlett Packard, CommVault, IBM, Ultrabac, Aelita, Dantz, and others!

8 VSS In-Box Writers
Active Directory, Certificate Server, Exchange, Cluster Server, DHCP Server, Event Log, Removable Storage, Terminal Server, Internet Information Server (IIS), WINS, WMI, COM+, SFP, Registry, SQL/MSDE

9 Shadow Copy Transport
Multiple LUNs are shadow copied at a single point in time with data consistency.
[Diagram: a production server and a backup server attached to one storage array holding SQL DBs (1 TB) and SQL logs (200 GB); the shadow copy of the production LUNs is surfaced on the backup server]

10 Shadow Copy Technology: Copy-On-Write
[Diagram: a shadow copy client (Microsoft Word) writes to blocks of the original volume; before a block is overwritten, the Microsoft Software Shadow Copy Provider copies the original block into the diff area, so the shadow copy consists of the unchanged blocks on the original volume plus the saved blocks in the diff area]

11 Shadow Copies for Shared Folders

12 Pre-Setup
- Is my hardware OK? If you meet the requirements for Windows Server 2003, you meet the requirements for shadow copies; RAM and CPU are non-issues
- Will it fill up my drives? You control what to allocate
- Do I need to do anything to my existing data? No. It just works!
- I use failover clusters. Will this work? Yes
- Do I need Active Directory? No

13 Setup - Server
- If running Windows Server 2003: 4 clicks and setup is done!
- If running Win2k: just upgrade the server to Windows Server 2003; no preparations are required for the upgrade as far as shadow copies are concerned
- You just need to be an admin on the server

14 Setting Up Shadow Copies (demo)

15 Setup - Client
- Windows Server 2003: works out of the box
- Windows XP: the XP client code is on the Windows Server 2003 CD (%windir%\system32\clients\twclient\x86\twcli32.msi); also available as a web download at an external URL (this URL will be available after the Windows Server 2003 release): http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx
- Windows 2000 (SP3 and above): available as a web download
- Windows 98 (Second Edition): available as a web download
- Windows NT4 and Windows ME: not supported

16 Default Configuration
- Disk space: minimum 100 MB dedicated to VSS; default 10% of the volume
- Frequency: default twice a day (M-F), at 7 a.m. and 12 p.m.
- Number of shadow copies: cannot be guaranteed; maximum possible is 64
- Optimizations to the environment: a dedicated disk for the diff area
- What times should I take shadow copies?
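The following PowerShell is an added example, not code from the slides, that checks a server against the limits slide 16 states (100 MB minimum diff area, at most 64 copies per volume) and places the diff area on a dedicated disk as slide 17 recommends for busy servers. It uses the WMI classes Win32_ShadowStorage (diff-area allocation per source volume), Win32_ShadowCopy (one instance per copy) and Win32_Volume, and wraps vssadmin for the configuration change; run it in an elevated session on the file server. The drive letters in the usage comment are placeholders.

```powershell
$MinDiffArea        = 100MB   # slide 16: minimum allocation
$MaxCopiesPerVolume = 64      # slide 16: maximum copies per volume

function Get-VolumeLetterMap {
    # Win32_ShadowCopy and Win32_ShadowStorage name volumes by GUID path
    # (\\?\Volume{...}\); translate those to drive letters for the report.
    $map = @{}
    foreach ($v in Get-CimInstance Win32_Volume) {
        if ($v.DeviceID) { $map[$v.DeviceID] = $v.DriveLetter }
    }
    return $map
}

function Get-ShadowCopyReport {
    $letters = Get-VolumeLetterMap

    # Count client-visible copies per source volume. ClientAccessible is true for
    # copies made by Shadow Copies for Shared Folders (what the Previous Versions
    # client shows); snapshots taken by backup requestors are not counted here.
    $counts = @{}
    foreach ($c in Get-CimInstance Win32_ShadowCopy) {
        if ($c.ClientAccessible) { $counts[$c.VolumeName] = 1 + [int]$counts[$c.VolumeName] }
    }

    foreach ($s in Get-CimInstance Win32_ShadowStorage) {
        # Volume and DiffVolume are references to Win32_Volume; DeviceID is the key.
        $src       = $s.Volume.DeviceID
        $diff      = $s.DiffVolume.DeviceID
        $n         = [int]$counts[$src]
        $unbounded = ($s.MaxSpace -eq [uint64]::MaxValue)   # shown as UNBOUNDED by vssadmin

        $findings = @()
        if (-not $unbounded -and $s.MaxSpace -lt $MinDiffArea) {
            $findings += 'diff area below the 100 MB minimum'
        }
        if ($diff -eq $src) {
            $findings += 'diff area shares the source volume; use a dedicated disk on a busy server'
        }
        if (-not $unbounded -and $s.UsedSpace -gt 0.9 * $s.MaxSpace) {
            $findings += 'diff area over 90% used; the oldest copies are being purged'
        }
        if ($n -ge $MaxCopiesPerVolume) {
            $findings += 'at the 64-copy ceiling; each new copy removes the oldest'
        }

        $maxGb = if ($unbounded) { 'unbounded' } else { [math]::Round($s.MaxSpace / 1GB, 2) }
        [pscustomobject]@{
            Volume       = $letters[$src]
            DiffVolume   = $letters[$diff]
            MaxSpaceGB   = $maxGb
            UsedSpaceGB  = [math]::Round($s.UsedSpace / 1GB, 2)
            ShadowCopies = $n
            Findings     = ($findings -join '; ')
        }
    }
}

function Set-DiffArea {
    # Create or resize the diff area for $For on $On. vssadmin rejects Add when an
    # association already exists, so Resize is used in that case; Resize only works
    # with the same /On as the existing association (moving the diff area means
    # deleting the association first, which discards the existing copies).
    param(
        [Parameter(Mandatory)][string]$For,   # source volume, e.g. 'D:'
        [Parameter(Mandatory)][string]$On,    # diff-area volume, e.g. 'E:' (dedicated disk)
        [string]$MaxSize = '10%'              # slide 16's default; '20GB' is also accepted
    )
    $letters  = Get-VolumeLetterMap
    $existing = Get-CimInstance Win32_ShadowStorage |
        Where-Object { $letters[$_.Volume.DeviceID] -eq $For }
    if ($existing) {
        vssadmin Resize ShadowStorage /For=$For /On=$On /MaxSize=$MaxSize
    } else {
        vssadmin Add ShadowStorage /For=$For /On=$On /MaxSize=$MaxSize
    }
}

Get-ShadowCopyReport | Format-Table -AutoSize
# Set-DiffArea -For 'D:' -On 'E:' -MaxSize '10%'   # placeholder drives
```

The report lists one row per source volume; a non-empty Findings column is the cue to resize the diff area, move it to a dedicated spindle, or accept that the 64-copy ceiling is what bounds the retention window.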

17 Performance
- Copy-on-write incurs a runtime cost: a 5% throughput hit on NetBench
- Lightly loaded server: no noticeable performance hit
- Heavily loaded server: use a dedicated disk for the diff area

18 OTG Scenarios
- 40 Redmond file servers (file share/DFS)
- 20 My Docs servers (user directories / IntelliMirror redirected)
- 10 IIS web servers
- 3 SQL servers (SQL dump drive only)
- File server clustered SAN

19 OTG Configuration
- All drives enabled for shadow copy except the OS / C drive (the C drive was constrained on space because of the page file)
- Diff area allocation: 10% of drive space (the allocation default); 1 GB increments if the disk is constrained (less than 10% free)
- Schedule: SC default (twice daily, 7 am and 12 pm); disk constrained: once daily at 7 pm

20 Real World Metrics
Metrics for fifty 30 GB drives on standard 300 GB Windows Server 2003 file servers (shadow copy disk):
- Average shadow copy size: 40 MB
- Used space for shadow copies: average 2 GB in use per drive (3.1 GB max); 102 GB used in the diff area for 542 GB of content, with 1.5 TB capacity
- % disk used by diff area: average 7% per disk; max 9%
- Diff area relationship to data: 20%
- Number of shadow copies: average 48.5; min 4; max 64 (~4+ weeks available to end users on average)

21 Self Service Restore (demo)

22 IT Restore vs. Shadow Copies

| Metric                     | Before Shadow Copies              | After Shadow Copies                 |
|----------------------------|-----------------------------------|-------------------------------------|
| Number of restore requests | 20 - 30 per month                 | 1 - 2 per month                     |
| Time                       | 3 - 7 days                        | Seconds                             |
| Cost                       | $300 per restore (+ time lost)    | Cost of "unused" disk space         |
| Escalations                | Multi-tiered                      | No escalation required              |
| View before restore        | Cannot view file before restoring | All versions available for viewing  |

23 Client And IT Satisfaction
End-user comments:
- "I have to say that is one of the coolest features I have ever seen! It worked flawlessly! Thanks!"
- "Worked like a charm. You are my hero for the foreseeable future."
IT praise:
- "Very Cool. We need to advertise this feature more."
- "This has got to be the best new feature in W2K3"
- "I can't believe how easy it was to set up"

24 FAQ
- I can't see shadow copies "from" the server. Why? Use the UNC path \\localhost\C$
- I can see previous versions of folders, but not of files. Why? The client UI shows only previous versions of a file that differ from the current version
- What does a folder restore involve? Restoring the previous versions of all files while keeping newly created files

25 FAQ (cont'd)
- I am not getting as many shadow copies as I expected. Why? The number cannot be ensured; the space used depends on the changes made to the original data
- Security? ACLs are preserved. While restoring, the current ACLs take precedence; current and previous versions can have different ACLs
- Can I turn this off for one share? No. It is enabled on a per-volume basis
- Can I use Shadow Copies for Shared Folders on FAT volumes? No. Shadow Copies for Shared Folders works only on NTFS
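The two FAQ slides above can be scripted from the server side. Previous versions are addressed on an SMB share with a path token of the form @GMT-yyyy.MM.dd-HH.mm.ss (the snapshot time in UTC), which is what the Previous Versions client sends; the added example below, which is not from the slides, builds that token from Win32_ShadowCopy.InstallDate so every client-visible copy of one file can be listed and hashed through the \\localhost\C$ path the FAQ recommends, then restored while keeping the live file's ACL (the "current ACLs get precedence" behaviour) and parking the current content beside it so nothing newer is lost. The file path is a placeholder.

```powershell
function Get-PreviousVersions {
    # List every client-visible shadow copy of one local file via \\localhost\<drive>$.
    param([Parameter(Mandatory)][string]$Path)   # e.g. C:\Shares\Finance\budget.xlsx (placeholder)

    $drive = $Path.Substring(0, 1)
    $rel   = $Path.Substring(3)                  # strip 'C:\'
    $vol   = Get-CimInstance Win32_Volume -Filter "DriveLetter = '${drive}:'"

    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.ClientAccessible -and $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |
        ForEach-Object {
            # The token is the snapshot's creation time in UTC, to the second.
            $token = '@GMT-{0:yyyy.MM.dd-HH.mm.ss}' -f $_.InstallDate.ToUniversalTime()
            $snap  = "\\localhost\${drive}`$\$token\$rel"
            # Copies without an entry for the file predate its creation (or follow its deletion),
            # which is also why the client UI shows only versions that differ from the current one.
            if (Test-Path -LiteralPath $snap) {
                $item = Get-Item -LiteralPath $snap
                [pscustomobject]@{
                    Taken     = $_.InstallDate
                    Path      = $snap
                    Length    = $item.Length
                    LastWrite = $item.LastWriteTime
                    Sha256    = (Get-FileHash -LiteralPath $snap -Algorithm SHA256).Hash
                }
            }
        }
}

function Restore-PreviousVersion {
    # Roll $Path back to the content at $SnapshotPath without changing the live ACL.
    param(
        [Parameter(Mandatory)][string]$Path,          # live file
        [Parameter(Mandatory)][string]$SnapshotPath   # a Path value from Get-PreviousVersions
    )
    $acl = $null
    if (Test-Path -LiteralPath $Path) {
        $acl   = Get-Acl -LiteralPath $Path           # the live ACL wins, not the snapshot's
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Copy-Item -LiteralPath $Path -Destination "$Path.before-restore-$stamp"   # keep newer content
    }
    Copy-Item -LiteralPath $SnapshotPath -Destination $Path -Force
    if ($acl) { Set-Acl -LiteralPath $Path -AclObject $acl }
}

# Usage: inspect first, then restore the version you actually want.
$versions = Get-PreviousVersions -Path 'C:\Shares\Finance\budget.xlsx'
$versions | Format-Table Taken, Length, LastWrite, Sha256 -AutoSize
# Restore-PreviousVersion -Path 'C:\Shares\Finance\budget.xlsx' -SnapshotPath $versions[0].Path
```

Comparing the SHA-256 column across rows shows at a glance which snapshots hold distinct content, which is the "view before restore" advantage slide 22 lists, and the explicit Get-Acl/Set-Acl pair makes the FAQ's ACL rule visible rather than relying on the copy preserving it implicitly.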

26 Trying it out
What do I need to try it out in a pilot test?
- A stand-alone Windows Server 2003 with shadow copies enabled
- A multi-volume configuration
- No need to deploy any client to get the benefits on the server

27 VSS Summary
- Very easy to install and use
- Simple configuration
- Saves IT costs and time
- Minimal to no performance hit
- Doesn't affect the enterprise backup strategy
- End users love this feature!
- Win-win for everyone!

28 Windows 2003 and 802.1x Secure Wireless Deployments

29 Challenge of Wireless
- Impressions that wireless is insecure: early implementations lacked security (WEP shared secret, MAC address filtering) and were difficult to administer and manage
- Need to protect network integrity
- Need to secure data
- Prevent unauthorized network access
- Must be able to trust an access point
- Prevent credential theft
- Security without excess complexity

30 Secure Wireless with Windows 2003
[Diagram labels: IAS (RADIUS), Active Directory, PKI, Wireless]
- PKI integrated with Active Directory
- Auto-enrollment of certificates
- Integrated 802.1x support
- Integrated EAP security
- Checks for a valid X.509 certificate via RADIUS to AD
- Directory-enabled networking
- Secure 802.1x wireless support
- Effortless PKI services
- Password- or certificate-based access
- PKI deployment optional: passwords can be used with a trusted 3rd-party certificate
- EAP-TLS, PEAP
- All connections are authenticated and secured

31 Components
Access Point, 802.1x, PKI, IAS (aka RADIUS), WEP, WPA, EAP, TLS, PEAP

32 Why use 802.1X?
- Eases manageability by centralizing authentication and authorization decisions
- Distributes keys for data encryption and integrity to the wireless client computer
- Minimizes access point cost by moving expensive authentication to AD
- Supports both WPA and WEP (with WEP, 802.1X only rotates per-session keys; the cipher weaknesses of WEP itself remain, so prefer WPA where the hardware allows it)

33 EAP-TLS
[Diagram: wireless station, access point, authentication server (AS)]
- Step 1: Use TLS to authenticate the AS to the station
- Step 2: Use the TLS key to protect the channel between station and AS
- Step 3: Use the certificate method, protected by the TLS key, to authenticate the station to the AS

34 PEAP
[Diagram: wireless station, access point, authentication server (AS)]
- Step 1: Use TLS to authenticate the AS to the station
- Step 2: Use the TLS key to protect the channel between station and AS
- Step 3: Use a legacy method (e.g., MD5-Challenge, MS-CHAPv2, etc.), protected by the TLS key, to authenticate the station to the AS

35 Why PEAP vs. EAP-TLS?
- Organizations may not be ready for PKI: managing user certificates stored on computer hard drives has challenges; some personnel might roam among computers (smartcards solve this); technical and sociological issues can delay or prevent deployment
- PEAP enables secure wireless now: it leverages existing domain credentials and allows easy migration to certificates and smartcards later

36 PEAP Security and Ease of Deployment Advantages
- PEAP is an open standard
- PEAP offers end-to-end negotiation protection
- PEAP uses mutual authentication
- PEAP offers highly secure keys for data encryption
- PEAP does not require the deployment of a full PKI or client certificates
- PEAP can be used efficiently with roaming wireless devices
- The user's credentials are not exposed to brute-force password attacks, because the MS-CHAPv2 exchange runs inside the TLS tunnel; this holds only when the station validates the server certificate (trusted CA and expected server name), since otherwise a rogue access point with its own RADIUS server can terminate the tunnel and capture the exchange

37 Windows 2003 Wireless Security
- Native support for IEEE 802.1X
- Complete with all required infrastructure: IAS (RADIUS server and proxy); Windows Certificate Server (PKI); AD (user and computer accounts and certificate repository)
- Same infrastructure used with RAS dial-up and VPN authentication
- Native interoperability with the Windows XP client (WinXP SP1)
- Down-level client support (PPC2002, W2K, NT4, 9x)

38 Windows 2003 Improvements
- Windows 2003 Active Directory: auto certificate enrollment and renewal for machines and users; performance enhancements when using certificate deployment; Group Policy support for wireless settings
- Internet Authentication Service: enhanced logging; easier deployment of multiple authentication types; scaling up (load balancing, RADIUS proxy); configuration export and restore; registering APs with RADIUS servers (a large number of APs in a wireless deployment requires Server 2003 Enterprise Edition)

39 PEAP Interoperability
- Confusion with PEAP versions: most RADIUS servers on the market now support PEAP version 0: Cisco ACS (RADIUS server), Funk Steel-Belted RADIUS (both server and client), Interlink RADIUS (server only), MeetingHouse RADIUS (both server and client)
- PEAP is supported in the following families: natively in Microsoft Windows 2003, Windows XP SP1 and Windows 2000 SP4; via application or system upgrade in Windows 98, Windows NT 4.0 and Pocket PC 2002
- The Internet Authentication Service (IAS) in the Windows Server 2003 family supports PEAP; there is no need to install third-party RADIUS software
- PEAP is an open standard and has been submitted to the IETF

40 Windows PEAP Authentication
- First phase (machine logon): 802.11 association; authenticate the AP; authenticate the computer; transition the controlled port status for machine account access to authorized resources
- Second phase (user logon): authenticate the user; transition the controlled port status for user account access to authorized resources

41 Why Use Machine Accounts?
- Domain logon is required for machine group policies, computer startup scripts and software installation settings
- When user account passwords expire, the associated WIC and transitioned controlled port are needed for the user notification and change dialog; the machine account logon phase allows password expiration notices and changes to occur normally
- Cisco's LEAP can't deal with this: it has no facility for machine authentication

42 System Requirements
- Client: Windows XP Service Pack 1
- Server: Windows Server 2003 IAS (Internet Authentication Service, our RADIUS server); a certificate on the IAS computer
- Backporting to Windows 2000: client and IAS must have SP3; no zero-config support in the client; see KB article 313664; supports only TLS and MS-CHAPv2; future EAP methods in XP and 2003 might not be backported

43 802.1x Setup
1. Build the Windows Server 2003 IAS server
2. Join it to the domain
3. Enroll a computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add the AP as a RADIUS client
7. Configure the AP for RADIUS and 802.1x
8. Create the wireless client access policy
9. Configure clients; don't forget to import the CA root
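Step 9 (configure clients, import the CA root) is where the PEAP exchange of slide 34 either gets its step 1 (the station authenticates the authentication server) or silently does not, and slide 36's claim that credentials are safe from brute force rests on that step. The added example below, written for this page and not part of the slides, checks a wireless profile for the settings that decide it: an encryption choice that is not WEP, a ServerValidation block that names the expected RADIUS server and pins the trusted root CA, no interactive "accept unknown server" prompt, and server validation not switched off. The XML is the wireless profile format of Windows Vista and later (exported with netsh wlan export profile); the Windows XP SP1 clients on the slides expose the same switches in the Wireless Network Properties dialog. Both profiles are trimmed to the elements the checker reads, and the SSID, server name and thumbprint are constructed for the example.

```powershell
$Ns = @{
    wlan  = 'http://www.microsoft.com/networking/WLAN/profile/v1'
    peap  = 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1'
    peap2 = 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2'
}

function Test-PeapProfile {
    # Returns the profile name, a Hardened flag, and the list of weaknesses found.
    param([Parameter(Mandatory)][string]$ProfileXml)
    $doc = [xml]$ProfileXml
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    foreach ($k in $Ns.Keys) { $nsm.AddNamespace($k, $Ns[$k]) }
    $text = { param($node, $xpath) $n = $node.SelectSingleNode($xpath, $nsm); if ($n) { $n.InnerText.Trim() } }
    $findings = New-Object System.Collections.Generic.List[string]

    # Link layer: 802.1X can key WEP or WPA; dynamic WEP still uses WEP's cipher.
    if ((& $text $doc '//wlan:encryption') -eq 'WEP') { $findings.Add('encryption is WEP; use WPA/WPA2 with 802.1X') }

    # Server validation decides whether step 1 of the PEAP exchange really happens.
    $sv = $doc.SelectSingleNode('//peap:ServerValidation', $nsm)
    if (-not $sv) {
        $findings.Add('no ServerValidation element; the station accepts any TLS server')
    } else {
        if ([string]::IsNullOrEmpty((& $text $sv 'peap:ServerNames'))) { $findings.Add('ServerNames empty; any certificate from a trusted CA is accepted') }
        if ($sv.SelectNodes('peap:TrustedRootCA', $nsm).Count -eq 0) { $findings.Add('no TrustedRootCA pinned; any CA in the root store is accepted') }
        if ((& $text $sv 'peap:DisableUserPromptForServerValidation') -ne 'true') { $findings.Add('user can approve an unknown server interactively') }
    }
    if ((& $text $doc '//peap2:PerformServerValidation') -eq 'false') { $findings.Add('PerformServerValidation is false') }
    if ((& $text $doc '//peap:RequireCryptoBinding') -ne 'true') { $findings.Add('RequireCryptoBinding not set; inner and outer authentication are not bound') }

    [pscustomobject]@{ Profile = (& $text $doc '//wlan:name'); Hardened = ($findings.Count -eq 0); Findings = @($findings) }
}

# Constructed weak profile: dynamic WEP, server validation effectively off.
$WeakProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi-weak</name>
  <MSM><security>
    <authEncryption><authentication>open</authentication><encryption>WEP</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
            <RequireCryptoBinding>false</RequireCryptoBinding>
            <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
          </EapType></Eap></Config></EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

# Constructed hardened profile: WPA2/AES, pinned root CA (placeholder thumbprint), expected server name.
$HardenedProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machineOrUser</authMode><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>ias.corp.example</ServerNames>
              <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
            </ServerValidation>
            <RequireCryptoBinding>true</RequireCryptoBinding>
            <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation></PeapExtensions>
          </EapType></Eap></Config></EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

Test-PeapProfile $WeakProfile     | Format-List
Test-PeapProfile $HardenedProfile | Format-List
# For a deployed profile: netsh wlan export profile name="corp-wifi" folder=. then
# Test-PeapProfile (Get-Content -Raw .\<exported file>.xml)
```

The weak profile produces six findings and the hardened one none; the authMode of machineOrUser in the hardened profile is what gives the two-phase machine-then-user logon of slide 40.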

44 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

