1. Virtualization
Although it will not be available with the initial launch of Server 2008, Microsoft's Hyper-V
hypervisor-based virtualization technology promises to be a star attraction of Server 2008 for many
organisations.
Although some 75 percent of large
businesses have started using virtualization, only an estimated 10
percent of servers out are running virtual machines. This means the market is still immature. For
Windows shops, virtualization using Server 2008 will be a relatively low-cost and low-risk way to dip a
toe in the water.
At the moment, Hyper-V lacks the virtualized infrastructure support virtualization market leader VMware
can provide. Roy Illsley, senior research analyst at U.K.-based Butler Group, noted that Microsoft is
not as far behind as many people seem to think, however. "Don't forget Microsoft's System Center, which
is a fully integrated management suite and which includes VM Manager. Obviously it only works in a
Wintel environment, but if you have Server 2008 and System Center, you have a pretty compelling
proposition.
"What Microsoft is doing by embedding virtualization technology in Server 2008 is a bit like embedding
Internet Explorer into Windows," said Illsley. "This is an obvious attempt to get a foothold into the
virtualization market."
At launch, Microsoft is unlikely to have a similar product to VMware's highly popular VMotion (which
enables administrators to move virtual machines from one physical server to another while they are
running), but such a product is bound to available soon after.
2. Server Core
Many server administrators, especially those used to working in a Linux environment, instinctively
dislike having to install a large, feature-packed operating system to run a particular specialized
server. Server 2008 offers a Server Core installation, which provides the minimum installation required
to carry out a specific server role, such as for a DHCP, DNS or print server. From a security
standpoint, this is attractive. Fewer applications and services on the sever make for a smaller attack
surface. In theory, there should also be less maintenance and management with fewer patches to install,
and the whole server could take up as little as 3Gb of disk space according to Microsoft. This comes at
a price — there's no upgrade path back to a "normal" version of Server 2008 short of a reinstall. In
fact there is no GUI at all — everything is done from the command line.
3. IIS
IIS 7, the Web server bundled with Server 2008, is a big upgrade from the previous version. "There are
significant changes in terms of security and the overall implementation which make this version very
attractive," said Barb Goldworm, president and chief analyst at Boulder, Colorado-based Focus
Consulting. One new feature getting a lot of attention is the ability to delegate administration of
servers (and sites) to site admins while restricting their privileges.
4. Role-based installation Role-based installation is a less extreme version of Server Core. Although
it was included in 2003, it is far more comprehensive in this version. The concept is that rather than
configuring a full server install for a particular role by uninstalling unnecessary components (and
installing needed extras), you simply specify the role the server is to play, and Windows will install
what's necessary — nothing more. This makes it easy for anyone to provision a particular server without
increasing the attack surface by including unwanted components that will not do anything except present
a security risk.
5. Read Only Domain Controllers (RODC)
It's hardly news that branch offices often lack skilled IT staff to administer their servers, but they
also face another, less talked about problem. While corporate data centers are often physically
secured, servers at branch offices rarely have the same physical security protecting them. This makes
them a convenient launch pad for attacks back to the main corporate servers. RODC provides a way to
make an Active Directory database read-only. Thus, any mischief carried out at the branch office cannot
propagate its way back to poison the Active Directory system as a whole. It also reduces traffic on WAN
links.
6. Enhanced terminal services
Terminal services has been beefed up in Server 2008 in a number of ways. TS RemoteApp enables remote
users to access a centralized application (rather than an entire desktop) that appears to be running on
the local computer's hard drive. These apps can be accessed via a Web portal or directly by double-
clicking on a correctly configured icon on the local machine. TS Gateway secures sessions, which are
then tunnelled over https, so users don't need to use a VPN to use RemoteApps securely over the
Internet. Local printing has also been made significantly easier.
7. Network Access Protection
Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall
and in compliance with corporate security policies — and that those that are not can be remediated — is
useful. However, similar functionality has been and remains available from third parties.
8. Bitlocker
System drive encryption can be a sensible security measure for servers located in remote branch offices
or anywhere where the physical security of the server is sub-optimal. Bitlocker encryption protects
data if the server is physically removed or booted from removable media into a different operating
system that might otherwise give an intruder access to data which is protected in a Windows
environment. Again, similar functionality is available from third-party vendors.
9. Windows PowerShell
Microsoft's new(ish) command line shell and scripting language has proved popular with some server
administrators, especially those used to working in Linux environments. Included in Server 2008,
PowerShell can make some jobs quicker and easier to perform than going through the GUI. Although it
might seem like a step backward in terms of user friendly operation, it's one of those features that
once you've gotten used to it, you'll never want to give up.
10. Better security
We've already mentioned various security features built into Server 2008, such as the ability to reduce
attack surfaces by running minimal installations, and specific features like BitLocker and NAP.
Numerous other little touches make Server 2008 more secure than its predecessors. An example is Address
Space Load Randomization — a feature also present in Vista — which makes it more difficult for
attackers to carry out buffer overflow attacks on a system by changing the location of various system
services each time a system is run. Since many attacks rely on the ability to call particular services
by jumping to particular locations, address space randomization can make these attacks much less likely
to succeed.
It's clear that with Server 2008 Microsoft is treading the familiar path of adding features to the
operating system that third parties have previously been providing as separate products. As far as the
core server product is concerned, much is new. Just because some technologies have been available
elsewhere doesn't mean they've actually been implemented. Having them as part of the operating system
can be very convenient, indeed.
0 comments:
Post a Comment