In part 5 of this series I talked about Server Core and what impact it can have when we look at security. Because there is a smaller footprint there is less to patch and thus fewer security risks. This can be a valuable server to put into a branch office: take the possibility to encrypt the hard drives with BitLocker technology into consideration and you have a secured server. There is no need to put this server into a secured room, since the drives are encrypted and not readable when accessed from another computer, and most branch offices don't have such server rooms anyway.
You now know the first improvement for branch offices, but there are more. Take the Read-Only Domain Controller (RODC), for example.
An RODC hosts a read-only replica of the Active Directory Domain Services (AD DS) database. Before Longhorn server, when users from the branch offices needed to authenticate they had to do it against a domain controller over the WAN links. Another alternative was to put a domain controller at the branch office. However, this was not a good solution because most branch offices don't have adequate security for a domain controller.
Furthermore, branch offices often have poor network bandwidth when connected to a hub site. This can increase the amount of time required to log on. Now the RODC gives you the possibility to deploy a domain controller at the remote site without having to be concerned about physical security, because there is only a read-only replica of the database and, by default, all attributes are replicated except the account passwords. This can be defined through group policies: you can specify which accounts are allowed to have their passwords replicated.
Another security feature of the RODC is the possibility to assign an administrator who can log on locally without being a Domain Administrator; this also limits the security risks.
RODC functionality addresses these problems:
Another new feature is Restartable Active Directory. With Restartable AD we can stop the AD services so that we are able to apply updates to the domain controller or, for example, do an offline defragmentation of the AD database without needing to restart the server. Because most AD domain controllers host other services, this means we do not impact the availability of services like DHCP or DNS.
When AD is stopped on a server it behaves in two ways: first, the server is in Active Directory Restore mode and the AD database is offline; second, the server behaves as if it were a member server of the domain, and users can still log on through another domain controller.
If you combine Server Core, a Read-Only Domain Controller and BitLocker technology you have a secured server with a limited footprint.
Previous Posts in this series:
Part 7: Windows Failover Cluster
Part 6: Network Access Protection
Part 5: Server Core
Part 4: Server Hardening
Part 3: Internet Information Services 7.0
Part 2: Windows PowerShell
Part 1: Server Management Improvements
Gunter Staes delivered another Funcast: SQL Server Analysis Services & Microsoft Excel 2007, better together.
View Recording
Next he will be delivering the following Funcast session in his BI series, The Mac-Guyver Techniques:
The new Excel Services in Microsoft Office SharePoint Server 2007 puts Excel spreadsheet calculation and rendering on the server. Excel Services enables managed and secure distribution of Excel reports, the ability to incorporate spreadsheets into business intelligence dashboards and portals, protection of the proprietary information in spreadsheets, and building custom applications with Excel-based logic. This session explains Excel Services' basic concepts and architecture in combination with Single Sign On (SSO) and centrally managed data connections. After this session you will understand the concepts so that you will be able to set up Excel Services in a secure and well-managed way.
When: 04/04 from 16:00 - 16:40
Register Here
I just received a mail from Heather Schwenk through my blog about the Microsoft Global Hosting Summit 2007. Here is an excerpt of that mail that I wanted to share with you:
Today at the Microsoft Hosting Summit, Microsoft announced updates to two solutions for hosting service providers: Microsoft Solution for Hosted Messaging and Collaboration (HMC) Version 4.0 and Microsoft Solution for Windows-based Hosting Version 4.5.
Following are key highlights:
In addition, video clips from the Microsoft Hosting Summit 2007 that highlight these new solutions will be available at http://www.mshostingsummit.spaces.live.com.
Microsoft Solution for Hosted Messaging and Collaboration Version 4.0 will be available worldwide in April 2007. More information is available at http://www.microsoft.com/hostedmessaging.
Microsoft Solution for Windows-based Hosting Version 4.5 is available immediately. More information on Windows-based Hosting can be found at http://www.microsoft.com/serviceproviders/solutions/windowsbasedhosting.mspx.
Thanks Heather for sharing this information with us!
Download preview handlers for Outlook/Vista
Want to know more? Check the ProExchange UG site: http://www.pro-exchange.be/modules.php?name=News&file=article&sid=366
There is a Microsoft Developer & IT Pro Days offering for the Academic Community. During the "Developer & IT Pro Days 2007 - Satisfy your technical curiosity", Walter Stiers from our Academic Relations team will host an Academic track. He just finalized the agenda of his track and asked me if I could blog about it.
Here it is:
Academic Days - Day 1 - 28/03/2007
07:30 - 08:45 Welcome & Registration / Partner Expo
08:45 - 10:15 Opening Keynote (Dev & IT Pro days)
10:45 - 12:00 Dirk Daelemans: Vista & Office 2007 in Education
12:00 - 13:00 Lunch
13:00 - 14:15 Antonio Zurlo: Deploying and Managing a Windows-Based High-Performance Compute Cluster
14:30 - 15:45 Carrie Longson: UX: Building Schools of the Future. How technology can support learning in 2012
16:15 - 17:30 Benoît Haut & Frédéric Debaste: HPC for fluid flow modelling in a Chemical Engineering Department: from archaeology to industrial processes
17:45 - 19:00 Antonio Zurlo: Case study - HPC in Financial Services
Academic Days - Day 2 - 29/03/2007
07:30 - 09:00 Welcome & Registration / Partner Expo
09:00 - 10:15 Brecht Kets: Gaming in curriculum: XNA
10:45 - 12:00 Martin Timmerman: Embedded development tools: ECLIPSE vs Windows Embedded CE 6.0 Platform Builder
12:00 - 13:00 Lunch
13:00 - 14:15 Chad Z. Hower: Microsoft .NET MicroFramework
14:30 - 15:45 John Lefor: Microsoft Innovation through European Collaboration
16:15 - 17:30 Fotini Kaklamanou, Gérard Leblanc, Walter Stiers: Academic Relations Team: MD-AA & Imagine Cup
17:45 - 18:45 Closing Keynote (Dev & IT Pro days)
You can still register.
Note: The High Performance Computing session given by Antonio Zurlo is also very interesting for our IT Pro audience.
With Windows Longhorn we will change the name of the clustering technology. Let's look back at what the cluster terminology was:
When we first introduced the clustering technology in beta we called it Wolfpack. In Windows NT 4.0 we called it Microsoft Cluster Service (MSCS), and lots of people still use this terminology.
With Windows 2000 Server and Windows Server 2003 we called it Server Clustering. Because we introduced a new clustering technology called Windows Compute Cluster Server we had to change the name in order to avoid confusion.
Now it will be Windows Server Failover Clustering (WSFC).
We aim to simplify cluster installation and management and to increase security and stability. Before installing the actual cluster you will have to validate the hardware against a set of tests.
These tests include specific simulations of cluster actions, and fall into the following three categories:
Once the tests complete successfully we can start the installation. We have simplified the setup so that administrators can create the cluster in a few steps, and we will also support scripting to automate the installation.
The new management console is based on our MMC technology and lets you manage multiple clusters within one central console.
Some other management improvements:
We also made improvements to the cluster infrastructure to maximize the availability:
Windows Server Failover Clustering will have an improved security model:
We will now have better support for geographically dispersed clusters: the nodes don't have to reside on the same network subnet and we can control the heartbeat timeout. These changes in functionality let you create clusters without needing hardware to create VLANs over the WAN.
Network Access Protection provides limited access enforcement components for the following technologies:
How NAP works:
1. Client requests access to network and presents current health status
2. DHCP, VPN or Switch Router relays health status to Microsoft’s Network Policy Server
3. The Network Policy Server validates this against IT-defined health policies
4. If the machine is policy compliant, it’s given immediate access to the corporate network
5. If the machine is not policy compliant, it is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures, etc. Repeat 1-3.
On the Network Policy Server (NPS), administrators set the policy against which computer compliance will be measured before connecting computers are granted access to the network. In the image below you can see which protection you can select for the NAP-protected client. For example, you could decide that the client computer needs a firewall enabled, antivirus enabled and up to date, spyware protection enabled and up to date, and if your client computer is updated through the WSUS server we can enforce that the updates must be applied.
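To make the five-step flow and the policy check concrete, here is a small simulation of the admission cycle. It is an added example, not Microsoft code and not how NPS is implemented: the statement-of-health fields, the policy shape and the remediation step are illustrative assumptions, and a real health policy is configured in the NPS console rather than in code. The policy server decides between the corporate network and the restricted VLAN, and a non-compliant client repeats steps 1-3 after pulling fixes from the fix-up resources.

```python
"""Simulated NAP admission flow (added example; not Microsoft code).

Models the steps described above: the client presents a statement of
health, the enforcement point relays it, the policy server validates it
against the IT-defined health policy, and the client either gets the
corporate network or a restricted VLAN plus the list of things to fix.
Field names and the policy shape are illustrative assumptions.
"""
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass(frozen=True)
class StatementOfHealth:
    """What the NAP client reports about itself (constructed sample data)."""
    firewall_enabled: bool
    antivirus_enabled: bool
    antivirus_up_to_date: bool
    antispyware_enabled: bool
    antispyware_up_to_date: bool
    updates_applied: bool


@dataclass(frozen=True)
class HealthPolicy:
    """IT-defined requirements checked by the policy server (assumed shape)."""
    require_firewall: bool = True
    require_antivirus: bool = True
    require_antispyware: bool = True
    require_updates: bool = True  # only enforceable for clients updated via WSUS


@dataclass
class AccessDecision:
    compliant: bool
    network: str                      # "corporate" or "restricted" (remediation VLAN)
    remediation: List[str] = field(default_factory=list)


def evaluate(soh: StatementOfHealth, policy: HealthPolicy) -> AccessDecision:
    """Step 3: validate the statement of health against the health policy."""
    fixes = []
    if policy.require_firewall and not soh.firewall_enabled:
        fixes.append("firewall")
    if policy.require_antivirus and not (soh.antivirus_enabled and soh.antivirus_up_to_date):
        fixes.append("antivirus")
    if policy.require_antispyware and not (soh.antispyware_enabled and soh.antispyware_up_to_date):
        fixes.append("antispyware")
    if policy.require_updates and not soh.updates_applied:
        fixes.append("updates")
    if fixes:
        # Step 5: restricted VLAN; only the fix-up resources are reachable.
        return AccessDecision(False, "restricted", fixes)
    return AccessDecision(True, "corporate")  # Step 4: immediate access


def remediate(soh: StatementOfHealth, fixes: List[str]) -> StatementOfHealth:
    """Simulate the client downloading patches/signatures from the fix-up resources."""
    changes = {}
    if "firewall" in fixes:
        changes["firewall_enabled"] = True
    if "antivirus" in fixes:
        changes.update(antivirus_enabled=True, antivirus_up_to_date=True)
    if "antispyware" in fixes:
        changes.update(antispyware_enabled=True, antispyware_up_to_date=True)
    if "updates" in fixes:
        changes["updates_applied"] = True
    return replace(soh, **changes)


def admission_cycle(soh: StatementOfHealth, policy: HealthPolicy,
                    max_attempts: int = 3) -> Tuple[AccessDecision, int]:
    """Run the full flow, repeating steps 1-3 after each remediation round.

    Returns the final decision and the number of evaluations performed.
    """
    decision = evaluate(soh, policy)
    attempts = 1
    while not decision.compliant and attempts < max_attempts:
        soh = remediate(soh, decision.remediation)
        decision = evaluate(soh, policy)
        attempts += 1
    return decision, attempts


# Constructed sample: firewall on, antivirus present but stale, updates missing.
STALE_CLIENT = StatementOfHealth(True, True, False, True, True, False)

if __name__ == "__main__":
    first = evaluate(STALE_CLIENT, HealthPolicy())
    print("first attempt:", first.network, first.remediation)
    final, rounds = admission_cycle(STALE_CLIENT, HealthPolicy())
    print("after remediation:", final.network, "in", rounds, "attempts")
```

The `require_updates` flag mirrors the remark that update enforcement only makes sense for clients that are patched through WSUS; with it turned off the same stale client is sent to the restricted VLAN for the antivirus signatures alone.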
NAP Scenarios:
Network Access Protection is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network.
My colleague David Boschmans blogged about the Full Developer Session List for Developer & IT-Pro Days 2007. I wanted to give you the same information for the IT Pro sessions. I finalized the IT Pro agenda this week and it's online as we speak. Below you can find all the IT Pro - oriented sessions, session level and the speakers listed.
In the Virtualization Pre-conference Ronald Beekelaar will be delivering the following sessions:
During the main conference we will have 3 Level 200, 26 Level 300 and 4 Level 400 sessions for the IT Professionals:
The full agenda with the exact scheduling will be published soon here: overview - day 1 - day 2.
We have reached 1100+ registrations and it's less than two weeks before the start of the event. If you aren't registered yet, you can still do so here!
When I talked about the server management improvements in the first part of this series I explained that we have defined different server roles and features. Now there is also Windows Server Core, which is a minimal installation of Windows Longhorn server.
What I mean with minimal installation is that we only install the core server functionality without any extra overhead. The server core can be used for the following server roles:
At RTM time there will be additional roles like Media server, Print Server and Virtualization with the Hypervisor technology.
Besides those roles we also support some additional optional features like:
The choice to install a Server Core or a full server is made during setup; there is no upgrade or downgrade path. You cannot migrate from Windows 2003 to Server Core, and you cannot upgrade from Server Core to a full server; all these operations require a reinstall.
Because we don't install all executables and DLLs we have a much smaller footprint than with a full server. We don't even have Explorer, Internet Explorer, the CLR, etc.
A Server Core can be a headless server, with no need for keyboard or mouse, but it's still manageable from the console. The other options to manage the Server Core are remote MMC consoles, Terminal Services and WinRS.
Look at the sexy interface :)
Can you imagine which interface you will get when you are connecting through the Terminal Services :)
Once you installed the server there are several tasks you need to perform to have it completely up and running, here are some of them:
Note: The slmgr.vbs is a script that can be used remotely and is also installed onto Windows Vista.
I must admit that some scripting knowledge will be welcome to manage a Windows Server Core. For example, to change the display resolution you can either open the registry and change a registry key or use WMI to change it. Server Core will be available for the x86 and x64 versions of Longhorn server.
We expect that customers who have a lot of servers to maintain will use this kind of server due to the lower patch and management needs.
Watch the latest recorded funcasts:
In this webcast, we introduce Microsoft SQL Server 2005 Reporting Services. You will understand the report life cycle, and see how to create, publish, manage, and deliver reports using the new tools and features in SQL Server 2005 Reporting Services. You'll also discover tips and tricks for creating interactive reports & the integration with Sharepoint.
View Recording
Ever tried to manage the agenda of your team with Outlook? I had to do it several times when I was a project manager, when I had to manage the agenda of the project team and make my planning. OK, there is group calendaring, and now there is a calendar overlay feature in Outlook 2007. Yesterday a colleague of mine showed me the Calendar Printing Assistant for Outlook 2007. I immediately installed this tool to play with it.
This is really a neat tool. It detects which calendars you have in the calendar tab in Outlook and you can then create different views, going from daily to monthly or even yearly views. For each view there are different templates available.
Once you have the template you want, you can print the different calendars.
This tool can be downloaded for free.
A new event log event has been created to address certain situations in which the Cluster service account becomes excessively restricted by domain policy.
The new event ID is 1239. The event text includes troubleshooting information. You can also refer to article 871236 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=69284 ) for further information.
XmlLite is new with Windows Server 2003 SP2. XmlLite is a fast, low-level, native XML parser with a small memory footprint. For more information, including the Programmer's Guide and API reference, see the MSDN Web site (http://go.microsoft.com/fwlink/?LinkID=69285 ).
New options have been added to the Dcdiag.exe Domain Name System (DNS) tests. These new options are /x and /xsl:xslfile.xsl or /xsl:xsltfile.xslt. They generate XML tags when the tests are run with the /test:dns option. You can use this new output mechanism to more easily parse the verbose log that the DNS tests generate.
To direct the XML output file to XMLLog.xml, use the /x option. For example:
dcdiag /test:dns /v /e /x:XMLLog.xml
Icacls.exe is an upgrade of the Cacls.exe tool in Windows Server 2003 SP2, and can be used to reset the access control lists (ACLs) on files from Recovery Console, and to back up ACLs. Also, unlike Cacls.exe, Icacls.exe correctly propagates the creation of inherited ACLs and changes to them.
The default storage limit for message queuing has been changed to 1 gigabyte (GB). If you choose to have a storage limit of more than 1 GB, you can change the storage limit setting in Microsoft Management Console (MMC) on the General tab of Message Queuing Properties.
This version of Windows Server 2003 SP2 includes an update that enables you to simplify the creation and maintenance of Internet Protocol security (IPsec) policy. This update enables you to use an IPsec "Simple Policy". For most environments, the installation of this update allows you to reduce the number of IPsec filters that are required for a Server Isolation deployment or for a Domain Isolation deployment. You can reduce the number of IPsec filters from many hundreds of filters to only two filters. For more information about this update for Windows Server 2003 and Windows XP, see article 914841 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=69286 ).
Group Policy support for non-broadcasting networks and Wi-Fi Protected Access 2 (WPA2) settings has been added to the Windows wireless client in Windows Server 2003 SP2. This update allows the Windows wireless client to accept additional wireless Group Policy configuration options. These new settings include support for WPA2 parameters and non-broadcast networks.
The Windows wireless client now supports WPA2, which enables you to take advantage of high levels of standards-based connection and encryption security. New security features include:
Non-broadcast network profiles are now marked with a flag to improve the security of the Windows wireless client.
Windows will not automatically connect to a peer-to-peer network, even if it has been automatically saved in the preferred network list. You must manually connect to a peer-to-peer network profile.
Starting with this version of Windows Server 2003 with SP2, Remote Installation Services is replaced by Windows Deployment Services. You can use Windows Deployment Services to set up new computers through a network-based installation without having to be physically present at each computer and without having to install directly from DVD media. For more information about Windows Deployment Services, see the Windows Deployment Services Update Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=69289 ).
With Windows Vista we've improved the security of the platform dramatically, and because Windows Vista and Longhorn server share the same code base they will also share some of the security features. If we look at server hardening we can talk about how we segmented the services, boot process and binary image protection, device installation control, and Windows Firewall with Advanced Security.
This week I was preparing for my TechNet evening session about Longhorn server and I was looking at what we have done with Internet Information Services 7.0. It's more than just a web server; it's an easy to manage, deploy and extend platform.
Talking about IIS 7.0 to an IT Pro audience we have to mention the following improvements:
Let's have a look in detail at what those improvements mean:
Say goodbye to the metabase and enjoy the easy-to-understand and well-structured web.config and applicationHost.config XML files. The config files share the same syntax as the ASP.NET configuration files; in fact the configuration of both can coexist in the same file. With IIS 7.0 we can now store the web.config file in the same location as the application or site content. Welcome to a world of xcopy: just use the xcopy tool to copy the configuration, content and applications from a site to other web servers.
It's easy to change the configuration of sites and applications: just go to the configuration properties in the config file. For example, you can go to the <sites> section, scroll to the site you want to change, and change, for example, the bindings from port 80 to 81.
Another improvement many admins will love is delegated administration. You will be able to specify which configuration items can be changed. Open IIS Manager and go to Feature Delegation. There you can select which item you want and set the rights to Read Only, Read/Write or just inherit the settings. You are able to define the security for all sites or create security settings site by site. Another tool to change the configuration of an IIS web server is appcmd.exe. This tool can also be used to delegate the administration. Here's how you unlock the custom errors configuration for all sites:
appcmd unlock config -commitPath:APPHOST -section:httpErrors
The next step in admin delegation is to define which user can administrate the website.
Note that configuration locking alone can't secure your configuration system; you need to ACL the configuration files appropriately. Locking and file ACLs together make a complete configuration security story.
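The two configuration tasks just described, editing a site's bindings in the <sites> section and checking or unlocking a section for delegation, are illustrated below as an added example; it is not Microsoft tooling and not what appcmd.exe or IIS Manager do internally. The configuration text is a constructed, cut-down sketch of applicationHost.config that keeps the real element and attribute names (site, binding, bindingInformation, section, overrideModeDefault, location, overrideMode) but far fewer sections; is_section_unlocked and unlock_section are hypothetical helpers, and the <location path="" overrideMode="Allow"> entry that unlock_section writes is modelled on what the appcmd unlock command above leaves behind.

```python
"""Edit and inspect an IIS 7 applicationHost.config (added example, not Microsoft code).

Two tasks from the section above: change a site's HTTP binding from port 80
to 81, and report whether a section is delegated (unlocked) to web.config
files. The configuration below is a constructed, cut-down sketch of the real
file; helper names are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample: same shape as applicationHost.config, far fewer sections.
SAMPLE_APPHOST = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="httpErrors" overrideModeDefault="Deny" />
      <section name="defaultDocument" overrideModeDefault="Allow" />
    </sectionGroup>
  </configSections>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
        </bindings>
      </site>
      <site name="Intranet" id="2">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:intranet.example" />
          <binding protocol="https" bindingInformation="*:443:intranet.example" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def parse(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def _site(root: ET.Element, name: str) -> ET.Element:
    for site in root.iter("site"):
        if site.get("name") == name:
            return site
    raise KeyError(f"no site named {name!r}")


def rebind_site(root: ET.Element, site_name: str, old_port: int, new_port: int) -> list:
    """Rewrite every binding of one site that listens on old_port to new_port.

    bindingInformation is "IP:port:hostheader"; rsplit keeps bracketed IPv6
    addresses intact. Returns the rewritten binding strings.
    """
    changed = []
    for binding in _site(root, site_name).iter("binding"):
        ip, port, host = binding.get("bindingInformation").rsplit(":", 2)
        if int(port) == old_port:
            new_info = f"{ip}:{new_port}:{host}"
            binding.set("bindingInformation", new_info)
            changed.append(new_info)
    return changed


def is_section_unlocked(root: ET.Element, section_name: str) -> bool:
    """True when web.config files may override the section.

    A <location path=""> override wins over the overrideModeDefault declared
    in <configSections>; a missing section is an error, not "unlocked".
    """
    for loc in root.findall("location"):
        if loc.get("path", "") == "" and any(el.tag == section_name for el in loc.iter()):
            return loc.get("overrideMode") == "Allow"
    for sec in root.iter("section"):
        if sec.get("name") == section_name:
            return sec.get("overrideModeDefault", "Allow") == "Allow"
    raise KeyError(f"section {section_name!r} is not declared")


def unlock_section(root: ET.Element, section_name: str, group: str = "system.webServer") -> None:
    """Add the server-wide <location path="" overrideMode="Allow"> entry for a section
    (modelled on what 'appcmd unlock config' leaves in applicationHost.config)."""
    loc = ET.SubElement(root, "location", {"path": "", "overrideMode": "Allow"})
    ET.SubElement(ET.SubElement(loc, group), section_name)


def serialize(root: ET.Element) -> str:
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cfg = parse(SAMPLE_APPHOST)
    print("Intranet rebound:", rebind_site(cfg, "Intranet", 80, 81))
    print("httpErrors unlocked before:", is_section_unlocked(cfg, "httpErrors"))
    unlock_section(cfg, "httpErrors")
    print("httpErrors unlocked after:", is_section_unlocked(cfg, "httpErrors"))
    print(serialize(cfg))
```

Keep the note above in mind when using anything like this: unlocking a section only permits site-level overrides, and whoever can write the site's web.config can then change it, so the file ACLs decide who that is.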
This is a great feature that many administrators and developers will love.
In the previous section I briefly mentioned IIS 7 Manager. The completely new IIS Manager offers a new, more efficient tool for managing the web server. It provides support for both IIS and ASP.NET configuration settings.
IIS 7 supports a new command line tool for administering the server. This powerful utility makes it easy to read and write configuration values, and to access site and application pool state information, all from the command prompt.
With the built-in diagnostics and tracing tools troubleshooting has never been easier.
One of the most important features that helps improve IIS 7 troubleshooting support is the Runtime Status and Control API (RSCA), which is designed to give detailed runtime information about the server from deep within IIS 7. With RSCA it is possible to inspect and manage various entities, including sites and application pools.
IIS 7's Automatic Failed Request Trace Logging feature enables the server administrator to define error conditions for IIS to look out for. Error conditions can range from "slow" or "hung" requests to the familiar status codes IIS sends back during error conditions, like a "500 Server Error". Once configured, if IIS 7 detects an error condition it can automatically log detailed trace events of everything that happened during the request which led up to the error.
Instead of seeing a terse error code, you'll now see detailed information about the request, what potential issues may have caused the error, and how to fix it.
IIS has been designed to let you decide which features you want to install. We have modularized the web server into up to 40 modules that can be individually installed. This also means that we can dramatically reduce the attack surface and lower the footprint requirements.
Because of this modularity we can deploy different servers for different roles. It will also make it easier for the community to build and deploy new features.
IIS 7 is a great web platform and is already available for Windows Vista. If you want more in-depth information about IIS 7, go and check the IIS.Net website.
A few weeks ago Paul Loonen, Architect @ Avanade, delivered a Funcast about MIIS and how he could provision an AD from a SQL database.
User lifecycle management using Microsoft Identity Integration Server (MIIS) is demonstrated. HR information that is stored in a SQL Server database is used to manage user and group information in Microsoft Active Directory, including the provisioning and de-provisioning of such objects. It is shown that all of this can be accomplished with a minimum of effort by leveraging the tools delivered with the MIIS platform.
Here is the recorded webcast.
This week I did a TechNet evening about Longhorn server, and one of the attendees, Steve Rosa, made a really good and complete wrap-up of what I talked about during this two-hour session.
Steve is new to the blogosphere; he started blogging back in February and will focus on Microsoft infrastructure products, Citrix, VMware and other things.
Keep us informed Steve.
Read the TechNet Evening wrap up
Gunter Staes will be delivering the next Funcast sessions in his BI The Mac-Guyver Techniques:
In this webcast, we introduce Microsoft SQL Server 2005 Reporting Services. You will understand the report life cycle, and see how to create, publish, manage, and deliver reports using the new tools and features in SQL Server 2005 Reporting Services. You'll also discover tips and tricks for creating interactive reports & the integration with SharePoint.
When: 14/3 from 16:00 - 16:40
This webcast shows how to use Microsoft SQL Server 2005 Analysis Services and Microsoft Office Excel 2007 to build an enterprise-level data analysis solution. We show you how to develop server-side business rules and unified views of business data for one version of the truth, while at the same time providing end users with simple, self-service flexibility user experience in Excel. All this to make accurate decisions quickly.
When: 21/3 from 16:00 - 16:40
IT-Talks organizes a UG meeting about Windows Vista deployment.
What: Windows Vista Deployment up close
Where: Zaal Classics, Harelbeke
When: Saturday 10 March
Programme:
Go ahead and check their website to be a member of this UG and to join the next event.
This week Gunter Staes delivered his second Funcast - about SQL Server Analysis Services.
The next session will be held on February 28th - BI - The Mac-Guyver Techniques : SQL Server Reporting Services
The registration for this session is not live yet but as soon as you can register I will post it on this blog.
Watch this cool video on how our Windows Mobile platform can be customized.
http://www.youtube.com/watch?v=EpP1_79rhQ8
With Outlook 2007 you don't have to open Word or Excel to view an attachment in a mail; you can use the built-in previewers.
Foxit has released a PDF preview handler which works with Outlook 2007 running on Windows Vista.
Download Foxit PDF Preview