Microsoft’s long-awaited Windows Server 2008 delivers advancements in speed, security and management, but its virtualization and network-access control features come up short.
In our testing of Windows Server 2008 gold code — the product officially launches on Wednesday — we found that Microsoft has made a number of improvements to its flagship server operating system.
For example, new server administrative role schemes boost security, the Server Manager program improves manageability, Internet Information Server (IIS) Web management functionality is revamped, Active Directory is easier to control, and Windows Terminal Services has been redesigned. Windows Server 2008 is also significantly faster than Windows Server 2003, especially when client machines are running Vista.
Unfortunately, a highly anticipated feature of Windows Server 2008, the Hyper-V server virtualization tool, is missing. Microsoft includes a beta version of Hyper-V with Windows Server 2008 editions, but it will not release final code until the third quarter of this year.
Also missing is compatibility between non-Windows (and older Windows) clients and Microsoft’s Network Access Protection (NAP) scheme, Microsoft’s version of NAC.
The Microsoft NAP scheme uses client-side ‘health certificates’ to either give or deny clients access to the network An ‘unhealthy’ client is vectored to remediation servers for necessary antivirus updates or security patches (compare NAC products.).
We tested the NAP scheme as implemented in Windows Server 2008 and found that it works as long as the client is running Windows XP or Vista. (See sidebar.) But it won’t let clients running any other brand of operating system have access to its protected resources, thus hampering the potential success of the NAP scheme, because all client types must be vetted for NAC to work effectively.
Rethinking server roles
Microsoft wants administrators of Windows Server 2008 editions (it will ship in the usual flavors of Standard, Enterprise, Data Center and Itanium-specific code) to think of the server as playing certain roles. Server roles are aggregated objects that suit commonly thought-of services, such as print services, file sharing, DNS, DHCP, Active Directory Domain Controller and IIS-based Web services. Microsoft has defined 18 roles in all.
There’s even a minimalist installation called Windows Server Core that can run various server roles (such as DNS, DHCP, Active Directory components) but not applications (like SQL Server or IIS dynamic pages). It’s otherwise a scripted host system for headless operations. There’s no GUI front end to a Windows Server Core box, but it is managed by a command line interface (CLI), scripts, remotely via System Manager or other management applications that support Windows Management Instrumentation (WMI), or by Remote Terminal Services. It’s also a potential resource-slimmed substrate for Hyper-V and virtualization architectures.
The services running on any role-based server are partitioned and enabled through Server Manager, Microsoft’s renamed, revamped administrative application — either through its GUI or CLI front end. It’s a vast improvement over the ‘Configure Your Server’ routines found in Windows 2000 and 2003 editions. Once successfully enabled, the roles can be easily changed. The CLI version allows scripted initial or remote role changes for administrators. Server Manager adds an important improvement over prior management applications: it checks application dependencies thoroughly before it effects installation, changes, deletions or other alterations.
We got a nearly immediate taste of higher security these server roles allow when we installed Windows 2008 Server — strong administrative passwords are now required as the default.
Active Directory Certificate Services have been redesigned, and now join with Group Policy settings to allow easier certificate enrollment, discovery and storage. The public-key infrastructure that was formerly very difficult to establish, monitor and maintain in Windows 2003 Server editions has improved dramatically as choices for certificate management (including storage, issuance and certificate vetting) are wider than ever before.
A side benefit is that IPSec encryption can be used with a number of previously unavailable cryptography methods, such as elliptic-curve Diffie-Hellman or Advanced Encryption Standard choices, allowing a simple but heretofore difficult security hole to be patched: Windows 2008 can provide comprehensive network encryption services, network-wide.
In addition to Server Manager, server-based Windows Firewall MMC snap-in helped us configure and manage host based security more easily. Windows Firewall on Windows 2008 Server-based networks can be now controlled by system enforced Group Policy Objects (GPO) within Active Directory. The ability to enforce Windows Firewall settings within an Active Directory domain provides a hierarchically enforced mechanism that thwarts branch office or subsidiary server settings made by local administrators. It’s an iron-fist policy that has teeth, and we really like that.
The GPOs can now define server IP address admittance, allowing servers to simply ignore traffic from all but specific addresses, reducing their attack surface dramatically. Policies for specific routes are inherited by all clients and servers admitted to the Active Directory-controlled network, which then allows possible intruder activity to be more readily discerned from the noise of general traffic.
However, this admittance control alone doesn’t reduce the effects of TCP SYN DOS attacks, but other TCP/IP settings shipping with only Windows Server 2008 can be used to reduce the effect of TCP connection-focused distributed denial-of-service (DoS) attacks.
We tested network I/O performance using both emulated I/O and various traffic/assault tests and found Windows 2008 Server performance has improved — and especially improved when Vista is the client.
Microsoft’s new client and server TCP/IP stacks, encompassing both tcpip.sys and the older Winsock API kit, have been updated. The network interaction stack, NDIS, has also been upgraded from Version 5.6 to 6.0. The TCP/IP stack contains native, rather than emulated IPv6 support. Choosing either IPv4 or IPv6 support is an interchangeable action, and management is identical.
The new stacks also have the ability to dynamically respond to communications latency in network connections as they possess the ability to dynamically change TCP packet window size, which allows a communication channel to be more efficiently stuffed with data.
SMB 2.0, unlike SMB 1, has performance enhancements that are designed to allow greater speed. One of these enhancements allows for larger buffer sizes when both reading and writing files. More open files can also be sustained at a single exercise like a file folder copy, or the number of files open-for-write concurrently.
In our testing we found that under light loads, the effects in terms of speed of tasks like copying folders, streaming media and loading complex Web pages aren’t strongly demonstrated, but the effects under heavy loads, however, favors performance for Vista, strongly. Depending on the mixture of I/O (but pronounced under streaming media and heavy file copying), Vista can be as much as 43% faster than Windows XP SP2 in copying operations and 18% faster in opening concurrent streams.
This also means that there’s a two-class affinity for clients of Windows 2008 Server Editions — Vista and everyone else, including Windows XP SP2, MacOS (we used 10.4.10 and 10.5.2) or other SAMBA clients that use SAMBA 3.0.2+ connection methods. If you have a client with the new stack, you’re more efficient, and, therefore faster under higher loads, but you’re a second-class citizen if your stack isn’t up to date.
Windows Vista supports and is shipped with both SMB 1.0 and SMB 2.0, whereas XP supports only SMB 1.0. Microsoft claims that Vista should be able to obtain better file/folder copy speeds over XP, especially in networks with higher latency. In our lab, higher latency (emulation over Ethernet 10Base-T) or low latency (same network subsegment with Gigabit Ethernet), Vista completed folder copies at least 35% faster, and in one run of tests, 71% faster than Windows XP SP2. As SMB emulation for Apple’s MacOS and most Linux clients are based on Samba, which is also based on SMBv1, these clients were tested and, as expected, showed no improvement in speed when connected to Windows 2008 Enterprise Edition over Windows 2003 Enterprise edition on the same hardware.
Windows Server 2008 also supports TCP/IP processing to be offloaded to supported network cards. In such a relationship, the TCP/IP Offloading Engine (TOE) card doesn’t interrupt any of the CPUs to service TCP/IP traffic and protocol relationship requests, ostensibly speeding up network throughput.
When we swapped from a Broadcom Gigabit Ethernet network interface card to an Intel TOE Gigabit Ethernet NIC, the speed effects become highly demonstrable — even for clients that use older SMB and non-Windows TCP/IP communications stacks (such as Macs and Linux clients/servers).
This change cut CPU utilization (as measured by Perfmon) during our TCP SYN distributed DoS assault test from 48% to 18%, and in our TCP connections test from 61% at peak to 16% at peak. While TOE cards have been around for several years, we haven’t seen the stark differences in performance from them.
We also assaulted the network side of Windows 2008 and IIS7 with a simple test get/post test that emulates a large number of users with get/post requests via http for delivery of static pages. We were able to increase the number of gets (using two independent Gigabit Ethernet connections concurrently) by 32% on the same hardware with Windows 2008 Server over Windows Server 2003.
Increased Web management
We didn’t run a full suite of IIS 7 performance tests as we found bugs in our test tools. But Microsoft has revamped its Web server management application — IIS Manager, removing past administrative obscurities and adding support for multiple site hosting. Web server management can now be performed over HTTP, so that remote administration can be done from a browser, without opening administrative TCP/IP ports on the target server.
IT managers can also delegate IIS controls to local administrators or Web-development teams, if desired. It’s also possible for administrators to ‘surgically’ lock specific files, rather than give blanket access to configuration files or static page configurations, an administrative boon.
And instead of installing all features by default (and having some of them required to be running even if they’re never used), IIS 7 allows administrators to install only necessary modules (there are more than 40 of them). This reduces the attack profile of IIS 7 dramatically.
Web service and application performance and errors are now piped to the WMI, allowing rapid identification of errors, and the ability for monitoring applications to provide triggers (for example instant e-mails) when monitored items fall out of ranges (think Microsoft Systems Center-based and other monitoring applications).
In all, controls for IIS have been almost reborn.
The consolidation of Active Directory services into three distinct groupings — Active Directory Domain Services, AD Certificate Services, and Active Directory Federated Services — gives administrators the ability to use fewer Active Directory components and plug-ins to manage diverse network needs. As an example, Microsoft AD Federated Services improves ‘extranet’ ties between organizations that can manage external system users in a highly definable way for use of files and application services among the organizations.
Terminal Services can now be encrypted with Transport Layer Security so that conversations can’t be captured from network wires and re-assembled. Screen raster size can be huge (Windows Vista and XP only), so that remote desktop sessions no longer need to be scrolled through a viewer-like windows. And Terminal Services can also present applications through http transports that look as though they were running on our desktops as native applications (we used Microsoft Office). Terminal Services configuration is simpler, with more capacity to control printing, as well as the aforementioned encryption methods and raster size, overall.
Comment: [email protected]