Ian Hameroff : Server and Domain Isolation

Article Alert: Policy-Driven Network Access with Windows Server 2008

ianhamer — Sun, 16 Mar 2008 04:41:35 GMT

While it has been nearly three months since I moved from the role as product manager for Windows Server networking to the Exchange Server team, I still get the occasional opportunity to strut my old networking stuff.

One such example is a recent article I co-authored with Amith Krishnan (product manager for Network Access Protection) on creating a policy-driven network access solution using a bunch of the new features of Windows Server 2008. The article -- entitled Policy-Driven Network Access with Windows Server 2008 -- appears in the March edition of Microsoft's TechNet Magazine.

Here's the article synopsis:

How do you allow network access to those who need it without sacrificing security? See how new technologies in Windows Server 2008, such as Windows Firewall with Advanced Security and Network Access Protection, let you implement a policy-based approach to help you achieve this goal.

Unfortunately, the online version of article doesn't offer you the opportunity to make comments on the article. So, please feel free to post your thoughts or feedback to this blog posting.

Okay, back to Exchange for me. I'm currently completely week 2 of 3 on the road doing focus groups around our future plans for Exchange Server. Good stuff; albeit exhausting to be traveling across the US, Asia (currently in Tokyo) and then Europe. Yahoo!

-- hama

Test Drive Server and Domain Isolation!

ianhamer — Mon, 03 Dec 2007 22:26:50 GMT

Yes.

I agree that it took us long enough to get this thing posted since I first mentioned it back in February.

Nevertheless, you can now download the kick ass Server and Domain Isolation demo/lab that Microsoft MVP and Virtualization and Security Guru Ronald Beekelaar built for us:

Server and Domain Isolation Demo

This kit includes everything you need to test drive a Server and Domain Isolation deployment on Windows Server 2003 and Windows XP.

Wait!

Did I say WS03 and XP?

Yes. But, don't fret.

We're working with Ron to get an updated version of the demo that highlights all the great stuff we've done in Windows Vista and Windows Server 2008. This version (no pressure Ron!) should hit the streets around the RTM/Launch of WS08. Stay tuned!

Okay, back to describing the one you now have at your disposal: You'll find 5 pre-configured VHDs and some great documentation that will step you through both basic and advanced S&DI scenarios. Ron's done a great job with visualizations that help tell the story and explain the data flows, etc. when trying out the different scenarios (like the "Start Page" shown below).

All you'll need to do to run the demo is download Virtual PC 2007 (or use an existing Virtual Server or Virtual PC installation) which you can get for free from http://www.microsoft.com/virtualpc.

After you've been wowed by the great stuff you can do with S&DI (which is an out of the box security solution with WS03, XP and Win2K, and WS08 and WinVista), visit our TechNet Server and Domain Isolation site at http://www.microsoft.com/sdisolation to learn more, review customer case studies, and download deployment guidance.

Have fun!

-- hama

Broadcom Takes IPsec to Task (Offload That Is)!

ianhamer — Thu, 08 Nov 2007 05:49:03 GMT

Our friends over at Broadcom announced on Tuesday (November 6th) a new super cool, 65nm Gigabit Ethernet controller that will incorporate support for Window Vista's IPsec Task Offload functionality!

As my boss' boss said in the press release:

"Thanks to Broadcom's inclusion of IPsec task offload support, our mutual customers will have even greater flexibility when implementing the IPsec features of Windows Vista and Windows Server® 2008," said Mike Schutz, Director of Security and Access Product Management at Microsoft. "By easing any potential performance tradeoffs, these latest NetXtreme security features will help further the adoption of such advanced Microsoft Windows security solutions as Server and Domain Isolation and Network Access Protection."

Effectively, with IPsec task offload support, many of the CPU intensive work required for hashing packets or encryption (if you're using the encryption options) can be moved to the NIC. This frees up the many CPU(s) for more interesting tasks, like running applications or surfing the web for stuff.

This means there'll be one less reason to not consider using IPsec as the great network security tool I've written about for sometime now!

-- hama

Greetings from the Future (Or, At Least GMT+8)

ianhamer — Sat, 15 Sep 2007 06:41:31 GMT

It's the Saturday following my week here in Kuala Lumpur (aka KL) and TechEd 2007 SEA (aka South East Asia). The week was a good time, and it was great to connect with the local 'softies, MVPs, partners, and of course, the regional customers.

I delivered two sessions, both basically repeats of my sessions at TechEd 2007 USA:

Implementing the IPsec Simple Policy Update for Windows XP and Windows Server 2003
Enabling Policy-Driven Network Access

The second of the two was based on my TLC interactive theater session by the same name. However, I re-worked the slides and introduce a pretty neat demo.

The demo illustrates a few of the Policy-Driven Network Access features of Windows Server 2008 and Windows Vista. In particular, Network Access Protection (using IPsec enforcement), and the Windows Firewall with Advanced Security.

Here's a snap-shot of my demo environment:

The actual physical setup included two laptops and simple switch. My trusty ThinkPad T60p booted the client side (Windows Vista Enterprise) off of my second hard disk in the UltraBay, and my Acer Ferrari ran the three Windows Server 2008 servers as VMs via Virtual Server 2005 R2 SP1. I'm looking forward to trying these out on Windows Server virtualization!

I had also planned on showing our Secure Wireless LAN solution (aka using the built in 802.1X supplicant in Windows Vista, the WS08 Network Policy Server/RADIUS, and EAP-TLS), but the Linksys wireless access point I brought along was only rated for 120V/60Hz. This certainly a disappointment. I mean, no offense to our friends at Cisco, but come on! Almost every piece of technology I own can handle, at the very least 100-240V. Well, thanks to a local colleague, I was able to re-work the demo with a borrowed switch.

The demo was a bit of a re-work of the Security and Policy Enforcement demo I showed at WinHEC. I cut the bits about how AD Rights Management Services integrates with MOSS, blah blah, and focused more on the network controls. Like being able to perform network layer authentications using health (aka NAP Health Certifications) and User credentials (via the Windows Firewall with Advanced Security's "Allow if Secure" filters in conjunction with Connection Security Rules). I plan on expanding the demo even further to include a few more bells and whistles (and a little more time spent on the back-end policy creation).

I'll be speaking to an SBS User Group in Singapore on Tuesday, and I hope to re-run the demo there with these additional bells and whistles.

To close: We had our company meeting on September 6th. This happened to coincide with flight from Seattle to Singapore. Nevertheless, I attempted to get into the spirit of the Company Meeting, by wearing the bright orange (wow!) long sleeved T-shirt our entire team had planned on showing off at the big show, but for me on the airplane:

You can almost see the flag from the Windows Server 2008 logo on my left arm. I attempted to capture the whole of the sleeve by flexing it a bit while using my Palm Treo 750's built-in camera to snap the shot. At the same time, I was trying to avoid making it looking I was trying to show off my "guns" (even though I have been working out at the Pro Club and it would be nice if you did notice!). Talk about team pride!

-- hama

Brand Spanking New Server and Domain Isolation Case Study

ianhamer — Tue, 19 Jun 2007 00:03:51 GMT

Hot off the presses, we've just published a brand spanking new customer case study about how the City of Sapporo (Japan) implemented a Server and Domain Isolation solution.

Here's a link to the case study (which you can also find with several case studies on our our Server and Domain Isolation TechNet site):

Major Japanese Municipal Principal Government Achieves Security Compliance at Nil Cost

Here's a little bit about what you'll learn:

In 2004, the local government of the City of Sapporo, Japan, established a security policy to define and control how the city maintained its information assets. With 12,000 users working in almost 870 departments and limited enforcement resources available in the form of staff and operational procedures, policy compliance proved difficult to achieve. By implementing a Server and Domain Isolation solution based on Microsoft Windows Internet Protocol Security (IPsec) and Active Directory, the City of Sapporo was able to implement cost-effective end-point authentication to dynamically segment its Windows environment into more secure and isolated logical networks, without requiring costly changes to its network infrastructure or applications. The solution has improved information security and reduced the risk of unauthorized access to confidential data on the organization’s Intranet.

What's neat?

They did all this on Windows Server 2003, Windows XP and Windows 2000.

Does that mean there's nothing in Windows Vista or Windows Server 2008 that you should be interested?

Not true.

With Windows Vista and Windows Server 2008, we make deploying a solution like the one outlined in the above case study easier to configure, deploy and maintain. Neat stuff!

And, they've also laid a foundation that can be used to help enforce network access once Windows Server 2008 ships and introduces Network Access Protection.

Enjoy!

-- hama

Tech·Ed 2007 - Day 5: IPsecapalooza 2007 (recap)

ianhamer — Fri, 08 Jun 2007 22:53:32 GMT

Day 5 (which was yesterday) was rough one. I'd been fighting a cold for most of my visit here in FLA, and it came back to haunt me during my last session Thursday afternoon.

I did a spiel about how you can simplify your Windows XP and Windows Server 2003 based Server and Domain Isolation deployments with the nearly a year old Simple Policy Update. Although it started off well, my energy level did slump a little bit towards then end, which likely explains this comment from one participation:

"speaker was to [sic] mono toned and was hard to keep focused."

Yup, I was a bit out of it, but I do appreciate all the feedback and the decent evaluation scores. Next time, I'll be sure to chug my Emergenc-C before coming down to TechEd 2008 (or whatever conference).

Nonetheless, we discussed why you should even think about IPsec to help address all that craziness today's world of networking has brought on. I did a quick demo of Server and Domain Isolation, and closed with a bunch of stuff on the Simple Policy Update.

After the session, I did about a 30 minute stretch at the booth and went back to the hotel to rest.

Before I left, I was notified by one of my "booth babes" (it might have been Sean (again)) that my Server and Domain Isolation collateral had the wrong URL (i.e. a typo) on the front side:

Ugh.

Good news, the link on the backside (http://www.microsoft.com/sdisolation) does work. Or you can just click on this one.

Changing subjects for one moment: I'm at the Yellow TLC (a near-ghost town) with less than 10 minutes left before the show floor closes. We're almost done with TechEd 2007!

-- hama

Tech·Ed 2007 - Day 4: TLC Fun! (Recap)

ianhamer — Thu, 07 Jun 2007 17:42:45 GMT

Once more, I'm plagued by horrifically poor bandwidth on the hotel network.

After having dinner with Sean (aka Seanv6) at the Bahama Breeze, and dodging some hardcore downpours with lots of loud thunder and nearby lightening to boot, I returned to my humble temporary abode to check email, surf for interesting tidbits to kick-off my Thursday afternoon IPsec session with, and -- YIKES! -- discover 89 kbps download rates.

I normally travel with one of them Linksys Wireless-G Travel Routers, which provides a bit of wireless freedom even if the hotel doesn't offer such. Turns out that the hotel has both wired (including a "bank pen like attached CAT-5 cable -- see picture below) and wireless.

I went through every possible iteration of connectivity options, and actually discovered that my private WLAN yielded better transfer rates than being plugged in directly on the hotel's copper, or using their WLAN.

Amazing!

Sean shared similar frustration, and we both wondered why a conference town like Orlando doesn't have more than "two-cans with string" type network access to the "Internets".

This morning was a little bit better:

Anyhow.

Yesterday afternoon I delivered my "Enabling Policy-Driven Network Access" TLC Interactive Theater session (formerly known as Chalk Talks), to a great audience. The session was (more or less) a mini-breakout, and it appeared to be well received. We talked about a long list of built-in Windows Server 2008 and Windows Vista network security functionality that can help you embrace more policy-driven network access.

The topics included:

Windows Firewall with Advanced Security (aka the new Windows Firewall)
IPsec enhancements
Server and Domain Isolation
Secure Wireless LAN
Network Access Protection

If you attended the session, but would like a copy of the presentation deck (which is not up on CommNet) please contact me.

We also had a little fun yesterday with the Virtual TechEd Security Track folks. Brian Seitz shot a video of (approx. 10 minutes) me and Rodrigo (our MVP) talking about Server and Domain Isolation on the show floor, and Rodrigo's experience deploying the solution at his university in Brazil.

Check it out:

Video: Ian Hameroff at TechEd

You can see more cool stuff like this up on Brian's blog at: http://brianseitz.spaces.live.com.

For fans of my session from the Tuesday (SRV310 - Deploying High Performance and Scalable Networking with Windows Server 2008), here's an article that talks about the Tolly Group performance report that will be posted to MSCOM very shortly (I promise!) that John Fontana from Network World posted yesterday afternoon:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to get sorted and over to The O.C.C.C.! I have one more session this afternoon SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP. Here's the abstract:

Common IPsec-based scenarios, like Server and Domain Isolation, require the configuration of an IPsec policy that contains rules for protected and permitted traffic. For some enterprise deployments, the IPsec policy rules can require hundreds of IP filter definitions that must be maintained over time. The Simple Policy Update for Microsoft Windows XP and Windows Server 2003 changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases drastically reducing the number of required IP filters and their ongoing maintenance. This session dives into what these changes are and how they can be applied to both existing and new deployments of Server and Domain Isolation.

Don't forget to stop by the show floor (aka the Yellow TLC) and say hello!

-- hama

Tech·Ed 2007 - Day 2: Opening Day

ianhamer — Mon, 04 Jun 2007 19:23:00 GMT

So. I started my day out battling a non-late night out based headache ("yeah, right Hameroff" -- no, seriously, I hit the hay around 10:30p) and then confused by the TechEd 2007 shuttle buses. I'll explain the latter more.

At 9:30a-ish, I stood in front of my hotel for the #2 shuttle bus to arrive. My new friend -- who I call "the dude sitting in the beach chair outside the front door of the hotel on his cell phone and half reading a novel of some sorts" -- let me know that the next bus was moments away.

First, the #9 when by and about 5 minutes later my bus arrived. We made one more stop at the hotel adjacent to mine, and then (I assumed) we were off to the convention center. Well, we continued past the South O.C.C.C. (where TechEd is based), confusing most on the bus. I thought that we were going to take a different entrance than we did on Sunday, but that theory was shot dead as we sat in the left hand turning lane, waiting for the light to change so we could turn into the West building of the O.C.C.C. Just as I was about to leap up and say, "hey, wrong building dude!" we pulled up to a sign outside of the West building that read "TechEd 2007 Keynote -- Hall D."

Even with this obvious clue, just about everyone got off the bus. Two of us asked the driver if he was going to South building next, and we stayed on for the rest of the right.

Exciting, eh?

Today's edition of the show was a great way to start off TechEd '07. The booth had some decent traffic through the day (with the normal ups and downs in crowd sizes). Our expert booth staff spoke with customers and partners about our network solutions, and even took time out to reach expo floor characters like Sean Siler did in the picture below:

We also had a visit from Ron Beekelaar (MVP and creator of our Server and Domain Isolation demo), and we chatted about the next generation of the demo kit to include Windows Vista and eventually Windows Server 2008.

Rodrigo, our MVP booth staffer, was a bit surprised by the limited knowledge of the power of Server and Domain Isolation. But, it's great that we have this new demo to increase awareness.

Okay, time to head out the Contemporary Hotel on the Disney World campus for dinner with the crew. More to come tomorrow!

-- hama

TechEd 2007 Security Track Goes On-line

ianhamer — Wed, 30 May 2007 02:20:55 GMT

Guess what?

TechEd 2007 is next week!

Yup.

And, to help make your TechEd experience even better, my pals over in the Trustworthy Computing Group have launched a brand new "TechEd Security Track 2007" site off of Microsoft.com. Check it out at: http://www.microsoft.com/security/teched/default.mspx

What's neat is you can listen to me blather on about the BillG keynote at WinHEC, the recent NAP/TNC announcement, and a preview of what to expect at TechEd from the networking and network security folks (like me). Check out my little "In Their Own Words" podcast...I'm the one right between Ali Parker and Mike Howard.

Back here at the Redmond Ranch we're prepping all systems for TechEd and also enjoying 74+ degree weather. And yes, the sky is sunny and the clouds are far and few between. What a day!

Anyhow, I hope to see you at the big show next week! You can find us in the Yellow TLC in the security section.

If the opportunity to meet me isn't thrilling enough, perhaps having a chance to rap with one of our leading network security MVPs, Rodrigo Immaginario from Brazil, is the deal maker. Rodrigo has extensive experience with our Server and Domain Isolation solution, and is working to deploy Network Access Protection (NAP). He's also worked with the full range of new networking functionality in Windows Vista and Windows Server 2008.

-- hama

Windows Server 2008 Network Security Webcast

ianhamer — Sat, 26 May 2007 01:07:37 GMT

The next few days in the US is Memorial Day weekend, also known as the unofficial start to summer. The means there will be plenty of barbeques, parties, and a Monday off.

Well, if you find yourself without something to done during this extended weekend, why not checkout this 90 minute TechNet webcast Amith Krishnan (NAP product manager) and I recorded back on May 17th:

TechNet Webcast: Windows Server 2008: Advancing Network Security (Level 300)

Here's the abstract of what was covered:

Among the long list of enhancements and innovations coming in Windows Server 2008 are a number of networking advancements and policy-driven network security features. In this webcast, we discuss the next generation of networking features in Windows Server 2008 and the network security solution scenarios these features enable. We examine the new Windows Firewall with Advanced Security, Server and Domain Isolation, and Network Access Protection (NAP). Discover how you can use these new networking innovations to provide your users with a more secure, reliable, and cost-effective connection experience.

We answered a bunch of questions on the call, but happy to answer any more you might have after watching the replay.

Enjoy, and have a great extended weekend!

-- hama

Get Your NAP (Step-by-Step) On!

ianhamer — Fri, 27 Apr 2007 20:11:45 GMT

A great thing about reaching the B3 milestone for Windows Server "Longhorn" is all the new (and improved) documentation that we get to publish. One such example is a set of new Network Access Protection (aka NAP) "step-by-step" guides to help you setup and test your favorite NAP scenario.

For your perusal, we have four new guides to match the four flavors of NAP enforcement:

DHCP
VPN
802.1X
IPsec (my personal fav)

This is quite timely -- not only because we just release Beta 3 of Windows Server "Longhorn" -- because just yesterday afternoon I spoke on a panel about securing data in a highly mobile environment as part of the CSO Summit going on here on campus. After the panel chatted about such new and updated data security features like BitLocker and RMS, we switched gears to talk about data in motion.

I was not surprised to see that most people (including CSOs in the communications sector) were mostly concerned about the impact of "guest workers" on their network leading to information compromise and leakage. About 3/4 of the folks in attendance indicated that was their primary motivator for evaling such things as end-point auth and network access control solutions.

When I started to talk about what were doing with NAP and other type solutions (read: Server and Domain Isolation) many wanted to know both what they could do now (like with Server and Domain Isolation -- which is available from Windows 2000 through Windows Server "Longhorn") and how they could "kick the tires"

Well.

These step-by-step guides are a great way to get things rolling. Simply download Beta 3, install our kick arse Virtual PC 2007 (available at no cost) and pick your favorite step-by-step. Clearly the 802.1X scenario will present some challenges since you really can't virtualize a switch (easily).

Check this stuff out and I'd enjoy hearing what you're feedback!

WinServer "Longhorn" B3: This time it's "Ready, Set, (Download), and Evaluate!"

ianhamer — Thu, 26 Apr 2007 04:01:00 GMT

That's right Windows Server "Longhorn" fans, Beta 3 is ready for your evaluation!

Simply visit http://www.microsoft.com/getbeta3, and you're halfway there to trying out the first major public preview of our next generation of Windows Server.

As our press release touts:

"[With] Beta 3, customers will see new features and enhancements that include stronger security, better performance, new server roles and features, and additional server management and remote administration tools."

What that translates to is, well, a lot of new features and functionality that are ready for "tire kicking."

Heck, we even provided a little cheat sheet to help you zero in on some of the key new features:

New and improved features in Beta 3 include the following:

Windows PowerShell is now included in the product.

Active Directory Federation Services improvements allow customers to implement new policies and make it easier to set up a relationship between trusted partners.

The Server Core installation option now comes with additional roles and enhanced functionality, such as print services and Active Directory Lightweight Directory Services.

The Server Manager console includes additional remote administration tools to provide a more integrated management environment.

Windows Firewall with Advanced Security, now on by default, provides a persistent and more secure environment beginning at installation.

NAP is integrated with Microsoft Update and Windows Update to enable administrators to decide which updates are critical and set policies accordingly. It also has a new administrative interface for simplified setup, scalability and better performance.

Hey, there are two key features of mine on that list! NAP and the Windows Firewall with Advanced Security.

Now, there's been enough written about that NAP thingy, so I'll concentrate on the Windows Firewall instead. You didn't misread the bullet above -- we have switched it on by default to help further the defense-in-depth security controls for Windows Server as well as help reduce attack surface area right out of the gate.

We started down this road with the "Post -Setup Security Update" feature in Windows Server 2003 Service Pack 1 that switched on the newly added Windows Firewall right after install so you could safely venture on to the Internet to retrieve latest updates without increasing the risk of an unpatched vuln being exploited over the network. As you might recall, this feature was described as follows:

"Windows Firewall provides network protection after install while users update their system with the latest patches using the new Post-Setup Security Updates feature.

[Post-Setup Security Updates was] designed to protect the server from the risk of infection between the time the server is first started and the application of the most recent security updates are applied from Windows Update. If Windows Firewall is enabled and the administrator did not explicitly enable Windows Firewall using an unattended-setup script or Group Policy, Post-Setup Security Updates opens the first time an administrator logs on."

The team has been working diligently to test all the major Windows Server scenarios/workloads/roles/etc under this new "on by default" model to ensure we were able to map out the key IP service ports and related communication parameters. We've also done some neat stuff with Server Manager feature (cool stuff!) to help apply the appropriate firewall policies per the role(s)/workload(s) you enable.

I strongly encourage you to check this feature out, and learn about how this default to on works with the applications you run on top of Windows Server!

Well, my battery is just about to die (I'm at SFO getting ready to head back to SEA from the Gartner Symposium/ITxpo event here this week -- more on that later), so I better stop here so I can get this thing posted!

WinServer 2003 SP2 Comes Alive!

ianhamer — Wed, 14 Mar 2007 02:35:19 GMT

So. Yes. Okay. I'm a Peter Frampton fan. And, when I learned that our planned release of Windows Server 2003 Service Pack 2 (SP2) had, well, released today, it made me think of Frampton's "Frampton Comes Alive!" album from 1976.

Why?

I don't know.

Seriously.

I did happen to go to Plattsburgh State University (of New York) where several of the tracks were recorded (well before my tenure there). Maybe that's it.

Moving on to the business at hand.

WS03SP2 includes a bunch of stuff related to networking, including the following features:

Scalable Networking Pack (TCP Chimney Offload, Receive-side Scaling and NetDMA)
IPsec Simple Policy Update (aka Improved IPsec filter management) for making Server and Domain Isolation deployments easier with WS03 and XP
Wi-Fi Protected Access 2 (WPA2) support for XP x64 and WS03
Enabling ‘Firewall Per Port’ Authentication which means "Firewall per port authentication secures traffic between the Extranet environment and internal assets that are protected via IPsec Domain Isolation."

And, there's a whole lot more that makes Server Pack 2 worth a good look and eventual deployment.

"So, how do I get it?"

It's already available off of Windows Update/Microsoft Update. At first (as pictured below) it was placed under the High-priority updates, but it is now a "Software, Optional".

Nevertheless, we'll be making this an automatic update in the a few months, much like we did with Windows Server 2003 SP1 and XP SP2.

You can also visit the official SP2 site on TechNet and find all different versions of the SP for WS03 and XP x64 Edition:

http://www.microsoft.com/technet/windowsserver/sp2.mspx

The above link includes links the downloads (regular and ISO flavors), overview docs, like the overview and what's new in SP2, and deployment guidance. There's also a great "Top 10 Reasons to Install" which happens to feature two of my favorites as #3 and #4:

Download SP2 and start evaluating. Especially since the WDS features will help you get Windows Vista deployed and, well, heck, it's got a lot of networking goodness to keep you happy while we finish up Windows Server "Longhorn".

Keep Unsecured Machines Off Your Network (A WinIT Pro Podcast)

ianhamer — Mon, 26 Feb 2007 23:26:00 GMT

A couple of weeks ago, I had the opportunity to sit down with Karen Forster of Windows IT Pro magazine to record a podcast about a whole slew of things related to our network security solutions (aka policy-driven network access solutions):

Keep Unsecured Machines Off Your Network: Microsoft Talks About Policy-Driven Network Access Solutions

Here's the synopsis Karen wrote to describe our 20 minute chat:

Imagine your network protecting itself by preventing unsecured devices from accessing your resources. Microsoft is now providing technology that ensures every device that connects to your network has up-to-date security protection (e.g., current patches, anti-virus and anti-spyware). You can keep machines that are not compliant with your security policies off your network with Network Access Control (NAC) technologies for Longhorn Server and Windows Vista. Karen Forster discusses Microsoft's recent announcements about NAC, as well as Network Access Protection (NAP), with Microsoft's Ian Hameroff. Learn how NAC and NAP work and what technologies are involved, as well as what third-party products are poised to work with these technologies, in this exclusive interview.

The chat covers things like Server and Domain Isolation and Network Access Protection, as well as Bill and Craig's keynote from RSA 2007.

Since the recording of the podcast, we've taken a big leap forward in our internal deployment of NAP (aka "The Pilot"). We're now up and running across very large (10s of thousands clients) swaths of our network here in Redmond and MSIT is already seeing benefit from the policy-enforcement mechanisms.

For example, I attempted to shutdown my antivirus real-time scanner service and was immediately dinged by NAP:

As soon as I restarted the service, I was deemed healthy and carried on with no issues. The neat thing with the fact the NAP agent is built into Windows Vista (we're running Windows Vista Enterprise) is I did not need to install any software or anything. In fact, I didn't even know that the "switch had been thrown" until my manager sent out a note stating such.

Anyhow, checkout this podcast and let me know if you have any questions!

Using ISA Server to Extend Server and Domain Isolation to non-Windows Platforms

ianhamer — Sat, 20 Jan 2007 04:31:56 GMT

One of the biggest pieces of feedback I hear when pitching Server and Domain Isolation to customers (which...btw...is a great first step towards an eventual NAP deployment) is "how will this work with my non-Windows clients?"

I don't like to think about interoperability as a binary thing, that is, Server and Domain Isolation is or is not interoperable with non-Windows hosts. Instead, there's really a range of options for enabling interoperability that include policy exemptions (e.g. don't use IPsec when communicating to or when receiving communications from a host -- like a mainframe) all the way to a "full Domain Isolation citizen" (like it is within the Windows sections of your networks).

In between these are a few different deployment scenarios. These include "hardwiring" configs and settings into the IPsec components on the non-Windows host, such as racoon on certain flavors of Linux, and using manually deployed machine certificates for authentication. Another one of these options uses ISA Server 2006 (or 2004) as an IPsec proxy or gateway to bridgehead communications between the trusted, isolated domain and the non-Windows hosts.

As the above graphic illustrates, this is a great way to extend Server and Domain Isolation functionality to hosts that do not or cannot run IPsec.

Pretty neat, eh?

The good news here (beyond what I've already shared) is we've just published a new technical whitepaper to the Server and Domain Isolation TechNet site that covers this solution across three specific scenarios:

An isolated client needs access to a non-IPsec-enabled server
Non-IPsec client needs access to a server on an IPsec-enabled, isolation domain
Allowing full access to isolated domains for business-critical exceptions

Here's the short description/abstract for the paper:

This white paper details how to use ISA Server as an IPsec gateway or proxy within a Server and Domain Isolation solution, from preparation to installation and configuration, and includes best practices to keep in mind during the process. It is written for enterprise technical decision makers, IT administrators, and architects who want to gain a better understanding of the processes and implementation of ISA Server as an IPsec gateway or proxy to extend Server and Domain Isolation interoperability to non-Windows devices and legacy systems.

For more details on this whitepaper, checkout the following link to the download center:

Using ISA Server to Extend Server and Domain Isolation Interoperability

Don't have ISA Server 2006 yet? No worries, download the trial or the pre-built VHD test drive for Virtual Server.