Robert Nottoli - Northwestern University (slide deck transcript, 39 pages)

Robert Nottoli, Principal Technology Specialist | Windows Server | Microsoft Corporation

Posted 11-Aug-2020

TRANSCRIPT

Page 1: Robert Nottoli - Northwestern University · 2 DHCP, VPN or Switch/Router DHCP, VPN or Switch/Router relays health status to relays health status to Microsoft Network Policy Server

Robert Nottoli
Principal Technology Specialist | Windows Server | Microsoft Corporation

Page 2:

Business Results & New Value

- End User Productivity
- Customer Connection
- Keep Business Up & Running
- Security
- Competition
- Technology Change
- Regulatory Compliance
- Cost Reduction

Page 3:

Page 4:

Client / Server

- Control: Manage your environment
- Availability: Maximize uptime and productivity
- Flexibility: For your changing business needs
- Clear: User Experiences
- Confident: Safe for users, easier for IT
- Connected: To information, people, devices

Page 5:

Investing in the Fundamentals: A solid foundation for your business

Challenges:
- Patch Management: Applying security patches is time consuming and disruptive
- Keep System Running: Too much time trying to keep things running and not enough time improving systems and adding business value
- Security: Protecting critical systems and high-valued data from unauthorized access and malicious code is job #1

Windows Server Longhorn:
- Reliability: Advanced reliability enhancements to reduce loss of access, work, time, data and control
- Performance and Scalability: Scalability advancements that enable you to deploy even the most demanding infrastructure for your business
- Security: Delivers a more robust & secure computing experience for PCs and Servers

Page 6:

Key Development Tenets

- Security, Security, Security, Security, Security
- Scenario-focused
- Integrated innovation
- Compatibility
- Heterogeneous interoperability
- Enabling broad industry ecosystem and volume economics
- Best of breed functionality for all server workloads

Server Functions / Workloads:
- Operational Infrastructure: Networking, Remote Access, Security, Identity Management, Terminal Server
- Solutions: General Purpose & Enterprise, Medium Business, Small Business
- Application Platform: Application/Web Server, Unix integration services, Database, High Performance Computing
- Information Worker Infrastructure: Storage (file, portal), Print, Email, Collaboration
- Management: Software Distribution, Virtualization, Operations Management

[WR-7]

Page 7:

Slide 6 note, WR-7: Do we still really need this slide? Perhaps the promises slide will work better here with an emphasis on our tenants. (Ward Ralston, 5/7/2006)

Page 8:

Security Features

Page 9:

Windows Service Hardening: Defense In Depth – Factoring/Profiling

- Reduce size of high risk layers
- Segment the services
- Increase # of layers

Layer diagram: Kernel Drivers; User-mode Drivers; Service 1, Service 2, Service 3, ...; Service A, Service B, ...

Page 10:

Service Changes in Longhorn Server (Services / Account)

Windows XP SP2 / Server 2003 R2:

- LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
- Network Service: DNS Client
- Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Windows Vista / Longhorn Server:

- LocalSystem, Firewall Restricted: WMI Perf Adapter, Automatic updates, Secondary Logon, App Management, Wireless Configuration
- LocalSystem: BITS, Themes, Rasman, TrkWks, Error Reporting, 6to4, Task scheduler, RemoteAccess, Rasauto, WMI
- Network Service, Fully Restricted: DNS Client, ICS, DHCP Client, browser, Server, W32time
- Network Service, Network Restricted: Cryptographic Services, Telephony, PolicyAgent, Nlasvc
- Local Service, No Network Access: System Event Notification, Network Connections, Shell Hardware Detection, COM+ Event System
- Local Service, Fully Restricted: Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Event Log, Workstation, Remote registry

[WR-4]

Page 11:

Slide 9 note, WR-4: To me - this is a great slide to introduce why upgrades to Win2K are a security risk and we are not supporting.... (Ward Ralston, 5/7/2006)

Page 12:

BitLocker™ Drive Encryption

- Designed specifically to help prevent a thief who boots another Operating System or runs a hacking tool from breaking Windows file and system protections
- Secure Startup - Helps provide data protection on your Windows systems, even when the system is in unauthorized hands
- Uses a v1.2 TPM or USB flash drive for key storage

Page 13:

BitLocker™ Features Overview

Ensures Boot Process Integrity
- Protects the system from offline software based attacks
- Protects data while the system is offline
- Encrypts entire Windows volume including both user data and system files, the hibernation file, the page file and temporary files

Force Recovery
- Sys-admin ONLY tool to securely speed-up PC re-deployment
- Eases Equipment Recycling

Single MS TPM driver
- Improved stability and security

TPM Base Services (TBS)
- Windows and 3rd party SW access to TPM

Scenarios:
- Lost or stolen laptop
- Branch-office Server
- Server Integrity

Page 14:

Code Integrity: OS File Protection

Validates the integrity of the boot process
- Checks kernel, HAL and boot-start drivers
- If validation fails, image won't load

Validates the integrity of each binary image
- Implemented as a file system filter driver
- Checks hashes for every page as it's loaded
- Checks any image loading to a protected process
- Hashes stored in system catalog or in X.509 certificate embedded in file
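The per-page check described on this slide, as an added Python illustration that is not part of the deck: a catalog is built from a trusted copy of an image (one digest per page), each page is verified as it is paged in, and a boot-start image whose pages do not all verify is refused. The 4 KiB page size, SHA-256, and the list-of-digests catalog layout are this example's assumptions; the alternative of hashes carried in an embedded X.509 certificate is not modelled.

```python
import hashlib

# Assumptions for this example: 4 KiB pages, SHA-256 digests, and a catalog that is
# simply the list of per-page digests of the trusted image.
PAGE_SIZE = 4096


def page_hashes(image: bytes) -> list:
    """Build the catalog: one digest per page of the trusted image."""
    return [hashlib.sha256(image[off:off + PAGE_SIZE]).hexdigest()
            for off in range(0, len(image), PAGE_SIZE)]


def verify_page(image: bytes, catalog: list, page_no: int) -> bool:
    """Check one page against the catalog, as the filter driver does on page-in."""
    if page_no >= len(catalog):
        return False                      # a page the catalog never described
    chunk = image[page_no * PAGE_SIZE:(page_no + 1) * PAGE_SIZE]
    return hashlib.sha256(chunk).hexdigest() == catalog[page_no]


def load_image(image: bytes, catalog: list):
    """Boot-time rule: every page must verify or the image is not loaded.

    Returns (loaded, failed_pages). A page-count mismatch (truncated or padded
    image) counts as a failure of every page, so the image cannot load.
    """
    n_pages = -(-len(image) // PAGE_SIZE)   # ceiling division
    if n_pages != len(catalog):
        return False, list(range(max(n_pages, len(catalog))))
    failed = [p for p in range(n_pages) if not verify_page(image, catalog, p)]
    return (not failed), failed


def boot_load(images: dict, catalogs: dict) -> dict:
    """Apply the rule to a set of boot-start images; returns name -> loaded."""
    return {name: load_image(img, catalogs[name])[0] for name, img in images.items()}


def sample_image(seed: int = 3, n_bytes: int = 3 * PAGE_SIZE + 512) -> bytes:
    """Constructed stand-in for a driver image: deterministic bytes, four pages."""
    return bytes((i * 7 + seed) & 0xFF for i in range(n_bytes))


if __name__ == "__main__":
    trusted = sample_image()
    catalog = page_hashes(trusted)
    tampered = bytearray(trusted)
    tampered[PAGE_SIZE + 10] ^= 0xFF        # flip one byte inside page 1
    print(load_image(trusted, catalog))                  # (True, [])
    print(load_image(bytes(tampered), catalog))          # (False, [1])
    print(load_image(trusted[:2 * PAGE_SIZE], catalog))  # (False, [0, 1, 2, 3])
```

The point of hashing per page rather than per file is visible in the second call: a single flipped byte pins the failure to page 1, and the image is refused before that page is ever mapped.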

Page 15:

Controlling Device Installation

- Ability to block all new device installs
  - Can deploy a machine and allow no new devices to be installed
- Set exceptions based on device class or device ID
  - Allow keyboards and mice to be added, but nothing else
  - Allow specific device IDs
- Configurable via Group Policy
  - Set at the computer level
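An added Python model (not from the deck) of the policy the slide describes: block every new device by default, then allow by setup class (keyboards and mice) or by exact device ID. The precedence used here, explicit deny by ID, deny by class, allow by ID, allow by class, then the default, is this example's own ordering; the setup-class GUIDs are the well-known Windows values for keyboard, mouse and disk drive, and the hardware IDs and `Device`/`DeviceInstallPolicy` names are constructed.

```python
from dataclasses import dataclass

# Well-known Windows device setup-class GUIDs (keyboard, mouse, disk drive).
KEYBOARD_CLASS = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"
MOUSE_CLASS = "{4D36E96F-E325-11CE-BFC1-08002BE10318}"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"


@dataclass(frozen=True)
class Device:
    """What Plug and Play reports for a newly attached device (constructed sample)."""
    name: str
    setup_class: str
    hardware_ids: tuple  # most specific first, e.g. USB\VID_xxxx&PID_yyyy&REV_zzzz


@dataclass(frozen=True)
class DeviceInstallPolicy:
    """Computer-level policy with the settings the slide describes.

    Evaluation order is this example's model of the precedence: explicit deny by
    ID, deny by class, allow by ID, allow by class, then the default. The default
    is 'deny' when block_unlisted is set ('block all new device installs') and
    'allow' otherwise.
    """
    block_unlisted: bool = True
    allow_classes: frozenset = frozenset()
    allow_ids: frozenset = frozenset()
    deny_classes: frozenset = frozenset()
    deny_ids: frozenset = frozenset()


def _norm(value: str) -> str:
    """IDs and GUIDs compare case-insensitively."""
    return value.strip().upper()


def evaluate(policy: DeviceInstallPolicy, device: Device):
    """Return ('allow' | 'deny', reason) for one installation request."""
    ids = {_norm(h) for h in device.hardware_ids}
    cls = _norm(device.setup_class)
    if ids & {_norm(x) for x in policy.deny_ids}:
        return "deny", "device ID explicitly denied"
    if cls in {_norm(x) for x in policy.deny_classes}:
        return "deny", "device class explicitly denied"
    if ids & {_norm(x) for x in policy.allow_ids}:
        return "allow", "device ID on allow list"
    if cls in {_norm(x) for x in policy.allow_classes}:
        return "allow", "device class on allow list"
    if policy.block_unlisted:
        return "deny", "not described by any policy setting"
    return "allow", "no policy applies"


def audit(policy: DeviceInstallPolicy, devices) -> dict:
    """Decision per device name, useful for checking a policy before deploying it."""
    return {d.name: evaluate(policy, d)[0] for d in devices}


# Constructed sample: keyboards and mice, plus one approved USB disk, nothing else.
APPROVED_DISK_ID = "USBSTOR\\DISK&VEN_CONTOSO&PROD_SECUREKEY"
LOCKED_DOWN = DeviceInstallPolicy(
    block_unlisted=True,
    allow_classes=frozenset({KEYBOARD_CLASS, MOUSE_CLASS}),
    allow_ids=frozenset({APPROVED_DISK_ID}),
)
SAMPLE_DEVICES = (
    Device("keyboard", KEYBOARD_CLASS, ("HID\\VID_045E&PID_0750",)),
    Device("mouse", MOUSE_CLASS, ("HID\\VID_046D&PID_C52B",)),
    Device("approved-disk", DISK_CLASS, (APPROVED_DISK_ID, "USBSTOR\\DISK")),
    Device("unknown-disk", DISK_CLASS, ("USBSTOR\\DISK&VEN_ACME&PROD_FLASH", "USBSTOR\\DISK")),
)

if __name__ == "__main__":
    for name, decision in audit(LOCKED_DOWN, SAMPLE_DEVICES).items():
        print(f"{name:14s} {decision}")
```

Because the explicit deny lists are checked first, revoking one previously approved device ID works even when its class remains allowed, which is the kind of exception handling a locked-down build needs.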

Page 16:

Next Generation TCP/IP

Motivation and Focus:
- Provide more efficient, scalable, high-speed, more secure and manageable networking
- Integrate new capabilities and functionality to meet customer needs
- Reduce cost of ownership
- Improve reliability and servicing

Benefits:
- Improved security without need to change the user experience
- Greater reliability for a more resilient, easy to use and manage networking experience
- Better scalability to meet growing connectivity demands and maximize server resources in a cost effective manner

Security:
- Reduce the risk of network security threats
- Safeguard sensitive data and intellectual property
- Full-featured, enterprise functionality

Performance:
- Automatically adjusts for maximum efficiency
- Optimized performance without loss
- Cost-effectively scale networking up and out
- Adopt hardware acceleration and offloading

Page 17:

Complete Redesign of TCP/IP

Architecture diagram (top to bottom):
- User Mode: Winsock; WSK Clients; TDI Clients
- Kernel Mode: AFD, TDX, TDI; WSK
- Next Generation TCP/IP Stack (tcpip.sys): TCP, UDP, RAW; Inspection API; IPv4 and IPv6 (dual-IP layer)
- NDIS: 802.3, WLAN, Loop-back, IPv4 Tunnel, IPv6 Tunnel

- Dual-IP layer architecture for native IPv4 and IPv6 support
- Seamless security through expanded IPsec integration
- Improved performance via hardware acceleration
- Network auto-tuning and optimization algorithms
- Greater extensibility and reliability through rich APIs

Page 18:

A Short List of New Features (each technology is marked against Security, Experience and Scalability columns; the transcript preserved only the number of marks per row, not which columns they fall in)

Technologies | Marks
- IPsec: X
- VPN Routing Compartments: X
- Windows Filtering Platform (WFP): X X
- Secure Sockets API: X
- IPv6: X
- TCP Chimney: X
- TCP-A (I/OAT): X
- Receive Side Scaling (RSS): X
- Receive Window Auto-Tuning: X X
- Compound-TCP (CTCP) – Congestion Control: X X
- Wireless Reliability: X
- Black-Hole Router Detection (BHRD): X
- Dead Gateway Detection: X
- Network Diagnostics Framework/Extended TCP Statistics: X
- Policy-based Quality of Service (eQoS): X X

Page 19:

Windows Firewall with Advanced Security

- Combined firewall and IPsec management
  - New management tools – Windows Firewall with Advanced Security MMC snap-in
  - Reduces conflicts and coordination overhead between technologies
- Firewall rules become more intelligent
  - Specify security requirements such as authentication and encryption
  - Specify Active Directory computer or user groups
- Outbound filtering
  - Enterprise management feature – not for consumers
- Simplified protection policy reduces management overhead
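An added Python model (not from the deck) of what "more intelligent" rules mean in practice: a rule can require that the connection be IPsec-authenticated and encrypted and that the authenticated peer computer and user belong to given Active Directory groups, and outbound traffic can be filtered as well. The rule precedence (block wins over allow; unmatched inbound blocked, unmatched outbound allowed) is this example's model, and the `Rule`/`Connection` types, group names and rule set are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One connection attempt as the host firewall sees it (constructed sample data)."""
    direction: str                  # "in" or "out"
    protocol: str                   # "tcp" or "udp"
    port: int                       # local port for inbound, remote port for outbound
    ipsec_authenticated: bool = False
    ipsec_encrypted: bool = False
    peer_computer_groups: frozenset = frozenset()   # AD groups proven by IPsec computer auth
    peer_user_groups: frozenset = frozenset()       # AD groups proven by IPsec user auth


@dataclass(frozen=True)
class Rule:
    """A firewall rule that may carry IPsec and AD-group requirements."""
    name: str
    direction: str
    protocol: str
    port: int
    action: str                     # "allow", "block" or "allow_if_secure"
    require_encryption: bool = False
    computer_groups: frozenset = frozenset()   # empty = any authenticated computer
    user_groups: frozenset = frozenset()       # empty = any authenticated user


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """Direction/protocol/port match first; 'allow_if_secure' adds the IPsec and group checks."""
    if (rule.direction, rule.protocol, rule.port) != (conn.direction, conn.protocol, conn.port):
        return False
    if rule.action != "allow_if_secure":
        return True
    if not conn.ipsec_authenticated:
        return False                # unauthenticated traffic never satisfies a secure rule
    if rule.require_encryption and not conn.ipsec_encrypted:
        return False
    if rule.computer_groups and not (rule.computer_groups & conn.peer_computer_groups):
        return False
    if rule.user_groups and not (rule.user_groups & conn.peer_user_groups):
        return False
    return True


def decide(rules, conn: Connection):
    """Return (verdict, rule name). In this model block rules win over allow rules;
    with no matching rule, inbound is blocked and outbound is allowed (the profile
    defaults), which is what makes outbound filtering an opt-in enterprise feature."""
    matched = [r for r in rules if rule_matches(r, conn)]
    blocks = [r for r in matched if r.action == "block"]
    if blocks:
        return "block", blocks[0].name
    if matched:
        return "allow", matched[0].name
    return ("block", "default inbound") if conn.direction == "in" else ("allow", "default outbound")


# Constructed rule set for a server: public web, Remote Desktop only for
# authenticated help-desk users on domain-joined machines, outbound SMB blocked.
RULES = (
    Rule("Web server", "in", "tcp", 80, "allow"),
    Rule("Remote Desktop (secure)", "in", "tcp", 3389, "allow_if_secure",
         require_encryption=True,
         computer_groups=frozenset({"Domain Computers"}),
         user_groups=frozenset({"Help Desk"})),
    Rule("Block outbound SMB", "out", "tcp", 445, "block"),
)

if __name__ == "__main__":
    helpdesk = Connection("in", "tcp", 3389, True, True,
                          frozenset({"Domain Computers"}), frozenset({"Help Desk"}))
    print(decide(RULES, helpdesk))                        # ('allow', 'Remote Desktop (secure)')
    print(decide(RULES, Connection("in", "tcp", 3389)))   # ('block', 'default inbound')
```

The useful property is that the same port can be reachable or not depending on who the peer proves itself to be: an unauthenticated connection to 3389, or an authenticated one from a user outside the required group, falls through to the default inbound block.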

Page 20:

Windows Server 2003: Installing, securing, and managing server roles fragmented across multiple tools

- Setup
- Post-Setup Security Updates
- Manage Your Server
- Configure Your Server Wizard
- Add/Remove Windows Components
- Computer Management
- Security Configuration Wizard

Page 21:

Longhorn Server Setup Phases: OS Setup -> Initial Configuration Tasks -> Server Manager

Page 22:

Server Manager: Provides a great, out-of-the-box experience for adding, configuring, and managing server roles

1. Out of box experience (OOBE): Walks the user through the tasks necessary to complete setup and operationalize the server
2. Single experience for configuring LH Server: Steps the user through adding and removing server roles and features securely
3. Portal for ongoing management: Display server status, expose key management tasks, and guide the user to advanced management tools

Page 23:

Network Access Protection: How it works

Components in the diagram: Windows Client; DHCP, VPN or Switch/Router (enforcement point); MSFT NPS; Policy Servers (e.g. Patch, AV); Fix Up Servers (e.g. Patch); Restricted Network (not policy compliant); Corporate Network (policy compliant)

1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network

Page 24:

NAP - Enforcement Options

Enforcement | Healthy Client | Unhealthy Client
- DHCP | Full IP address given, full access | Restricted set of routes
- VPN (MS and 3rd Party) | Full access | Restricted VLAN
- 802.1X | Full access | Restricted VLAN
- IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

- Complements layer 2 protection
- Works with existing servers and infrastructure
- Flexible isolation
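The five-step flow on the previous slide and the enforcement table on this one, as an added Python simulation that is not part of the deck: the client presents a statement of health, NPS validates it against an IT-defined policy, a non-compliant client is placed on the restricted network with the enforcement-specific consequence from the table, and steps 1-4 repeat after fix-up until step 5 grants full access. The health checks, the fixed date, the `StatementOfHealth` type and the fix-up behaviour are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed IT-defined health policy that NPS evaluates in step 3.
HEALTH_POLICY = {"firewall_on": True, "min_patch_level": 12, "max_signature_age_days": 7}
TODAY = date(2006, 5, 7)   # fixed clock so the run is deterministic (constructed)

# The slide's enforcement table: method -> (healthy client, unhealthy client).
ENFORCEMENT = {
    "DHCP": ("full IP address given, full access", "restricted set of routes"),
    "VPN": ("full access", "restricted VLAN"),
    "802.1X": ("full access", "restricted VLAN"),
    "IPsec": ("can communicate with any trusted peer",
              "healthy peers reject connection requests from unhealthy systems"),
}


@dataclass(frozen=True)
class StatementOfHealth:
    """Step 1: the health state the client presents with its access request."""
    firewall_on: bool
    patch_level: int
    signature_date: date


def validate_health(soh, policy=HEALTH_POLICY, today=TODAY) -> list:
    """Step 3: NPS checks the statement against policy; returns the failed checks."""
    failed = []
    if policy["firewall_on"] and not soh.firewall_on:
        failed.append("host firewall is off")
    if soh.patch_level < policy["min_patch_level"]:
        failed.append(f"patch level {soh.patch_level} below required {policy['min_patch_level']}")
    if (today - soh.signature_date).days > policy["max_signature_age_days"]:
        failed.append("AV signatures older than policy allows")
    return failed


def request_access(soh, enforcement: str) -> dict:
    """Steps 1-3 and the resulting placement (4 or 5). The enforcement point
    (DHCP, VPN or switch/router) only relays the statement; NPS decides."""
    failed = validate_health(soh)
    healthy, unhealthy = ENFORCEMENT[enforcement]
    if failed:
        return {"compliant": False, "network": "restricted", "access": unhealthy, "failed": failed}
    return {"compliant": True, "network": "corporate", "access": healthy, "failed": []}


def fix_up(soh, policy=HEALTH_POLICY, today=TODAY) -> StatementOfHealth:
    """Step 4: what the fix-up servers reachable from the restricted network change."""
    return StatementOfHealth(firewall_on=True,
                             patch_level=max(soh.patch_level, policy["min_patch_level"]),
                             signature_date=today)


def admission_loop(soh, enforcement: str, max_rounds: int = 3) -> list:
    """Repeat steps 1-4 until NPS grants full access (step 5) or rounds run out."""
    history = []
    for _ in range(max_rounds):
        decision = request_access(soh, enforcement)
        history.append(decision)
        if decision["compliant"]:
            break
        soh = fix_up(soh)
    return history


# Constructed client: firewall off, behind on patches, stale signatures.
UNHEALTHY = StatementOfHealth(firewall_on=False, patch_level=9,
                              signature_date=TODAY - timedelta(days=20))

if __name__ == "__main__":
    for step in admission_loop(UNHEALTHY, "DHCP"):
        print(step["network"], "-", step["access"], step["failed"])
```

Running it with "DHCP" shows the two-round path: first a restricted set of routes with three failed checks, then full access once the fix-up servers have brought the client into line. Swapping in "IPsec" shows the peer-level consequence instead of a network placement, which is why that option is described as complementing rather than replacing layer 2 protection.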

Page 25:

NAP Benefits

Support | Benefit
- Built-in client: Windows Vista, XP | No need to deploy/license 3rd party client; Updates via WUS / WSUS / SMS
- Flexible enforcement: DHCP, VPN, 802.1x, Terminal Services, Server and Domain isolation | Works with today's & tomorrow's networks; Enables risk-benefit trade offs
- 3rd party enforcement: All major switch / router / firewall / VPN | Customers can use any network or security infrastructure vendor
- Health assessment: SMS, WUS, SecurityCenter, 3rd party | Seamless integration with Windows infrastructure; Works with any AV, patch or endpoint security solution
- User experience: Integrated with Vista glass. Branding supported. | Polished look and feel tailored for the customer environment
- Management: Integration with SMS, AD, Group Policy and MOM for client, server and service operations | Complete policy based administration and operation

Page 26:

Demo

Page 27:

Investing in the Fundamentals

Security
- Threat modeling, tools, testing and code review
- Secure startup with BitLocker drive encryption
- Service hardening and user access control

Reliability
- Hot-pluggable subsystems and self-healing file system
- Server core and composite roles require fewer reboots
- Restart manager and restartable Active Directory

Performance
- Redesigned TCP/IP stack for better bandwidth use
- Optimized virtualization platform
- Support for 64x64-bit cores and 1TB RAM

Page 28:

Goals: Common Services, Common Experiences, Integrated Innovations

3 Step Process
- Gather requirements, prioritize and create specifications
- Review products at three milestones – product definition, beta, and RTM
- Product release - Go/No Go Decision
- Publish report for reviewed products at public beta
- External Publication of Report

Transparency, Predictability

Page 29:

Read-only DC value proposition

Attack surface has been reduced for DCs in physically unsecured locations
- Impact of stolen DC to the Active Directory reduced
  - By default, no users\computers passwords stored on RODC
- Attack surface to the Active Directory for a compromised DC has been reduced
  - Read-only state
  - Unidirectional replication for AD and FRS\DFSR
  - Each RODC has its own KDC KrbTGT account
  - Very limited rights to write in Directory
  - RODCs are workstation accounts, no EDC or DDC group membership

Easier management and configuration of DCs in branch offices
- Most AD branch office guide recommendations enabled by default

Page 30:

Read-only DC Demo: How RODC mitigates "stolen DC"

Hub Admin perspective / Attacker perspective

Page 31:

RODC deployment prerequisites

Summary: Works in existing environments!!!
- No patching to down-level DCs or clients needed
- No domain restructuring
- May be able to consolidate bridgehead servers

Incremental Requirements
- Must be in Win2003 Forest Functional Mode
  - Linked value replication reduces lost updates
  - RODCs require constrained delegation
- PDC FSMO must be running Longhorn
  - To ensure uniqueness of RODC Kerberos TGT accounts
  - PDC FSMO understands RODC accounts for secure channel
- Recommend multiple LH DCs per domain
  - To load balance RODC replication
- 1 RODC per domain per site supported
  - Writeable LH DC and RODC can coexist
  - RODCs from different domains can coexist

Page 32:

Admin Role Separation: Overview

Problem:
- Customers have too many Domain Admins
- Most of these DAs are really server admins (patch management, etc)

Solution:
- Provides a new "local administrator" level of access per RODC
  - Also includes all Builtin groups (Backup Operators, etc)
- Prevents accidental AD modifications by machine administrators
- Does not prevent "local administrator" from maliciously modifying the local DB

Page 33:

What is Server Core?

- Part of the "Windows Server" SKU, available as an install option
- Delivers the core set of server OS functionality
- Can boot and operate stand-alone in headless/embedded scenarios
- Part of an overall Windows/LH Server infrastructure solution

Page 34:

Tying it all together

- Server Core + Restartable AD: Reduced reboots for servicing
- Server Core + RODC + Admin Role Separation: The ultimate secure appliance domain controller

Page 35:

Authentication Enhancements

New logon architecture
- GINA (the old Windows logon model) is gone. Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding

Easier Smart Card Deployments
- Drivers and Certificate Service Provider (CSP) included in Windows Vista and Windows Update
- Login and credential prompts for User Account Control all support Smart Cards

Page 36:

Credential Providers: Technology Introduction

- Credential Providers replace GINA
- Credential Providers plug in to Logon UI
  - Logon UI can interact simultaneously with multiple credential providers
  - Credential Providers can be user selected and/or event driven
- Inbox Credential Providers: Password; Smart Card
- What Credential Providers cannot do: Replace the UI for the logon screen

Page 37:

Credential Providers: Value Proposition

Easier to write a Credential Provider than it was to write a GINA
- LogonUI and CredUI provide all UI
- Winlogon handles LSALogonUser and Terminal Services support
- Credential providers simply define credentials and use LogonUI to gather the data
- Uses COM to interact with LogonUI and CredUI

Page 38:

Other Security Features Redesigned/Improved

- ADFS
- PKI Improvements
- Indigo - Common Development Platform
- Claims aware applications
- Web SSO
- RMS 2.0
- Group Policy

Page 39:

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.