Windows Server 2003: Advanced administration and Troubleshooting, or: ”How to make your Kung-Fu stronger” Morgan Simonsen [email protected] Ementor.

Windows Server 2003:Advanced administration and Troubleshooting, or:”How to make your Kung-Fu stronger”

Morgan Simonsen

[email protected]

Ementor

What Will We Cover?

• Tips and tricks for managing Windows

Server 2003

• Improvements in Service Pack 2

• Security tidbits

• Important tools

Level 300

• Experience managing Windows Server

2003

• Networking experience

Helpful Experience

Administering W2K3 Server: Tools

• Support Tools• Resource Kit Tools• Group Policy Management Console• Sysinternals• PowerShell/Scripting

demonstrationSysinternals Tools“My Kung-Fu is stronger than your Kung-Fu”

Process ExplorerProcess MonitorAccessEnumAutoRuns

Administering W2K3 Server: Scripting

• CMD

• VBScript/JScript

• PowerShell

W2K3 Server Well Kept Secrets

• Access Based Enumeration

• Diskpart kung-fu

• Replmon.exe/repadmin.exe

• User Profile Hive Cleanup Service

WINDOWS SERVER 2003 SP2 IMPROVEMENTS

MMC 3.0Start Pages

Consistent UI & Structure• Views• Start Pages• Richer Snap-ins

Improved Usability

Improved Reliability

Easier Development

Shipped with WS03R2

Goals

List View with Roll-Ups

MMC .0List View with Preview

Pane

Utility Improvements

> DCDiag.exe /x /xsl:file.xsl or .xslt

> ICacls c:\windows\* /save AclFile /T

> MSConfig.exe

Plus – New Cluster Service Event ID 1239

XMLLite New XML API• Part of Vista Beta 2 SDK• Parser native in SP2

Goals of XMLLite• Separate, independent DLL• Adhere’s to XML 1.0 standard• Easy to use• High performance

Usage Scenarios• Document format (Office 2007)• Business Transactions• Standard XML Scnearios

Security Features• Per Port Firewall Authentication

–Currently WS03 Windows Firewall supports an authenticated IPSec bypass feature. However, once past the firewall, it is possible to jump to and compromise other applications behind the firewall.

–Instead of only exempting authenticated IPSec traffic from the entire firewall, it will now be possible to exempt authenticated traffic for a particular port or application exception

• IPsec Filter Management–Simple IPSec Policy Update

• Significantly Reduces IPsec filter set• Fallback to clear is 500ms

Wi-Fi Protected Access 2• Current Server 2003 SP1 / XP64 Wireless Group Policy does not support WPA2

• WPA2 Enterprise using IEEE 802.1X authentication and WPA2 Personal using a preshared key (PSK)

•Uses Advanced Encryption Standard (AES)

•Use of Pairwise Master Key (PMK) caching and opportunistic PMK caching

Windows Deployment Services

Deliver Great “in-the-box” provisioning solutionDeliver components to enable custom solutionPlug in model for PXE Server extensibilityUnify on single image format – WIMImprove management experience Provide migration and co-existence path from RIS

Goals Scenarios

Windows Deployment Services

New machine deployment

End-to-end solution for clean installs PXE Boot of WinPE

Custom deployment solution or recovery envrionment Extensibility Points

Scalable PXE server built on a unified architecture

Goals Scenarios

WDS Client

WDS Client

Setup application runs within WinPE

Special mode of Windows Vista• Image Based Setup (IBS)• Logic to communicate with WDS

server• Drives the client setup experience

(unique to WDS)

Regional and Language options• May be configured at setup

Automated using unattend.xml

Transition from RIS

Transition

WDS: Modes of Operation

LegacyWDS Binaries but RIS functionalityRISETUP and RIPREPManagement through RIS utilities

Best of BothWinPE and OSChooserRISETUP, RIPREP and WIMMGMT of new: WDS MMC / CLIMGMT of legacy: RIS utilities

MixedNo RIS functionalityWinPE onlyWIM onlyMGMT through WDS MMC / CLI

Native

Longhorn Server Only

Windows Server 2003

Only

Scalability Networking Pack

ChallengesTo Faster

Networking

Increasing processor loadsExcessive context switchingLack of effective scalingMemory overhead and latency

Scalable Networking

Pack

Reduces packet processingOffloads network processingShares network processing

TCP Chimney Offload

TOE-CapableNetwork Adaptor

Applications

TCP

Intermediate Protocols

Switch

NDIS

NDIS miniport driver

Tcpip.sys

Data Transfer Interfaces

Sta

te U

pdat

e In

terf

aces

Network APIs

TCP Chimney

Received Side ScalingProcessors

Network Card

NDIS 5.1 allows for only a single deferred Procedure Call

Doesn’t scale well for Multiprocessor/multi-core systems under heavy workloads

DPE In SP2 an adaptor is not associated with a single processor

NDIS 5.2 and RSS is supported

Allows for more traffic to be processed

DPE

NetDMA Support• Offloads processing of memory-to-

memory transfers• Without NetDMA

–Processor is heavily invoiced in moving data from NIC buffers to application buffers

• With NetDMA–DMA engine and transfers are managed–Minimizes CPU processing of data transfers from NIC buffers to application buffers

Customer Driven Improvements

Virtualization SQL Server 2005

Message Queuing

Improves the performance under high APIC access rate for Windows Server 2003 running as a guest operating system under Windows Virtualization

Under workloads with high kernel time, some due to network traffic

Fixes Winsock issue that caused system wide dispatch locks

Search Microsoft.com for SAPSales

Default storage limit changed to 1 GB

MSMQ v3.0 may be set too high for certain customers which may experience problems which appear due to low available memory

SECURITY

10 ways to make your network secure:1. Defense-in-depth

2. Defense-in-depth

3. Defense-in-depth

4. Defense-in-depth

5. Defense-in-depth

6. Defense-in-depth

7. Defense-in-depth

8. Defense-in-depth

9. Defense-in-depth

10. Defense-in-depth

Tips for greater security

• Never run as local administrator

• Anti-Virus does not protect against a

directed attack

Security Configuration Wizard (SCW)

• Part of SP1

• Developed to make defense-in-depth

easier

• Integrates with Group Policy

• Should be run on all Windows 2003

servers

demonstrationCreating a security policy using SCW

Domain isolation

• Another part of defense-in-depth

• IPSec policies control communication on

internal network

• Enforced by Group Policy

• Easy and cheap to implement

Wireless Security

• W2K3 Server has easy to use RADIUS

server (IAS)

• Group Policy deplyment of Wireless

policies (WPA2)

Private Key Infrastructure

• Run your own Certificate Authority!• W2K3 Server supports 4 different

configurations:–Root AD integrated (Enterprise Root CA)–Subordinate AD integrated (Enterprise Subordinate CA)–Stand-alone Root CA–Stand-alone Subordinate CA

Private Key Infrastructure - continued

• Group Policy supports auto-enrollement

for certificates for users and computers

• Trust hierarchy established through

Group Policy

• CRLs published to AD and IIS ++

demonstrationInstalling your own Certificate Authority(Brian Comar; eat your heart out!)

RDP Security

• RDP protocol does not protect password

• SP1 introduces TLS for RDP

• Very easy to implement

demonstrationConfiguring Windows Server 2003 for secure Remote Desktop Connections

Secure through Group Policy

• Microsoft have security guides for almost

all server products

• Includes Group Policy security templates

specifically desgined for product

• Easy to implement, gives good baseline

for security configuration

Miscellaneous tips to make your servers run better

• Disable unnecessary mappings in RDP

• Set RDP timeouts for admin accounts

• Remove unnecessary services

• DNS Scavenging