Mark Minasi's Windows Networking Tech Page
Issue #74 December 2008
Document copyright 2008 Mark Minasi; please see
below for info on subscribing, unsubscribing or copying portions of
this text.
What's Inside
- News
- Our Two-Day Vista Support and Server 2008 seminars coming to
Parsippany NEXT WEDNESDAY/THURSDAY
- The Server 2008 Seminar is Now a 15-CD Audio Set
- Tech Section
- Should You Upgrade to Windows Server 2008? (Part 2)
- Conferences
- Bring a Seminar to Your Site
- To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email
Address
News
Hi all
In the last newsletter, I started looking at the question "Server
2008: Upgrade or Not?" Continuing in that vein, guest
contributor Rhonda Layfield offers a very useful little summary of
some of 2008's big pluses.
2008 Server and Vista Classes Coming to Parsippany NEXT
WEDNESDAY/THURSDAY
As you know, in the past year and a half Microsoft has released
the Workstation and Server versions of Windows 6 — Vista and Server
2008 — and even if you've not implemented them yet, we all know
that Resistance Is Futile and so you'll eventually need to know how to plan to
fit them into your IT structure, get 'em rolled out, and then
maintain and troubleshoot them... so why not learn now? (Okay,
actually, you might not decide to upgrade, as I discuss later
in this newsletter, but that's another story, right?)
Of course, you could download a small mountain of white papers
(mostly written from late betas and thus only partially
correct), and spend a few weeks testing it to discover the hundreds
of changes that 2008 and Vista bring... or you could come spend a
couple of days with me. In my Vista Support and Server 2008 classes,
I'll tell you and show you what's changed in Windows — the good, the
bad, the wonderful and the awful ... with a chuckle or two thrown
in. Please consider joining me for the two-day Vista class, the
two-day Server 2008 class, or both. I'll be in Parsippany, NJ next
Wednesday/Thursday (December 10/11) to do the
Server 2008 class. Find out more about the Server class
here, and get
schedule information here. Thanks!
The Server 2008 Seminar is Now a 15-CD Audio Set
I'll keep it short and sweet: at this point I've taught the
Server 2008 seminar in a few dozen locations and three countries, so
it's time to offer it as a
far-less-expensive-than-hiring-me-to-present-it audio learning series. I want
everyone to be able to afford this set, so I've priced it the same
as I did our Server 2000 audio set eight years ago. I've also
posted online a free 18 minute sample from the Hyper-V coverage that
I hope you'll like whether you buy the set or not. More info is
at
http://www.minasi.com/2008class/audio/; I hope you find it a
convenient and entertaining way to get the ins and outs of 2008!
Tech Section
Should You Upgrade to Windows Server 2008? (Part 2)
In a previous newsletter, I started looking at why you might or
might not decide to move to Windows Server 2008. This month,
I'm very fortunate to be able to offer some more information along
that line, this time courtesy of my guest contributor Rhonda
Layfield.
Recently a client asked Rhonda for a nice, compact distillation
of many of the performance-and security-oriented pluses of Server
2008, so she looked around the Web and found that while many pages
discussed Server 2008's benefits, they all tended to be, um,
sort of long, so she painstakingly worked through dozens of
documents, took what she learned from them and boiled it down to a
table of just a few pages. I liked it and asked her if it'd be all
right to share it with all of you, and she kindly agreed.
In the following table, you'll see that Rhonda's focused on two
things: what Server 2008 includes to improve Windows
performance, and how Server 2008 makes securing your network easier.
I think you'll find this useful and want to thank Rhonda for letting
me include it here. Rhonda, take it away...
Each entry below gives the Quick Fact first, with the Technical Details beneath it.

More RAM is supported
- A 32-bit processor can address only 4 GB of RAM; a 64-bit processor can address 2^64 bytes, about 16 exabytes, so the practical ceiling is set by the Windows edition rather than by the chip. This is especially critical for Domain Controllers (DCs). A DC tries to cache the entire Active Directory database in memory as soon as it is up and running, and if AD is too big to fit, every lookup that has to go to disk is much slower than one served from memory. Caching the whole directory is a huge performance enhancement. Please see the "Active Directory Performance for 64-bit Versions of Windows Server 2008" white paper (URL listed at the end of this table).

No 32-bit
- Exchange 2007 is not supported on a 32-bit architecture in production; it must run on 64-bit machines.

Last 32-bit OS
- Microsoft has stated that Windows Server 2008 is the last server operating system that will run on a 32-bit architecture.

Enhanced Group Policy features
- Security settings are stored in Group Policy Objects (GPOs) and must be kept in sync between all DCs. The file portion of every GPO lives in a folder called Sysvol, which is replicated among all DCs. Server 2008 can replicate Sysvol with the much faster, more scalable and more reliable Distributed File System Replication (DFS-R) engine instead of the older File Replication Service (FRS). The domain functional level must be raised to Windows Server 2008 first, and a domain that was upgraded rather than built fresh keeps using FRS for Sysvol until you migrate it with the dfsrmig tool. DFS-R replicates only the changed portions of a file, where FRS had no way to send just the changes and re-sent the whole file. Remote Differential Compression (RDC) is what makes that possible: the receiving DC compares block signatures with the sender and pulls only the blocks that differ, so a small edit to a large GPO file costs a small transfer, not a zero-bandwidth one.
- Printers deployed through Group Policy can now be targeted at Active Directory groups, where previously only users or workstations could be targeted.
- More efficient Group Policy storage: the ADM template files are no longer copied into every GPO (this is a big one). The new ADMX/ADML templates are kept once, in a central store under Sysvol, which greatly reduces the size of Sysvol.
- GPO-based power management (please see the Windows Server 2008 Power Savings paper listed at the end of this table).

Used to map drives to servers or workstations (the new version of the SMB file-sharing protocol)
- Stronger integrity on the wire between Vista and Server 2008: the new protocol signs traffic with HMAC-SHA256 instead of the old MD5-based signing. It does not encrypt file data in transit, so, exactly as with XP/2003, an EFS-encrypted file is decrypted by the server, crosses the wire in the clear, and is re-encrypted only if the destination folder is itself EFS-encrypted. If the wire itself needs protecting, use IPsec.
- 2.5-3.3x speed improvement over WAN lines: the protocol pipelines requests and understands round-trip delay instead of waiting for each reply before sending the next request.
- Only works between Server 2008 and Server 2008, or Server 2008 and Vista; a 2003 or XP peer silently falls back to the old protocol. This is a tremendous improvement in file copying and a valuable point for field sites that won't get their own server.
- More resistant to NetBIOS-based attacks.

More robust and reliable (the rewritten TCP/IP stack)
- Native IPv6 support, allowing US government-related organizations to meet the government mandate that all future datacomm equipment be IPv6-capable.
- A new receive-window auto-tuning algorithm sizes the TCP receive window to the link, providing faster performance across the network, especially on high-latency links.
- Windows Firewall filtering is in place before the TCP/IP stack sends or receives any data, so the stack is protected while the operating system is still loading.

Store events centrally
- The new Event Viewer can forward selected events (subscriptions carried over WinRM) to a central collector. This is built in between Server 2008 and Server 2008 or Vista; you choose which events are forwarded.

Automatic feature allowing recovery of corrupt or deleted documents
- Previous Versions used to be reachable only by connecting to a server through a shared folder and opening the previous versions of its files and folders. Now you can open previous versions of documents and folders in Windows Explorer on the local volume, which lets you recover a document that has become corrupt or was deleted. Previous Versions is a component of the Volume Shadow Copy Service, so shadow copies must be enabled on the volume.

New backup utility
- Windows Server Backup is an image-based (block-level, VSS snapshot) backup tool and allows bare-metal restores of dead servers.

Virtualization software
- Hyper-V is the new hypervisor role for creating and running virtual machines.

Windows Deployment Services
- Windows Server 2008 can multicast operating system images, so they deploy faster and consume less bandwidth when many machines are imaged at once.

Fine-grained password policies
- You can enforce different password and lockout settings (password length, complexity, history, lockout thresholds) on particular users or global security groups instead of one policy for the whole domain. Requires the Windows Server 2008 domain functional level.

DNS-based alternative to WINS (the GlobalNames zone)
- Lets you associate single-label names (i.e. "server44" rather than "server44.bigfirm.com") with particular Fully Qualified Domain Names (FQDNs) without running WINS.

Remote control protocol (RDP 6.x)
- MUCH faster, more reliable and more secure remote connectivity. Network Level Authentication authenticates the user before a desktop session is created, so an unauthenticated client never reaches the logon screen.

Assists RDP
- More secure protocol for remote management.

Remote command-line control
- Very low bandwidth is used when remotely controlling a server or workstation; on a par with Unix/Linux's secure shell (SSH) for remote command-line control.

Terminal Services: improved feature set
- Gateway: an SSL-based secure connection from a remote location to a desktop or terminal server behind a firewall. RDP is tunneled over HTTPS on port 443, so no RDP port has to be opened at the perimeter.
- New RemoteApp programs deploy individual applications quickly, without publishing a full desktop.
- EasyPrint lets you print to any local printer (from a Vista box) without installing that printer's driver on the terminal server.

x64 requires all drivers to be signed
- Kernel-mode drivers must be signed: the 64-bit editions of Vista and Server 2008 refuse to load an unsigned kernel-mode driver. The kernel is the lowest-level, most central part of an operating system and one of the first pieces of code to load when the machine boots, so keeping unsigned code out of it blocks a whole class of rootkits. (Kernel Patch Protection, PatchGuard, is a separate defence and is covered below.)

Drive encryption (BitLocker)
- Allows entire volumes to be encrypted. Great for laptops that may hold sensitive data when stolen, or for servers in branch offices that are not completely physically secure. Removing a BitLocker-encrypted drive and putting it into another machine in an attempt to read the data will NOT work, because the volume key is sealed to the original machine's TPM (or to a USB startup key). The only way in is the recovery password or key, so escrow those (Group Policy can store them in Active Directory) and guard them as carefully as the data itself.

New, secure encryption algorithm for Kerberos
- Windows Kerberos has used RC4-HMAC for its encryption, an algorithm that has been attacked in some circumstances and whose key is simply the user's NT password hash. Server 2008 adds the AES-128 and AES-256 Kerberos encryption types (AES-CTS-HMAC-SHA1-96); they are used once the domain functional level is Windows Server 2008 and both sides support them, and each account's msDS-SupportedEncryptionTypes attribute records which types it accepts. RC4 remains allowed for compatibility unless you turn it off.

LM hashes are no longer stored
- LM hashes of passwords were incredibly easy to crack. Vista and Server 2008 no longer store them by default (the "Network security: Do not store LAN Manager hash value on next password change" policy), which takes the easy target away from password crackers. Note the "next password change": an existing LM hash disappears only when that password is changed, so force a change after the setting takes effect.

Hardened services (Windows Service Hardening)
- Each service now has its own security identifier (SID), derived from the service name and shown by "sc showsid <servicename>", so tracking and controlling what each service does is possible: a service can be granted permissions to exactly the resources it needs and no others. In the past many services ran as Local Service or Network Service, and then every service running under that account had the same level of access to resources whether it needed them or not. Restricting access at the service level greatly increases both security and auditing capability.

More secure (Session 0 isolation)
- Isolates system services (Session 0) from users' interactive sessions (Session 1, Session 2 and so on), so an application running as a user, or an attacker controlling one, can no longer send window messages straight to a privileged service; that was a classic way to attack the operating system.

Kernel Patch Protection (PatchGuard)
- Makes installing rootkits harder. Rootkits are the worst kind of malware to find on a machine, because they hide inside the operating system and are very hard to detect from within it. On 64-bit Windows, PatchGuard periodically checks kernel code and critical kernel structures, and if it finds them modified it halts the machine with a bugcheck rather than keep running a patched kernel.

User Account Control: notifies you that code is being run which requires administrative functionality
- When an administrative user logs onto a Vista or Server 2008 machine they receive two tokens. Think of it like this: one token is Clark Kent, a standard user token with no special abilities, and the other is Superman, who of course has abilities far beyond those of a standard user. Most of the time, when the user is working in e-mail, Word, Excel and surfing the Internet, they are doing it as Clark, but if they attempt an action that requires administrative capability, a UAC dialog box appears notifying the user that something is asking to use the administrative token. That "something" could be a virus trying to infect the machine or some badly written application. The point of UAC is to make administrators aware of when their Superman token is being used, so that if they didn't initiate the action themselves they know that "something" did.

Store only a portion of AD credential information (Read-Only Domain Controllers)
- A Read-Only Domain Controller (RODC) holds a read-only copy of the directory but no account passwords except those its Password Replication Policy lets it cache, and the administrator chooses which accounts those are. RODCs are great for branch offices with only a few users who log onto the domain: the RODC caches credentials for those few instead of holding passwords for all 50,000 user accounts. If the RODC were compromised, the only credentials an attacker could get would be the handful cached for that branch office, NOT the entire Active Directory, and a writable DC can list exactly which accounts those were so their passwords can be reset.

More secure (Integrity Levels)
- Integrity Levels (ILs) add another layer of access control aside from NTFS and shared-folder permissions. Every process and object carries a label (Low, Medium, High or System), and a process cannot modify an object with a higher label no matter what its NTFS permissions say. This is what keeps Protected Mode Internet Explorer, running at Low, from writing to the user's files at Medium.

Make UAC more usable (application manifests)
- Manifests work in conjunction with UAC. A manifest embedded in an .exe states which token the program needs (a requestedExecutionLevel of asInvoker, highestAvailable or requireAdministrator); requireAdministrator asks for the administrative token rather than the standard user token, so a UAC prompt is presented before the program starts, instead of UAC relying on its installer-detection heuristics.

Guards against buffer overflows (Data Execution Prevention)
- Buffer overflows are security vulnerabilities in which an attacker overruns a buffer, plants code in memory that should hold only data and then gets the processor to run it. DEP marks those pages as non-executable. It is offered in both software and hardware flavors; hardware DEP, which uses the processor's NX/XD bit and is always available on x64, is much more robust.

NEW VPN protocol (SSTP)
- Secure Socket Tunneling Protocol carries PPP inside an SSL/TLS session on HTTPS port 443, so it passes through firewalls, proxies and NAT devices that block PPTP or L2TP/IPsec, the VPN server is authenticated by its certificate like any HTTPS site, and, unlike PPTP, the user authentication exchange is protected by TLS.

Transactions can be chained (Kernel Transaction Manager)
- The Kernel Transaction Manager lets a group of file-system and registry changes (Transactional NTFS and the transactional registry) be committed or rolled back as one unit. For example, you have three patches to install, P1, P2 and P3: P2 depends on P1 being installed before it, and P3 depends on both P1 and P2 having installed successfully. If they are applied inside one transaction and P2 fails for whatever reason, the transaction is rolled back and the changes P1 and P2 already made are removed together, rather than leaving P3 to run against a system with P2 half-applied. This helps prevent system failures due to incompletely-applied patches.
- AD scales better on 64-bit: http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en
- Kernel address space limitations can limit server capacity on 32-bit: http://support.microsoft.com/kb/294418
- Understanding the Business Benefits Associated with 64-Bit Windows Server: http://download.microsoft.com/download/d/8/0/d803e620-2977-4df3-90bd-6d263bb9cb59/Understanding%20the%20Business%20Benefits%20Associated%20with%20x86%2064-bit%20Windows%20Server.pdf
- Windows Server 2008 Power Savings: http://download.microsoft.com/download/4/5/9/459033a1-6ee2-45b3-ae76-a2dd1da3e81b/Windows_Server_2008_Power_Savings.docx
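To make the DFS-R and RDC entry above concrete, here is an added example, written for this newsletter rather than taken from Microsoft's RDC implementation. It simulates the signature exchange between two DCs holding different versions of a large Sysvol file: the receiver compares chunk signatures with the sender and fetches only the chunks it lacks. The chunk sizes, the window hash, the signature length and the registry.pol-style sample data are all invented for the illustration; real RDC uses its own chunker and signature layout.

```python
"""Toy Remote Differential Compression: send only the chunks that changed.

Added example for this page, not Microsoft code. The receiver holds the old
copy of a GPO file, the sender holds the new one; they exchange chunk
signatures and only the chunks the receiver lacks cross the wire. All
parameters and sample data below are invented for the illustration.
"""
import hashlib
import zlib

WINDOW = 16      # bytes hashed to decide whether a chunk boundary falls here
MASK = 0x7F      # boundary when the window hash's low 7 bits are all set (~1 in 128)
MIN_CHUNK = 64   # never cut a chunk shorter than this...
MAX_CHUNK = 512  # ...or longer than this
SIG_BYTES = 32   # one SHA-256 signature per chunk


def chunk(data: bytes) -> list:
    """Content-defined chunking: boundaries depend only on nearby bytes, so an
    insertion in the middle shifts the cuts around it but not the rest."""
    chunks, start = [], 0
    for i in range(len(data)):
        size = i - start + 1
        at_pattern = (size >= MIN_CHUNK and i + 1 >= WINDOW
                      and zlib.crc32(data[i + 1 - WINDOW:i + 1]) & MASK == MASK)
        if at_pattern or size >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def signature(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()


def differential_transfer(receiver_copy: bytes, sender_copy: bytes):
    """Return (file rebuilt at the receiver, bytes that crossed the wire)."""
    have = {signature(c): c for c in chunk(receiver_copy)}  # receiver's local blocks
    new_chunks = chunk(sender_copy)
    new_sigs = [signature(c) for c in new_chunks]
    wire = SIG_BYTES * len(new_sigs)                      # 1. sender ships the signature list
    missing = [i for i, s in enumerate(new_sigs) if s not in have]
    wire += sum(len(new_chunks[i]) for i in missing)      # 2. receiver fetches only the gaps
    rebuilt = b"".join(                                   # 3. receiver reassembles in sender order
        have[s] if s in have else new_chunks[i] for i, s in enumerate(new_sigs))
    return rebuilt, wire


# Constructed sample: a registry.pol-style file of 300 entries (not a real GPO).
def _entry(i: int) -> bytes:
    return b"[Software\\Policies\\BigFirm\\Setting%03d;Value;REG_DWORD;%08x]\r\n" % (
        i, (i * 2654435761) % 2 ** 32)


OLD_LINES = [_entry(i) for i in range(300)]
# New version: one entry edited in place and one entry inserted in the middle.
NEW_LINES = (OLD_LINES[:40]
             + [_entry(40).replace(b"REG_DWORD", b"REG_SZ")]
             + OLD_LINES[41:150]
             + [b"[Software\\Policies\\BigFirm\\NewSetting;Value;REG_DWORD;00000001]\r\n"]
             + OLD_LINES[150:])
OLD_FILE = b"".join(OLD_LINES)
NEW_FILE = b"".join(NEW_LINES)


def demo() -> dict:
    """Replicate NEW_FILE to a DC that already holds OLD_FILE."""
    rebuilt, wire = differential_transfer(OLD_FILE, NEW_FILE)
    return {"intact": rebuilt == NEW_FILE, "file_bytes": len(NEW_FILE), "wire_bytes": wire}


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one the table glosses over: the edited and inserted entries cost the chunks that contain them plus a signature list, which is far less than the whole file but never zero, and a receiver that holds nothing (a new DC) pays for the full file plus the signatures.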
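The fine-grained password policy entry says policies can differ by group; what it does not say is how a DC decides which policy wins when a user is covered by several. The added example below, mine rather than anything from the page or from Microsoft, implements the documented resolution rule for Password Settings Objects (PSOs): a PSO linked directly to the user beats any linked through a group, among candidates the lowest msDS-PasswordSettingsPrecedence wins, a tie goes to the smallest GUID, and with no PSO at all the Default Domain Policy applies. The DNs, GUIDs, PSO names and group memberships are invented sample data.

```python
"""Resolve a user's effective fine-grained password policy (PSO).

Added example, not Microsoft code. Implements the documented precedence rule
for Windows Server 2008 Password Settings Objects. All directory data here is
constructed for the illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional
import uuid


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int              # msDS-PasswordSettingsPrecedence (lower wins)
    applies_to: FrozenSet[str]   # msDS-PSOAppliesTo: DNs of users and global security groups
    guid: uuid.UUID              # objectGUID, the final tie-breaker (smallest wins)
    min_length: int              # msDS-MinimumPasswordLength


def resultant_pso(user_dn: str, user_groups: Iterable[str],
                  psos: Iterable[PSO]) -> Optional[PSO]:
    """What the constructed attribute msDS-ResultantPSO on the user would show.
    `user_groups` is the set of global security groups the user belongs to
    (the caller resolves membership). None means the Default Domain Policy."""
    groups = set(user_groups)
    direct = [p for p in psos if user_dn in p.applies_to]
    via_group = [p for p in psos if p.applies_to & groups]
    for candidates in (direct, via_group):          # user-linked PSOs take priority
        if candidates:
            return min(candidates, key=lambda p: (p.precedence, p.guid.int))
    return None


# Constructed sample directory.
DOMAIN = "DC=bigfirm,DC=com"
ADMINS = f"CN=Domain Admins,CN=Users,{DOMAIN}"
SVC = f"CN=Service Accounts,OU=Groups,{DOMAIN}"
ALICE = f"CN=Alice,OU=Users,{DOMAIN}"
BOB = f"CN=Bob,OU=Users,{DOMAIN}"

PSOS = [
    PSO("PSO-Admins", 10, frozenset({ADMINS}), uuid.UUID(int=0x1000), 15),
    PSO("PSO-Service", 5, frozenset({SVC}), uuid.UUID(int=0x2000), 28),
    PSO("PSO-Alice-Exception", 50, frozenset({ALICE}), uuid.UUID(int=0x3000), 8),
    # Same precedence as PSO-Admins on the same group: the smaller GUID must win.
    PSO("PSO-Admins-Duplicate", 10, frozenset({ADMINS}), uuid.UUID(int=0x0100), 20),
]


def effective_min_length(user_dn: str, user_groups: Iterable[str], default: int = 7) -> int:
    """Minimum password length the DC will enforce for this user."""
    pso = resultant_pso(user_dn, user_groups, PSOS)
    return pso.min_length if pso else default


if __name__ == "__main__":
    for who, groups in ((ALICE, [ADMINS, SVC]), (BOB, [ADMINS, SVC]), (BOB, [ADMINS]), (BOB, [])):
        pso = resultant_pso(who, groups, PSOS)
        print(who, "->", pso.name if pso else "Default Domain Policy")
```

Two things in the sample bite in real domains: Alice's weak 8-character exception wins over the stricter service-account policy purely because it is linked to her directly, and two PSOs created with the same precedence on the same group are resolved by GUID, which nobody chose. On a live DC, read the msDS-ResultantPSO attribute of the user (for example with the Attribute Editor in Active Directory Users and Computers) rather than reasoning it out by hand.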
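The Kerberos entry notes that AES is optional and RC4 stays on for compatibility. The check a practitioner wants after raising the functional level is "which accounts still accept RC4 or DES?". The added example below, not Microsoft tooling, reads a constructed ldifde-style export and decodes msDS-SupportedEncryptionTypes using its documented bit values (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10); an account with the attribute unset is reported as RC4-capable, which is its effective default. The account names, DNs and SPNs are invented.

```python
"""Flag accounts that still accept weak Kerberos encryption types.

Added example, not Microsoft code. The sample export is constructed; the bit
values are the documented msDS-SupportedEncryptionTypes flags.
"""
ENCTYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# DES keys are 56-bit; the RC4-HMAC key is the account's NT hash itself.
WEAK = {0x01, 0x02, 0x04}


def decode(value):
    """Names of the encryption types an attribute value enables."""
    if value is None:
        return ["RC4-HMAC (attribute unset, implicit default)"]
    return [name for bit, name in ENCTYPES.items() if value & bit]


def weak_types(value):
    if value is None:
        return ["RC4-HMAC (attribute unset, implicit default)"]
    return [ENCTYPES[bit] for bit in sorted(WEAK) if value & bit]


def parse_ldif(text):
    """Minimal parser: blank-line separated entries of 'attribute: value'."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(": ")
        current[key] = val
    if current:
        entries.append(current)
    return entries


def audit(ldif_text):
    """Return {sAMAccountName: [weak enctypes]} for accounts needing attention."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        raw = entry.get("msDS-SupportedEncryptionTypes")
        value = int(raw) if raw is not None else None
        weak = weak_types(value)
        if weak:
            findings[entry["sAMAccountName"]] = weak
    return findings


# Constructed sample export (not from a real domain).
SAMPLE_EXPORT = """\
dn: CN=Alice,OU=Users,DC=bigfirm,DC=com
sAMAccountName: alice
msDS-SupportedEncryptionTypes: 24

dn: CN=svc-sql,OU=Service,DC=bigfirm,DC=com
sAMAccountName: svc-sql
servicePrincipalName: MSSQLSvc/sql01.bigfirm.com:1433
msDS-SupportedEncryptionTypes: 28

dn: CN=legacy-app,OU=Service,DC=bigfirm,DC=com
sAMAccountName: legacy-app
servicePrincipalName: HTTP/legacy.bigfirm.com

dn: CN=old-scanner,OU=Devices,DC=bigfirm,DC=com
sAMAccountName: old-scanner$
msDS-SupportedEncryptionTypes: 3
"""

if __name__ == "__main__":
    for account, weak in audit(SAMPLE_EXPORT).items():
        print(f"{account}: {', '.join(weak)}")
```

Service accounts with an SPN are the ones to fix first: a ticket for a service that still accepts RC4 is encrypted with that account's NT hash, so anyone holding the hash can mint or decrypt its tickets regardless of how good the user's policies are. Setting the attribute to 24 on the account (AES only) closes that once every client that talks to the service can do AES.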
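The service hardening entry says each service gets its own SID that you can grant permissions to. Because that SID is derived from the service name, you can compute it before the service is ever installed and bake it into an ACL in advance. The added example below is mine, not Microsoft's code; the derivation it implements is the documented one (S-1-5-80 followed by the five 32-bit little-endian words of SHA-1 over the upper-cased service name in UTF-16LE), and the service names passed to it are just illustrations.

```python
"""Compute a Windows per-service SID (NT SERVICE\\<name>) offline.

Added example, not Microsoft code. Reproduces what 'sc showsid <name>' prints
on Vista / Server 2008. Service names used below are illustrative.
"""
import hashlib
import struct


def service_sid(service_name: str) -> str:
    """S-1-5-80-<five words of SHA-1(UPPER(name) as UTF-16LE)>."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(word) for word in struct.unpack("<5I", digest))


def service_allow_ace(service_name: str, rights: str = "FR") -> str:
    """SDDL ACE granting `rights` (SDDL codes, e.g. FR = file read, FA = full
    control) to the service's own SID instead of to Local Service or
    Network Service, which every other service sharing that account would
    also inherit."""
    return "(A;;%s;;;%s)" % (rights, service_sid(service_name))


if __name__ == "__main__":
    for name in ("TrustedInstaller", "Spooler", "MyAppService"):
        print(f"{name}: {service_sid(name)}  {service_allow_ace(name)}")
```

The SID is case-insensitive in the name, which is why the name is upper-cased first. Two practical notes: the service only receives its SID in its token if its SID type is set (sc sidtype MyAppService unrestricted), and for day-to-day work you can grant to the name rather than the number (icacls C:\App\Data /grant "NT SERVICE\MyAppService:(R)"); computing the SID matters when the ACL is written by a tool or an installer before the service exists on that machine.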
Bring Mark to Your Site to Teach
I'm keeping busy doing Server 2008 and Vista seminars and
writing, but I've still got time to visit your firm. In just two
days, I'll make your current NT techies into 2008, Vista, security, XP, Active Directory
or 2003 experts. (And better yet they won't have to sit through any Redmondian propaganda.) To join the large educational,
pharmaceutical, agricultural, aerospace, utility, banking, government,
telecommunication, law enforcement, publishing, transportation, military and other
organizations that I've assisted, either take a peek at the course
outlines at www.minasi.com/presentations.htm, mail our assistant
Jean Snead at Assistant@Minasi.com, or call her
at (757) 426-1431 (only between 1-5 Eastern time, weekdays,
please).
Until Next Month...
Have a quiet and safe month.
Please share this newsletter; I hope that it is a useful source of
Windows technical information.
Please forward it to any associates who might find it helpful, and accept
my thanks. We are now at over 45,000 subscribers and I hope to use
this to get information to every one of my readers. Many, many thanks to the readers who have mailed me to offer suggestions,
errata, and those kind reviews. As always, I'm at http://www.minasi.com/gethelp and
please join us at the Forum with technical questions at www.minasi.com/forum. Thanks
for letting me visit with you, and take care.
To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email
Address
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2008 Mark Minasi. You are encouraged to quote
this material, SO LONG as you include this entire document;
thanks.