Hands-on: Windows Longhorn Server Beta 2

28.06.2006
It has been three years now since Windows Server 2003 hit the streets, and the requirements for servers have changed a lot since then. The Internet has become an even bigger part of corporate strategy, security is an increasingly time-consuming challenge, and round-the-clock reliability is more of a "must have" than ever before.

As these requirements have been changing, Microsoft developers have been working in tandem on Windows Vista and Windows Server, code-named Longhorn, which will be called Windows Server 200x as appropriate upon its release.

With the recent release of Windows Vista and Longhorn Server Beta 2, the teams have split again, and the Longhorn Server group is adding a few new features and then focusing on performance and reliability as the release date draws closer.

You're probably curious about what Longhorn Server brings to the table. In this preview, I'll discuss the more significant changes to the operating system architecture and then follow up on the newest features in this release. Finally, I'll take a look at the tentative release schedule and give some final thoughts on the viability of this major revision to Windows on the server.

The biggest changes

Unlike the transition from Windows 2000 Server to Windows Server 2003, which was a fairly minor "point-style" update, Longhorn Server is a radical revision to the core code base that makes up the Windows Server product. Longhorn Server shares quite a bit of fundamental code with Windows Vista, which was a product derived directly from the techniques of the Secure Development Model -- a sea change in programming methodologies at Microsoft that puts secure code at the forefront of all activity. Thus, a lot of new features and enhancements you will see in the product are a result of a more secure code base and an increased focus on system integrity and reliability.

The most radical changes to Longhorn Server include Server Core and the new Internet Information Services 7.0.

Server Core

Longhorn Server Core flips the notion of a Windows server on its head by removing the user interface, the extra services and everything else that makes a Windows server tick and only including the most fundamental core services required for a machine to run Longhorn Server.

Management is done through the command line or through an unattended configuration file. According to Microsoft, "Server Core is designed for use in organizations that either have many servers, some of which need only to perform dedicated tasks but with outstanding stability, or in environments where high security requirements require a minimal attack surface on the server." Accordingly, there are limited roles that core servers can perform. They are:

-- DHCP server

-- DNS server

-- File server, including the file replication service, the distributed file system (DFS), distributed file system replication (DFSR), the network file system and single instance storage (SIS)

-- Domain controller, including a read-only domain controller (which will be covered later in this article)

-- Active Directory Application Mode server

Additionally, Server Core machines can participate in Microsoft clusters, use network load balancing, host Unix applications, encrypt their drives with BitLocker and be monitored and managed through Simple Network Management Protocol.

Most administrators will find placing Server Core machines in branch offices to perform domain controller functions to be an excellent use of slightly older hardware that might otherwise be discarded. The smaller footprint of Server Core allows the operating system to do more with fewer system resources, and the reduced attack surface and stability make it an excellent choice for an appliance-like machine.

IIS improvements

The venerable Microsoft Web server has undergone quite a bit of revision in Longhorn Server. IIS 7 is, for the first time, fully extensible and fully componentized -- you only install what you want, so the service is lighter, more responsive and less vulnerable to attack. The administrative interface for IIS has also been completely redesigned. Key improvements include the following:

-- Newly rearchitected componentized structure. For the first time in IIS history, administrators exercise complete control over exactly what pieces of IIS are installed and running at any given time. You can run the exact services you require -- no more, no less. This is of course more secure, not to mention easier to manage and better performing.

-- Flexible extensibility model. IIS 7 allows developers to access a brand-new set of application programming interfaces (APIs) that can interact with the IIS core directly, making module development and customization much easier than it ever has been. Developers can even hook into the configuration, scripting, event-logging and administration areas of IIS, which opens a lot of doors for enterprising administrators and third-party software vendors to extend IIS' capabilities sooner rather than later.

-- Simplified configuration and application deployment. Configuration can be accomplished entirely through XML files. Central IIS configuration can be spread across multiple files, allowing many sites and applications hosted by the same server to have independent but still easily managed configurations. One of Microsoft's favorite demos of IIS 7 involves setting up a Web farm with identically configured machines. As new members of the farm are brought online, the administrator simply uses XCopy and moves existing configuration files over to the new server, and in a matter of seconds, the IIS setup on the new machine is identical to that on the existing machines. This is perhaps the best change in IIS 7.

-- Delegated management. Much like Active Directory allows an administrator to assign permissions to perform certain functions to other users, IIS administrators can delegate control of some functions to other people, like site owners.

-- Efficient administration. IIS Manager has been completely redesigned and is joined by a new command-line administration utility, appcmd.exe. Figure 1 shows the new administrative console for managing IIS.

Networking improvements

The Longhorn server team has made a special effort at improving network performance and efficiency in Beta 2. For the first time, there is a dual-IP layer architecture for native IPv4 and IPv6 support together, simultaneously. (If you've ever configured IPv4 and IPv6 on a Windows Server 2003 machine, you'll know what a pain it is to get them to interoperate without falling all over each other.)

Communications security is enhanced through better IPsec integration throughout the various pieces of the TCP/IP stack. Hardware is used more efficiently and robustly to speed up performance of network transmissions, intelligent tuning and optimization algorithms run regularly to ensure efficient communication, and APIs to the network stack are more directly exposed, making it easier for developers to interact with the stack. Let's take a look at some of the improvements in what the team is calling the next-generation TCP/IP Stack.

TCP/IP stack enhancements

One improvement to the TCP/IP stack is the autotuning TCP window size: Longhorn Server can automatically tune the size of the receive window for each individual connection, increasing the efficiency of large data transfers between machines on the same network. Microsoft quotes the following example: "On a 10 Gigabit Ethernet network, packet size can be negotiated up to 6MB in size." I was unable to replicate this in my testing, but that may well be due to limitations in my equipment more than a faulty software implementation.

The dead gateway detection algorithm present in Windows Server 2003 has been slightly improved in the Beta 2 release. Windows now tries every so often to send TCP traffic through what it thinks to be a dead gateway. If the transmission doesn't error out, then Windows automatically changes the default gateway to the previously detected dead gateway, which is now live.

And Longhorn Server supports offloading network-processing functions from the CPU itself to the processing circuitry on the network interface card (NIC), freeing up the CPU to manage other processes.

There are also improvements to network scaling. For example, in previous versions of Windows Server, one NIC was associated with a single physical processor. However, with the right network card, Longhorn Server supports scaling NICs and their associated traffic among multiple CPUs -- a feature called receive-side scaling -- permitting much higher amounts of traffic to be received by one NIC on a highly loaded server. This should benefit multiprocessor servers in particular because more scale can be added simply by adding processors or NICs and not by adding entirely new servers.

Changes to terminal services

Network applications are growing in popularity with each passing week. Longhorn Server sees more work in the Terminal Services/Remote Desktop area than might have been expected, and some of the new capabilities are very welcome improvements. Aside from three brand-new features, the team worked on improving the core processes that make Terminal Services tick, including single sign-on to TS sessions, monitor spanning and high-resolution support for sessions, integration with the Windows System Resource Manager to better monitor performance and resource usage, and themes that make TS sessions seamless to the client.

There are three key new features added in the Longhorn Server release. The first is Terminal Services Remote Programs. Like the functionality offered by Citrix MetaFrame years ago, Longhorn Server will support out-of-the-box the ability to define programs to be run directly from a TS-enabled server but be integrated within the local copy of Windows, adding an independent Taskbar button, resizable application window areas, Alt-Tab switching functionality and more.

Users will have no idea that their application is hosted elsewhere, except for the occasional slow response because of network latency or server overload. It's also simple to enable this functionality: administrators create .rdp files, which are text-based profiles of a TS connection that the client reads and uses to configure a Remote Desktop Protocol (RDP) session for that particular program.

Next, there's the Terminal Services Gateway. This feature allows users to access Terminal Services-hosted applications from a Web portal anywhere on the Internet, secured via an encrypted HTTPS channel. The gateway can send connections through firewalls and correctly navigate Network Address Translation situations that stymied the use of this technology before.

This saves corporations from having to deploy Virtual Private Network access to remote users for the sole purpose of accessing a Terminal Services machine; plus, since the data is sent over HTTPS, almost anyone can access the sessions, even at locations where RDP is blocked by the firewall. Administrators can set connection authorization policies, or CAPs, that define user groups that are permitted to access TS through the TS Gateway machine.

Finally, in conjunction with the Remote Programs feature I just discussed, we also see in Longhorn Server the TS Web Access feature, which lets administrators publicly display available TS Remote Programs on a Web page. Users can browse the list for the application they want to run, click on it and then be seamlessly embedded in the application -- using all the features of TS Remote Programs -- while retaining the ability to launch other programs from the same Web Access site.

The service is smart enough to know that multiple programs launched by the same user should reside in the same Terminal Services session, making resource management a bit simpler, and you can even integrate TS Web Access within SharePoint sites using an included Web Part.

Active Directory: Read-only domain controllers

Longhorn Server introduces the concept of a read-only domain controller (RODC), which is great for branch offices and other locations where the machines hosting the domain controller role aren't able to be physically protected in the same way as a machine in a datacenter might be. RODCs hold a read-only copy of Active Directory, which allows for the immediate benefits of faster log-ons and quicker authentication turnaround times for other network resources, as well as for long-term security benefits. No attacker can create changes in an easily accessible DC in a branch office that will then replicate up to the main tree at the corporate office, since the DC is read-only.

The RODC can also cache the credentials of branch-office users and, with just one contact to a regular, writeable domain controller up the tree, can directly service users' log-on requests. However, this caching is left off by default in the Password Replication Policy.

Security improvements

Security problems have plagued Microsoft since Windows' inception, but only in the past few years, as more people have become connected, have those flaws been heavily exploited by malcontents. Some of the vulnerabilities in products that we see on so-called Patch Tuesdays are the results of poor design decisions. These types of flaws are the ones Microsoft is hoping to stamp out in the release of Longhorn Server.

You'll see quite a bit of change to the architecture of services in Windows Server 200x, including increasing the number of layers required to get to the kernel, segmenting services to reduce buffer overflows and reducing the size of the high-risk, privileged layers to make the attack surface smaller.

While fundamentally changing the design of the operating system, the Longhorn Server team has also included several features designed to eliminate security breaches and malware infestations, as well as capabilities meant to protect corporate data from leakage and interception. Let's take a look at some of the improvements currently in Beta 2.

Operating system file protection

A new feature currently known as "operating system file protection" ensures the integrity of the boot process for your servers. Longhorn Server creates a validation key based on the kernel file in use, a specific hardware abstraction layer (HAL) for your system and drivers that start at boot time. If these files change after the key is created, the operating system will detect the changes at the next subsequent boot-up and halt the process so you can repair the problem.

Operating system file protection also extends to each binary image that resides on the disk drive. Operating system file protection in this mode consists of a file system filter driver that reads every page that is loaded into memory, checking its hashes and validating any image that attempts to load itself into a protected process; such processes are often the most sensitive to elevation attacks.

These hashes are stored in a specific system catalog, or in an X.509 certificate embedded within a secure file on the drive. If any of these tests result in failure, operating system file protection will halt the process to keep your machine secure. This is active protection against problematic malware.

BitLocker

The need for drive encryption has been a popular topic in a lot of security channels lately. In both Windows Vista and Longhorn Server, Microsoft has risen to the call by developing a feature called BitLocker. BitLocker is designed especially for scenarios where a thief may gain physical access to a hard drive. Without encryption, the hacker could simply boot another operating system or run a hacking tool and access files, completely bypassing the NTFS file-system permissions.

The Encrypting File System (EFS) in Windows 2000 Server and Windows Server 2003 went a step further, actually scrambling bits on the drive, but the keys to decrypt the files weren't as protected as they should have been. With BitLocker, the keys are stored within either a Trusted Platform Module chip on your system or a USB flash drive that you insert upon boot-up.

BitLocker is certainly complete: When enabled, the feature encrypts the entire Windows volume, including both user data and system files, the hibernation file, the page file and temporary files. The boot process itself is also protected by BitLocker -- it creates a hash based on the properties of individual boot files, so if one is modified and replaced by, for example, a Trojan horse file, BitLocker will catch the problem and prevent the boot. It's definitely a step up from the limitations of EFS and a significant improvement to system security over unencrypted drives.
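The boot-file check described under operating system file protection and BitLocker above can be pictured with the following added sketch, which is not Microsoft's implementation and is not taken from the original article. It assumes SHA-256 as the hash and uses constructed stand-in files for the kernel, HAL and a boot-start driver; all function and file names are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of one file; a missing file yields the marker 'missing'."""
    p = Path(path)
    if not p.is_file():
        return "missing"
    return hashlib.sha256(p.read_bytes()).hexdigest()


def validation_key(paths):
    """Fold name and digest of every boot component, in load order, into one key."""
    running = hashlib.sha256()
    for path in paths:
        running.update(f"{Path(path).name}={file_digest(path)}\n".encode())
    return running.hexdigest()


def seal(paths):
    """Record the key and per-file digests while the system is known good."""
    return {
        "key": validation_key(paths),
        "files": {Path(p).name: file_digest(p) for p in paths},
    }


def verify_boot(paths, sealed):
    """Return (allow_boot, changed_files); any mismatch halts the boot."""
    if hmac.compare_digest(validation_key(paths), sealed["key"]):
        return True, []
    changed = [
        Path(p).name for p in paths
        if file_digest(p) != sealed["files"].get(Path(p).name)
    ]
    return False, changed


def demo():
    """Seal three constructed boot files, then modify one and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        paths = []
        for name, body in [("kernel.bin", b"kernel v1"),
                           ("hal.bin", b"hal v1"),
                           ("bootdrv.sys", b"driver v1")]:
            (root / name).write_bytes(body)
            paths.append(root / name)
        sealed = seal(paths)
        clean = verify_boot(paths, sealed)
        # A boot-start driver is replaced after the key was created.
        (root / "bootdrv.sys").write_bytes(b"driver v1 (modified)")
        tampered = verify_boot(paths, sealed)
        # A component disappears entirely; this must also fail the check.
        (root / "hal.bin").unlink()
        missing = verify_boot(paths, sealed)
    return clean, tampered, missing


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "missing"), demo()):
        print(label, result)
```

The check only has value if the sealed record itself is out of an attacker's reach, which is the role the article assigns to the system catalog, the TPM or the USB key.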

Device installation control

Another security problem plaguing businesses everywhere is the proliferation of the Universal Serial Bus drive. No matter how secure you set your permissions on your file servers, no matter how good your document destruction capabilities are, and no matter what sort of internal controls you have on "eyes-only" documentation, a user can simply pop a thumb drive into any open USB port and copy data, completely bypassing your physical security.

These drives often contain very sensitive information that ideally should never leave the corporate campus, but they're often found on lost keychains, inside computer bags left unattended in an airport lounge or in some equally dangerous location. The problem is significant enough that some businesses have taken to disabling USB ports by pouring hot glue into the actual ports. Effective, certainly, but also messy.

In Longhorn Server, an administrator will have the ability to block all new device installs, including USB thumb drives, external hard drives and other new devices. You can simply deploy a machine and allow no new devices to be installed. You'll also be able to set exceptions based on device class or device ID -- for example, to allow keyboards and mice to be added, but nothing else. Or you can allow specific device IDs, in case you've approved a certain brand of product to be installed, but no others. This is all configurable via Group Policy, and these policies are set at the computer level.

Windows Firewall with Advanced Security

The Windows Firewall version included with Windows Server 2003 Service Pack 1 was exactly the same as that included in Windows XP SP2. Microsoft bundled that firewall with Service Pack 1 as a stopgap measure -- deploy this firewall now so you will be protected, the company said, and we will work to improve the firewall in the next version of Windows.

That time is now here. The new Windows Firewall with Advanced Security combines firewall and IPsec management into one convenient MMC snap-in, which is shown in Figure 2.

The firewall engine itself has been rearchitected to reduce conflict and coordination overhead between filtering and IPsec. More rules functionality has been enabled, and you can specify explicit security requirements such as authentication and encryption very easily. Settings can be configured on a per-AD computer or user group basis.

Outbound filtering has been enabled; there was nothing but internal filtering in the previous version of Windows Firewall. And finally, profile support has been improved as well -- on a per-computer basis, there is now a profile for when a machine is connected to a domain, a profile for a private network connection and a profile for a public network connection, such as a wireless hot spot. Policies can be imported and exported easily, making management of multiple computers' firewall configuration consistent and simple.

Network Access Protection

Viruses and malware are often stopped by software defenses that run within a user's session, but the ultimate protection would be if they never even got access to the network. In Longhorn Server, Microsoft has created a system whereby computers are examined against a baseline set by the administrator, and if a machine doesn't stack up in any way against that baseline, that system can be prevented from accessing the network -- quarantined, as it were, from the healthy systems until such time as the user is able to fix his broken machine. This functionality is called Network Access Protection (NAP).

NAP can be broken down into key components:

-- Health policy validation: Validation is the process of examining a machine attempting to connect to the network and checking it against certain criteria that an administrator sets.

-- Health policy compliance: Compliance policies can be set so that managed computers that fail the validation process can be automatically updated or fixed via Systems Management Server or some other management software.

-- Limited access: Limiting access can be the enforcement mechanism for NAP. It's possible to run NAP in monitoring-only mode, which logs the compliance and validation state of computers connecting to the network, but in active mode, computers that fail validations are put into a limited-access area of the network, which typically blocks almost all network access and restricts traffic to a set of specially hardened servers that contain the tools most commonly needed to get machines up to snuff.

Keep in mind that NAP is only a platform by which these checks can be made -- pieces of the puzzle are still needed after deploying Longhorn Server, including system health agents (SHA) and system health validators (SHV) that ensure that checks and validations are made on each client machine. Windows Vista will ship with default SHAs and SHVs that can be customized.
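The three NAP components listed above fit together as in the following added sketch, which is a simplified model and not NAP's own code or configuration. The check names, thresholds, host names and the fixer are constructed for illustration.

```python
# Constructed baseline: each entry is a health check an administrator might set.
# Names and thresholds are hypothetical, not NAP's own settings.
BASELINE = {
    "firewall_enabled": lambda v: v is True,
    "av_signature_age_days": lambda v: type(v) is int and 0 <= v <= 7,
    "missing_critical_updates": lambda v: type(v) is int and v == 0,
}

# Constructed statements of health, as three clients might report them.
SAMPLE_CLIENTS = {
    "desk-01": {"firewall_enabled": True, "av_signature_age_days": 1,
                "missing_critical_updates": 0},
    "lap-17": {"firewall_enabled": False, "av_signature_age_days": 30,
               "missing_critical_updates": 0},
    "kiosk-03": {"firewall_enabled": True},  # reports nothing else
}

# Stand-in for a fix that management software could apply automatically.
FIXERS = {"firewall_enabled": lambda: True}


def validate(statement, baseline=BASELINE):
    """Health policy validation: return the baseline checks the client fails.

    A value the client does not report counts as a failure (fail closed).
    """
    return sorted(
        name for name, passes in baseline.items()
        if name not in statement or not passes(statement[name])
    )


def remediate(statement, failed, fixers):
    """Health policy compliance: apply every automatic fix that exists."""
    fixed = dict(statement)
    for name in failed:
        if name in fixers:
            fixed[name] = fixers[name]()
    return fixed


def admit(host, statement, mode, fixers=None, log=None):
    """Decide access for one client: 'full' or 'limited', plus failed checks.

    Mode 'monitor' only logs; mode 'enforce' restricts failing clients.
    """
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    failed = validate(statement)
    if failed and fixers:
        # Re-validate after remediation instead of trusting the fix.
        failed = validate(remediate(statement, failed, fixers))
    access = "limited" if failed and mode == "enforce" else "full"
    if log is not None:
        log.append({"host": host, "failed": failed, "access": access})
    return access, failed


def run(mode, fixers=None):
    """Evaluate every sample client; return (decisions, log)."""
    log = []
    decisions = {host: admit(host, stmt, mode, fixers, log)
                 for host, stmt in SAMPLE_CLIENTS.items()}
    return decisions, log


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(mode, run(mode, FIXERS)[0])
```

Running the same clients in both modes shows what monitoring-only mode is for: the log already lists the machines that enforcement would restrict.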

Manageability improvements

Servers are only effective if the administrator configures them properly. Windows Server products have traditionally been fairly simple to operate, but in Longhorn Server, there are many improvements to the initial setup and configuration experience. Many of these details are still being worked out, and these elements may change as we draw nearer to the anticipated release date, but let's take a look anyway and see what Longhorn Server Beta 2 has to offer in terms of manageability enhancements.

Server Manager

Server Manager is a one-stop shop for viewing information on a server, looking at its stability and integrity, managing installed roles and troubleshooting configuration issues that may arise. Server Manager replaces the Configure Your Server, Manage Your Server and Security Configuration Wizard interfaces. Take a look at Figure 3, which shows the interface:

Windows Deployment Services

Many an administrator has come to love Remote Installation Services (RIS), the add-on to Windows 2000 Server and Windows Server 2003 that streamed an installation of client and server operating systems over the network and provided the ability to customize installations and set them off with just a few keystrokes.

In Longhorn Server, Microsoft has radically revised RIS and renamed it Windows Deployment Services (WDS). WDS still works using preboot execution environment and trivial file transfer protocol (TFTP) to an operating system, but it includes Windows PE, a graphical front end to the installation process that replaces the ugly, less functional, text-based, blue-screen setup phase that has plagued corporate Windows since NT 3.0. WDS is still being actively developed by Microsoft, so there is more to come on this technology.

Performance and reliability upgrades

Among the other enhancements in Longhorn Server, there will be work done to improve overall system reliability and performance. For example, to view processes in previous versions of Windows Server, you had two basic tools, both of which were virtually unchanged from release to release -- the Task Manager and the Performance Monitor. In Longhorn Server, these tools have been combined into a single interface, called the Performance Diagnostics Console, to make it easier to view statistics and alerts about how well your machine is handling its duties. See Figure 4 for details.

The Resource View is a simpler, but more powerful, view of how certain processes and services, among other metrics, are using the available resources on your machine. The Reliability Monitor shows a detailed view of exactly what events are occurring on a regular or intermittent basis to degrade the stability of your server. For example, you can see problems and degradations based on software installation activity, application failures, hardware missteps, Windows failures and other, uncategorized problems.

The Reliability Monitor generates a "stability index," which is a painfully arbitrary number supposedly representing on a scale of 1 to 10 how pristine your system is. Unfortunately, the index needs recalibration before release, because the result of its computations shows that Windows simply decays over a period of 30 days with no appreciable activity -- something that either defends the old adage of Windows Rot or smacks of beta-quality releases.

There will be other improvements before Longhorn Server releases, but at this point in the development cycle, the team is focused on becoming "feature complete." By Beta 3, intense work on reliability and performance will begin.

Analysis and conclusion

Longhorn Server presents an interesting set of features that will result in tangible benefits for many administrators. The Server Core version of the product is perhaps the most useful new edition of Windows on the server in quite a while, and it's appropriate for use in many situations where rock-solid servers are required.

If your server farms host network-intensive applications, you'll find the changes to the TCP/IP stack and other network performance improvements tantalizing, and hardware assistance now makes network scaling much more cost-effective by requiring fewer physical servers than before. Of course, security is of paramount importance, and NAP alone is worth investing in Longhorn Server when it's released. Management capabilities are improved as well.

When can you expect the product to arrive? Beta 2, as you know, was released at the end of May. Microsoft expects to deliver Beta 3 by the end of this calendar year, and the current projections are that Longhorn Server will be released to manufacturing sometime in the second half of 2007. (It will likely be in the fourth quarter.)

At this point, Longhorn Server is shaping up to be a compelling release. Assuming performance and reliability continue to improve, once released, it will definitely be worth deploying during your standard upgrade cycle.

Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. His work appears regularly in such periodicals as Windows IT Pro magazine, PC Pro and TechNet Magazine. He also speaks worldwide on topics ranging from networking and security to Windows administration. He is currently an editor for Apress LLC, a publishing company specializing in books for programmers and IT professionals.