31 Jan 2011

Top 10 Reasons to Upgrade

It has been a long time since we have seen a new version of Windows Server. It is hard to believe that it has been five years since Windows Server 2003 was released. Well this year we can stop waiting. Windows Server 2008 went RTM this month and now we all have access to the final bits. It has been a long time coming and Microsoft has put a great amount of work into Windows Server 2008 to make it the best Windows ever.

Thousands of changes have been made in Windows Server 2008 compared to Windows Server 2003. Some are very small, but some are quite significant. But the question on everyone's mind is what does Windows Server 2008 provide to make it a worthwhile upgrade? That is the focus in this article.

There are far too many changes for me to cover in a single article, so I have selected those features and capabilities that I think make Windows Server 2008 a worthwhile upgrade. Other people will look at the changes in Windows Server 2008 and think that I should have mentioned some of the other changes. That is fair, but here I am going to talk about the big changes, the changes that will make your life better and hopefully also make your users happier.

Here is my list of what I think makes Windows Server 2008 great and a worthwhile upgrade from Windows Server 2003:

  • Server Manager and the Advanced Event Viewer
  • Server Core
  • Terminal Services Gateway
  • Terminal Services RemoteApps
  • Native IPv6 support
  • Read Only Domain Controllers
  • Hyper-V
  • Network Access Protection (NAP)
  • Secure Sockets Tunneling Protocol (SSTP)
  • The Windows Advanced Firewall and Policy-based QoS

Server Manager and the Advanced Event Viewer

Windows Server 2008 includes an entirely new management interface known as the Server Manager. The Server Manager is a one-stop shop for configuring, managing, and monitoring the server. This is not like the Server Managers you might have used in the past; this one actually works, and it is one that you will use every day when managing your Windows Server 2008 machines.


Figure 1

In the Server Manager, you can install Server Roles (such as DNS, DHCP, Active Directory) and Role services (such as Terminal Services Gateway and RRAS). When the Server Roles and Role Services are installed, the MMC consoles for these services are installed in the Server Manager. You no longer need to create your own custom MMCs!

The Server Manager also exposes the new and improved Event Viewer. This is not your father's old event viewer with just System, Security and Application nodes. Windows Server 2008 Event Viewer provides you with Event Logs you can use. There are the usual Windows Event Logs: Application, Security, and System. But now you have the ability to see Events for all applications and services installed on the computer. In addition, you can create Custom Views of the Event Logs, so that you can create your own containers for Events based on filters that you choose.


Figure 2

One of the new Event Log features that I like the most is the ability to subscribe to Events on other machines on the network. This allows you to collect Event Log data from other machines, based on filters that you provide. In this way, you can configure filters for Critical Events for the most important servers on your network. While lacking the sophistication of a full-fledged monitoring solution like System Center Operations Manager, it is a very nice built-in monitoring solution for those companies that do not want to shell out for SCOM.
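The filter behind a Custom View or a subscription is just an XPath query over the Event XML (the same XML you see on the Details tab of any event). The following Python is an added example, not code from the article or from Microsoft: it parses a few constructed events in that schema, applies a Critical-or-Error filter limited to a set of important servers, and builds the XPath string Event Viewer stores for such a view. Server names and event contents are made up; one thing the sample deliberately shows is that Security auditing events carry Level 0, so a naive "Level <= 2" test would be wrong.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows Event XML schema (as shown on the Details tab in Event Viewer).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}

# Constructed sample events in that schema; not captured from a real server.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7034</EventID><Level>2</Level>
    <Computer>FILE01.example.test</Computer></System>
  <EventData><Data Name="param1">Print Spooler</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-Power"/><EventID>41</EventID><Level>1</Level>
    <Computer>DC01.example.test</Computer></System>
  <EventData/>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Time-Service"/><EventID>37</EventID><Level>4</Level>
    <Computer>DC01.example.test</Computer></System>
  <EventData/>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><Level>0</Level>
    <Computer>WEB01.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">svc_backup</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict of the System fields a filter usually keys on."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        events.append({
            "provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "level": int(system.findtext("e:Level", namespaces=NS)),
            "computer": system.findtext("e:Computer", namespaces=NS),
        })
    return events


def critical_view(events, levels=(1, 2), computers=None):
    """Same test as a Custom View / subscription query for Critical and Error events.
    Membership in `levels` is used rather than `<=` because audit events are Level 0."""
    return [e for e in events
            if e["level"] in levels and (computers is None or e["computer"] in computers)]


def xpath_for(levels=(1, 2), computers=None):
    """Build the XPath that Event Viewer shows on the XML tab of such a Custom View."""
    query = "(" + " or ".join(f"Level={lv}" for lv in levels) + ")"
    if computers:
        query += " and (" + " or ".join(f"Computer='{c}'" for c in computers) + ")"
    return f"*[System[{query}]]"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    important = {"DC01.example.test", "FILE01.example.test"}
    for e in critical_view(evs, computers=important):
        print(LEVEL_NAMES[e["level"]], e["computer"], e["provider"], e["event_id"])
    print(xpath_for(computers=sorted(important)))
```

The XPath string is what you would paste into the Filter XML of a Custom View or a collector-initiated subscription; the Python filter exists only to show what that query actually matches.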

Server Core

Windows Server 2008 can be installed in one of two ways: full installation or server core. The Server Core installation installs a subset of binaries that are required to get the core operating system running. No optional services are installed or enabled. There is no user interface other than the command line. There is no Windows Explorer shell, and all configuration must be done locally at the command line, or remotely using the MMC console or the new Windows Remote Shell (WinRS) remote management application (similar to SSH).

The goal of Server Core is not to make the server more difficult to manage (although it is, to a certain extent, because many tasks must be done from the command line and cannot be done remotely from an MMC console). The actual goal of Server Core is to reduce the overall attack surface and to reduce the number of updates required on the server. Since many Windows security updates involve services and applications that you do not even use on a server (like Windows Media Player or Internet Explorer), you do not need to update those components. And with the greatly reduced number of applications and services that run on Server Core, the attack surface is definitely reduced.

Server core runs a limited number of Server Roles, so you have to make sure that the server role you are interested in is supported by a server core installation. Also, some of the Server Roles are not fully supported, such as the Web Server role. Server Core does not support .NET managed code, and therefore you will not be able to run the IIS console as a remote MMC. This creates a serious management headache because all IIS configuration on a server core machine must be done at the command line using appcmd.exe. If you are an Apache admin, you will be quite happy. If you are a part time IIS admin, you will probably want to wait on server core.

Server core is definitely a step in the right direction. However, at this time I would consider it a 1.0 release. I am sure the goals of server core were to reduce the attack surface and reduce update requirements, not to make it hard to manage. I expect future updates to Windows Server 2008 will make it easier to manage and allow it to live up to full expectations.

Terminal Services Gateway

One of the impediments to fully deploying Terminal Services for remote access users was the fact that a great many administrators did not trust the authentication sequence and the level of encryption of the RDP tunnels. Another problem encountered was the fact that many firewalls at remote locations did not allow outbound TCP 3389. Microsoft has solved these problems by introducing Terminal Services Gateway in Windows Server 2008.

Terminal Services Gateway is a type of SSL VPN, in the same way that RPC/HTTP for Outlook access to Exchange Server is an SSL VPN. The SSL VPN type is that of an application protocol proxy. Terminal Services Gateway works with the RDP 6.0+ client to allow encapsulated RDP connections to the TS Gateway computer.

The RDP client actually encapsulates the RDP protocol in two other protocols. First, the RDP protocol is encapsulated in an RPC header, and then it is encapsulated a second time using an encrypted HTTP header (SSL). The protocol used to connect to the TS Gateway is actually RDP/RPC/HTTP. Microsoft most likely did this so that they could use the existing RPC/HTTP code they already had for their RPC/HTTP proxy. When the connection reaches the TS Gateway machine, the TS Gateway removes the RPC and HTTP headers and forwards the RDP connections to the appropriate Terminal Server or Remote Desktop computer.

The figure below shows the interface for creating a Connection Authorization Policy or CAP. CAPs are used to determine which users can access resources through this TS Gateway computer. The dialog box in the figure shows the configuration interface for binding a certificate to the TS Gateway site so that secure SSL connections are allowed.


Figure 3

Terminal Services Gateway also supports Smart Card authentication and you also have the option to enforce NAP client access controls. Terminal Services Gateway is definitely one of the major reasons to upgrade to Windows Server 2008.

Terminal Services RemoteApps

The goal of every security admin is to reach least privilege for every user. That is especially true for remote access connections. Security admins like myself lose sleep at night thinking about providing full remote desktop connections to non-administrative users. All it takes is the compromise of one user's credentials by a dedicated hacker and that hacker has a full desktop environment under his control to compromise your network. That is a scary thought.

But do your users really need full access to a desktop? Or do they only need access to the applications on the desktop? Most likely, they just need access to the applications and data. In that case, Windows Server 2008 provides you with a solution called Terminal Services RemoteApp. Terminal Services RemoteApp allows you to provide access only to specific applications over the RDP channel. In that way, users cannot get into trouble with a full desktop, and if a hacker compromises that user's credentials, all the hacker has is an application, which has a much lower attack surface than a full desktop.

TS RemoteApp is very flexible. You can control which apps the users can access and how they access the apps on their own computers. TS RemoteApp together with TS Gateway makes the Windows Server 2008 Terminal Server a must-have for any company interested in a secure RDP-based remote access solution.

The figure below shows the main page in the TS RemoteApp Manager console. Setting up TS RemoteApps is quite easy and you will be up and running in very little time.


Figure 4

The figure below shows the icon on the user's desktop that will launch the RemoteApp. In the Properties dialog box you can see that the link is configured to start an .rdp file that allows specific access to the application.


Figure 5

Native IPv6 support

Windows Server 2008 is the first version of Windows Server that has native IPv6 support as part of a single IP stack. In versions of Windows before Vista, IPv6 support was implemented in parallel with IPv4, and there was no integrated support for IPv6 in network infrastructure services such as DNS and DHCP. That is no longer the case: IPv6 is now tightly woven into the Windows Server 2008 networking stack and infrastructure services.

In the figure below you can see that the Windows Server 2008 DNS now supports IPv6. You can create Quad A (AAAA) records and you can also create IPv6 reverse lookup zones.


Figure 6

The DHCP service has also been updated to support IPv6. In the figure below you can see that I have created a DHCP scope for Unique Local addresses.


Figure 7

The figure below shows that you can configure network interfaces to use static IPv6 addresses, or have them use DHCP to obtain IP addressing information.


Figure 8

Windows Server 2008 RRAS servers acting as routers can be configured as IPv6 routers and provide information in their router advertisement messages about which prefixes clients can use, and whether or not clients should also obtain stateful addressing information from DHCP servers.

Windows Server 2008 also supports IPv6 transition technologies, such as ISATAP, 6to4 and Teredo. Any Windows Server 2008 computer can be configured as an ISATAP router by using the Netsh command line interface.
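To make the DNS and DHCP pieces above concrete, here is an added example (my own Python, not anything from the article or from Windows) that builds a Unique Local /48 the way RFC 4193 specifies, carves out the /64 a DHCPv6 scope would cover, derives the name of the matching ip6.arpa reverse lookup zone, and produces the AAAA and PTR record pair for one host. The Global ID, host name and addresses are constructed values.

```python
import ipaddress
import secrets


def make_ula_prefix(global_id=None):
    """RFC 4193 Unique Local prefix: fd00::/8 followed by a 40-bit random Global ID, giving a /48.
    The Global ID is random precisely so that two merged companies do not collide on fd00::/48."""
    if global_id is None:
        global_id = secrets.token_bytes(5)          # 40 random bits
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    raw = bytes([0xFD]) + global_id + bytes(10)      # pad out to 128 bits
    return ipaddress.IPv6Network((int.from_bytes(raw, "big"), 48))


def site_subnet(ula, subnet_id):
    """Pick one /64 out of the /48 using the 16-bit Subnet ID; a DHCPv6 scope covers one of these."""
    if not 0 <= subnet_id < 2 ** 16:
        raise ValueError("Subnet ID is a 16-bit value")
    return ipaddress.IPv6Network((int(ula.network_address) + (subnet_id << 64), 64))


def reverse_zone_name(prefix):
    """Name of the ip6.arpa reverse lookup zone that holds the PTR records for a prefix.
    Each hex nibble of the prefix becomes one label, in reverse order."""
    net = ipaddress.IPv6Network(str(prefix))
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones are cut on nibble (4-bit) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def records_for_host(name, addr):
    """The AAAA record and its matching PTR record as (owner, type, data) tuples."""
    ip = ipaddress.IPv6Address(addr)
    return [(name, "AAAA", ip.compressed),
            (ip.reverse_pointer, "PTR", name)]


def host_in_scope(addr, scope):
    """Sanity check a static address against the DHCPv6 scope it is supposed to live in."""
    return ipaddress.IPv6Address(addr) in scope


if __name__ == "__main__":
    ula = make_ula_prefix(bytes.fromhex("123456789a"))   # constructed Global ID
    scope = site_subnet(ula, 1)
    print("ULA prefix:", ula)
    print("DHCPv6 scope:", scope)
    print("reverse zone:", reverse_zone_name(scope))
    for rec in records_for_host("web01.example.test", "fd12:3456:789a:1::1"):
        print(rec)
```

The reverse zone name is exactly what the New Zone wizard in the DNS console will compute when you type the prefix; seeing the nibble reversal once makes it much easier to spot a mistyped prefix in a zone list.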

Read Only Domain Controllers

With the proliferation of branch offices in many organizations, the problem of authentication became widely recognized. Branch offices are often provisioned with a domain controller so that users can authenticate to a local DC rather than having to go over a slow, or even downed, WAN link, which could cause authentication failures and the inability to access even local resources.

The solution was to put domain controllers in the branch offices. While this solved the initial problem of authentication, it introduced a security problem. Since most branch offices do not have the same level of IT expertise as the main office, and most definitely do not have the same level of physical security as the main office, the branch office domain controller became a very weak link in the entire Active Directory infrastructure. Changes made by inexpert users at the branch office could have effects throughout the organization and if the DC at the branch office was stolen, it could potentially compromise all accounts in the organization.

The Windows Server 2008 solution is the Read Only Domain Controller (RODC). An RODC contains a read-only copy of the Active Directory database, and the only account information stored on the RODC is for accounts at the branch office. Since no changes to the Active Directory can be made on an RODC, there is no fear that an inexpert user will make adverse changes to the Active Directory. And since there are typically no administrative users at the branch office, there is relatively little risk that the RODC at the branch office will contain admin user accounts that could be compromised in the event that the RODC is stolen.

RODCs can also be configured to cache only certain accounts. And in the event that the RODC is stolen, a list of cached user accounts on the RODC is available to the Active Directory admin at the main office. This allows the Active Directory admin to disable or reset the credentials on these accounts from the main office.
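The rule that decides which accounts an RODC may cache is the Password Replication Policy: an Allowed list, a Denied list, and the principle that a Deny always wins. The Python below is an added example of mine, not Microsoft's code, and models that decision plus the theft response. The account names, group names and the RODC name are constructed; the default Denied groups are the ones Windows Server 2008 puts in the policy out of the box, and the revealed set stands in for the msDS-RevealedUsers attribute.

```python
# Constructed example directory: account name -> groups it belongs to (hypothetical names).
DIRECTORY = {
    "alice": {"Domain Users", "Paris-Branch-Users"},
    "bob":   {"Domain Users", "Paris-Branch-Users", "Backup Operators"},
    "carol": {"Domain Users", "Domain Admins", "Administrators"},
    "dave":  {"Domain Users"},
}

# Groups the default Password Replication Policy denies; a Deny always beats an Allow.
DEFAULT_DENIED = {
    "Administrators", "Server Operators", "Backup Operators", "Account Operators",
    "Denied RODC Password Replication Group",
}


def may_cache(account, allowed, denied=DEFAULT_DENIED):
    """True if the policy lets this RODC store the account's password locally."""
    principals = DIRECTORY[account] | {account}
    if principals & denied:
        return False                      # an explicit Deny wins over any Allow
    return bool(principals & allowed)     # otherwise the account must be explicitly allowed


class RODC:
    def __init__(self, name, allowed):
        self.name = name
        self.allowed = set(allowed)
        self.revealed = set()             # accounts whose secrets now live on this RODC

    def authenticate(self, account):
        """Cacheable accounts are answered locally after their first logon; every other logon
        is forwarded to a writable DC over the WAN and its secret never lands on this box."""
        if may_cache(account, self.allowed):
            self.revealed.add(account)
            return "served locally"
        return "forwarded to writable DC"

    def theft_response(self):
        """What the main-office admin resets if this RODC walks out the door: exactly the revealed set."""
        return sorted(self.revealed)


if __name__ == "__main__":
    rodc = RODC("PARIS-RODC01", allowed={"Paris-Branch-Users"})
    for user in DIRECTORY:
        print(user, "->", rodc.authenticate(user))
    print("reset after theft:", rodc.theft_response())
```

Note that bob is a branch user but is still never cached, because his Backup Operators membership sits in the Denied list; that is the deny-wins behaviour you want when someone quietly adds a branch user to a privileged group.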

Hyper-V

Hyper-V is the Windows Server 2008 hypervisor that allows you to run virtual machines on Windows Server 2008 computers. Hyper-V replaces Virtual Server 2005 and is an integrated part of the operating system, which comes to you at no additional cost. The final bits for Hyper-V are not yet available, so I am going to reserve judgment on Hyper-V at this time. But, from what I have seen so far, I am very impressed with what they have done with Windows Server Virtualization. If you are looking for a no cost virtualization solution, then an upgrade to Windows Server 2008 is a good choice for you.

Network Access Protection (NAP)

Network Access Protection allows you to control access for all computers that connect to your network. According to Microsoft, Network Access Protection (NAP) is not so much a security methodology as it is a client health mechanism. NAP allows you to create policies that set a minimum state of client health before a computer is allowed to connect to other computers on the network.

NAP depends on a Windows Server 2008 infrastructure. You will need a Windows Server 2008 Network Policy Server to store your health policies. There are several ways you can control access to the network: IPsec restrictions, DHCP restrictions, 802.1X restrictions and VPN restrictions. Hosts that do not meet the security configuration requirements are not allowed on the network using any of these methods. However, NAP does allow you to create quarantine networks that the non-compliant hosts can connect to in order to remediate themselves. Once the NAP client software detects that the machine is in compliance, it can send that information to the NAP server-side components, which will then inform the NAP client that it is OK to connect to the network.
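The exchange just described, as an added example of my own rather than anything from the article or the NAP platform: the client reports a statement of health, the policy server compares it with the health policy and either grants access or returns the failed checks, the client remediates inside the quarantine network, and the loop repeats. The health attributes and thresholds are constructed stand-ins, not the real SoH wire format or any particular system health validator.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class StatementOfHealth:
    """What the NAP agent on the client reports (constructed attributes, not the real SoH format)."""
    firewall_enabled: bool
    antivirus_enabled: bool
    signature_age_days: int
    missing_critical_updates: int


@dataclass(frozen=True)
class HealthPolicy:
    """The minimum client health the Network Policy Server requires before granting access."""
    require_firewall: bool = True
    require_antivirus: bool = True
    max_signature_age_days: int = 3
    max_missing_critical_updates: int = 0


def evaluate(policy, soh):
    """Server side: compare the SoH with the policy; 'restricted' comes with the failed checks."""
    failures = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall")
    if policy.require_antivirus and not soh.antivirus_enabled:
        failures.append("antivirus")
    if soh.signature_age_days > policy.max_signature_age_days:
        failures.append("signatures")
    if soh.missing_critical_updates > policy.max_missing_critical_updates:
        failures.append("updates")
    return ("compliant" if not failures else "restricted"), failures


def remediate(soh, failures):
    """Client side, while it can reach only the remediation servers: fix each failed check."""
    fixes = {
        "firewall": {"firewall_enabled": True},
        "antivirus": {"antivirus_enabled": True},
        "signatures": {"signature_age_days": 0},
        "updates": {"missing_critical_updates": 0},
    }
    changes = {}
    for failed in failures:
        changes.update(fixes[failed])
    return replace(soh, **changes)


def connect(policy, soh, max_rounds=3):
    """The whole exchange: SoH -> verdict -> remediate -> new SoH ... until compliant or out of rounds.
    Returns the final access decision and the verdict of every round."""
    transcript = []
    for _ in range(max_rounds):
        verdict, failures = evaluate(policy, soh)
        transcript.append((verdict, failures))
        if verdict == "compliant":
            return "full access", transcript
        soh = remediate(soh, failures)
    return "quarantine", transcript


if __name__ == "__main__":
    laptop = StatementOfHealth(firewall_enabled=False, antivirus_enabled=True,
                               signature_age_days=10, missing_critical_updates=0)
    decision, rounds = connect(HealthPolicy(), laptop)
    for verdict, failures in rounds:
        print(verdict, failures)
    print("decision:", decision)
```

The `max_rounds` cap is the part worth copying into any real design: a host that cannot remediate must stay in quarantine rather than loop forever, and the transcript is what you would want logged on the NPS side.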

NAP is an extremely powerful method for access control to your network, and it is something that we have been waiting for since it was announced sometime in late 2003, early 2004. While it took almost five years to get NAP to us, it has been well worth the wait. Many network admins consider NAP the primary reason for upgrading to Windows Server 2008. I would have a hard time arguing with these admins.

Secure Socket Tunneling Protocol (SSTP)

The Secure Socket Tunneling Protocol (SSTP) is a true SSL VPN. What I mean by "true" SSL VPN is that SSTP provides full network level VPN access to the corporate network in the same way that the PPTP and L2TP/IPSec protocols provide. However, the advantage with SSTP is that unlike PPTP and L2TP/IPSec, you do not have to worry about firewalls blocking outbound access to your SSTP connections.

SSTP is essentially PPP/SSL. Because the PPP connections are wrapped in a secure HTTP header (SSL), SSTP can pass through any firewall or Web proxy device that allows outbound SSL. No longer will you have to field calls from users at hotels and conference centers who complain that the firewalls in their locations will not allow them to VPN into the network. Another nice thing about SSTP is that you do not have to allow outbound access to SSTP connections just because you allow outbound SSL. There is a value in the CONNECT header that you can configure on your ISA Firewall or other application layer inspection firewall that will allow you to block SSTP connections while allowing other SSL connections.

SSTP is going to make your life a lot easier for remote access VPN connections. I would upgrade to Windows Server 2008 just for SSTP access.


Figure 9

Windows Advanced Firewall and Policy Based QoS

Windows Vista users will recognize the Windows Advanced Firewall, and with Windows Server 2008 you get the same benefits Vista users have. What is even better is that you can use Group Policy in Windows Server 2008 for comprehensive, centralized management of the Windows Advanced Firewall. If you have not used the Vista firewall yet, you are in for a treat. The Windows Advanced Firewall included with Vista and Windows Server 2008 gives you fine-grained inbound and outbound access control. Outbound access control was the missing piece in the Windows XP firewall. Now you have control over outbound connections, so if you detect on your firewalls that hosts are infected with a worm aimed at a certain port or collection of ports, you can block those ports on each host centrally through Group Policy.

The figure below shows the New Inbound Rule Wizard. The Wizard, which you can also use from the Group Policy Management console, makes it very easy to configure inbound rules. There is also an Outbound Rule Wizard for blocking outbound connections; rules can match on UDP or TCP ports, on ICMP message types, or on a per-application basis.


Figure 10

One of the most impressive features of the Windows Firewall is how it has simplified the creation of IPsec policies. In the past, setting up IPsec policies was a bit of a hit or miss situation. You would go through the wizards and hope that you had everything set up right. That is no longer the case with Windows Advanced Firewall. The figure below shows the easy to use New Connection Security Rule Wizard that makes it a simple affair to create IPsec domain isolation policies, authentication exemption policies, server to server IPsec connections and IPsec tunnels. The Windows Advanced Firewall has changed setting up IPsec policies from a dreaded event to something I actually look forward to doing. Give it a try, I think you'll like it.


Figure 11

Another major improvement in Windows Server 2008 is centralized QoS policy management through Group Policy. Previous versions of Windows included a QoS feature, but since it really was not based on standards, not many people (if anyone) ever used it. Windows Server 2008 changes the game by introducing a new Policy-based QoS feature that you will actually be able to use right out of the box.

There are two ways you can implement QoS policies: you can hard-code throughput values, or you can take advantage of Differentiated Services Code Point (DSCP) values that are configured on your network routers. DSCP is an industry standard method for implementing QoS on corporate networks. However, even if you do not have DSCP-enabled routers, or even if you do not use DSCP, you can still set policies so that the local hosts enforce bandwidth controls on TCP or UDP ports, or on specific applications.

The figure below shows a QoS policy that throttles the SMTP protocol on destination port TCP 25. You can select which hosts this policy applies to. For example, you would not want to throttle your SMTP server, but for the other hosts on your network, you might want to limit the rate of their SMTP traffic. In this way, you can control how much spam an infected computer can send before you discover that the machine has been exploited.
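Two things in this section are easier to see in code than in a wizard: how a DSCP value ends up in the ToS/Traffic Class byte that routers actually look at, and how a policy with wildcard conditions gets matched against a flow. The Python below is an added example of mine, not the article's or Windows' code. The policies, application names and rate values are constructed; the "most specific match wins" tie-break is this example's simplification, since Windows applies its own precedence rules between overlapping policies.

```python
from dataclasses import dataclass
from typing import Optional

# Standard DiffServ code points (RFC 2474, 2597, 3246); each value is the 6-bit DSCP.
DSCP = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "CS5": 40, "EF": 46}


def tos_byte(dscp):
    """DSCP occupies the high 6 bits of the IPv4 ToS / IPv6 Traffic Class byte; the low 2 bits are ECN.
    This is the byte a DSCP-aware router sees once a host policy has marked the packet."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def dscp_of(tos):
    """Inverse: read the DSCP back out of a captured ToS byte, ignoring the ECN bits."""
    return (tos & 0xFF) >> 2


@dataclass
class QosPolicy:
    """One Policy-based QoS rule. Conditions left as None are wildcards, as in the GPO editor."""
    name: str
    dscp: Optional[int] = None            # marking to apply (None = leave unmarked)
    throttle_kbps: Optional[int] = None   # outbound rate limit (None = no throttle)
    application: Optional[str] = None
    protocol: Optional[str] = None        # "TCP", "UDP", or None for both
    dest_port: Optional[int] = None

    def matches(self, flow):
        conditions = (("application", self.application),
                      ("protocol", self.protocol),
                      ("dest_port", self.dest_port))
        return all(want is None or want == flow.get(key) for key, want in conditions)

    def specificity(self):
        return sum(c is not None for c in (self.application, self.protocol, self.dest_port))


def select_policy(policies, flow):
    """Return the most specific matching policy, or None if no policy applies to the flow.
    (Simplification of this example; Windows has its own precedence order for overlapping policies.)"""
    hits = [p for p in policies if p.matches(flow)]
    return max(hits, key=QosPolicy.specificity) if hits else None


# Constructed policies: the article's SMTP throttle for workstations, plus an EF marking for a softphone.
POLICIES = [
    QosPolicy("Throttle SMTP", throttle_kbps=64, protocol="TCP", dest_port=25),
    QosPolicy("Mark VoIP EF", dscp=DSCP["EF"], application="softphone.exe", protocol="UDP"),
]


if __name__ == "__main__":
    flows = [
        {"application": "outlook.exe", "protocol": "TCP", "dest_port": 25},
        {"application": "softphone.exe", "protocol": "UDP", "dest_port": 5004},
        {"application": "iexplore.exe", "protocol": "TCP", "dest_port": 80},
    ]
    for flow in flows:
        chosen = select_policy(POLICIES, flow)
        if chosen is None:
            print(flow["application"], "-> no policy")
        else:
            print(flow["application"], "->", chosen.name,
                  "ToS=0x%02X" % tos_byte(chosen.dscp) if chosen.dscp is not None else "",
                  f"{chosen.throttle_kbps} kbps" if chosen.throttle_kbps else "")
```

The SMTP policy deliberately has no application condition, so it catches any process talking to TCP 25, which is the point when the sender is a worm rather than Outlook; the exemption for the real mail server is done by scoping the GPO, exactly as the article suggests.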


Figure 12
