Mark Minasi's Windows Networking Tech Page
Issue #74 December 2008

Document copyright 2008 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Our Two-Day Vista Support and Server 2008 seminars coming to Parsippany NEXT WEDNESDAY/THURSDAY
    • The Server 2008 Seminar is Now a 15-CD Audio Set
  • Tech Section
    • Should You Upgrade to Windows Server 2008?  (Part 2)
  • Conferences
  • Bring a Seminar to Your Site
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

In the last newsletter, I started looking at the question "Server 2008:  Upgrade or Not?"  Continuing in that vein, guest contributor Rhonda Layfield offers a very useful little summary of some of 2008's big pluses.

2008 Server and Vista Classes Coming to Parsippany NEXT WEDNESDAY/THURSDAY

As you know, in the past year and a half Microsoft has released the Workstation and Server versions of Windows 6 — Vista and Server 2008 — and even if you've not implemented them yet, we all know that Resistance Is Futile and so you'll eventually need to know how to plan to fit them into your IT structure, get 'em rolled out, and then maintain and troubleshoot them... so why not learn now?  (Okay, actually, you might not decide to upgrade, as I discuss later in this newsletter, but that's another story, right?)

Of course, you could download a small mountain of white papers (mostly written based on late betas and thus only partially correct) and spend a few weeks testing to discover the hundreds of changes that 2008 and Vista bring... or you could come spend a couple of days with me. In my Vista Support and Server 2008 classes, I'll tell you and show you what's changed in Windows — the good, the bad, the wonderful and the awful ... with a chuckle or two thrown in. Please consider joining me for the two-day Vista class, the two-day Server 2008 class, or both. I'll be in Parsippany, NJ next Wednesday/Thursday (December 10/11) to do the Server 2008 class. Find out more about the Server class here, and get schedule information here. Thanks!

The Server 2008 Seminar is Now a 15-CD Audio Set

I'll keep it short and sweet:  at this point I've taught the Server 2008 seminar in a few dozen locations and three countries, so it's time to offer it as a far-less-expensive-than-hiring-me-to-present-it audio learning series.  I want everyone to be able to afford this set, so I've priced it the same as I did our Server 2000 audio set eight years ago.  I've also posted online a free 18-minute sample from the Hyper-V coverage that I hope you'll like whether you buy the set or not.  More info is at http://www.minasi.com/2008class/audio/. I hope you find it a convenient and entertaining way to get the ins and outs of 2008!

Tech Section

Should You Upgrade to Windows Server 2008?  (Part 2)

In a previous newsletter, I started looking at why you might or might not decide to move to Windows Server 2008.  This month, I'm very fortunate to be able to offer some more information along that line, this time courtesy of my guest contributor Rhonda Layfield. 

Recently a client asked Rhonda for a nice, compact distillation of many of the performance- and security-oriented pluses of Server 2008, so she looked around the Web and found that while many pages discussed Server 2008's benefits, they all tended to be, um, sort of long. So she painstakingly worked through dozens of documents, took what she learned from them and boiled it down to a table of just a few pages. I liked it and asked her if it'd be all right to share it with all of you, and she kindly agreed.

In the following table, you'll see that Rhonda's focused on two things:  what Server 2008 includes to improve Windows performance, and how Server 2008 makes securing your network easier. I think you'll find this useful and want to thank Rhonda for letting me include it here.  Rhonda, take it away...

Feature / Quick Fact / Technical Details

Performance

Feature: 64-bit processors and memory
Quick fact: More RAM is supported
Technical details: A 32-bit processor can only access up to 4 GB of RAM; 64-bit processors can directly access 18,000,000,000 GB. This is especially critical for Domain Controllers (DCs). DCs attempt to cache the entire Active Directory as soon as they are up and running. If AD is too big to fit, accessing information from disk is much slower than if the entire AD were cached in memory. This is a huge performance enhancement. Please see the "Active Directory Performance for 64-bit Versions of Windows Server 2008" white paper (the URL is listed at the end of this table).

Feature: Exchange 2007
Quick fact: No 32-bit
Technical details: Exchange 2007 is not supported on 32-bit architecture; it must be run on 64-bit machines.

Feature: Server 2008
Quick fact: Last 32-bit OS
Technical details: Microsoft has stated that Windows Server 2008 is the last server operating system that will run on 32-bit architecture.

Feature: Group Policies
Quick fact: Enhanced Group Policy features
Technical details:
  • Security settings are stored in group policies (GPs) and must be kept in sync between all Domain Controllers (DCs). The group policies are stored in a folder called Sysvol, which is replicated among all DCs. 2008 offers a much faster, more scalable and more reliable replication engine called Distributed File System Replication ("DFS-R") in place of the older File Replication Service (FRS) engine. The domain functional level must be raised to the Windows Server 2008 level for DFS-R to replicate Sysvol. DFS-R can replicate only the changes to group policies, whereas FRS replicates the entire GP; FRS had no way to replicate just the changes. Remote Differential Compression (RDC) allows files to be created locally without consuming any network bandwidth at all.
  • Printer deployment using GPOs can now use Active Directory group association; previously only users or workstations were allowed.
  • More efficient group policy storage: the ADM files are no longer stored within the GPO (this is a big one). This greatly reduces the size of Sysvol.
  • GPO-based power management (please see the Windows Server 2008 Power Savings paper).

Feature: SMB 2.0
Quick fact: Used to map drives to servers or workstations
Technical details:
  • On-the-wire encryption for Vista and Server 2008. With XP/2003, moving encrypted files across the network keeps them encrypted at the source and destination but transfers them across the wire unencrypted.
  • 2.5-3.3x speed improvement over WAN lines (it understands round-trip delays of data packets and how to handle them).
  • Only works between Server 2008 and Server 2008, or Server 2008 and Vista. This is a tremendous improvement in file copying and a valuable point for field sites that won't get their own server.
  • More resistant to NetBIOS attacks.

Feature: New TCP/IP stack
Quick fact: More robust and reliable
Technical details:
  • Native IPv6 support, allowing US government-related organizations to meet the government mandate that all future datacomm equipment be IPv6-capable.
  • A new TCP receive-side window sizing algorithm provides faster performance across the network.
  • Windows Firewall settings are loaded before the TCP/IP stack sends or receives data. This keeps the TCP/IP stack protected while the operating system loads.

Feature: Event Viewer
Quick fact: Store events
Technical details: The new Event Viewer can forward events to a central storage location. This only works between Server 2008 and Server 2008 or Vista. You choose which events will be stored.

Feature: Previous Versions
Quick fact: Automatic feature allowing recovery of corrupt or deleted documents
Technical details: In the past, Previous Versions were only available by connecting to a server through a shared folder and accessing the previous versions of files and folders. Now you can access previous versions of documents and folders in Windows Explorer. This allows recovering a document that may have become corrupt or was deleted. Previous Versions is a component of the Volume Shadow Copy service.

Feature: Complete PC Backup
Quick fact: New backup utility
Technical details: An image-based backup tool that allows bare-metal restores of dead servers.

Feature: Hyper-V
Quick fact: Virtualization software
Technical details: Hyper-V is the new software that allows creating virtual machines.

Feature: Deployment Tools
Quick fact: Windows Deployment Services
Technical details: Windows Server 2008 allows multicasting of operating system images so they can be deployed faster and consume less bandwidth.

Feature: Password Policies
Quick fact: Fine-grained
Technical details: You can enforce different password restrictions (e.g. password length, complexity, history) based on AD groups.

Feature: DNS "GlobalNames"
Quick fact: DNS-based alternative to WINS
Technical details: Allows you to associate single-label names (e.g. "server44" rather than "server44.bigfirm.com") with particular Fully Qualified Domain Names (FQDNs).

Feature: Remote Desktop Protocol (RDP)
Quick fact: Remote control protocol
Technical details: MUCH faster, more reliable and more secure remote connectivity.

Feature: Windows Remote Management Protocol
Quick fact: Assists RDP
Technical details: More secure protocol for remote management.

Feature: Windows Remote Shell
Quick fact: Remote control protocol
Technical details: Very little bandwidth is used when remotely controlling a server or workstation; it is on a par with Unix/Linux's secure shell (SSH) for remote command-line control.

Feature: Terminal Services
Quick fact: Improved feature set
Technical details:
  • Gateway: a much faster SSL-based secure connection from a remote location to a desktop or TS behind a firewall.
  • New Remote Applications deploy applications quickly.
  • EasyPrint: allows you to print to any local printer (from a Vista box).

Security

Feature: Driver Signing
Quick fact: x64 requires all drivers to be signed
Technical details: Kernel-mode drivers must be signed. The kernel is the lowest-level, most central part of a computer operating system and one of the first pieces of code to load when the machine boots. PatchGuard protects the kernel from malware.

Feature: BitLocker (2008 & Vista)
Quick fact: Drive encryption
Technical details: Allows entire hard drives to be encrypted. Great for laptop computers that may hold sensitive data in the event that they are stolen, or for servers located in branch offices that are not completely physically secure. Removing a BitLocker-encrypted drive and putting it into another machine in an attempt to access the data will NOT work.

Feature: Kerberos offers AES encryption
Quick fact: New, secure encryption algorithm
Technical details: Kerberos has used RC4-HMAC for its encryption, an algorithm that has been attacked in some circumstances. 2008 offers the option of shifting to the as-yet-uncracked AES encryption algorithm.

Feature: LM Hashes
Quick fact: No longer stored
Technical details: LM hashes of passwords were incredibly easy to crack; not storing the LM hashes reduces hackers' ability to crack passwords.

Feature: Services
Quick fact: Hardened
Technical details: Each service now runs under its own security identifier (SID), so tracking and controlling what each service does is possible. Services can be granted permissions to the resources they need. In the past, many services would run under the context of Local Service or Network Service, BUT then all services running under that context would have the same level of access to resources whether they needed it or not. Being able to restrict access at the service level greatly increases security and auditing capabilities.

Feature: Session Isolation
Quick fact: More secure
Technical details: Isolates kernel operations and default services (Session 0) from users and other apps (Session 1, Session 2, etc.) to reduce the ability of a hacker to maliciously attack the operating system.

Feature: PatchGuard
Quick fact: Kernel Patch Protection
Technical details: Makes installing rootkits harder. Rootkits are the worst type of virus to infect a machine; they are practically untraceable.

Feature: User Account Control (UAC)
Quick fact: Notifies you that code is being run which requires administrative functionality.
Technical details: When an administrative user logs onto a Vista or Server 2008 machine, they receive two tokens. Think of it like this: they get one token for Clark Kent, a standard user token that has no special abilities, and another for Superman, who of course has abilities far beyond those of a standard user. Most of the time, when the user is working in email, Word, Excel and surfing the Internet, they are doing it as Clark, but if they attempt to perform an action that requires administrative capabilities, a UAC dialog box appears notifying the user that something is requiring that the administrative token be used. That "something" could be a virus that is attempting to infect their machine or some badly written application. The point of UAC is to make administrators aware of when their Superman token is being used; if they didn't initiate the action themselves, they are made aware that "something" did.

Feature: Read Only Domain Controllers (RODCs)
Quick fact: Store only a portion of AD user account information
Technical details: RODCs allow an administrator to choose which user accounts are stored locally. These are great for branch offices that have only a few users who log onto the domain, instead of storing the entire AD with 50,000 user accounts. If the RODC were compromised, the only accounts a hacker could get would be the handful of accounts at that branch office, NOT the entire Active Directory.

Feature: Integrity Levels (ILs)
Quick fact: More secure
Technical details: ILs add another level of permissions aside from NTFS and shared-folder permissions.

Feature: Manifests
Quick fact: Make UAC more usable
Technical details: Manifests work in conjunction with UAC: a manifest is built into an .exe and can instruct Windows to use the administrative token rather than the standard user token. A UAC prompt will be presented.

Feature: Hardware Data Execution Prevention (DEP) x64
Quick fact: Guards against buffer overflows
Technical details: Buffer overflows are security vulnerabilities. DEP is offered in both software and hardware flavors; hardware DEP is much more robust.

Feature: Secure Socket Tunneling Protocol
Quick fact: NEW VPN protocol
Technical details: An SSL-based VPN protocol which is much more secure.

Feature: Transaction Based NTFS
Quick fact: Transactions can be chained
Technical details: Transactions can be chained. For example, you have 3 patches to install: P1, P2 and P3. P2 depends on P1 being installed before it, and P3 depends on both P1 and P2 being installed successfully. If P2 (for whatever reason) did not install successfully, then when P3 begins to install it realizes that P2 has not been installed and therefore removes the partially installed P2 and P1. This helps prevent system failures due to incompletely applied patches.

Additional reading:

  • AD scales better on 64-bit: http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en
  • Kernel address space limitations can limit server capacity on 32-bit: http://support.microsoft.com/kb/294418
  • Understanding the Business Benefits Associated with 64-Bit Windows Server: http://download.microsoft.com/download/d/8/0/d803e620-2977-4df3-90bd-6d263bb9cb59/Understanding%20the%20Business%20Benefits%20Associated%20with%20x86%2064-bit%20Windows%20Server.pdf
  • Windows Server 2008 Power Savings: http://download.microsoft.com/download/4/5/9/459033a1-6ee2-45b3-ae76-a2dd1da3e81b/Windows_Server_2008_Power_Savings.docx
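A practical follow-up to the Group Policies row above: before you can count on DFS-R carrying Sysvol, the domain functional level has to be at the 2008 level and the FRS-to-DFS-R migration has to have run. The script below is an added example written for this newsletter, not Rhonda's or Microsoft's code. It assumes it runs in an elevated PowerShell session on a Windows Server 2008 domain controller, where dfsrmig.exe is present.

```powershell
# Added example (not from the newsletter): report whether this DC's Sysvol is
# replicated by FRS or by DFS-R, and whether the domain functional level allows
# the migration. Assumes an elevated session on a Server 2008 domain controller.
function Get-SysvolReplicationStatus {
    # Domain functional level from RootDSE: 3 = Windows Server 2008, the level
    # required before DFS-R can carry Sysvol.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $level = [int]$rootDse.domainFunctionality.Value

    # dfsrmig.exe reports the global migration state as one of Start, Prepared,
    # Redirected or Eliminated. DFS-R serves the Sysvol share from 'Redirected'
    # onward; FRS is fully retired only at 'Eliminated'.
    $raw = & dfsrmig.exe /getglobalstate 2>&1 | Out-String
    $state = 'Unknown'
    if ($raw -match "'(\w+)'") { $state = $matches[1] }

    # Which replication services are actually present and running on this DC.
    $dfsr = Get-Service -Name DFSR  -ErrorAction SilentlyContinue
    $frs  = Get-Service -Name NtFrs -ErrorAction SilentlyContinue

    # Netlogon publishes the Sysvol share from this path; after migration it
    # moves from ...\SYSVOL\sysvol to ...\SYSVOL_DFSR\sysvol.
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    New-Object PSObject -Property @{
        DomainFunctionalLevel = $level
        MigrationState        = $state
        DfsrServiceStatus     = $(if ($dfsr) { $dfsr.Status } else { 'NotInstalled' })
        FrsServiceStatus      = $(if ($frs)  { $frs.Status }  else { 'NotInstalled' })
        SysvolPath            = $netlogon.SysVol
        SysvolOnDfsr          = ($state -eq 'Redirected' -or $state -eq 'Eliminated')
        ReadyToMigrate        = ($level -ge 3 -and $state -eq 'Start')
    }
}

Get-SysvolReplicationStatus | Format-List
```

A DC that reports ReadyToMigrate = True is one where the functional level is fine but nobody has started dfsrmig yet; until MigrationState reaches Redirected, FRS is still the engine moving your group policies, whatever the domain level says.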
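The Event Viewer row mentions forwarding events to a central store but not how to set it up, so here is an added example (my own, not from the newsletter or from Microsoft) of a source-initiated subscription on a Server 2008 collector that pulls in only logon-related Security events. It assumes an elevated session on the collector; the subscription name and the choice of event IDs are this example's.

```powershell
# Added example (not from the newsletter): create a source-initiated event
# subscription on a Server 2008 collector. Assumes an elevated session on the
# collector; the name, description and event IDs are chosen for this example.
function New-LogonEventSubscription {
    param([string]$Name = 'LogonEvents', [string]$XmlPath = "$($env:TEMP)\$($Name).xml")

    # Subscription definition in the schema wecutil expects. The XPath keeps only
    # successful logons (4624), failed logons (4625) and special-privilege logons
    # (4672) from the Security log; everything else stays on the source machine.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events forwarded from domain members</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: only members of Domain Computers (DC) may push events to us -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
    Set-Content -Path $XmlPath -Value $xml -Encoding UTF8

    # Enable the Windows Event Collector service, register the subscription, and
    # show its runtime status (each source appears here once it has checked in).
    & wecutil.exe qc /q:true
    & wecutil.exe cs $XmlPath
    & wecutil.exe gr $Name
}

New-LogonEventSubscription
```

On each source machine you still need winrm quickconfig -q, the NETWORK SERVICE account added to the local Event Log Readers group so the forwarder may read the Security log, and the "Configure target Subscription Manager" policy (Computer Configuration, Administrative Templates, Windows Components, Event Forwarding) pointing at the collector, for example Server=http://collector.bigfirm.com:80/wsman/SubscriptionManager/WEC,Refresh=60. Port 80 is the WinRM 1.1 default on Vista and Server 2008; WinRM 2.0 (2008 R2 and later) listens on 5985 instead.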
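Fine-grained password policies (the Password Policies row) are easy to create and surprisingly easy to get wrong: when several PSOs apply to one user, only the one with the lowest precedence number wins, and the domain's Default Domain Policy is used when none applies. The script below is an added example of mine, not the newsletter's, that lists the PSOs in the domain and asks a DC which one actually applies to a given user. It assumes the domain is at the Windows Server 2008 functional level (so the Password Settings Container exists); the user name at the end is a placeholder.

```powershell
# Added example (not from the newsletter): list fine-grained password policies
# and resolve the one that really applies to a user. Assumes a 2008 functional
# level domain; the sample user name is a placeholder.
function ConvertFrom-AdInterval([long]$Ticks) {
    # AD stores durations as negative 100-nanosecond intervals; Int64.MinValue
    # means "never" (e.g. passwords that never expire).
    if ($Ticks -eq [long]::MinValue) { return $null }
    [TimeSpan]::FromTicks(-$Ticks)
}

function Get-PasswordSettingsObjects {
    $root = [ADSI]"LDAP://RootDSE"
    $domainDn = $root.defaultNamingContext.Value
    $psc = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$domainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($psc)
    $searcher.Filter = '(objectClass=msDS-PasswordSettings)'
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # property names come back lower-cased
        $maxAge = ConvertFrom-AdInterval $p['msds-maximumpasswordage'][0]
        New-Object PSObject -Property @{
            Name             = [string]$p['name'][0]
            Precedence       = [int]$p['msds-passwordsettingsprecedence'][0]   # lower wins
            MinLength        = [int]$p['msds-minimumpasswordlength'][0]
            HistoryLength    = [int]$p['msds-passwordhistorylength'][0]
            Complexity       = [bool]$p['msds-passwordcomplexityenabled'][0]
            MaxAgeDays       = $(if ($maxAge) { $maxAge.TotalDays } else { 'Never' })
            LockoutThreshold = [int]$p['msds-lockoutthreshold'][0]
            AppliesTo        = @($p['msds-psoappliesto'])   # DNs of groups/users
        }
    }
}

function Get-ResultantPso([string]$SamAccountName) {
    # Escape LDAP filter metacharacters (RFC 4515) before interpolating the name.
    $safe = $SamAccountName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $root = [ADSI]"LDAP://RootDSE"
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext.Value)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$safe))"
    # msDS-ResultantPSO is computed by the DC on request, so it must be asked for.
    [void]$searcher.PropertiesToLoad.Add('msDS-ResultantPSO')
    $user = $searcher.FindOne()
    if ($user -eq $null) { throw "User $SamAccountName not found" }
    $pso = $user.Properties['msds-resultantpso']
    if ($pso.Count -eq 0) { 'Default Domain Policy (no PSO applies)' } else { [string]$pso[0] }
}

Get-PasswordSettingsObjects | Sort-Object Precedence | Format-Table Name, Precedence, MinLength, MaxAgeDays, AppliesTo -AutoSize
Get-ResultantPso -SamAccountName 'placeholder.user'
```

The resultant-PSO lookup is the check worth automating: run it against the privileged accounts you think are covered by the strict policy, because a PSO applied to a group the admin is not actually a member of silently leaves that admin on the domain default.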
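The Kerberos AES and LM Hashes rows describe two settings a practitioner will want to verify rather than assume. This added example, mine and not the newsletter's, audits the LM-hash and LAN Manager authentication-level registry values on a machine and then finds domain accounts with service principal names that still accept only RC4-HMAC Kerberos tickets. It assumes an elevated session on a domain-joined Server 2008 machine in a domain at the 2008 functional level (AES is not available below that).

```powershell
# Added example (not from the newsletter): audit LM-hash/NTLM settings and find
# SPN accounts without AES Kerberos keys. Assumes an elevated, domain-joined
# Server 2008 session in a domain at the 2008 functional level.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LegacyHashSettings {
    $lsa = Get-ItemProperty -Path $LsaKey
    New-Object PSObject -Property @{
        # 1 = "Network security: Do not store LAN Manager hash value on next
        # password change" (the Vista/2008 default).
        NoLMHash             = $lsa.NoLMHash
        # "Network security: LAN Manager authentication level", 0-5. At 3 the
        # client sends only NTLMv2; at 5 the server also refuses LM and NTLMv1.
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel
    }
}

function Disable-LmHashStorage {
    # An account's stored LM hash disappears only when its password next
    # changes, so pair this with a forced change for accounts that predate it.
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
}

# msDS-SupportedEncryptionTypes bit flags (AD schema extended by Server 2008).
$KerbRc4    = 0x04
$KerbAes128 = 0x08
$KerbAes256 = 0x10

function Get-SpnAccountsWithoutAes {
    # The attribute lists the encryption types the account will accept in the
    # service tickets issued for its SPNs. When it is absent the KDC falls back
    # to RC4-HMAC for those tickets, so a service account can stay on RC4 even
    # after the domain itself is able to use AES.
    $root = [ADSI]"LDAP://RootDSE"
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext.Value)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = '(&(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'msDS-SupportedEncryptionTypes'))
    foreach ($r in $searcher.FindAll()) {
        $etypes = 0
        if ($r.Properties['msds-supportedencryptiontypes'].Count -gt 0) {
            $etypes = [int]$r.Properties['msds-supportedencryptiontypes'][0]
        }
        if (($etypes -band ($KerbAes128 -bor $KerbAes256)) -eq 0) {
            New-Object PSObject -Property @{
                Account = [string]$r.Properties['samaccountname'][0]
                AdsPath = $r.Path
            }
        }
    }
}

function Enable-AesForAccount([string]$AdsPath) {
    # Add both AES types while keeping RC4 so nothing breaks during the switch.
    # Only do this for accounts whose host runs Vista/2008 or later: an XP/2003
    # machine account cannot use AES keys. The AES keys themselves exist only
    # once the account's password has been set on a 2008 DC.
    $acct = [ADSI]$AdsPath
    $acct.Put('msDS-SupportedEncryptionTypes', [int]($KerbRc4 -bor $KerbAes128 -bor $KerbAes256))
    $acct.SetInfo()
}

Get-LegacyHashSettings
Get-SpnAccountsWithoutAes | Format-Table Account, AdsPath -AutoSize
```

Computer accounts for Vista and Server 2008 machines normally already carry all three bits, so the interesting lines in the second report are user accounts that run services under an SPN: those are the ones still handing out RC4 tickets in a domain that has "moved to AES".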
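The Services row says each service now has its own SID and can be granted permissions on its own. Here is what that looks like in practice, as an added example of mine rather than anything from the newsletter: it reads a service's SID type and derived SID with sc.exe, switches the SID type on, grants that SID (instead of the shared Network Service account) rights on one folder, and trims the service's privileges. It assumes an elevated Server 2008 session; the service name, folder and privilege list are placeholders for your own.

```powershell
# Added example (not from the newsletter): per-service SIDs and least privilege
# for one service. Assumes an elevated Server 2008 session; the service name,
# folder and privileges below are placeholders.
function Get-ServiceSidInfo([string]$ServiceName) {
    # sc.exe qsidtype reports NONE, UNRESTRICTED or RESTRICTED; sc.exe showsid
    # prints the SID Windows derives from the service name (S-1-5-80-...).
    $typeLine = & sc.exe qsidtype $ServiceName | Select-String 'SERVICE_SID_TYPE:' | Select-Object -First 1
    $sidLine  = & sc.exe showsid  $ServiceName | Select-String 'SERVICE SID:'      | Select-Object -First 1
    New-Object PSObject -Property @{
        Service = $ServiceName
        SidType = $(if ($typeLine) { ($typeLine.Line -split ':\s*')[1] } else { 'Unknown' })
        Sid     = $(if ($sidLine)  { ($sidLine.Line  -split ':\s*')[1] } else { 'Unknown' })
    }
}

function Grant-ServiceSidAccess([string]$ServiceName, [string]$Path, [string]$Rights = 'Modify') {
    # With SID type NONE the service token carries only the shared account's
    # SIDs, so the ACE below would never match; UNRESTRICTED adds the service SID.
    & sc.exe sidtype $ServiceName unrestricted | Out-Null

    # Service SIDs resolve through the NT SERVICE\ name prefix.
    $account = New-Object System.Security.Principal.NTAccount("NT SERVICE\$ServiceName")
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-ServicePrivileges([string]$ServiceName, [string[]]$Privileges) {
    # sc.exe privs takes a slash-separated list; the SCM strips every other
    # privilege from the service's token, so list only what the service needs.
    & sc.exe privs $ServiceName ($Privileges -join '/') | Out-Null
}

# Placeholder service and folder for this example.
Grant-ServiceSidAccess -ServiceName 'MyAppSvc' -Path 'D:\AppData'
Set-ServicePrivileges  -ServiceName 'MyAppSvc' -Privileges @('SeChangeNotifyPrivilege', 'SeImpersonatePrivilege')
Get-ServiceSidInfo     -ServiceName 'MyAppSvc'
```

Both the SID type and the privilege list are read when the service starts, so restart the service after changing them, and check the ACL of any folder the service previously reached only through Network Service: once the service has its own ACE, the broad Network Service ACE can usually come off.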
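To make the Clark Kent/Superman token story from the UAC row and the Integrity Levels row concrete, this added example (mine, not from the newsletter) shows how a script can tell which of the two tokens it is running under and at what integrity level, and how a file can be given a High integrity label that a non-elevated process cannot write past. It assumes Vista or Server 2008 with UAC enabled; the file path is a placeholder.

```powershell
# Added example (not from the newsletter): inspect the current UAC token and
# integrity level, and label a file. Assumes Vista/Server 2008 with UAC on.
function Get-TokenElevationInfo {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # Under the filtered (Clark Kent) token IsInRole(Administrator) is false even
    # for a member of Administrators, because that group is marked deny-only.
    $elevated = $principal.IsInRole($adminRole)

    # The integrity label appears in the token's group list as S-1-16-<RID>:
    # 4096 Low, 8192 Medium, 12288 High (elevated), 16384 System.
    $labelSid = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    $rid = if ($labelSid) { [int]($labelSid.Value -replace '^S-1-16-', '') } else { -1 }
    $levelName = switch ($rid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { 'Unknown' }
    }

    New-Object PSObject -Property @{
        User           = $identity.Name
        Elevated       = $elevated
        IntegrityLevel = $levelName
    }
}

function Protect-FileWithIntegrityLabel([string]$Path) {
    # icacls stamps a High mandatory label on the file. The default mandatory
    # policy is "no write up", so a Medium-level (non-elevated) process is
    # refused write access even if the NTFS DACL would otherwise allow it.
    & icacls.exe $Path /setintegritylevel H | Out-Null
    & icacls.exe $Path     # shows "Mandatory Label\High Mandatory Level:(NW)"
}

Get-TokenElevationInfo
Protect-FileWithIntegrityLabel -Path 'C:\Placeholder\config.ini'   # placeholder path
```

Run Get-TokenElevationInfo once from a normal PowerShell window and once from one started with "Run as administrator": the same user comes back as Medium/not elevated the first time and High/elevated the second, which is the whole point of the two tokens. Labelling must itself be done from the elevated window, since a Medium process cannot raise a label above its own level.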


Bring Mark to Your Site to Teach

I'm keeping busy doing Server 2008 and Vista seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2008, Vista, security, XP, Active Directory or 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between 1-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I hope that it is a useful source of Windows technical information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 45,000 subscribers and I hope to use this to get information to every one of my readers. Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum.  Thanks for letting me visit with you, and take care. 

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2008 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.