Microsoft TechEd 2007 template.ppt

Windows Server 2008 Scenarios
SVR307

Session Objectives And Agenda
  • Understand key scenarios for Windows Server 2008
  • Learn which roles and features enable each scenario
  • See technologies in action that bring value in each scenario

Windows Server 2008 Scenarios
  • Remote Infrastructure
  • Anywhere Application Access
  • Server Management
  • Web and Applications Platform
  • Security and Policy Enforcement
  • Server Virtualization
  • High Availability

Scenario: Server Management
Key Technologies
  • Server Core
  • Server Manager
  • Windows PowerShell
Goals
  • Reduce management and servicing needs, while improving reliability and security
  • Configure local server through a single interface
  • Add / remove server roles and features more securely and reliably
  • View status and perform local management tasks from a single tool
  • Automate administration of multiple servers with task-based scripting language
  • Accelerate script authoring, testing and debugging
  • Perform server management through multiple data stores

Server Core
  • New minimal installation option with only "core" components
  • No GUI interface
  • Subset of server roles and features available
  • Manage remotely as you would any server
Diagram labels: Server Core; Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems; GUI, CLR, Shell, IE, OE, etc.; File / Print; DHCP; DNS; AD / LDS; Virtualization; IIS / WMS

Server Manager
Diagram labels: Product Installation; Initial Configuration; Server Manager

Windows PowerShell
New Command-line shell & Scripting Language
  • Improves productivity & control
  • Accelerates automation of system admin
  • Works with existing scripts
  • Ships with Windows Server 2008
  • Easy for non-programmers
  • Role management in future versions
Resources
  • TechNet Script Center
  • MyITF
  • Newsgroup and Web Forum
  • Team Blog and Channel 9
  • Books from MS Press, Manning, O'Reilly, Sapien etc.
Partners

Scenario: Web & Applications Platform
Key Technologies
  • Internet Information Services 7.0
  • .NET Framework 3.0
  • Windows Media Services
  • Windows SharePoint Services
Goals
  • Efficiently manage Web server, Web applications and Web services
  • Deploy and configure Web applications and services across server farms quickly
  • Create customized Web platform that is faster, more secure and more reliable
  • Improve performance & scalability of Web applications and services
  • Achieve fine control and visibility into utilization of key OS resources

IIS 7.0 Overview
  • Streamlined installation means reduced attack surface
  • Simplified administration through variety of tools
  • Customization and extensibility through .NET
  • Xcopy deployment and shared configuration
  • Event logging and tracing for faster troubleshooting
  • Application and health management for Web services

Managing Your Web with IIS 7.0
  • Arsenal of Admin Tools
  • Delegated Management
  • Secure Remote Management
  • Shared Config for Web Farms
Diagram labels: IIS7; Site Owner; Delegation; XCopy Deploy; Administrator; Internet; Manage Remotely; Secure HTTPS; SharedConfig; Shared App Hosting; UNC; Web Farm; App

Windows SharePoint Services 3.0 (WSS)
  • Centralized Configuration replicates data across server farms
  • Two-Tier administration model
  • Improved Backup and Recovery support
  • Multi-Stage Recycle Bin
  • ASP.NET Forms authentication integration
  • Non-Windows based systems

Scenario: Remote Infrastructure
Technologies
  • Active Directory
  • Read-Only Domain Controller
  • Administrative Role Separation
  • Restartable Active Directory
  • SYSVOL replication using DFS
  • BitLocker Drive Encryption
  • NetIO
Goals
  • Improve the efficiency of remote office server deployment and administration
  • Mitigate physical security risks in remote offices
  • Improve the efficiency of WAN communications

Read-Only Domain Controller: Enhanced Security for remote office DCs
  • Impact of stolen DC to the Active Directory reduced
  • By default, no users/computers passwords stored on RODC
  • Read-only Partial Attribute Set can prevent application credentials from replicating to RODC
  • Reduced attack surface to the Active Directory for a compromised DC
  • Read-only state with unidirectional replication for AD and FRS/DFSR
  • Each RODC has its own KDC KrbTGT account to provide cryptographic key separation
  • Delegated DCPROMO reduces need for DA to TS into RODC
  • RODCs are workstation accounts
  • Not members of Enterprise-DC or Domain-DC groups
  • Very limited rights to write in Directory

How RODC Works
Diagram labels: Branch; Hub; Read Only DC; Windows Server 2008 DC; RODC
  1. User logs on and authenticates
  2. RODC: Looks in DB: "I don't have the user's secrets"
  3. Forwards Request to Windows Server 2008 DC
  4. Windows Server 2008 DC authenticates request
  5. Returns authentication response and TGT back to the RODC
  6. RODC gives TGT to User and RODC will cache credentials

Read-Only Domain Controller: Password replication policy management models
  • No accounts cached (default)
      Pro: Most secure, still provides fast authentication and policy processing.
      Con: No offline access for anyone. WAN required for Logon
  • Most accounts cached
      Pro: Ease of password management. Intended for customers who care most about manageability improvements of RODC and not security.
      Con: More passwords potentially exposed to RODC
  • Few accounts (branch-specific accounts) cached
      Pro: Enables offline access for those that need it, and maximizes security for others
      Con: Fine grained administration is new task. Need to map computers per branch. Requires watching Auth2 attribute list to manually identify accounts, or use MIIS to automate.

Read-Only Domain Controller: Threat mitigation
Diagram labels: Hub Admin perspective; Attacker perspective

Active Directory (AD): Additional remote infrastructure improvements
  • Administrative Role Separation
      Provides a new "local administrator" level of access per RODC
      Prevents accidental AD modifications by machine administrators
      Does not prevent "local administrator" from maliciously modifying the local DB
  • Stop/Start the AD Directory Services without reboot
      Reduce DC downtime for offline operations
      Keep other services running while DC offline
      Acts like a member server while DC offline
  • SYSVOL replication using DFS-R
      Greater scalability and reliability
      Bandwidth utilization reduction through RDC

BitLocker Drive Encryption
  • Group Policy allows central encryption policy and provides Branch Office protection
  • Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System
  • Uses a v1.2 TPM or USB flash drive for key storage
Diagram labels: Full Volume Encryption Key (FVEK); Encryption Policy

Key New Networking Features
  • Receive Window Autotuning
      Automatically senses network environment and adjusts key performance settings
      Allows increase of the size of the TCP/IP send / receive window
  • Windows Filtering Platform
      Provides filtering capability at all layers of the TCP/IP protocol stack
      Integrates and provides support for next-generation firewall features
  • Receive Side Scaling
      Previous Windows operating systems limit receive protocol processing to single CPU
      RSS resolves this issue by allowing network load from a network adapter to be balanced across multiple CPUs
  • Policy-based Quality of Service
      Prioritize or manage the sending rate for outgoing network traffic
      Both DSCP marking and throttling can be used together to manage traffic effectively

The Receive Window Limitation
[Chart: Maximum Throughput (Mbps) against RTT (ms) for receive window sizes of 64 KB, 128 KB, 256 KB and 512 KB]

Scenario: Anywhere Application Access
Key Technologies
  • Terminal Services Gateway
  • Terminal Services Remote Programs
  • Terminal Services Web Access
Goals
  • Provide anywhere access to business applications over the Internet
  • Remove risk of data loss from laptops by using secure remote access to applications and data located centrally
  • Reduce management costs by removing the need for application servers at distributed locations
  • Provide secure access to terminal services without needing to enable full network access via VPN or other mechanisms
  • Consolidate existing terminal servers using x64 technology

Terminal Services in Windows Server 2008
Two key areas of focus in Windows Server 2008
  • Improving the platform & enabling partner value add
  • Improve out of the box experience for less complex scenarios

Terminal Services Gateway
Diagram labels: External Firewall; Internal Firewall; Internet; Perimeter Network; Corporate Network; Remote / Mobile User; Terminal Services Gateway; Tunnels RDP over HTTPS; Strips off RDP / HTTPS; Terminal Servers and other RDP Hosts; RDP traffic passed to TS

Terminal Services RemoteApp
  • Run server-based applications locally
  • Centrally manage applications
  • Zero footprint client installation
  • RDP 6.0 client required
Diagram labels: Terminal Server

Scenario: Security & Policy Enforcement
Key Technologies
  • Network Access Services
  • Internet Protocol security (IPsec)
  • System Health Validator / System Health Agent
  • Health Certificate Server
  • Wireless Management
Goals
  • Check health and verify compliance for roaming or visiting laptops and home computers
  • Simplify system and software updates and application installation
  • Enhance wireless network security with improved network authentication and encryption

WLAN Management GP
Today's Challenges
  • Wireless Clients Use Different Configuration Utilities
  • Limited Central Management Of Wireless Configuration Throughout An Organization
  • Result: Provisioning Wireless Clients Is Costly And Time-consuming
Solution
  • Group Policy or Command-Line Provisioning of Wireless Clients
  • Deployment simplified
  • Support for mixed wireless security environments
  • Separation of wired 802.1x and wireless services
  • Granular manageability and extensibility supported
  • User experience improved
  • Can Leverage Investment in Active Directory for Granular Targeting
  • Can Limit Connection to Authorized Networks Only

Network Access Protection: Policy-driven access
Diagram labels: MSFT Network Policy Server; Policy compliant; DHCP, VPN Switch/Router; Windows Vista Client; Not policy compliant
Customer Benefits
  • Enhanced Security
      All communications are authenticated, authorized & healthy
      Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
      Policy-based access that IT Pros can set and control

Network Access Protection: NAP Core Components
  • Client
      SHA: System Health agents check client state
      QA: Coordinates SHA/EC
      EC: Method of enforcement
  • Remediation Server
      Serves up patches, AV signatures, etc.
  • Network Policy Server
      QS: evaluates client health
      SHV: evaluates SHA answer
  • System Health Server
      Provides SHV
Diagram labels: NPS Policy Server (RADIUS); Quarantine Server (QS); Client; Quarantine Agent (QA); Health policy; Updates; Health Statements; Network Access Requests; System Health Servers; Remediation Servers; Health Certificate; 802.1x Switches, Policy Firewalls, SSL VPN Gateways, Certificate Servers; (SHA) MS SHA, SMS; System Health Validator; (EC) (DHCP, IPsec, 802.1X, VPN); (SHA) 3rd Parties; (EC) 3rd Party EAP VPNs

Scenario: Security & Policy Enforcement
Key Technologies
  • Active Directory Domain Services
  • Active Directory Certificate Services
  • Active Directory Federation Service
  • Active Directory Rights Management Services
Goals
  • Securely extend and protect information and applications to business partners
  • Reduce the risk of unauthorized access through strong authentication
  • Reduce the number of user accounts and repositories that need to be managed
  • Securely manage user accounts and information outside the datacenter

AD Certificate Services / PKI Features
  • Enterprise PKI (PKIView)
      Now a Microsoft Management Console snap-in
      Support for Unicode characters
  • Online Certificate Status Protocol (OCSP)
      Online Responders
      Responder Arrays
  • Network Device Enrollment Service
      Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP)
      Enhances security of communications by using IPsec
  • Web Enrollment
      Removed previous ActiveX enrollment control - XEnroll.dll
      Enhanced new COM enrollment control - CertEnroll.dll

AD Rights Management Services
  • AD RMS protects access to an organization's digital files
  • AD RMS in Windows Server 2008 includes several new features
      Improved installation and administration experience
      Self-enrollment of the AD RMS cluster
      Integration with AD Federation Services
      New administrative roles
Diagram labels: Information Author; The Recipient; RMS Server; SQL; AD

Scenario: Server Virtualization
Key Technologies
  • Windows Server Virtualization
  • Server Core
Goals
  • Server Consolidation: maximize hardware utilization and consolidate workloads to reduce costs
  • Development and Test: create more flexible environments that reduce costs and improve lifecycle management
  • Business Continuity Management: eliminate impact of downtime and enable disaster recovery abilities
  • Dynamic Datacenter: create a more agile infrastructure with new management capabilities to move virtual machines without impact

Server Virtualization Scenarios
  • Test and Development
  • Business Continuity Management
  • Dynamic Datacenter
  • Production Server Consolidation

Virtualization Technologies
  • Windows Server Virtualization
  • Server Virtualization
  • Presentation Virtualization
  • Application Virtualization
  • Desktop Virtualization
  • Management

Windows Server Virtualization: Architecture
Diagram labels: Virtualization Stack; Par
