Windows Server Roadmap Update - download.microsoft.com
Windows Server 2003

NAME: Ashraf Fakhouri
TITLE: Senior Technology Specialist
EMAIL: [email protected]
Microsoft Corporation

Agenda
- Trustworthy Computing
- New administration features
- File System Features & Shadow Copy
- Customer Pains and why we are releasing Windows Server 2003 SP1
- Goals for Windows Server 2003 SP1
- Key enhancements and core functions of SP1
- Roadmap Tied to Security and Windows OS
- Additional resources to ramp up on Windows Server 2003 SP1
- Summary
- Q&A

Windows Server 2003 Goals: Microsoft's Security Framework
- Secure by Design
  - Secure architecture
  - Security aware features
  - Reduce vulnerabilities in the code
- Secure by Default
  - Reduce attack surface area
  - Unused features off by default
  - Only require minimum privilege
- Secure in Deployment
  - Protect, detect, defend, recover, manage
  - Process: How-tos, architecture guides
  - People: Training
- Communications
  - Clear security commitment
  - Full member of the security community
  - Microsoft Security Response Center

Administration Features: Drag and Drop
- Drag and drop is now supported
  - Active Directory Users and Computers
  - Active Directory Sites and Services
- Friendlier UI
  - Works like other administrative tools
- Drag and drop users into:
  - New containers or OUs
  - Groups

Administration Features: Saved Queries
- A query saved in Active Directory Users and Computers
- Accessed like a folder
- Only displays a specific set of objects based on the query
- Example: define queries to display accounts based on:
  - User\Group name or description
  - Account and password status
  - Days since last logon

Administration Features: Saved Queries
[Graphic]

Active Directory Administration: Using Scripts for Repetitive Tasks
- Also see Microsoft Scripting home page: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp

Demonstration: Active Directory Administration
- Drag-and-drop management
- Saved queries

File System Features: General Improvements
- Offline Folders
- Encrypting File System
- New Command Line Tools
  - NTFSUtil, Diskpart, Defrag, Mountvol
- Easier to manage permissions
  - Effective Permissions tab

File System Features: Distributed File System
- Closest site selection
- Multiple roots allowed on servers
  - Allows highly-available DFS
- Configurable replication
  - Control who replicates and when
- File Replication Service is improved
- Management and Delegation

File System Features: Shadow Copy Service
- Shadow copies
  - Point-in-time copy of data
  - Read-only -- cannot be edited
- Virtual Shadow Copy Service (VSS)
  - Coordinates shadow copies for NTFS volumes and applications
  - Makes APIs available to applications
    - Example: Open file backup in Windows Server 2003
  - Enables shadow copies of shared folders

File System Features: Shadow Copy Configuration
- Enabled per volume
- Configuration
  - Select location of shadow copies
    - Recommendation: place on a different volume
  - Set storage limits
    - Not for individual shares
    - Default is 10% of volume being copied
    - 100 MB minimum
    - If limit is reached, oldest copy is deleted
  - Schedule times when copies are taken
    - Creates a task scheduler task

File System Features: Utilizing Shadow Copies
- Users have access to shadow copies
  - Open previous versions of shares
  - Requires XP or Windows Server 2003
- Users can:
  - Restore accidentally deleted files
  - Recover previous versions of files
  - Compare document versions
- Reduces administration
  - Users can restore their own files

What Is A Shadow Copy?
- Data Snapshot
- Infrastructure for creating a point-in-time copy of a single volume or multiple volumes
- Appears static, even though the original data is changing
[Timeline diagram (t0, t1, t2): Write some data; Create a shadow copy; Data is written to the disk; Backup the static shadow copy while]

Demonstration 2
- Configuring Shadow Copy Restore
- Configure Your Server Wizard
- Manage Your Server Wizard

Windows Server 2003 SP1

Why?
- Patch management too complex
- Time to exploit accelerating
- Exploits are more sophisticated
- Current approach is not sufficient
[Chart: Days between patch and exploit. Values: 331, 180, 151, 25. Labels: Nimda, SQL Slammer, Welchia/Nachi, Blaster]

How?
- Role based approach will give customers flexibility in terms of time to test/deploy
- Proactive instead of reactive engineering, i.e. Windows Firewall and AD policy for Windows Firewall rule sets

A step in the journey to more secure computing platforms, applications, and devices.

What are the Goals of SP1?
- Enhanced Security
  - Reduced attack surface
  - New security enhancements
  - Stronger Defaults and privilege reduction on services
    - RPC
    - DCOM
  - Support for no execute hardware
    - Intel
    - AMD
  - Windows Firewall enabled by default
    - New install scenario
  - Provide a Security Configuration Wizard to assist IT Admins
    - Role-based configuration and lockdown
  - IIS 6.0 metabase auditing
- Enhanced Reliability
- Enhanced Performance
  - 10%+ improvement in TPC, TPC-H, SAP, SSL, etc.

SP1 Features and Enhancements
- Relevant XP SP2 enhancements
  - RPC, DCOM lockdown
  - Windows Firewall
- Post-Setup Security Updates
- Boot-time network protection for clean installs
- Security Configuration Wizard
- Base 64-bit extension system

RPC and DCOM Enhancements
- Dovetails with Windows XP SP2
- RPC attack surface reduced
  - Run RPC objects with reduced credentials
  - New RPC registry keys
  - Allow server applications to restrict access to the interface, typically through a security callback
  - Enables application developers to more closely control access
- Additional DCOM access control restrictions
  - Strengthening of DCOM authentication security model
- Overall reduction of risk of a successful network attack
- RPC and DCOM ports handled as a special case by Windows Firewall

Windows Firewall/RPC
- Goals and customer benefit
  - Provide by default better protection from network attacks
  - Focus on role-based server configuration
- What we're doing
  - Windows Firewall (formerly ICF) will be on by default in almost all configurations
  - More configuration options
    - Group policy, command line, unattended setup
  - Better user interface
  - Boot time protection
  - Restrict anonymous connections to DCOM/RPC interfaces
- Application impact
  - In-bound network connections will not be permitted by default
  - Listening ports only open as long as the application is running

Windows Firewall
- Enhanced settings enable more granular control
- More configuration options, improved interface provide customers greater ability to control network communications
[Diagram labels: Internet; User or Employee; Customer]

Windows Firewall and AD Firewall Policy Deployment

Post-Setup Security Updates
- A new feature designed to protect servers between first boot and application of most recent security updates
- Opens on first admin login if Windows Firewall was not explicitly enabled using unattend script or GP
- Blocks inbound connections until customer clicks Finish on PSSU dialog box

Post-Setup Security Updates
- Offers links to Windows Update
- Creates an opportunity to configure Automatic Updates
- Re-opens if not completed before first restart
- Forced closure (ALT+F4) makes no change to the firewall, system runs tests to display PSSU again at next log on

Post-Setup Security Updates
- Applies To:
  - Windows server admins who are concerned that new Windows Server 2003 servers may not be fully protected before application of updates
  - Admins who perform new installs of Windows Server 2003 with a Service Pack
- Does Not Apply When:
  - OS install with an unattend script enabling or disabling Windows Firewall
  - Windows Firewall is enabled or disabled through GP before PSSU is displayed
  - Performing OS updates to existing Windows Server 2003 server, or upgrading existing NT or 2000 server to Windows Server 2003

Post-Setup Security Update

Security Configuration Wizard
Guided Attack Surface Reduction for Windows Servers
- Security Coverage
  - Roles-Based Metaphor
  - Disables Unnecessary Services
  - Disables Unnecessary IIS Web Extensions
  - Blocks unused Ports, including multi-homed scenarios
  - Helps Secure Ports that are left open using IPSEC
  - Reduces protocol exposure (LDAP, NTLM, SMB)
  - Configures Audit Setting with high Signal to Noise
- Security for mere mortals
  - Roles-based makes answering questions easy
  - Automated versus Paper-Based Guidance
  - Fully tested and supported by Microsoft

SCW Operational Coverage
- Rollback, when applied policies disrupt service expectation
- Analysis, to check that machines are in compliance with policies
- Remotability for configuration and analysis operations
- Command Line Support for remote config and analysis en-masse
- Active Directory Integration for Group Policy-based deployment
- Editing of previously created policies, when machines are repurposed
- XSL Views of Knowledge base, policies and analysis results

Security Configuration Wizard

How To Get Involved
- WindowsServerFeedback.com
  - Share your ideas with the Windows Server Development Team via WindowsServerFeedback.com
- You can also participate in:
  - Online surveys about product feature priorities
  - Product focus groups
  - TechBeta

Summary
- SP1
  - Security-focused service pack, and includes performance and reliability improvements
  - Exciting roadmap complement to XP SP2, precursor to Windows Server 2003 R2 and Longhorn
- Windows Server Roadmap is solid
- What you can do:
  - Test the product RC
  - Communicate to your company on our roadmap
  - Provide your ideas on how we can make further improvements in this area

More Information:
- Windows Server 2003: http://www.microsoft.com/windowsserver2003/
- Windows XP SP2 on Microsoft TechNet: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
- Security home page on Microsoft Trustworthy Computing: http://www.microsoft.com/security
- Microsoft SGC Center: http://www.microsoft.com/security/guidance/
- Enhancing Customer Security on Microsoft TechNet: http://www.microsoft.com/technet/security/news/custsec.mspx
- Microsoft IT practices: http://www.microsoft.com/itshowcase

MICROSOFT CONFIDENTIAL 2004 Microsoft Corporation. All rights reserved.