Windows Server 2003: Advanced administration and Troubleshooting, or: "How to make your Kung-Fu stronger" Morgan Simonsen morgan.simonsen@ementor.no Ementor


Windows Server 2003: Advanced administration and Troubleshooting, or: "How to make your Kung-Fu stronger"

Morgan Simonsen

[email protected]

Ementor

What Will We Cover?

• Tips and tricks for managing Windows Server 2003
• Improvements in Service Pack 2
• Security tidbits
• Important tools

Level 300

Helpful Experience

• Experience managing Windows Server 2003
• Networking experience

Administering W2K3 Server: Tools

• Support Tools
• Resource Kit Tools
• Group Policy Management Console
• Sysinternals
• PowerShell/Scripting

Demonstration: Sysinternals Tools ("My Kung-Fu is stronger than your Kung-Fu")

• Process Explorer
• Process Monitor
• AccessEnum
• AutoRuns

Administering W2K3 Server: Scripting

• CMD

• VBScript/JScript

• PowerShell

W2K3 Server Well Kept Secrets

• Access Based Enumeration

• Diskpart kung-fu

• Replmon.exe/repadmin.exe

• User Profile Hive Cleanup Service

WINDOWS SERVER 2003 SP2 IMPROVEMENTS

MMC 3.0

Goals
• Consistent UI & Structure
–Views
–Start Pages
–Richer Snap-ins
• Improved Usability
• Improved Reliability
• Easier Development
• Shipped with WS03R2

[Screenshots: MMC 3.0 Start Pages; List View with Roll-Ups; List View with Preview Pane]

Utility Improvements

> DCDiag.exe /x /xsl:file.xsl or .xslt

> ICacls c:\windows\* /save AclFile /T

> MSConfig.exe

Plus – New Cluster Service Event ID 1239
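The `ICacls /save` line above is the building block for a permissions baseline. Below is an added example (written for this page, not code from the deck or from Microsoft) that does the same job from PowerShell: it snapshots the SDDL of every object under a tree into a CSV and diffs two snapshots to surface permission drift. It assumes PowerShell 2.0 or later, an account that can read every ACL, and the placeholder paths shown.

```powershell
# Added example (not from the original deck): snapshot NTFS ACLs under a
# directory tree and diff two snapshots to catch permission drift.
# Same idea as "ICacls c:\windows\* /save AclFile /T", done with Get-Acl so
# each object's SDDL lands in a CSV that is easy to compare later.
# Assumes PowerShell 2.0 or later and an account that can read every ACL;
# all paths below are placeholders.

function Export-AclSnapshot {
    param([string]$Root, [string]$OutFile)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if ($acl) {
                # Sddl carries owner, group and the full DACL in one string
                New-Object PSObject -Property @{ Path = $_.FullName; Sddl = $acl.Sddl }
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-AclSnapshot {
    param([string]$Baseline, [string]$Current)
    $old = @{}; Import-Csv $Baseline | ForEach-Object { $old[$_.Path] = $_.Sddl }
    $new = @{}; Import-Csv $Current  | ForEach-Object { $new[$_.Path] = $_.Sddl }

    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            "ADDED    $p"
        } elseif ($old[$p] -ne $new[$p]) {
            "CHANGED  $p"
            "    was: $($old[$p])"
            "    now: $($new[$p])"
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) { "REMOVED  $p" }
    }
}

# Take the baseline once the server is built, re-run later and diff:
Export-AclSnapshot  -Root 'C:\Windows' -OutFile 'C:\Baseline\win-acl-base.csv'
# ... time passes ...
Export-AclSnapshot  -Root 'C:\Windows' -OutFile 'C:\Baseline\win-acl-now.csv'
Compare-AclSnapshot -Baseline 'C:\Baseline\win-acl-base.csv' `
                    -Current  'C:\Baseline\win-acl-now.csv'
```

A CHANGED line on a system directory that no patch or documented change explains is worth a look, since unexpected ACL loosening is a common trace of tampering.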

XMLLite

New XML API
• Part of Vista Beta 2 SDK
• Parser native in SP2

Goals of XMLLite
• Separate, independent DLL
• Adheres to XML 1.0 standard
• Easy to use
• High performance

Usage Scenarios
• Document format (Office 2007)
• Business Transactions
• Standard XML Scenarios

Security Features

• Per Port Firewall Authentication
–Currently WS03 Windows Firewall supports an authenticated IPSec bypass feature. However, once past the firewall, it is possible to jump to and compromise other applications behind the firewall.
–Instead of only exempting authenticated IPSec traffic from the entire firewall, it will now be possible to exempt authenticated traffic for a particular port or application exception.
• IPsec Filter Management
–Simple IPSec Policy Update
–Significantly reduces IPsec filter set
–Fallback to clear is 500ms

Wi-Fi Protected Access 2

• Current Server 2003 SP1 / XP64 Wireless Group Policy does not support WPA2
• WPA2 Enterprise using IEEE 802.1X authentication and WPA2 Personal using a preshared key (PSK)
• Uses Advanced Encryption Standard (AES)
• Use of Pairwise Master Key (PMK) caching and opportunistic PMK caching

Windows Deployment Services

Goals
• Deliver great "in-the-box" provisioning solution
• Deliver components to enable custom solution
• Plug-in model for PXE Server extensibility
• Unify on single image format – WIM
• Improve management experience
• Provide migration and co-existence path from RIS

Scenarios
• New machine deployment: end-to-end solution for clean installs, PXE boot of WinPE
• Custom deployment solution or recovery environment: extensibility points
• Scalable PXE server built on a unified architecture

WDS Client

• Setup application runs within WinPE
• Special mode of Windows Vista
–Image Based Setup (IBS)
–Logic to communicate with WDS server
–Drives the client setup experience (unique to WDS)
• Regional and Language options
–May be configured at setup
–Automated using unattend.xml

Transition from RIS

WDS: Modes of Operation

Legacy (Windows Server 2003 only)
• WDS binaries but RIS functionality
• RISETUP and RIPREP
• Management through RIS utilities

Mixed ("Best of both")
• WinPE and OSChooser
• RISETUP, RIPREP and WIM
• Management of new: WDS MMC / CLI
• Management of legacy: RIS utilities

Native (Longhorn Server only)
• No RIS functionality
• WinPE only
• WIM only
• Management through WDS MMC / CLI

Scalability Networking Pack

Challenges to faster networking
• Increasing processor loads
• Excessive context switching
• Lack of effective scaling
• Memory overhead and latency

Scalable Networking Pack
• Reduces packet processing
• Offloads network processing
• Shares network processing

TCP Chimney Offload

[Diagram: TCP Chimney Offload – Applications, Network APIs, TCP, Intermediate Protocols, Switch, NDIS, NDIS miniport driver, Tcpip.sys, Data Transfer Interfaces, State Update Interfaces, TOE-Capable Network Adaptor]

Receive Side Scaling

[Diagram: packets from the Network Card dispatched to Processors]

• NDIS 5.1 allows for only a single Deferred Procedure Call
• Doesn't scale well for multiprocessor/multi-core systems under heavy workloads
• In SP2 an adaptor is not associated with a single processor
• NDIS 5.2 and RSS is supported
• Allows for more traffic to be processed

NetDMA Support

• Offloads processing of memory-to-memory transfers
• Without NetDMA
–Processor is heavily involved in moving data from NIC buffers to application buffers
• With NetDMA
–DMA engine and transfers are managed
–Minimizes CPU processing of data transfers from NIC buffers to application buffers

Customer Driven Improvements

Virtualization
• Improves the performance under high APIC access rate for Windows Server 2003 running as a guest operating system under Windows Virtualization

SQL Server 2005
• Under workloads with high kernel time, some due to network traffic
• Fixes Winsock issue that caused system wide dispatch locks
• Search Microsoft.com for SAPSales

Message Queuing
• Default storage limit changed to 1 GB
• MSMQ v3.0 may be set too high for certain customers which may experience problems which appear due to low available memory

SECURITY

10 ways to make your network secure:
1. Defense-in-depth
2. Defense-in-depth
3. Defense-in-depth
4. Defense-in-depth
5. Defense-in-depth
6. Defense-in-depth
7. Defense-in-depth
8. Defense-in-depth
9. Defense-in-depth
10. Defense-in-depth

Tips for greater security

• Never run as local administrator
• Anti-Virus does not protect against a directed attack

Security Configuration Wizard (SCW)

• Part of SP1
• Developed to make defense-in-depth easier
• Integrates with Group Policy
• Should be run on all Windows 2003 servers

Demonstration: Creating a security policy using SCW
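The two bullets "should be run on all servers" and "integrates with Group Policy" come together in SCW's command-line tool. The script below is an added example (not part of the deck, not Microsoft's sample code) that checks a list of servers against a policy saved from the wizard and then turns the policy into a GPO. Server names, the policy file and the report directory are placeholders, and the stylesheet path used for the HTML view is assumed to be the default SCW install location.

```powershell
# Added example (not from the original deck): drive SCW from the command
# line with scwcmd.exe, which SP1 installs next to the wizard. It checks
# each server in a list against a policy saved from the SCW GUI, then
# turns the same policy into a GPO so Group Policy enforces it.
# Server names, the policy file and the report directory are placeholders.

$policy  = 'C:\SCW\MemberServerBaseline.xml'
$report  = 'C:\SCW\Reports'
$servers = 'SRV01', 'SRV02', 'SRV03'

if (-not (Test-Path $report)) { New-Item -ItemType Directory -Path $report | Out-Null }

# 1. Analyze: compare the live configuration of each server with the policy.
#    Nothing is changed; one <server>.xml result per machine lands in $report.
foreach ($s in $servers) {
    & scwcmd analyze "/m:$s" "/p:$policy" "/o:$report"
    if ($LASTEXITCODE -ne 0) { Write-Warning "scwcmd analyze failed for $s (exit $LASTEXITCODE)" }
}

# 2. Review: render each XML result as HTML with the stylesheet SCW installs
#    for that purpose. The path is assumed to be the default; verify on your build.
$xsl = Join-Path $env:windir 'security\msscw\TransformFiles\scwanalysis.xsl'
foreach ($r in Get-ChildItem -Path $report -Filter *.xml) {
    & scwcmd view "/x:$($r.FullName)" "/s:$xsl"
}

# 3. Enforce: convert the policy into a GPO with the name below, then link that
#    GPO to the server OU in GPMC. 'scwcmd configure' would apply it to a single
#    machine directly instead of going through Group Policy.
& scwcmd transform "/p:$policy" "/g:SCW Member Server Baseline"
```

Re-running step 1 on a schedule gives a cheap drift report for the whole fleet, which is the practical meaning of "run it on all servers".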

Domain isolation

• Another part of defense-in-depth
• IPSec policies control communication on internal network
• Enforced by Group Policy
• Easy and cheap to implement
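To make "easy and cheap" concrete, here is an added example (not from the deck) of the smallest useful domain-isolation policy, built with the netsh ipsec static context that ships in Windows Server 2003 and run from PowerShell. Policy, filter-list, filter-action and rule names are placeholders. It requests rather than requires IPsec, which is the safe first step: domain members negotiate with each other via Kerberos, and hosts that cannot negotiate still get clear text, the "fallback to clear" the SP2 slide mentions.

```powershell
# Added example (not from the original deck): a minimal domain-isolation
# policy built with the netsh ipsec static context on Windows Server 2003.
# Policy, filter-list, filter-action and rule names are placeholders. The
# policy requests (does not require) IPsec with Kerberos authentication:
# domain members negotiate ESP with each other, while hosts that cannot
# (printers, non-domain machines) still get clear text because soft=yes.
# Build it here on a lab box, then deliver the same policy with Group Policy.

$policy = 'DomainIsolation'

# Policy container, not assigned yet
netsh ipsec static add policy name=$policy

# One mirrored filter: everything between this host and anywhere, any protocol
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=me dstaddr=any protocol=any mirrored=yes

# Negotiate security. inpass=yes accepts an unsecured inbound packet and answers
# with IKE; soft=yes falls back to clear text if the peer never negotiates.
netsh ipsec static add filteraction name=RequestSecurity action=negotiate inpass=yes soft=yes

# Tie filter list and action together with Kerberos (domain) authentication,
# then assign the policy so it takes effect on this machine
netsh ipsec static add rule name=RequestFromAll policy=$policy filterlist=AllTraffic filteraction=RequestSecurity kerberos=yes
netsh ipsec static set policy name=$policy assign=yes

# Verify the assigned policy and, after some traffic, the main-mode SAs
netsh ipsec static show policy name=$policy level=verbose
netsh ipsec dynamic show mmsas
```

Once the main-mode SA list shows the expected domain peers, the next step is a second, stricter filter action (require security) for the servers that must never talk in the clear, delivered by Group Policy rather than netsh.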

Wireless Security

• W2K3 Server has easy to use RADIUS server (IAS)
• Group Policy deployment of Wireless policies (WPA2)

Private Key Infrastructure

• Run your own Certificate Authority!
• W2K3 Server supports 4 different configurations:
–Root AD integrated (Enterprise Root CA)
–Subordinate AD integrated (Enterprise Subordinate CA)
–Stand-alone Root CA
–Stand-alone Subordinate CA

Private Key Infrastructure - continued

• Group Policy supports auto-enrollment for certificates for users and computers
• Trust hierarchy established through Group Policy
• CRLs published to AD and IIS ++

Demonstration: Installing your own Certificate Authority (Brian Comar; eat your heart out!)

RDP Security

• RDP protocol does not protect password
• SP1 introduces TLS for RDP
• Very easy to implement

Demonstration: Configuring Windows Server 2003 for secure Remote Desktop Connections

Secure through Group Policy

• Microsoft have security guides for almost all server products
• Includes Group Policy security templates specifically designed for product
• Easy to implement, gives good baseline for security configuration

Miscellaneous tips to make your servers run better

• Disable unnecessary mappings in RDP

• Set RDP timeouts for admin accounts

• Remove unnecessary services

• DNS Scavenging
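The "RDP Security" slide and the RDP items in the list above all map to values on the RDP-Tcp listener. The script below is an added example (not from the deck) that audits those values read-only: the SP1 TLS security layer, the minimum encryption level, the device redirections ("mappings") and the session timeouts. The expected values are this example's suggestions, not figures from the deck; it assumes it is run as an administrator on the server being checked.

```powershell
# Added example (not from the original deck): read-only audit of the
# RDP-Tcp listener settings behind the "RDP Security" and "Miscellaneous
# tips" slides: TLS security layer, encryption level, device redirection
# ("mappings") and session timeouts. The expected values are this
# example's suggestions, not figures from the deck. Run as an administrator.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $key

function Write-Finding {
    param([bool]$Ok, [string]$Name, $Actual, [string]$Want)
    $state = if ($Ok) { 'OK  ' } else { 'WARN' }
    if ($Actual -eq $null) { $Actual = '(not set)' }
    '{0} {1,-20} = {2,-10} want: {3}' -f $state, $Name, $Actual, $Want
}

# Exact-value check against the listener's registry value
function Test-ExactValue {
    param([string]$Name, [int]$Expected, [string]$Why)
    $v = $rdp.$Name
    Write-Finding ($v -eq $Expected) $Name $v "$Expected ($Why)"
}

# Timeouts are milliseconds, 0 = never; require set, non-zero and <= limit
function Test-Timeout {
    param([string]$Name, [int]$MaxMinutes)
    $v = $rdp.$Name
    $ok = ($v -ne $null) -and ($v -gt 0) -and ($v -le $MaxMinutes * 60000)
    Write-Finding $ok $Name $v "1..$MaxMinutes min"
}

# "SP1 introduces TLS for RDP": SecurityLayer 0 = RDP, 1 = negotiate, 2 = TLS only
Test-ExactValue 'SecurityLayer'      2 'TLS only, server is authenticated before the password goes over the wire'
# MinEncryptionLevel 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS
Test-ExactValue 'MinEncryptionLevel' 3 'high, 128-bit in both directions'

# "Disable unnecessary mappings in RDP": 1 = that redirection is disabled
Test-ExactValue 'fDisableCdm'  1 'drive redirection off'
Test-ExactValue 'fDisableClip' 1 'clipboard redirection off'
Test-ExactValue 'fDisableCpm'  1 'printer redirection off'
Test-ExactValue 'fDisableCcm'  1 'COM port redirection off'
Test-ExactValue 'fDisableLPT'  1 'LPT port redirection off'

# "Set RDP timeouts for admin accounts"
Test-Timeout 'MaxIdleTime'          15        # idle session
Test-Timeout 'MaxDisconnectionTime' 60        # disconnected session
Test-Timeout 'MaxConnectionTime'    (8 * 60)  # active session
```

Values pushed by Group Policy override these per-listener settings, so a WARN here may already be corrected by policy; check the Terminal Services administrative templates in the resultant policy as well.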