By Paul Rubens
By Paul Rubens
No need to call the homicide squad after you take a look at Windows Server 2008: You won’t find any killer features in this release. But that’s not to say there’s nothing to get excited about. There’s a great deal that’s new, and depending on the set up of your organization, it’s almost certain you’ll find some or all of it extremely valuable.
Any ranking is bound to be subjective, and bearing that in mind, here are what we believe to be the 10 most interesting new features in Windows Server 2008.
Although it will not be available with the initial launch of Server 2008, Microsoft’s Hyper-V hypervisor-based virtualization technology promises to be a star attraction of Server 2008 for many organisations.
Although some 75 percent of large businesses have started using virtualization, only an estimated 10 percent of servers out are running virtual machines. This means the market is still immature. For Windows shops, virtualization using Server 2008 will be a relatively low-cost and low-risk way to dip a toe in the water.
At the moment, Hyper-V lacks the virtualized infrastructure support virtualization market leader VMware can provide. Roy Illsley, senior research analyst at U.K.-based Butler Group, noted that Microsoft is not as far behind as many people seem to think, however. “Don’t forget Microsoft’s System Center, which is a fully integrated management suite and which includes VM Manager. Obviously it only works in a Wintel environment, but if you have Server 2008 and System Center, you have a pretty compelling proposition.
“What Microsoft is doing by embedding virtualization technology in Server 2008 is a bit like embedding Internet Explorer into Windows,” said Illsley. “This is an obvious attempt to get a foothold into the virtualization market.”
At launch, Microsoft is unlikely to have a similar product to VMware’s highly popular VMotion (which enables administrators to move virtual machines from one physical server to another while they are running), but such a product is bound to available soon after.
2. Server Core
Many server administrators, especially those used to working in a Linux environment, instinctively dislike having to install a large, feature-packed operating system to run a particular specialized server. Server 2008 offers a Server Core installation, which provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server. From a security standpoint, this is attractive. Fewer applications and services on the sever make for a smaller attack surface. In theory, there should also be less maintenance and management with fewer patches to install, and the whole server could take up as little as 3Gb of disk space according to Microsoft. This comes at a price — there’s no upgrade path back to a “normal” version of Server 2008 short of a reinstall. In fact there is no GUI at all — everything is done from the command line.
IIS 7, the Web server bundled with Server 2008, is a big upgrade from the previous version. “There are significant changes in terms of security and the overall implementation which make this version very attractive,” said Barb Goldworm, president and chief analyst at Boulder, Colorado-based Focus Consulting. One new feature getting a lot of attention is the ability to delegate administration of servers (and sites) to site admins while restricting their privileges.
4. Role-based installation Role-based installation is a less extreme version of Server Core. Although it was included in 2003, it is far more comprehensive in this version. The concept is that rather than configuring a full server install for a particular role by uninstalling unnecessary components (and installing needed extras), you simply specify the role the server is to play, and Windows will install what’s necessary — nothing more. This makes it easy for anyone to provision a particular server without increasing the attack surface by including unwanted components that will not do anything except present a security risk.
5. Read Only Domain Controllers (RODC)
It’s hardly news that branch offices often lack skilled IT staff to administer their servers, but they also face another, less talked about problem. While corporate data centers are often physically secured, servers at branch offices rarely have the same physical security protecting them. This makes them a convenient launch pad for attacks back to the main corporate servers. RODC provides a way to make an Active Directory database read-only. Thus, any mischief carried out at the branch office cannot propagate its way back to poison the Active Directory system as a whole. It also reduces traffic on WAN links.
6. Enhanced terminal services
Terminal services has been beefed up in Server 2008 in a number of ways. TS RemoteApp enables remote users to access a centralized application (rather than an entire desktop) that appears to be running on the local computer’s hard drive. These apps can be accessed via a Web portal or directly by double-clicking on a correctly configured icon on the local machine. TS Gateway secures sessions, which are then tunnelled over https, so users don’t need to use a VPN to use RemoteApps securely over the Internet. Local printing has also been made significantly easier.
7. Network Access Protection
Microsoft’s system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies — and that those that are not can be remediated — is useful. However, similar functionality has been and remains available from third parties.
System drive encryption can be a sensible security measure for servers located in remote branch offices or anywhere where the physical security of the server is sub-optimal. Bitlocker encryption protects data if the server is physically removed or booted from removable media into a different operating system that might otherwise give an intruder access to data which is protected in a Windows environment. Again, similar functionality is available from third-party vendors.
9. Windows PowerShell
10. Better security
We’ve already mentioned various security features built into Server 2008, such as the ability to reduce attack surfaces by running minimal installations, and specific features like BitLocker and NAP. Numerous other little touches make Server 2008 more secure than its predecessors. An example is Address Space Load Randomization — a feature also present in Vista — which makes it more difficult for attackers to carry out buffer overflow attacks on a system by changing the location of various system services each time a system is run. Since many attacks rely on the ability to call particular services by jumping to particular locations, address space randomization can make these attacks much less likely to succeed.
It’s clear that with Server 2008 Microsoft is treading the familiar path of adding features to the operating system that third parties have previously been providing as separate products. As far as the core server product is concerned, much is new. Just because some technologies have been available elsewhere doesn’t mean they’ve actually been implemented. Having them as part of the operating system can be very convenient, indeed.