Hands-on: Windows Longhorn Server Beta 2

Radical code revision focuses on security, system integrity and reliability.

Page 4 of 5

Windows Firewall with Advanced Security

The Windows Firewall version included with Windows Server 2003 Service Pack 1 was exactly the same as that included in Windows XP SP2. Microsoft bundled that firewall with Service Pack 1 as a stopgap measure -- deploy this firewall now so you will be protected, the company said, and we will work to improve the firewall in the next version of Windows.

That time is now here. The new Windows Firewall with Advanced Security combines firewall and IPsec management into one convenient MMC snap-in, which is shown in Figure 2.

Figure 2 - Windows Firewall with Advanced Security MMC Snap-In




The firewall engine itself has been rearchitected to reduce conflict and coordination overhead between filtering and IPsec. Rules support more functionality, and you can easily specify explicit security requirements such as authentication and encryption. Settings can be configured per Active Directory computer or user group.

Outbound filtering has been enabled; the previous version of Windows Firewall filtered inbound traffic only. And finally, profile support has been improved as well -- on a per-computer basis, there is now a profile for when a machine is connected to a domain, a profile for a private network connection and a profile for a public network connection, such as a wireless hot spot. Policies can be imported and exported easily, which keeps firewall configuration consistent across multiple computers and simple to manage.
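The per-profile and outbound behavior described above can also be set from an elevated command prompt. The following is an added example, not taken from the article: it assumes the `netsh advfirewall` context as it shipped in Windows Vista and Windows Server 2008 (the article covers Beta 2 and shows no commands), and the rule names, program path and export path are hypothetical.

```bat
rem Added example: per-profile policy, outbound rules and policy export.
rem Assumes an elevated prompt and the netsh advfirewall context.
rem Rule names and all C:\ paths below are hypothetical placeholders.

rem 1. Review the current state of the domain, private and public profiles.
netsh advfirewall show allprofiles

rem 2. Domain and private networks: block unsolicited inbound, allow outbound.
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound

rem 3. Public networks (for example a wireless hot spot): default-deny both ways.
rem    With outbound blocked, every required protocol needs an explicit allow rule.
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

rem 4. Outbound allow rules that apply only while the public profile is active.
netsh advfirewall firewall add rule name="Public - DNS out" dir=out action=allow protocol=UDP remoteport=53 profile=public
netsh advfirewall firewall add rule name="Public - HTTPS out" dir=out action=allow protocol=TCP remoteport=443 profile=public

rem 5. Outbound block rule for one program, enforced in every profile.
netsh advfirewall firewall add rule name="Block legacy agent out" dir=out action=block program="C:\Tools\legacy-agent.exe" profile=any

rem 6. Confirm what was created before relying on it.
netsh advfirewall firewall show rule name="Public - DNS out"
netsh advfirewall firewall show rule name="Block legacy agent out"

rem 7. Export the policy so the same baseline can be applied to other machines.
netsh advfirewall export "C:\FirewallPolicy\baseline.wfw"

rem 8. On another machine: import replaces the local policy with the baseline.
netsh advfirewall import "C:\FirewallPolicy\baseline.wfw"
```

Because an import overwrites the existing local policy, export the target machine's current policy first so it can be restored.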

Network Access Protection

Viruses and malware are often stopped by software defenses that run within a user's session, but the ultimate protection would be if they never even got access to the network. In Longhorn Server, Microsoft has created a system whereby computers are examined against a baseline set by the administrator, and if a machine doesn't stack up in any way against that baseline, that system can be prevented from accessing the network -- quarantined, as it were, from the healthy systems until such time as the user is able to fix his broken machine. This functionality is called Network Access Protection (NAP).

NAP can be broken down into key components:

  • Health policy validation: Validation is the process of examining a machine attempting to connect to the network and checking it against certain criteria that an administrator sets.

  • Health policy compliance: Compliance policies can be set so that managed computers that fail the validation process can be automatically updated or fixed via Systems Management Server or some other management software.

  • Limited access: Limiting access can be the enforcement mechanism for NAP. It's possible to run NAP in monitoring-only mode, which logs the compliance and validation state of computers connecting to the network, but in active mode, computers that fail validations are put into a limited-access area of the network, which typically blocks almost all network access and restricts traffic to a set of specially hardened servers that contain the tools most commonly needed to get machines up to snuff.

Keep in mind that NAP is only a platform by which these checks can be made -- pieces of the puzzle are still needed after deploying Longhorn Server, including system health agents (SHA) and system health validators (SHV) that ensure that checks and validations are made on each client machine. Windows Vista will ship with default SHAs and SHVs that can be customized.

Manageability Improvements

Servers are only effective if the administrator configures them properly. Windows Server products have traditionally been fairly simple to operate, but in Longhorn Server, there are many improvements to the initial setup and configuration experience. Many of these details are still being worked out, and these elements may change as we draw nearer to the anticipated release date, but let's take a look anyway and see what Longhorn Server Beta 2 has to offer in terms of manageability enhancements.

Server Manager

Server Manager is a one-stop shop for viewing information on a server, looking at its stability and integrity, managing installed roles and troubleshooting configuration issues that may arise. Server Manager replaces the Configure Your Server, Manage Your Server and Security Configuration Wizard interfaces. Take a look at Figure 3, which shows the interface:

Figure 3 - Server Manager User Interface in Longhorn Server Beta 2

