Windows Server Roadmap Update

Windows Server 2003

Name: Ashraf Fakhouri
Title: Senior Technology Specialist
Email: [email protected]
Microsoft Corporation

Agenda
  • Trustworthy Computing
  • New administration features
  • File System Features & Shadow Copy
  • Customer Pains and why we are releasing Windows Server 2003 SP1
  • Goals for Windows Server 2003 SP1
  • Key enhancements and core functions of SP1
  • Roadmap Tied to Security and Windows OS
  • Additional resources to ramp up on Windows Server 2003 SP1
  • Summary
  • Q&A

Windows Server 2003 Goals: Microsoft's Security Framework
  • Secure by Design
      • Secure architecture
      • Security aware features
      • Reduce vulnerabilities in the code
  • Secure by Default
      • Reduce attack surface area
      • Unused features off by default
      • Only require minimum privilege
  • Secure in Deployment
      • Protect, detect, defend, recover, manage
      • Process: How-tos, architecture guides
      • People: Training
  • Communications
      • Clear security commitment
      • Full member of the security community
      • Microsoft Security Response Center

Administration Features: Drag and Drop
  • Drag and drop is now supported
      • Active Directory Users and Computers
      • Active Directory Sites and Services
  • Friendlier UI
      • Works like other administrative tools
  • Drag and drop users into:
      • New containers or OUs
      • Groups

Administration Features: Saved Queries
  • A query saved in Active Directory Users and Computers
  • Accessed like a folder
  • Only displays a specific set of objects based on the query
  • Example: define queries to display accounts based on:
      • User\Group name or description
      • Account and password status
      • Days since last logon

Administration Features: Saved Queries
  [Graphic]

Active Directory Administration: Using Scripts for Repetitive Tasks
  • Also see Microsoft Scripting home page: en-us/dnanchor/html/scriptinga.asp

Demonstration: Active Directory Administration
  • Drag-and-drop management
  • Saved queries

File System Features: General Improvements
  • Offline Folders
  • Encrypting File System
  • New Command Line Tools
      • NTFSUtil, Diskpart, Defrag, Mountvol
  • Easier to manage permissions
      • Effective Permissions tab

File System Features: Distributed File System
  • Closest site selection
  • Multiple roots allowed on servers
      • Allows highly-available DFS
  • Configurable replication
      • Control who replicates and when
  • File Replication Service is improved
  • Management and Delegation

File System Features: Shadow Copy Service
  • Shadow copies
      • Point-in-time copy of data
      • Read-only -- cannot be edited
  • Virtual Shadow Copy Service (VSS)
      • Coordinates shadow copies for NTFS volumes and applications
      • Makes APIs available to applications
      • Example: Open file backup in Windows Server 2003
      • Enables shadow copies of shared folders

File System Features: Shadow Copy Configuration
  • Enabled per volume
  • Configuration
      • Select location of shadow copies
          • Recommendation: place on a different volume
      • Set storage limits
          • Not for individual shares
          • Default is 10% of volume being copied
          • 100 MB minimum
          • If limit is reached, oldest copy is deleted
      • Schedule times when copies are taken
          • Creates a task scheduler task

File System Features: Utilizing Shadow Copies
  • Users have access to shadow copies
      • Open previous versions of shares
      • Requires XP or Windows Server 2003
  • Users can:
      • Restore accidentally deleted files
      • Recover previous versions of files
      • Compare document versions
  • Reduces administration
      • Users can restore their own files

What Is A Shadow Copy?
  • Data Snapshot
  • Infrastructure for creating a point-in-time copy of a single volume or multiple volumes
  • Appears static, even though the original data is changing
  [Timeline figure, t0 / t1 / t2: Write some data; Create a shadow copy; Data is written to the disk; Backup the static shadow copy while]

Demonstration 2
  • Configuring Shadow Copy Restore
  • Configure Your Server Wizard
  • Manage Your Server Wizard

Windows Server 2003 SP1

Why?
  • Patch management too complex
  • Time to exploit accelerating
  • Exploits are more sophisticated
  • Current approach is not sufficient
  [Chart: Days between patch and exploit. Values: 331, 180, 151, 25. Labels: Nimda, SQL Slammer, Welchia/Nachi, Blaster]

How?
  • Role based approach will give customers greater flexibility in terms of time to test/deploy
  • Proactive instead of reactive engineering, i.e. Windows Firewall and AD policy for Windows Firewall rule sets
  • A step in the journey to more secure computing platforms, applications, and devices.

What are the Goals of SP1?
  • Enhanced Security: reduced attack surface, new security enhancements
      • Stronger Defaults and privilege reduction on services
          • RPC
          • DCOM
      • Support for no execute hardware
          • Intel
          • AMD
      • Windows Firewall enabled by default
          • New install scenario
      • Provide a Security Configuration Wizard to assist IT Admins
          • Role-based configuration and lockdown
      • IIS 6.0 metabase auditing
  • Enhanced Reliability
  • Enhanced Performance
      • 10%+ improvement in TPC, TPC-H, SAP, SSL, etc.

SP1 Features and Enhancements
  • Relevant XP SP2 enhancements
      • RPC, DCOM lockdown
      • Windows Firewall
  • Post-Setup Security Updates
  • Boot-time network protection for clean installs
  • Security Configuration Wizard
  • Base 64-bit extension system

RPC and DCOM Enhancements
  • Dovetails with Windows XP SP2
  • RPC attack surface reduced
      • Run RPC objects with reduced credentials
      • New RPC registry keys
      • Allow server applications to restrict access to the interface, typically through a security callback
      • Enables application developers to more closely control access
  • Additional DCOM access control restrictions
  • Strengthening of DCOM authentication security model
  • Overall reduction of risk of a successful network attack
  • RPC and DCOM ports handled as a special case by Windows Firewall

Windows Firewall/RPC
  • Goals and customer benefit
      • Provide by default better protection from network attacks
      • Focus on role-based server configuration
  • What we're doing
      • Windows Firewall (formerly ICF) will be on by default in almost all configurations
      • More configuration options
          • Group policy, command line, unattended setup
      • Better user interface
      • Boot time protection
      • Restrict anonymous connections to DCOM/RPC interfaces
  • Application impact
      • In-bound network connections will not be permitted by default
      • Listening ports only open as long as the application is running

Windows Firewall
  • Enhanced settings enable more granular control
  • More configuration options and an improved interface give customers greater ability to control network communications
  [Diagram labels: Internet; User Or Employee; Customer]

Windows Firewall and AD
  • Firewall Policy Deployment

Post-Setup Security Updates
  • A new feature designed to protect servers between first boot and application of most recent security updates
  • Opens on first admin login if Windows Firewall was not explicitly enabled using unattend script or GP
  • Blocks inbound connections until customer clicks Finish on PSSU dialog box

Post-Setup Security Updates
  • Offers links to Windows Update
  • Creates an opportunity to configure Automatic Updates
  • Re-opens if not completed before first restart
  • Forced closure (ALT+F4) makes no change to the firewall; system runs tests to display PSSU again at next log on

Post-Setup Security Updates
  • Applies To:
      • Windows server admins who are concerned that new Windows Server 2003 servers may not be fully protected before application of updates
      • Admins who perform new installs of Windows Server 2003 with a Service Pack
  • Does Not Apply When:
      • OS install with an unattend script enabling or disabling Windows Firewall
      • Windows Firewall is enabled or disabled through GP before PSSU is displayed
      • Performing OS updates to existing Windows Server 2003 server, or upgrading existing NT or 2000 server to Windows Server 2003

Post-Setup Security Update
  [Graphic]

Security Configuration Wizard
  • Guided Attack Surface Reduction for Windows Servers
  • Security Coverage
      • Roles-Based Metaphor
      • Disables Unnecessary Services
      • Disables Unnecessary IIS Web Extensions
      • Blocks unused Ports, including multi-homed scenarios
      • Helps Secure Ports that are left open using IPSEC
      • Reduces protocol exposure (LDAP, NTLM, SMB)
      • Configures Audit Setting with high Signal to Noise
  • Security for mere mortals
      • Roles-based makes answering questions easy
      • Automated versus Paper-Based Guidance
      • Fully tested and supported by Microsoft

SCW Operational Coverage
  • Rollback, when applied policies disrupt service expectation
  • Analysis, to check that machines are in compliance with policies
  • Remotability for configuration and analysis operations
  • Command Line Support for remote config and analysis en-masse
  • Active Directory Integration for Group Policy-based deployment
  • Editing of previously created policies, when machines are repurposed
  • XSL Views of Knowledge base, policies and analysis results

Security Configuration Wizard
  [Graphic]

How To Get Involved
  • Share your ideas with the Windows Server Development Team via
  • You can also participate in:
      • Online surveys about product feature priorities
      • Product focus groups
      • TechBeta
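
The analysis, remote configuration, rollback, Group Policy and XSL-view operations listed under SCW Operational Coverage above correspond to verbs of the scwcmd command-line tool installed with the Security Configuration Wizard. The wrapper below is an added example, not part of the original deck; the policy path, results folder, server list file and GPO name are hypothetical placeholders.

```batch
@echo off
rem Added example: thin wrapper around scwcmd for a staged SCW rollout.
rem Assumptions (all hypothetical): the policy was saved by the wizard to
rem POLICY, SERVERS holds one server name per line, paths contain no spaces.
setlocal
set "POLICY=C:\SCW\Policies\webserver.xml"
set "RESULTS=C:\SCW\Results"
set "SERVERS=C:\SCW\servers.txt"
set "GPONAME=SCW-WebServer-Baseline"

if /i "%~1"=="analyze"  goto analyze
if /i "%~1"=="apply"    goto apply
if /i "%~1"=="rollback" goto rollback
if /i "%~1"=="gpo"      goto gpo
if /i "%~1"=="view"     goto view
goto usage

:analyze
rem Compliance check only: compares each server to the policy, changes nothing.
if not exist "%RESULTS%" mkdir "%RESULTS%"
for /f "usebackq delims=" %%S in ("%SERVERS%") do (
    echo Analyzing %%S against %POLICY%
    scwcmd analyze /m:%%S /p:%POLICY% /o:%RESULTS%
)
goto :eof

:apply
rem Apply the policy to one named server (pilot before wider rollout).
if "%~2"=="" goto usage
scwcmd configure /m:%~2 /p:%POLICY%
goto :eof

:rollback
rem Undo the most recently applied policy when it disrupts a service.
if "%~2"=="" goto usage
scwcmd rollback /m:%~2
goto :eof

:gpo
rem Convert the policy into a Group Policy object for AD-based deployment.
scwcmd transform /p:%POLICY% /g:%GPONAME%
goto :eof

:view
rem Render a policy or analysis-result XML file through the SCW XSL views.
if "%~2"=="" goto usage
scwcmd view /x:%~2
goto :eof

:usage
echo Usage: %~n0 analyze ^| apply SERVER ^| rollback SERVER ^| gpo ^| view FILE.xml
exit /b 1
```

Running the `analyze` verb first and reviewing the results before `apply` keeps the rollback path as a fallback instead of the primary test.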

Summary
  • SP1
      • Security-focused service pack, and includes performance and reliability improvements
  • Exciting roadmap
      • Complement to XP SP2, precursor to Windows Server 2003 R2 and Longhorn
  • Windows Server Roadmap is solid
  • What you can do:
      • Test the product RC
      • Communicate to your company on our roadmap
      • Provide your ideas on how we can make further improvements in this area

More Information:
  • Windows Server 2003: windowsserver2003/
  • Windows XP SP2 on Microsoft TechNet: pro/maintain/winxpsp2.mspx
  • Security home page on Microsoft Trustworthy Computing:
  • Microsoft SGC Center:
  • Enhancing Customer Security on Microsoft TechNet: sec.mspx
  • Microsoft IT practices:

MICROSOFT CONFIDENTIAL
2004 Microsoft Corporation. All rights reserved.

