Planning for Longhorn's harvest

 


Although Windows Server 2008 won't be released until next year, agencies could start thinking about how to use some of its new capabilities.

Last week, Microsoft announced it was pushing back the release date of Windows Server 2008, which originally was set for late this year. Chief Operating Officer Kevin Turner revealed at the company's annual partner conference that the new ship date is Feb. 27, 2008.

Perhaps it's just as well because now agencies will have more time to prepare.

The upgrade - code named Longhorn - has been five years in the making, and it will not be unusual if government agencies wait a few more years to adopt the operating system. As with previous versions, Windows Server 2008 will be rolled out across government in a cautious manner. It's not that the upgrade will be a particularly arduous one, but agencies will approach it with trepidation nonetheless.

"Upgrades will be a very careful process," said James Rankin, technology specialist at CDW Government. "That's just the nature of the beast - you want to make sure all your ducks are in a row."

Nonetheless, when agencies adopt the new software, they will enjoy many new features.

"There are a number of interesting things being done around Windows Server 2008," said Jackson Shaw, senior manager of product management at Quest Software, which offers tools for migrating older platforms to newer ones. Systems administrators will have tools to enhance security while at the same time offering their users more flexibility.

And although the final release will not be out for another seven months, those features are substantial enough for agencies to start thinking about how to put them to use.

Windows Server 2008 has many new capabilities, but perhaps the most important new features for the federal market center on security and remote access, said Javier Vasquez, infrastructure architect at Microsoft's federal unit.

The new gatekeeper

One of the chief new features is something called network access protection.
NAP "makes the decision whether the machine should be allowed on the network or not," Vasquez said.

Run from Windows Server 2008, NAP checks each computer that logs on to a network - wirelessly, by cable or even via a virtual private network - and ensures that it is healthy. Does the computer have a firewall? Does it have the latest patches installed? Does it have anti-spyware and antivirus software? If the computer lacks any of those elements or they are not up-to-date, it is not allowed on the network. If the computer is found to be unfit or poised to cause danger, NAP will try to fix the problems.

Most systems administrators keep their client computers up-to-date, but NAP will help in cases where, say, an employee takes a laptop PC home, connects to his or her home network and subsequently has malware installed. When he or she plugs the PC back into the agency's network, NAP can quarantine it before it does any damage. NAP can also authorize guest machines, such as for a contractor who needs Internet access for a day, Vasquez said.

In addition to the conditions specified by Microsoft of what constitutes a healthy computer, third-party vendors and even agencies themselves can insert checkpoints of their own. "I know agencies have shown some interest in doing their own creative things with determining whether or not a client is healthy," said Rhys Zeimer, a technology specialist at Microsoft.

"Basically, NAP is a lightweight version of Network Access Control," Rankin said, referring to a new technology developed to more tightly control network access. NAC allows a wider range of clients and configurations, but most implementations come with a hefty price tag.

"NAP appears as though it would be lightweight, but it is still a positive step forward for someone who just needs lightweight access control. This is something that lots of government organizations want," Rankin said.

Best of all, NAP can help agencies meet requirements set by the Office of Management and Budget.
Earlier this year, OMB mandated that agencies use standard configurations for their Windows Vista desktop PCs to help ensure security. "NAP is a way to have that enforcement," Vasquez said.

Users from afar

Another key feature for federal agencies is improved remote access, Vasquez said. Agencies are looking for more flexibility in computer services as they grapple with issues of teleworking and continuity of operations. With the new features of Windows Server 2008, users outside the network are able to log in and get data and even applications from their desktop computers.

Microsoft already offers many of those capabilities. With Exchange Server, for instance, users can access e-mail, contacts and calendar items via a Web browser. And by using a Remote Desktop Protocol client within a network, users can call up another computer entirely.

With Windows Server 2008, RDP is available to users outside the network and without a virtual private network, Vasquez said. A client resides on the user's computer that, when clicked, can bring up the entire desktop of another computer in a window, including start button, file directories and links to all the applications. The user works in that window as though it is another computer.

Such a setup - when allowed by the systems administrator - would let someone use their work computer easily from home or anywhere else an RDP client could be downloaded. For those who do not need the entire desktop experience, Windows Server 2008 also lets users access only selected programs.
Word, PowerPoint, Excel or any other application that could run on a terminal server could be brought up and run remotely.

"Applications appear to be running on the local machine but are actually run remotely," Vasquez said.

More in the box

Although Vasquez identified remote services and NAP as the features of most interest to federal agencies, a number of others could also be of interest, including read-only domain controllers, virtualization and server cores.

Read-only domain controllers got particularly high marks from Shaw. Services that can run on top of Windows Server and log users on to the network contain users' passwords, which can present a vulnerability, especially in small branch offices. An organization would want to place a domain controller on-site even at a small branch office so that if the wide-area network goes down, users could still log on to the local-area network. But having that valuable information at a site with little administrative help could be a danger.

"If someone were to walk into an office, unplug the domain controller and take it home, pull the drive and start using some cracking technology, the enterprise could be compromised," Shaw said. For starters, everyone in the organization would have to be issued a new password.

Read-only domain controllers work around this problem by not storing any passwords. Instead, when a user logs in, the controller caches the password so if the WAN goes down, the individual can continue to work. Should the read-only domain controller be stolen, only the users who have logged in at that location will need new passwords. "So you substantially reduce your administrative overhead," Vasquez said.

Another valuable feature is virtualization. "If it does work as advertised, virtualization could be a tremendously useful feature," Rankin said. A single server could run multiple copies of the operating system software along with applications.
An agency could buy more robust, stand-alone virtualization software from companies such as VMware, but the built-in virtualization could come in handy in many cases.

Another feature, called Server Core, lets an administrator install a minimal copy of Windows with only the core binaries needed to run the operating system and its designated job. This version of Windows has no graphical user interface - it only has a basic command line. Server Core exists for preselected roles, such as running Active Directory, a Domain Name System or Dynamic Host Configuration Protocol on a server. The minimal configuration keeps potential security vulnerabilities to a minimum and ensures that performance is not hampered by irrelevant services.

The one downside of this approach is that Server Core does not operate PowerShell, the newly released shell environment for Windows. PowerShell requires the .NET framework, which in turn relies on graphical interfaces that are not part of the Server Core foundation, Zeimer said. This means administrators who use Server Core will miss out on the ability to do advanced scripting.

In fact, this lack of PowerShell in Server Core is something to keep in mind. "Customers want to make sure that the features that they think they are getting in Windows Server 2008 are not dependent" on owning other Microsoft products, Shaw said. For instance, to get NAP to work, you're best off if all the clients logging on to the network run Vista. Vista supports NAP out of the box, but you need to download a client from Microsoft for Windows XP to enjoy the protection. And users of older versions of Windows and those who use non-Windows operating systems might have to wait for third parties to develop clients.

"There are dependencies," Shaw said.
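The admission decision the article describes for NAP (baseline health questions, agency-defined checkpoints, guest machines, and clients with no NAP agent) can be sketched as a small policy model. This is an added illustration, not Microsoft's NAP API or code from the article; every name in it (`admit`, `require`, the statement keys, the access levels) is an assumption made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# A check takes the client's health statement and returns None when it
# passes, or a remediation hint when it fails.
Check = Callable[[dict], Optional[str]]

def require(key: str, hint: str) -> Check:
    """Build a check that passes only when statement[key] is exactly True."""
    return lambda stmt: None if stmt.get(key) is True else hint

# Baseline checks taken from the article's list of health questions.
BASELINE: list[Check] = [
    require("firewall_enabled", "enable host firewall"),
    require("patches_current", "install latest patches"),
    require("antivirus_current", "install/update antivirus"),
    require("antispyware_current", "install/update anti-spyware"),
]

@dataclass
class Decision:
    access: str                      # "full", "internet-only" or "quarantine"
    remediation: list[str] = field(default_factory=list)

def admit(statement: Optional[dict], *, guest: bool = False,
          extra_checks: tuple[Check, ...] = ()) -> Decision:
    """Decide network access for one connecting machine.

    statement is None when the client has no health agent at all, e.g. an
    operating system for which no client exists yet. Fail closed in that case.
    """
    if guest:
        # Authorized guest (e.g. a contractor for a day): Internet only,
        # never the internal network. This mapping is an assumption.
        return Decision("internet-only")
    if statement is None:
        return Decision("quarantine", ["install a supported health agent"])
    failures = [hint for check in (*BASELINE, *extra_checks)
                if (hint := check(statement)) is not None]
    return Decision("quarantine", failures) if failures else Decision("full")

# Hypothetical agency-defined checkpoint layered on the baseline.
disk_encrypted = require("disk_encrypted", "enable full-disk encryption")

# Constructed sample statements.
HEALTHY = {"firewall_enabled": True, "patches_current": True,
           "antivirus_current": True, "antispyware_current": True,
           "disk_encrypted": True}
LAPTOP_BACK_FROM_HOME = {**HEALTHY, "patches_current": False,
                         "antivirus_current": False}

if __name__ == "__main__":
    for name, stmt in [("healthy", HEALTHY), ("laptop", LAPTOP_BACK_FROM_HOME),
                       ("no agent", None)]:
        print(name, admit(stmt, extra_checks=(disk_encrypted,)))
```

A missing or non-boolean value in the statement counts as a failed check, so a client that omits a field is quarantined rather than admitted.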

Windows Server 2008's new features

Failover Clustering: Improvements in clustering allow administrators to migrate server software to new hardware while keeping live copies on hand in case of emergency.

Internet Information Services 7.0: The update to IIS will allow administrators to integrate features from ASP.NET, Windows Communication Foundation, Windows Workflow Foundation, and Windows SharePoint Services and other Microsoft components.

Network Access Protection: NAP sets up a system that checks computers logging on to the network to ensure that they meet the minimum requirements for security and other factors, allowing administrators to ensure that all computers on the network meet certain minimum requirements.

PowerShell: This powerful new command-line shell has scripting-language capabilities and 130 commands.

Read-Only Domain Controller: This lightweight domain controller replicates the Active Directory services database for remote use.

Server Core: Server Core is a stripped-down version of Windows Server with only the necessary components to execute a specific task, such as performing Domain Name System, file server or domain controller roles. These configurations reduce performance overhead and security vulnerabilities.

Server Manager: This new installation procedure allows administrators to configure the software for various roles and features.

Terminal Services: Terminal Services have been expanded to allow users to log on to their work computers from outside the network without using a virtual private network. They can also access individual programs.

Windows Deployment Services: This upgrade allows systems administrators to remotely install server software through the use of images.

To download a beta copy of Windows Server 2008, go to www.microsoft.com/windowsserver2008/default.mspx.











