Daniel Petri
MVP, Senior IT Consultant www.petri.co.il daniel@petri.co.il
Agenda:
Server Core Overview
Server Core Supported Roles and Features
Server Core Management Options
Windows Firewall with Advanced Security
Server and Domain Isolation
Network Access Protection
Group Policy Enhancements
Windows Server is frequently deployed to support a single role or a fixed workload. However, you must deploy and service all of Windows Server, along with a large number of functions, features, files, services and other binaries that are probably not needed for the specific function of that server.
Reduced maintenance: Because the Server Core installation option installs only what is required to have a manageable server for the specific roles, less maintenance is required than on a full installation of Windows Server 2008.
Reduced attack surface: Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
Reduced management: Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
Less disk space required: A Server Core installation requires only about 1 GB of disk space to install and approximately 2 GB for operations after the installation.
Supported roles:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP server
DNS server
File services (including DFSR and FRS)
Print Services
Streaming Media Services
Windows Server Virtualization (Hyper-V)
IIS 7.0
Supported features:
Failover Clustering
Multipath I/O
Removable Storage Management
Installation: use the Windows Automated Installation Kit (WAIK) tools to create unattend files.
Hardware requirements are based upon your own server tuning for best performance.
Management options:
Locally, from the command prompt
Remotely, using MMC snap-ins (the controlling computer must be Windows Server 2008 or Windows Vista)
Common management tasks on Server Core:
Configure keyboard
Set time and time zone
Configure the UI
Change password
Check machine name
Set IP address
Check the firewall
Add to domain
Check and install roles
Convert to a DC
Configure roles
Backup the system
Monitor performance
Network card configuration
Change device drivers
Check event logs
Manage certificates
Licensing
Security
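The command-line tools that cover most of the tasks listed above on a Server Core 2008 installation, as an added example that is not part of the original deck. The interface name, addresses, computer name, domain and account are placeholders; the steps must be run in stages, rebooting where noted.

```cmd
@echo off
rem Added example (not from the deck): initial Server Core 2008 configuration
rem from the command prompt. All names and addresses are placeholders.

rem --- Stage 1: network, credentials, name -----------------------------------
rem Static IPv4 address and DNS server on the first NIC ("Local Area Connection"
rem is the default interface name on Server Core 2008).
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.0.0.20 mask=255.255.255.0 gateway=10.0.0.1
netsh interface ipv4 add dnsserver name="Local Area Connection" address=10.0.0.10 index=1

rem Change the local Administrator password (prompts interactively).
net user Administrator *

rem Time zone (one of the few GUI dialogs available on Server Core) and time sync.
control timedate.cpl
w32tm /resync

rem Check and change the machine name, then reboot before joining the domain.
hostname
netdom renamecomputer %COMPUTERNAME% /newname:CORE01
shutdown /r /t 0

rem --- Stage 2 (after reboot): domain, remote management, roles --------------
rem Join the domain; /passwordd:* prompts for the joining account's password.
netdom join %COMPUTERNAME% /domain:corp.example.com /userd:CORP\joinacct /passwordd:*

rem Check the firewall and open the rule group the remote MMC snap-ins need.
netsh advfirewall show currentprofile
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall set currentprofile settings remotemanagement enable

rem Enable Remote Desktop via the Server Core-specific script, activate Windows.
cscript %WINDIR%\System32\scregedit.wsf /ar 0
cscript %WINDIR%\System32\slmgr.vbs -ato

rem List available/installed roles, then install the DNS server role.
oclist
start /w ocsetup DNS-Server-Core-Role

rem Check the last 20 System event log entries from the command line.
wevtutil qe System /c:20 /rd:true /f:text

rem Promote to a domain controller with an unattend file (path is a placeholder).
dcpromo /unattend:C:\dcpromo-answers.txt
```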
Combined firewall and IPSec management
New management tools: Windows Firewall with Advanced Security MMC snap-in
Reduces conflicts and coordination overhead between technologies
Firewall rules become more intelligent: specify security requirements such as authentication and encryption, and specify Active Directory computer or user groups
Outbound filtering
consumers
Simplified protection policy reduces management overhead
Fully integrated into Group Policies and Local Policies
Server and Domain Isolation creates a layer of end-to-end protection that can greatly reduce the risk of costly malicious attacks and unauthorized access to your networked resources. SDI is based on IPSec and GPO. Enables you to dynamically segment your Windows environment into more secure and isolated logical networks. SDI allows you to limit access to only authenticated and authorized users.
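The firewall and isolation features described in the two sections above, expressed as netsh advfirewall rules; this is an added example, not from the deck or from Microsoft documentation. Rule names, ports and the group SID in the SDDL string are placeholders.

```cmd
@echo off
rem Added example (not part of the deck): Windows Firewall with Advanced Security
rem rules for a simple Server and Domain Isolation policy. Placeholders throughout.

rem 1. Connection security rule: require IPsec authentication for inbound traffic,
rem    request it for outbound, using domain (Kerberos) computer credentials.
netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

rem 2. Firewall rule matched only for IPsec-authenticated peers (security=authenticate)
rem    and further limited to members of an AD computer group, given as SDDL.
rem    S-1-5-21-PLACEHOLDER-RID stands in for the real group SID.
netsh advfirewall firewall add rule name="SMB from authorized computers" dir=in action=allow protocol=TCP localport=445 security=authenticate rmtcomputergrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-RID)"

rem 3. Require both authentication and encryption (security=authenc) for RDP.
netsh advfirewall firewall add rule name="RDP authenticated and encrypted" dir=in action=allow protocol=TCP localport=3389 security=authenc

rem 4. Outbound filtering: block outbound by default on the domain profile,
rem    then allow only the traffic the server needs.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Outbound DNS" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="Outbound web" dir=out action=allow protocol=TCP remoteport=80,443

rem Verify: list the firewall and connection security rules and the
rem main-mode security associations currently established.
netsh advfirewall firewall show rule name=all
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

The same rules can be deployed centrally through the Windows Firewall with Advanced Security node of a GPO, which is how SDI is normally rolled out.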
The problem:
One of the most time-consuming challenges that administrators face is ensuring that computers that connect to private network assets are up to date and meet health policy requirements. This complex task is commonly referred to as maintaining computer health. Failure to keep computers that connect to the network up to date is one of the most common ways to jeopardize the integrity of a network.
The solution:
Network Access Protection for Windows Server 2008, Windows Vista and Windows XP SP3 provides components and an application programming interface (API) set that help administrators enforce compliance with health policies for network access or communication.
Note:
Network Access Protection is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network's overall integrity.
NAP components:
Policy Servers (e.g. Microsoft System Center, Forefront or 3rd party)
Remediation Servers (WSUS, System Center, 3rd party)
Restricted Network (for clients that are not policy compliant)
Corporate Network (for clients that are policy compliant)
NAP enforcement flow:
1. Client requests access to the network and presents its current health state.
2. DHCP, VPN or switch/router relays the health status to the Microsoft Network Policy Server (RADIUS).
3. Network Policy Server (NPS) validates it against the IT-defined health policy.
4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations and signatures.
5. Repeat steps 1 to 4; once policy compliant, the client is granted access to the corporate network.
Group Policy Preferences (which are basically PolicyMaker integrated into the GPO Editor)
Group Policy Preferences allow administrators to configure and deploy Windows and application settings that were previously unavailable using Group Policy. You can also manage Group Policy Preferences from a Windows Vista Service Pack 1 computer by installing the Remote Server Administration Tools (RSAT), which include the updated version of GPMC.
Some of the benefits of using Group Policy Preferences in your environment:
Improving IT productivity
Reducing the need for logon scripts
Limiting configuration errors
Enhancing end-user satisfaction
Minimizing image maintenance
Reducing overall image count
The Client-Side Extensions for GP Preferences are included in Windows Server 2008, and down-level versions will be available as a separate download for:
Windows XP Service Pack 2 and above
Windows Vista RTM and above
Windows Server 2003 SP1 and above
Windows Server 2008 is the most secure platform ever developed by Microsoft, allowing administrators superior control over their environments and of services running on the servers.
Daniel Petri
dpetri@johnbryce.co.il www.petri.co.il
2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.