Ian Hameroff : IPsec

Article Alert: Policy-Driven Network Access with Windows Server 2008

ianhamer — Sun, 16 Mar 2008 04:41:35 GMT

While it has been nearly three months since I moved from the role as product manager for Windows Server networking to the Exchange Server team, I still get the occasional opportunity to strut my old networking stuff.

One such example is a recent article I co-authored with Amith Krishnan (product manager for Network Access Protection) on creating a policy-driven network access solution using a bunch of the new features of Windows Server 2008. The article -- entitled Policy-Driven Network Access with Windows Server 2008 -- appears in the March edition of Microsoft's TechNet Magazine.

Here's the article synopsis:

How do you allow network access to those who need it without sacrificing security? See how new technologies in Windows Server 2008, such as Windows Firewall with Advanced Security and Network Access Protection, let you implement a policy-based approach to help you achieve this goal.

Unfortunately, the online version of article doesn't offer you the opportunity to make comments on the article. So, please feel free to post your thoughts or feedback to this blog posting.

Okay, back to Exchange for me. I'm currently completely week 2 of 3 on the road doing focus groups around our future plans for Exchange Server. Good stuff; albeit exhausting to be traveling across the US, Asia (currently in Tokyo) and then Europe. Yahoo!

-- hama

Test Drive Server and Domain Isolation!

ianhamer — Mon, 03 Dec 2007 22:26:50 GMT

Yes.

I agree that it took us long enough to get this thing posted since I first mentioned it back in February.

Nevertheless, you can now download the kick ass Server and Domain Isolation demo/lab that Microsoft MVP and Virtualization and Security Guru Ronald Beekelaar built for us:

Server and Domain Isolation Demo

This kit includes everything you need to test drive a Server and Domain Isolation deployment on Windows Server 2003 and Windows XP.

Wait!

Did I say WS03 and XP?

Yes. But, don't fret.

We're working with Ron to get an updated version of the demo that highlights all the great stuff we've done in Windows Vista and Windows Server 2008. This version (no pressure Ron!) should hit the streets around the RTM/Launch of WS08. Stay tuned!

Okay, back to describing the one you now have at your disposal: You'll find 5 pre-configured VHDs and some great documentation that will step you through both basic and advanced S&DI scenarios. Ron's done a great job with visualizations that help tell the story and explain the data flows, etc. when trying out the different scenarios (like the "Start Page" shown below).

All you'll need to do to run the demo is download Virtual PC 2007 (or use an existing Virtual Server or Virtual PC installation) which you can get for free from http://www.microsoft.com/virtualpc.

After you've been wowed by the great stuff you can do with S&DI (which is an out of the box security solution with WS03, XP and Win2K, and WS08 and WinVista), visit our TechNet Server and Domain Isolation site at http://www.microsoft.com/sdisolation to learn more, review customer case studies, and download deployment guidance.

Have fun!

-- hama

Broadcom Takes IPsec to Task (Offload That Is)!

ianhamer — Thu, 08 Nov 2007 05:49:03 GMT

Our friends over at Broadcom announced on Tuesday (November 6th) a new super cool, 65nm Gigabit Ethernet controller that will incorporate support for Window Vista's IPsec Task Offload functionality!

As my boss' boss said in the press release:

"Thanks to Broadcom's inclusion of IPsec task offload support, our mutual customers will have even greater flexibility when implementing the IPsec features of Windows Vista and Windows Server® 2008," said Mike Schutz, Director of Security and Access Product Management at Microsoft. "By easing any potential performance tradeoffs, these latest NetXtreme security features will help further the adoption of such advanced Microsoft Windows security solutions as Server and Domain Isolation and Network Access Protection."

Effectively, with IPsec task offload support, many of the CPU intensive work required for hashing packets or encryption (if you're using the encryption options) can be moved to the NIC. This frees up the many CPU(s) for more interesting tasks, like running applications or surfing the web for stuff.

This means there'll be one less reason to not consider using IPsec as the great network security tool I've written about for sometime now!

-- hama

Greetings from the Future (Or, At Least GMT+8)

ianhamer — Sat, 15 Sep 2007 06:41:31 GMT

It's the Saturday following my week here in Kuala Lumpur (aka KL) and TechEd 2007 SEA (aka South East Asia). The week was a good time, and it was great to connect with the local 'softies, MVPs, partners, and of course, the regional customers.

I delivered two sessions, both basically repeats of my sessions at TechEd 2007 USA:

Implementing the IPsec Simple Policy Update for Windows XP and Windows Server 2003
Enabling Policy-Driven Network Access

The second of the two was based on my TLC interactive theater session by the same name. However, I re-worked the slides and introduce a pretty neat demo.

The demo illustrates a few of the Policy-Driven Network Access features of Windows Server 2008 and Windows Vista. In particular, Network Access Protection (using IPsec enforcement), and the Windows Firewall with Advanced Security.

Here's a snap-shot of my demo environment:

The actual physical setup included two laptops and simple switch. My trusty ThinkPad T60p booted the client side (Windows Vista Enterprise) off of my second hard disk in the UltraBay, and my Acer Ferrari ran the three Windows Server 2008 servers as VMs via Virtual Server 2005 R2 SP1. I'm looking forward to trying these out on Windows Server virtualization!

I had also planned on showing our Secure Wireless LAN solution (aka using the built in 802.1X supplicant in Windows Vista, the WS08 Network Policy Server/RADIUS, and EAP-TLS), but the Linksys wireless access point I brought along was only rated for 120V/60Hz. This certainly a disappointment. I mean, no offense to our friends at Cisco, but come on! Almost every piece of technology I own can handle, at the very least 100-240V. Well, thanks to a local colleague, I was able to re-work the demo with a borrowed switch.

The demo was a bit of a re-work of the Security and Policy Enforcement demo I showed at WinHEC. I cut the bits about how AD Rights Management Services integrates with MOSS, blah blah, and focused more on the network controls. Like being able to perform network layer authentications using health (aka NAP Health Certifications) and User credentials (via the Windows Firewall with Advanced Security's "Allow if Secure" filters in conjunction with Connection Security Rules). I plan on expanding the demo even further to include a few more bells and whistles (and a little more time spent on the back-end policy creation).

I'll be speaking to an SBS User Group in Singapore on Tuesday, and I hope to re-run the demo there with these additional bells and whistles.

To close: We had our company meeting on September 6th. This happened to coincide with flight from Seattle to Singapore. Nevertheless, I attempted to get into the spirit of the Company Meeting, by wearing the bright orange (wow!) long sleeved T-shirt our entire team had planned on showing off at the big show, but for me on the airplane:

You can almost see the flag from the Windows Server 2008 logo on my left arm. I attempted to capture the whole of the sleeve by flexing it a bit while using my Palm Treo 750's built-in camera to snap the shot. At the same time, I was trying to avoid making it looking I was trying to show off my "guns" (even though I have been working out at the Pro Club and it would be nice if you did notice!). Talk about team pride!

-- hama

Brand Spanking New Server and Domain Isolation Case Study

ianhamer — Tue, 19 Jun 2007 00:03:51 GMT

Hot off the presses, we've just published a brand spanking new customer case study about how the City of Sapporo (Japan) implemented a Server and Domain Isolation solution.

Here's a link to the case study (which you can also find with several case studies on our our Server and Domain Isolation TechNet site):

Major Japanese Municipal Principal Government Achieves Security Compliance at Nil Cost

Here's a little bit about what you'll learn:

In 2004, the local government of the City of Sapporo, Japan, established a security policy to define and control how the city maintained its information assets. With 12,000 users working in almost 870 departments and limited enforcement resources available in the form of staff and operational procedures, policy compliance proved difficult to achieve. By implementing a Server and Domain Isolation solution based on Microsoft Windows Internet Protocol Security (IPsec) and Active Directory, the City of Sapporo was able to implement cost-effective end-point authentication to dynamically segment its Windows environment into more secure and isolated logical networks, without requiring costly changes to its network infrastructure or applications. The solution has improved information security and reduced the risk of unauthorized access to confidential data on the organization’s Intranet.

What's neat?

They did all this on Windows Server 2003, Windows XP and Windows 2000.

Does that mean there's nothing in Windows Vista or Windows Server 2008 that you should be interested?

Not true.

With Windows Vista and Windows Server 2008, we make deploying a solution like the one outlined in the above case study easier to configure, deploy and maintain. Neat stuff!

And, they've also laid a foundation that can be used to help enforce network access once Windows Server 2008 ships and introduces Network Access Protection.

Enjoy!

-- hama

Tech·Ed 2007 - Day 5: IPsecapalooza 2007 (recap)

ianhamer — Fri, 08 Jun 2007 22:53:32 GMT

Day 5 (which was yesterday) was rough one. I'd been fighting a cold for most of my visit here in FLA, and it came back to haunt me during my last session Thursday afternoon.

I did a spiel about how you can simplify your Windows XP and Windows Server 2003 based Server and Domain Isolation deployments with the nearly a year old Simple Policy Update. Although it started off well, my energy level did slump a little bit towards then end, which likely explains this comment from one participation:

"speaker was to [sic] mono toned and was hard to keep focused."

Yup, I was a bit out of it, but I do appreciate all the feedback and the decent evaluation scores. Next time, I'll be sure to chug my Emergenc-C before coming down to TechEd 2008 (or whatever conference).

Nonetheless, we discussed why you should even think about IPsec to help address all that craziness today's world of networking has brought on. I did a quick demo of Server and Domain Isolation, and closed with a bunch of stuff on the Simple Policy Update.

After the session, I did about a 30 minute stretch at the booth and went back to the hotel to rest.

Before I left, I was notified by one of my "booth babes" (it might have been Sean (again)) that my Server and Domain Isolation collateral had the wrong URL (i.e. a typo) on the front side:

Ugh.

Good news, the link on the backside (http://www.microsoft.com/sdisolation) does work. Or you can just click on this one.

Changing subjects for one moment: I'm at the Yellow TLC (a near-ghost town) with less than 10 minutes left before the show floor closes. We're almost done with TechEd 2007!

-- hama

Tech·Ed 2007 - Day 4.5: Tolly Group White Paper Published!

ianhamer — Thu, 07 Jun 2007 19:56:29 GMT

So, I've talked a lot about this white paper that the Tolly Group published in my Networking Session on Tuesday. Well, it is now up and ready for download from our TechNet Networking site!

Here's the direct link:

Enhanced Network Performance with Microsoft Windows Vista and Windows Server 2008

Here's a little excerpt to tantalize your interest:

"Just upgrading client PCs to Microsoft's Windows Vista can yield throughput and time-to-completion improvements of up to 2.5X over Windows XP. Complete migration of servers to Windows Server 2008 can yield throughput and time-to-completion improvements of up to 3.5X over Windows XP/Windows Server 2003."

Don't forget to check out the recent article that John Fontana published that talks about this report:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to prep for my afternoon session on the IPsec Simple Policy Update for Windows XP and Windows Server 2003.

-- hama

Tech·Ed 2007 - Day 4: TLC Fun! (Recap)

ianhamer — Thu, 07 Jun 2007 17:42:45 GMT

Once more, I'm plagued by horrifically poor bandwidth on the hotel network.

After having dinner with Sean (aka Seanv6) at the Bahama Breeze, and dodging some hardcore downpours with lots of loud thunder and nearby lightening to boot, I returned to my humble temporary abode to check email, surf for interesting tidbits to kick-off my Thursday afternoon IPsec session with, and -- YIKES! -- discover 89 kbps download rates.

I normally travel with one of them Linksys Wireless-G Travel Routers, which provides a bit of wireless freedom even if the hotel doesn't offer such. Turns out that the hotel has both wired (including a "bank pen like attached CAT-5 cable -- see picture below) and wireless.

I went through every possible iteration of connectivity options, and actually discovered that my private WLAN yielded better transfer rates than being plugged in directly on the hotel's copper, or using their WLAN.

Amazing!

Sean shared similar frustration, and we both wondered why a conference town like Orlando doesn't have more than "two-cans with string" type network access to the "Internets".

This morning was a little bit better:

Anyhow.

Yesterday afternoon I delivered my "Enabling Policy-Driven Network Access" TLC Interactive Theater session (formerly known as Chalk Talks), to a great audience. The session was (more or less) a mini-breakout, and it appeared to be well received. We talked about a long list of built-in Windows Server 2008 and Windows Vista network security functionality that can help you embrace more policy-driven network access.

The topics included:

Windows Firewall with Advanced Security (aka the new Windows Firewall)
IPsec enhancements
Server and Domain Isolation
Secure Wireless LAN
Network Access Protection

If you attended the session, but would like a copy of the presentation deck (which is not up on CommNet) please contact me.

We also had a little fun yesterday with the Virtual TechEd Security Track folks. Brian Seitz shot a video of (approx. 10 minutes) me and Rodrigo (our MVP) talking about Server and Domain Isolation on the show floor, and Rodrigo's experience deploying the solution at his university in Brazil.

Check it out:

Video: Ian Hameroff at TechEd

You can see more cool stuff like this up on Brian's blog at: http://brianseitz.spaces.live.com.

For fans of my session from the Tuesday (SRV310 - Deploying High Performance and Scalable Networking with Windows Server 2008), here's an article that talks about the Tolly Group performance report that will be posted to MSCOM very shortly (I promise!) that John Fontana from Network World posted yesterday afternoon:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to get sorted and over to The O.C.C.C.! I have one more session this afternoon SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP. Here's the abstract:

Common IPsec-based scenarios, like Server and Domain Isolation, require the configuration of an IPsec policy that contains rules for protected and permitted traffic. For some enterprise deployments, the IPsec policy rules can require hundreds of IP filter definitions that must be maintained over time. The Simple Policy Update for Microsoft Windows XP and Windows Server 2003 changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases drastically reducing the number of required IP filters and their ongoing maintenance. This session dives into what these changes are and how they can be applied to both existing and new deployments of Server and Domain Isolation.

Don't forget to stop by the show floor (aka the Yellow TLC) and say hello!

-- hama

Tech·Ed 2007 - Day 2: Opening Day

ianhamer — Mon, 04 Jun 2007 19:23:00 GMT

So. I started my day out battling a non-late night out based headache ("yeah, right Hameroff" -- no, seriously, I hit the hay around 10:30p) and then confused by the TechEd 2007 shuttle buses. I'll explain the latter more.

At 9:30a-ish, I stood in front of my hotel for the #2 shuttle bus to arrive. My new friend -- who I call "the dude sitting in the beach chair outside the front door of the hotel on his cell phone and half reading a novel of some sorts" -- let me know that the next bus was moments away.

First, the #9 when by and about 5 minutes later my bus arrived. We made one more stop at the hotel adjacent to mine, and then (I assumed) we were off to the convention center. Well, we continued past the South O.C.C.C. (where TechEd is based), confusing most on the bus. I thought that we were going to take a different entrance than we did on Sunday, but that theory was shot dead as we sat in the left hand turning lane, waiting for the light to change so we could turn into the West building of the O.C.C.C. Just as I was about to leap up and say, "hey, wrong building dude!" we pulled up to a sign outside of the West building that read "TechEd 2007 Keynote -- Hall D."

Even with this obvious clue, just about everyone got off the bus. Two of us asked the driver if he was going to South building next, and we stayed on for the rest of the right.

Exciting, eh?

Today's edition of the show was a great way to start off TechEd '07. The booth had some decent traffic through the day (with the normal ups and downs in crowd sizes). Our expert booth staff spoke with customers and partners about our network solutions, and even took time out to reach expo floor characters like Sean Siler did in the picture below:

We also had a visit from Ron Beekelaar (MVP and creator of our Server and Domain Isolation demo), and we chatted about the next generation of the demo kit to include Windows Vista and eventually Windows Server 2008.

Rodrigo, our MVP booth staffer, was a bit surprised by the limited knowledge of the power of Server and Domain Isolation. But, it's great that we have this new demo to increase awareness.

Okay, time to head out the Contemporary Hotel on the Disney World campus for dinner with the crew. More to come tomorrow!

-- hama

Windows Server 2008 Network Security Webcast

ianhamer — Sat, 26 May 2007 01:07:37 GMT

The next few days in the US is Memorial Day weekend, also known as the unofficial start to summer. The means there will be plenty of barbeques, parties, and a Monday off.

Well, if you find yourself without something to done during this extended weekend, why not checkout this 90 minute TechNet webcast Amith Krishnan (NAP product manager) and I recorded back on May 17th:

TechNet Webcast: Windows Server 2008: Advancing Network Security (Level 300)

Here's the abstract of what was covered:

Among the long list of enhancements and innovations coming in Windows Server 2008 are a number of networking advancements and policy-driven network security features. In this webcast, we discuss the next generation of networking features in Windows Server 2008 and the network security solution scenarios these features enable. We examine the new Windows Firewall with Advanced Security, Server and Domain Isolation, and Network Access Protection (NAP). Discover how you can use these new networking innovations to provide your users with a more secure, reliable, and cost-effective connection experience.

We answered a bunch of questions on the call, but happy to answer any more you might have after watching the replay.

Enjoy, and have a great extended weekend!

-- hama

Using Server Isolation to Protect Your KMS Servers

ianhamer — Tue, 01 May 2007 20:01:37 GMT

Did you know that you can use a targeted IPsec-based Isolation solution to help reduce the risk of unauthorized access to your Key Management Service (KMS) Servers?

Yup. It's true. This is a great example of using "Server Isolation" as a means to add granular network access controls and end-to-end host authentication to critical services and applications. Think of it as a mini-virtual network that doesn't require any mucking around with your switches or router ACLs.

Like Domain Isolation, it leverages IPsec policies and credentials managed and distributed via Active Directory.

Well, let's cut to the chase...here a link to the IT Pro white paper that includes step-by-step guidance on using "Server Isolation with IPsec and Active Directory to secure access to KMS hosts, and provides step-by-step guidance for deploying such a solution on Windows Vista, Windows Server “Longhorn” or Windows Server 2003."

Using Server Isolation to Protect the Key Management Service (KMS)

If you've been curious about how IPsec-based solution scenarios -- like Server and Domain Isolation -- can work in your organizations, but were concerned about the wider scale impact to your network, solution scenarios like the one outline in the aforementioned white paper are a great place to start. Service Isolation of your KMS servers offers you a way to get your "hands dirty" with IPsec, deliver immediate value, while not "biting off more than you're ready to chew."

Joint IPv6 White Paper Scales to 256-Bit Length Addresses

ianhamer — Tue, 01 May 2007 07:46:06 GMT

Okay, that was a little bit sensational, if not an outright fib.

What's no joke is a newly published joint white paper Juniper Networks and Microsoft have co-developed to talk about deploying end-to-end IPv6 scenarios.

Heck, we felt that whole end-to-end bit was such a good thing we named the white paper after it (which you can find here):

Enabling the Next Generation of Networking with End-to-End IPv6

In addition to us lackeys from the product groups, we had folks from the US Federal/public sector teams at both Juniper and Microsoft collaborate on this paper to ensure it spoke to the requirements that you folks in the federal agencies and related industries are facing as you seek to deploy IPv6.

Hey, how are those deployments going, by the way?

Here's a sampling of the white paper brought to you by way of the infamous executive summary:

As connectivity converges and develops ubiquity many devices are added to the Internet. This trend has created projections of address shortages. Internet Protocol version 6 (IPv6) has promised a solution to this issue. In this paper, Microsoft and Juniper combine their leading networking knowledge to show customers how to adopt IPv6 technology. The paper first looks at the changing expectations of IPv6 with the growth of IPv6-enabled applications like Microsoft Windows Meeting Space in Windows Vista. Next the paper discusses the relationship of each component in an IPv6 implementation. The paper closes with some suggestions on functionality, equipment and deployment scenarios that highlight key aspects of a robust end-to-end IPv6 transition.

As the summary mentions, the white paper covers off a bunch of flexible deployment strategies that leverage transitional technologies baked into Windows Vista and Windows Server "Longhorn" to full blown dual-stacking Juniper gear working in concert with the native IPv6 support in the aforementioned Windows releases (like the graphic below illustrates).

STOP THE PRESSES! DID YOU ACTUALLY THINK YOU'D GET AWAY WITHOUT GETTING AN IPsec PITCH? SUCKER!

I'll admit the above was a bit silly, if not juvenile, but this is the little fun I get to have blogging offline while drinking horrific coffee cruising at 35,000 ft en route to Los Angeles to support the big joint Forefront/System Center launch on Wednesday.

Well, back to the IPsec pitch. As you all know, my day job is minding the Internet protocols suite in Windows Server. Since there are way too many to count on the knurled fingers of the guy siting next to me (yeah, this dude was chewing and picking at his nails for a good 30 minutes until we took off and the engine noise lulled him to sleep), we primarily focus on a few key ones that enable our major networking scenarios (like Server and Domain Isolation and NAP which uses IPsec).

I happen to think IPv6 migration is a pretty significant scenario that can also benefit from the cost-effective end-point authentication features of IPsec (as it was originally intended and realized with IPv6). I also happen to know that IPsec can potentially introduce a full list of interoperability challenges that you may not wish to tackle. We're trying to work out how to strike the right balance between true end-to-end host authentication (not just at the network on ramps) while still preserving the network management and optimization features you've deployed are will consider deploying (say, WAN optimization).

Well, it's important to look to the larger challenges (and risks) you are looking to address and we could certainly use your feedback to make sure we drive the right set of features into the platform and through our partner eco-system. I'm not going to reiterate the IPsec makes IPv6 better pitch, since I already blogged on this many times. Instead, I ask you to share your thoughts about how you think IPsec can help make your future IPv6 work more secure and scalable.

Well, time to close up since we're about to land at LAX. Hope to see you at the launch event on Wednesday!

WinServer "Longhorn" B3: This time it's "Ready, Set, (Download), and Evaluate!"

ianhamer — Thu, 26 Apr 2007 04:01:00 GMT

That's right Windows Server "Longhorn" fans, Beta 3 is ready for your evaluation!

Simply visit http://www.microsoft.com/getbeta3, and you're halfway there to trying out the first major public preview of our next generation of Windows Server.

As our press release touts:

"[With] Beta 3, customers will see new features and enhancements that include stronger security, better performance, new server roles and features, and additional server management and remote administration tools."

What that translates to is, well, a lot of new features and functionality that are ready for "tire kicking."

Heck, we even provided a little cheat sheet to help you zero in on some of the key new features:

New and improved features in Beta 3 include the following:

Windows PowerShell is now included in the product.

Active Directory Federation Services improvements allow customers to implement new policies and make it easier to set up a relationship between trusted partners.

The Server Core installation option now comes with additional roles and enhanced functionality, such as print services and Active Directory Lightweight Directory Services.

The Server Manager console includes additional remote administration tools to provide a more integrated management environment.

Windows Firewall with Advanced Security, now on by default, provides a persistent and more secure environment beginning at installation.

NAP is integrated with Microsoft Update and Windows Update to enable administrators to decide which updates are critical and set policies accordingly. It also has a new administrative interface for simplified setup, scalability and better performance.

Hey, there are two key features of mine on that list! NAP and the Windows Firewall with Advanced Security.

Now, there's been enough written about that NAP thingy, so I'll concentrate on the Windows Firewall instead. You didn't misread the bullet above -- we have switched it on by default to help further the defense-in-depth security controls for Windows Server as well as help reduce attack surface area right out of the gate.

We started down this road with the "Post -Setup Security Update" feature in Windows Server 2003 Service Pack 1 that switched on the newly added Windows Firewall right after install so you could safely venture on to the Internet to retrieve latest updates without increasing the risk of an unpatched vuln being exploited over the network. As you might recall, this feature was described as follows:

"Windows Firewall provides network protection after install while users update their system with the latest patches using the new Post-Setup Security Updates feature.

[Post-Setup Security Updates was] designed to protect the server from the risk of infection between the time the server is first started and the application of the most recent security updates are applied from Windows Update. If Windows Firewall is enabled and the administrator did not explicitly enable Windows Firewall using an unattended-setup script or Group Policy, Post-Setup Security Updates opens the first time an administrator logs on."

The team has been working diligently to test all the major Windows Server scenarios/workloads/roles/etc under this new "on by default" model to ensure we were able to map out the key IP service ports and related communication parameters. We've also done some neat stuff with Server Manager feature (cool stuff!) to help apply the appropriate firewall policies per the role(s)/workload(s) you enable.

I strongly encourage you to check this feature out, and learn about how this default to on works with the applications you run on top of Windows Server!

Well, my battery is just about to die (I'm at SFO getting ready to head back to SEA from the Gartner Symposium/ITxpo event here this week -- more on that later), so I better stop here so I can get this thing posted!

WinServer 2003 SP2 Comes Alive!

ianhamer — Wed, 14 Mar 2007 02:35:19 GMT

So. Yes. Okay. I'm a Peter Frampton fan. And, when I learned that our planned release of Windows Server 2003 Service Pack 2 (SP2) had, well, released today, it made me think of Frampton's "Frampton Comes Alive!" album from 1976.

Why?

I don't know.

Seriously.

I did happen to go to Plattsburgh State University (of New York) where several of the tracks were recorded (well before my tenure there). Maybe that's it.

Moving on to the business at hand.

WS03SP2 includes a bunch of stuff related to networking, including the following features:

Scalable Networking Pack (TCP Chimney Offload, Receive-side Scaling and NetDMA)
IPsec Simple Policy Update (aka Improved IPsec filter management) for making Server and Domain Isolation deployments easier with WS03 and XP
Wi-Fi Protected Access 2 (WPA2) support for XP x64 and WS03
Enabling ‘Firewall Per Port’ Authentication which means "Firewall per port authentication secures traffic between the Extranet environment and internal assets that are protected via IPsec Domain Isolation."

And, there's a whole lot more that makes Server Pack 2 worth a good look and eventual deployment.

"So, how do I get it?"

It's already available off of Windows Update/Microsoft Update. At first (as pictured below) it was placed under the High-priority updates, but it is now a "Software, Optional".

Nevertheless, we'll be making this an automatic update in the a few months, much like we did with Windows Server 2003 SP1 and XP SP2.

You can also visit the official SP2 site on TechNet and find all different versions of the SP for WS03 and XP x64 Edition:

http://www.microsoft.com/technet/windowsserver/sp2.mspx

The above link includes links the downloads (regular and ISO flavors), overview docs, like the overview and what's new in SP2, and deployment guidance. There's also a great "Top 10 Reasons to Install" which happens to feature two of my favorites as #3 and #4:

Download SP2 and start evaluating. Especially since the WDS features will help you get Windows Vista deployed and, well, heck, it's got a lot of networking goodness to keep you happy while we finish up Windows Server "Longhorn".

Keep Unsecured Machines Off Your Network (A WinIT Pro Podcast)

ianhamer — Mon, 26 Feb 2007 23:26:00 GMT

A couple of weeks ago, I had the opportunity to sit down with Karen Forster of Windows IT Pro magazine to record a podcast about a whole slew of things related to our network security solutions (aka policy-driven network access solutions):

Keep Unsecured Machines Off Your Network: Microsoft Talks About Policy-Driven Network Access Solutions

Here's the synopsis Karen wrote to describe our 20 minute chat:

Imagine your network protecting itself by preventing unsecured devices from accessing your resources. Microsoft is now providing technology that ensures every device that connects to your network has up-to-date security protection (e.g., current patches, anti-virus and anti-spyware). You can keep machines that are not compliant with your security policies off your network with Network Access Control (NAC) technologies for Longhorn Server and Windows Vista. Karen Forster discusses Microsoft's recent announcements about NAC, as well as Network Access Protection (NAP), with Microsoft's Ian Hameroff. Learn how NAC and NAP work and what technologies are involved, as well as what third-party products are poised to work with these technologies, in this exclusive interview.

The chat covers things like Server and Domain Isolation and Network Access Protection, as well as Bill and Craig's keynote from RSA 2007.

Since the recording of the podcast, we've taken a big leap forward in our internal deployment of NAP (aka "The Pilot"). We're now up and running across very large (10s of thousands clients) swaths of our network here in Redmond and MSIT is already seeing benefit from the policy-enforcement mechanisms.

For example, I attempted to shutdown my antivirus real-time scanner service and was immediately dinged by NAP:

As soon as I restarted the service, I was deemed healthy and carried on with no issues. The neat thing with the fact the NAP agent is built into Windows Vista (we're running Windows Vista Enterprise) is I did not need to install any software or anything. In fact, I didn't even know that the "switch had been thrown" until my manager sent out a note stating such.

Anyhow, checkout this podcast and let me know if you have any questions!