It’s not always easy to wade through the broad messaging and identify how a product might benefit a specific industry. This is by no means a definitive list. I have not addressed advances in IIS, for example, because I’m not a web guy. I also dropped a few items just to make the list digestible in one sitting. These are simple examples of new functionality in Windows Server 2008 that I hope will directly benefit customers in schools and Universities.
In no particular order –
1. Multicast Deployment
If you manage computer labs you are already familiar with re-imaging. Classrooms and computer labs often get re-imaged once a year, once a semester, monthly, sometimes even weekly. Copying an image from an SMB share over one unicast session per machine just won’t cut it for deployments of 50-500 machines at a time.
This is the first release of Windows Server to natively support multicast deployment of Windows images (WIM files), through Windows Deployment Services. A machine can join a transmission that is already in progress, or a transmission can be scheduled to start at a set time or once a fixed number of machines are booted and waiting.
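As an added example (not from the original post), this is how the two kinds of multicast session described above are created with the WDSUTIL command-line tool that ships with the Windows Deployment Services role on Server 2008. The image name, friendly names, date and client count are placeholders.

```batch
@echo off
rem Added example (not from the original post). Run on the WDS server as an administrator.
rem "Lab Vista x86" is a placeholder install-image name; pick one from
rem   wdsutil /Get-AllImages /Show:Install

rem Auto-Cast: the transmission starts when the first client requests the image and
rem every later client joins the session already in progress.
wdsutil /New-MulticastTransmission /FriendlyName:"Lab image - AutoCast" ^
  /Image:"Lab Vista x86" /ImageType:Install /TransmissionType:AutoCast

rem Scheduled-Cast: wait until 50 clients are booted into the boot image and waiting,
rem OR until the given server-local time (format yyyy/mm/dd:hh:mm), whichever comes
rem first. Omit /Time to wait for the client count only; omit /Clients to start at
rem the time only.
wdsutil /New-MulticastTransmission /FriendlyName:"Lab image - 50 clients or 22:00" ^
  /Image:"Lab Vista x86" /ImageType:Install /TransmissionType:ScheduledCast ^
  /Clients:50 /Time:"2008/06/30:22:00"

rem See which clients have joined; start a scheduled transmission by hand if the lab
rem is ready early.
wdsutil /Get-AllMulticastTransmissions /Show:Clients
wdsutil /Start-MulticastTransmission /Image:"Lab Vista x86" /ImageType:Install

rem Clean up when the re-image is finished (the image itself is not deleted).
wdsutil /Remove-MulticastTransmission /Image:"Lab Vista x86" /ImageType:Install /Force
```

Two things to check before relying on this in a lab: the clients must boot a Server 2008 boot image (older RIS/WDS boot images do not speak multicast), and the switches between server and lab must forward multicast (IGMP snooping configured rather than flooding every port). In this release a single slow client slows the whole session, so pull a machine with a failing disk out of the session rather than waiting for it.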
2. Fine-Grained Password Policies
Particularly in K-12 environments, where students have accounts with limited privileges and are not ready to memorize 8-character passwords, this is valuable. It often makes sense for young people to have shorter passwords and restricted access, while the adults are held to more rigid security guidelines but given more privileges on the network. Note – somewhere, someone is making a crack about adults being just as bad as children.
In Windows Server 2008 Active Directory it is possible to configure different password and account lockout policies for different sets of users within the same domain, something that previously required separate domains. This has been a frequently requested feature even in higher education, where, because of the public-access nature of the environment, administrative accounts should be required to follow very stringent guidelines.
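As an added example (not from the original post), here are two Password Settings Objects in the LDIF form that the Server 2008 tooling imports: a lenient one for a Students group and a strict one for Domain Admins. The domain name, group names and the numeric values are placeholders to adjust; the domain must be at the Windows Server 2008 functional level.

```ldif
# Added example (not from the original post). Domain, groups and values are placeholders.
# Durations are negative counts of 100-nanosecond intervals:
#   1 day  = -864000000000        30 minutes = -18000000000
#   42 days = -36288000000000     180 days   = -155520000000000
#   never  = -9223372036854775808

# Students: 6-character minimum, no complexity, 180-day expiry,
# lock after 10 bad tries for 30 minutes.
dn: CN=PSO-Students,CN=Password Settings Container,CN=System,DC=school,DC=local
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 20
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 3
msDS-PasswordComplexityEnabled: FALSE
msDS-MinimumPasswordLength: 6
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: -155520000000000
msDS-LockoutThreshold: 10
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-PSOAppliesTo: CN=Students,CN=Users,DC=school,DC=local

# Admins: 14-character minimum, complexity on, 24-password history, 42-day expiry,
# lock after 5 bad tries until an administrator unlocks the account.
dn: CN=PSO-Admins,CN=Password Settings Container,CN=System,DC=school,DC=local
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: -36288000000000
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -9223372036854775808
msDS-PSOAppliesTo: CN=Domain Admins,CN=Users,DC=school,DC=local
```

Import it on a domain controller with `ldifde -i -f pso.ldf`, then confirm which policy a given account actually gets with `dsget user "CN=Jane Doe,CN=Users,DC=school,DC=local" -effectivepso`. Two caveats a first-time deployment usually trips over: a PSO can be linked only to users and global security groups, not to OUs, and when a user is in both groups the PSO with the lower precedence number wins, so an administrator who is also a member of Students gets the strict policy (10 beats 20).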
3. Server Core
Unfortunately our schools do not often get the funding they deserve. Access to newer hardware is a limiting factor for many schools; some are looking at options such as VECD as a way of squeezing the last few drops of value out of old workstations that originally shipped with Win98. Server hardware is no different. Schools need solutions that allow them to take advantage of the security advances in Windows Server 2008 on their existing hardware.
Server Core is not a “version” of Windows such as Web, Standard, or Enterprise. Core is an installation option that includes only the components of Windows necessary to support a few key workloads. File Server, Print Server, DNS, DHCP, Domain Controller, IIS, Streaming Media, and Virtualization are all currently supported roles. By removing all but the necessary components, the number of hotfixes applicable to the OS is significantly reduced, the attack surface is much smaller, and you can get better performance out of older hardware while still maintaining a consistent platform for management across the enterprise.
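As an added example (not from the original post), the first commands typed at a freshly installed Server 2008 Core console to give it an address, join it to the domain, add the DNS role and make it manageable from another machine. Addresses, names and the domain are placeholders.

```batch
@echo off
rem Added example (not from the original post). Typed at the cmd.exe window that is the
rem whole Core user interface; this release of Core has no .NET runtime, so no PowerShell.
rem Addresses, names and the domain are placeholders.

rem Static address and DNS. The interface name is whatever
rem "netsh interface ipv4 show interfaces" reports.
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.20.1.10 mask=255.255.255.0 gateway=10.20.1.1
netsh interface ipv4 add dnsserver name="Local Area Connection" address=10.20.1.5 index=1

rem Name the box, reboot, then join the domain (/passwordd:* prompts for the password).
netdom renamecomputer %COMPUTERNAME% /newname:core-dns1 /force /reboot:0
shutdown /r /t 0
rem ... after the reboot:
netdom join %COMPUTERNAME% /domain:school.local /userd:SCHOOL\Administrator /passwordd:* /reboot:0

rem Roles are installed with ocsetup and the package names are case-sensitive;
rem oclist shows every package and whether it is installed.
oclist | findstr /i "DNS-Server-Core-Role DHCPServerCore"
start /w ocsetup DNS-Server-Core-Role
rem Other roles from the list above: DHCPServerCore, Printing-ServerCore-Role,
rem IIS-WebServerRole, Microsoft-Hyper-V. A domain controller is made with
rem "dcpromo /unattend:<file>" instead, since there is no wizard on Core.

rem Core has no MMC, so manage it from another machine: open the firewall rule groups
rem for remote administration and Remote Desktop, allow RDP, and enable WinRM.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
cscript %WINDIR%\System32\scregedit.wsf /AR 0
WinRM quickconfig -q

rem Automatic updates are off after install; /AU 4 turns them on (download and install).
cscript %WINDIR%\System32\scregedit.wsf /AU 4
```

The point of the firewall lines is that a Core box is locked down by default; the usual mistake is to open everything to get the remote MMC working. Enable only the two rule groups above, and prefer WinRM over Remote Desktop for scripted administration.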
4. Network Access Protection (NAP)
Imagine your business having 10,000 new workstations show up on your network once a year, and you have no control over them whatsoever. You have no rights to prevent them from accessing resources or from going to bad places on the Internet. You have no rights to install anything on them or to enforce best-practice configurations. Yet you must support them and provide a high quality of service, and you can bet you will be blamed if anything goes wrong. This is not at all unusual in higher education.
NAP provides some relief. With NAP you define basic health requirements, and a client agent on the desktop (built into Vista, available for XP) checks and enforces four basic things in real time: the firewall is on, antivirus is running, antispyware is running, and the machine is patched. Enforcement can be delivered through several mechanisms and pushed out as policy, but for faculty and students you would more likely have participants opt in manually to some form of “clean network” program. What sets NAP apart from other tools with similar functionality is its integration with Windows, so the checks run all the time rather than only at connection, and its integration with applications for remediation. I am already encountering myths about NAP when speaking to universities and schools.
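As an added example (not from the original post), the commands that turn the NAP client on by hand on one Vista machine, as you would for a pilot before pushing the same settings out through Group Policy. The enforcement client IDs are the fixed values Windows uses; everything else is as shipped.

```batch
@echo off
rem Added example (not from the original post). Run elevated on a Vista client
rem (XP SP3 ships the same agent and netsh context).

rem The NAP agent service is disabled by default.
sc config napagent start= auto
net start napagent

rem Enable the enforcement client that matches how the server side enforces policy.
rem Fixed enforcement client IDs:
rem   79617  DHCP           79618  Remote Access (VPN)   79619  IPsec
rem   79621  EAP (802.1X)   79623  TS Gateway
rem DHCP enforcement is the easiest to pilot, but a user who sets a static address
rem bypasses it entirely; IPsec or 802.1X enforcement has no such shortcut.
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

rem What does the machine think its own health is? The default Windows Security
rem Health Agent reports exactly the four items: firewall, antivirus, antispyware,
rem automatic updates. "state" also shows whether the client is in restricted
rem or full access.
netsh nap client show state
netsh nap client show config

rem Verbose tracing to %WINDIR%\tracing when a client unexpectedly lands in the
rem restricted network.
netsh nap client set tracing state = enable level = verbose
```

For the opt-in program described above, the same three settings (service start type, enabled enforcement client, and the health agent) are what the NAP client settings under Computer Configuration in a GPO write, so a pilot done by hand translates directly into the policy you later link to the participating OU.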
5. Terminal Services
It is very seldom that I meet an IT pro in education who is not doing anything at all with Terminal Services. The implementation may be just for remote administration, or it may be a full-blown application sharing platform with very advanced third-party enhancements. Especially in the last 5-6 years, Terminal Services has become a popular host for synthetic computer labs. The scenario is very simple: imagine you are a single parent taking night classes and you finally get a chance to catch up on your project, only to find it requires you to run a simulation in the computer lab. On the other hand, if you can get your hands on even an old laptop and a dial-in connection, you can connect to a TS session where you can run applications as if you were on campus.
Server 2008 provides enhancements that make this scenario more mature and much more affordable than it has been. TS Session Broker provides better balancing of new connections across a server farm. RemoteApp lets you publish individual applications rather than a full desktop, including through a web page, and TS Gateway tunnels RDP connections over HTTPS (SSL) so traffic from home crosses the Internet encrypted and through port 443, without a VPN client. There is also a new printing solution (TS Easy Print), so if you have a local printer attached to your workstation, your TS applications can print to it without having to manage difficult driver installation and compatibility issues. These scenarios probably sound familiar, but in the past they cost a small fortune to implement.
6. BitLocker and Read Only Domain Controllers
Picture a school building in a small town. Do they have a datacenter? Are the computers always locked away and managed only by IT pros? Not always. Often these machines are locked in a closet or office but not entirely secured, and often basic administration like changing tapes and the occasional reboot is performed by an information worker.
It is much easier to secure these machines with Server 2008. With BitLocker, you can ensure that the disk is not readable in some other device should someone decide to pull it and take it home. With a Read Only Domain Controller (RODC), your server can provide an authentication point at that remote network endpoint, but any “write” action such as a password change is referred back to a writable domain controller at your central site, and you choose which accounts’ password hashes are ever cached on the branch box, so a stolen server does not yield the credentials of your domain administrators. Administrator role separation also allows a local administrative account to perform basic administrative tasks on the RODC without holding any additional domain privileges. Finally, through new Group Policy options you can block installation of any new device, such as USB keys that may carry hidden malicious utilities, and allow only devices whose hardware IDs have been whitelisted as approved; note that this governs driver installation for new devices, so hardware already installed before the policy keeps working unless you remove it.
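As an added example (not from the original post), the command sequence that turns a plain Server 2008 install in that closet into the box just described: an RODC with a delegated local administrator and a restricted password cache, BitLocker on the system volume, and a device-installation whitelist. Domain, site, group names and the USB hardware ID are placeholders.

```batch
@echo off
rem Added example (not from the original post). Run as a domain administrator on the
rem branch server after a plain Server 2008 install. Domain, site, groups and the
rem device ID are placeholders.

rem ---- 1. Promote the box to a Read Only Domain Controller ---------------------
rem DelegatedAdmin: the group that may log on and administer this RODC without
rem   holding any domain privileges (administrator role separation).
rem PasswordReplicationAllowed: only these accounts' password hashes are ever cached
rem   here; everyone else, Domain Admins included, authenticates over the WAN through
rem   the writable DCs, so a stolen disk holds no administrator hashes.
(
echo [DCInstall]
echo ReplicaOrNewDomain=ReadOnlyReplica
echo ReplicaDomainDNSName=school.local
echo SiteName=Branch-Smalltown
echo InstallDNS=Yes
echo ConfirmGc=Yes
echo DelegatedAdmin=SCHOOL\Smalltown-ServerAdmins
echo PasswordReplicationAllowed=SCHOOL\Smalltown-Users
echo SafeModeAdminPassword=ReplaceWithAStrongPassword
echo RebootOnCompletion=No
) > %TEMP%\rodc.txt
dcpromo /unattend:%TEMP%\rodc.txt
del %TEMP%\rodc.txt   &rem the file holds the DSRM password in clear text

rem ---- 2. Encrypt the system volume with BitLocker (this form needs a TPM 1.2) -----
rem BitLocker needs a separate, unencrypted active system partition; create it when
rem partitioning during setup, it cannot be added afterwards in this release.
ServerManagerCmd -install BitLocker
rem The recovery password is printed once: store it somewhere other than the closet
rem (a GPO can also escrow it to Active Directory).
cscript %WINDIR%\System32\manage-bde.wsf -on C: -RecoveryPassword
cscript %WINDIR%\System32\manage-bde.wsf -status C:

rem ---- 3. Allow installation only of whitelisted devices ------------------------
rem These are the registry values written by the Group Policy settings under
rem Computer Configuration > Administrative Templates > System > Device Installation >
rem Device Installation Restrictions; set them in a GPO for a real deployment.
set R=HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions
rem "Prevent installation of devices not described by other policy settings"
reg add %R% /v DenyUnspecified /t REG_DWORD /d 1 /f
rem "Allow installation of devices that match any of these device IDs": the hardware
rem ID of the approved backup drive, as shown in Device Manager > Details.
reg add %R%\AllowDeviceIDs /v 1 /t REG_SZ /d "USB\VID_XXXX&PID_XXXX" /f
rem Let the delegated administrator override the block when hardware is replaced.
reg add %R% /v AllowAdminInstall /t REG_DWORD /d 1 /f

shutdown /r /t 0
```

If the hardware has no TPM, the GPO setting that allows BitLocker without a compatible TPM must be enabled first and the volume is protected with `-on C: -StartupKey F:\` (a USB key that must be present at every boot) instead of `-RecoveryPassword`; that is usually the situation on the older hardware described above. Remember that hardware IDs are not secrets: the whitelist stops the casual USB key, not an attacker who can reprogram a device to present an approved VID/PID.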
7. Virtualization
Finally, I’ll point out that virtualization becoming a component of the operating system, together with the performance enhancements coming with the hypervisor technology and hardware-assisted virtualization, offers great value to institutions. When the virtualization features ship, interesting scenarios such as virtual 1:1 student machine initiatives, virtual computer labs, virtual development labs, hardware consolidation for more effective power utilization and avoidance of temperature issues in small datacenters, and sharing of hardware resources across departments all become a more affordable reality.