Longhorn: Long on Security?
Let's face it, Microsoft is a lighting rod when it comes to security. In past weeks, it's drawn fire from McAfee and the European Union, among others, over closing the Vista kernel. Furthermore, the first Vista exploit was made public on Dec. 22, just three weeks after the OS's general release.
One bright spot for Redmond is Windows Longhorn Server, a ground-up redesign of the Windows kernel. Longhorn has a real focus on increased security, as well as simplified management and improved performance. To find out just how significant a change Microsoft's next-generation server OS will be for the enterprise, we brought a beta version of the code into our Syracuse University Real-World Labs® and tried out the new security features.
After weeks of hammering, picking and probing, we walked away impressed. As Microsoft promised, Longhorn offers significant security improvements in the areas of setup and configuration, OS modularity and client health detection, plus an enhanced firewall and a new IP stack.
More subtly, you'll find the kind of attention to security details that Microsoft products have lacked in the past. Take, for example, the best little feature that you may never even notice: While the Initial Configuration tasks wizard is running, the server cannot be accessed through the network. Touches like this bode well. On a larger scale, Longhorn incorporates Microsoft's NAP (Network Access Protection) technology to provide added safeguards for remote-access connections.
Unfortunately, the best technological innovation in Longhorn, namely NAP, requires changes to existing desktops, which we're always loath to recommend. At a minimum, taking full advantage of Longhorn Server will mean an upgrade to existing XP installations or a migration to Vista--something most organizations, particularly those with a mix of client OSs, will find hard to swallow. Assuming Vista's presence is a nonstarter.
In addition, IT will have to invest in education: Given the alerts generated by NAP, administrators run the risk of tearing their hair out as tighter restrictions on the network force more users to perform remedial actions. IT must adjust its business plan and set internal expectations accordingly. It may well be that the full return on a Longhorn upgrade will only be realized as endpoints are upgraded.
Triple-play Protection
With NAP, Longhorn goes beyond Server 2003's Network Access Quarantine Control--which offered added protection only to remote-access connections--to protect all VPN-, DHCP- and IPsec-based communications.
In a nutshell, NAP provides three functions needed to protect the enterprise from rogue clients: Network restriction limits access to clients that are in compliance with corporate security policies. Rogue clients are quarantined for further remediation. NAP also provides IT with network-policy validation for required patches, current antivirus signatures and proper firewall configuration settings.
Finally, NAP takes measures to remediate the client. Network access control--where, if a client fails the health-check policies, administrators can update them automatically to compliant levels--requires client-management software, such as Microsoft SMS (Systems Management Server). A monitoring-only configuration is also supported that would allow noncompliant clients access to some network resources while administrators remediate compliance levels at a later time. For an overview of NAP, see "Microsoft NAP Architecture Summary," below.
To enable NAP, endpoints need a NAP Client agent, included with Vista and Longhorn, and currently in beta tests for XP. The process is a little more complex for NAP servers, which must be running NAP Administration Server, a System Health Validator, a Health Policy, a Health Certificate Server, a Remediation Server and a Policy Server.
The good news is that NAP is hardly hype. On our test network of two Longhorn servers, we were able to configure an Authorization Policy that restricted VPN access to clients that had Windows Firewall enabled. Clients that failed to comply with our Authorization Policy were directed to a Web page on our restricted-access remediation server, which notified users that their connections had failed and provided information on how to conform with the policy--in this case, by enabling the desktop firewall. Obviously, this is a simple test, but we believe network administrators will be able to tailor the System Health Validators and Authorization Policies to their environments. For much more on NAP, see "The Plot Thickens".
Continue Reading This Story...
Advanced Security
Although the current focus in the data security world is on endpoints, network-based firewalls are still the first line of defense. To that end, Microsoft builds on its inbound-only firewall, released in Server 2003 SP1, with Longhorn's new Windows Firewall. Our tests showed that Windows Firewall sports a number of security advancements but is weighed down by a daunting--and at times redundant--interface.
The advanced security brings firewall enhancements that include profile-based management, support for filtering on incoming and outgoing traffic, the new MMC (Microsoft Management Console) snap-in for management, and IPsec management and firewall filtering integrated in a common interface.
Filtering of incoming and outgoing traffic is a handy new feature. By default, all inbound traffic is blocked unless it matches a configured rule or is a response to a request of a computer within the network. This firewall behavior is a good start and will be useful in stopping worms and some viruses. Our tests showed that rules can be configured for the usual fields--source and destination IP addresses, Active Directory accounts and groups, source and destination TCP and UDP ports, ICMP and ICMP for IPv6 traffic by type and code, and services.
We found profile-based management especially helpful for simplifying secure-device configuration. Administrators are presented with three basic profiles--domain, private and public--each used in different types of networks. Domain is used to specify the behavior of clients when connected to a network that contains the domain controller of a client's domain. Private is for clients connected to networks located behind a router, as in a home or small-office network. Public is for clients directly connected to the Internet.
Included with the profiles are default inbound and outbound rules. Although the interface was intimidating--and could boggle first-time users--Microsoft has eased setup of the firewall configuration through the inclusion of a Getting Started section in the management interface.
Ipsec Integration Rules
To prevent eavesdropping and data tampering, Microsoft built IPsec into Longhorn. The implementation is thorough and includes an easy-to-use configuration interface. Although no IPsec rules are configured by default, the provided wizard made it simple enough to generate any of five rule types: isolation, authentication exemption, server-to-server, tunnel or custom. Isolation rules are used to restrict connections based on authentication criteria, such as domain membership or health status. Authentication exemption rules can be used to exempt individual computers from IPsec restrictions. Server-to-server rules authenticate connections between specific endpoints, while tunnel rules authenticate connections between gateway computers.
Managing inbound and outbound policies was made easier by the Firewall Management interface, which provides a complete description of policies, while rules are grouped by service and network profile. When we set out to create a new policy, the New Connection Security Rule Wizard gave us the option to create a rule based on a program, port or predefined service, or a customized rule. Policies created in the MMC can easily be imported or exported. In addition, all new functions can be managed through Active Directory-based Group Policy objects.
One of the biggest challenges in firewall configuration is ensuring rules are defined correctly, to allow the right access to the right people. On this point, Longhorn does an admirable job. We configured an outbound rule, for example, to ensure compliance with what any IT organization knows to be common sense: Never browse the Internet from the server console. Our rule simply blocked Internet Explorer (Iexplore.exe) from accessing the Internet. If you include this rule in a Group Policy, the browser would be restricted organizationwide.
We also set up inbound rules to restrict access to remote desktops based on the connection being secured/encrypted. Both rules performed as expected and blocked the intended traffic. Finally, we configured an IPsec policy that required all computers communicating with the test server within the Domain profile to authenticate with a Computer Certificate issued from the Active Directory domain Certificate Authority.
Now for the bad. Microsoft includes two firewall interfaces in the beta version: The firewall with advanced security can be accessed through the new MMC snap-in, the Administrative Tools shortcut, through Group Policy objects and through the Local Security Policy. We didn't see the need for an additional Windows XP SP2-like firewall interface that can be accessed through the Control Panel and the Server Manager interface. We suspect that the old firewall interface will be removed in future Longhorn versions. Furthermore, though the new firewall can be managed through the Local Security Policy window, existing firewall rules were not displayed.
TCP/IP Stack Overhaul
Probably the biggest change that Longhorn brings at the network layer is a redesigned TCP/IP stack that should install more easily, improve network performance and reduce the memory footprint. The new stack, which Microsoft is calling the Next Generation TCP/IP Stack, includes a dual-layer IP architecture for IPv4 and IPv6 as well as improved autotuning of TCP/IP settings.
The dual-IP-layer architecture means IPv4 and IPv6 implementations share common Transport and Framing layers--no more having to install IPv6 as a separate stack. In fact, the Longhorn IP stack defaults to IPv6, although this did not cause any IPv4 connectivity problems in our testing. However, unlike in previous versions of Windows Server, IPv6 cannot be uninstalled from the OS--shops that have no intention of deploying IPv6 and want to disable the feature will be forced to modify the registry. Fortunately, Microsoft has provided documentation on the needed registry edit and allowed for selective disabling of IPv6 features.
The new Longhorn Server TCP/IP stack is configured to autotune TCP window size by individual connection. Microsoft claims Receive Window autotuning will enable TCP window scaling to 16 MB. This autotuning capability should increase the efficiency of data transfers over high-speed network connections.
Microsoft also has introduced native TCP "chimney" off-loading, which will be a huge benefit for companies using IP-based storage or looking to adopt 10 Gigabit Ethernet in the future. With TCP chimney off-loading, Longhorn improves network performance by moving networking tasks on to the network adapter (see "Longhorn: The Storage View").
Tyler Lawton is a sysadmin for Syracuse University in its network and systems management department. Write to him at [email protected].
Longhorn: The Storage View
Longhorn's next generation TCP/IP Stack will be welcomed by storage managers everywhere. In particular, native TCP "chimney" off-loading has been a long time coming and will be a huge benefit for companies using IP-based storage or looking to adopt 10 Gigabit Ethernet.
Chimney (TCP) off-loading is a technology co-developed by Microsoft and Alacritech that lets the OS pass TCP/IP processing on to an accelerated device like an iSCSI host bus adapter, so that CPU cycles aren't wasted on such a mundane task. This improves general network performance, but really does a bang-up job of reducing processor overhead on transfer-intensive tasks for IP-based storage protocols like iSER, iWarp, iSCSI and the like.
As for 10GigE, storage transfers over 1-Gbps Ethernet can use as much as 5 percent of a processor's capacity, which means that transfers over 10GigE could suck up 50 percent of a processor's capacity. This is purely conjecture at this point, but even a fivefold increase in overhead for storage processing would be unacceptable.
Likewise intriguing from both a storage and a security perspective is Microsoft's new BitLocker technology, which offers USB-key-based full-disk data encryption; see our initial take on BitLocker at nwc.com/ channels/ security/ show Article. jhtml? article ID= 193500189.
Longhorn is also designed to be virtualization-ready, with a new Windows hypervisor that will support multiple virtual machines on systems using processors with Intel VT or AMD-V chip-assist technology. Finally, the base OS will be able to operate in a "core mode," designed to provide a low-overhead platform with kernel and device support and reserve the maximum amount of system resources to the VMs themselves. -- Steven Hill
Longhorn: Up and Running
In our tests, installation time ran about 45 minutes. After installing Longhorn, we were presented with a new interface, titled Initial Configuration Tasks, that let us complete three major subsections of basic setup tasks.
The first section included setting the administrator password (required), configuring networking settings, and setting server name and domain information. In section two, we enabled and configured Windows update along with downloading and installing current updates. The final area is where you to add server roles and OS features, configure remote desktop access and enable a Windows XP-like firewall interface.