Chapter 1. Introducing Windows Server 2008



It all started with Windows NT, Microsoft's first serious entry into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner very much attention in a NetWare-dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product currently being offered was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified that Microsoft considered enterprise computing an important part of Windows.

After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. However, despite that, most administrators with Unix experience required an OS more credible in an enterprise environment—one that could compare to the enormous Unix machines that penetrated that market long ago and had unquestionably occupied it ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities.

However, something was still lacking. Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. In addition, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that Microsoft save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change.

From stage left, enter Windows Server 2003. What distinguished the release other than a longer name and a three-year difference in release dates? Security, primarily. Windows Server 2003 came more secure out of the box and was heavily influenced by the month-long halt of new development in March 2002, referred to by Microsoft as the beginning of the Trustworthy Computing Initiative, wherein all developers and product managers did nothing but review existing source code for security flaws and attend training on new best practices for writing secure code. Performance was also improved in the Windows Server 2003 release, focus was put on making the operating system scalable, and in general enterprise administration was made more efficient and easier to automate. Microsoft also updated some bundled software via the Windows Server 2003 R2 release, making it more straightforward to manage identities over different directory services and security boundaries, distribute files and replicate directory structures among many servers, and more.

But as always, no software is perfect, and there's always room for improvement. As business requirements have changed, Microsoft developers worked in tandem on Windows Vista and the next release of Windows on the server. When Windows Vista was released to manufacturing, the teams split again, and the Windows Server 2008 group added a few new features and then focused on performance and reliability until the release.



1.1. The Biggest Changes

Unlike the transition from Windows 2000 Server to Windows Server 2003, which was a fairly minor "point"-style update, Windows Server 2008 is a radical revision to the core code base that makes up the Windows Server product. Windows Server 2008 shares quite a bit of fundamental code with Windows Vista, which was a product derived directly from the techniques of the secure development model (SDM)—a sea change in programming methodologies at Microsoft that puts secure code at the forefront of all activity. Thus, a lot of new features and enhancements you will see in the product are a result of a more secure code base and an increased focus on system integrity and reliability.

The most radical changes to Windows Server 2008 include Server Core and the new Internet Information Services 7.0.



1.1.1. Server Core

Server Core is a minimal installation option for Windows Server 2008 that contains only a subset of executable files and server roles. Management is done through the command line or through an unattended configuration file. According to Microsoft:

Server Core is designed for use in organizations that either have many servers, some of which need only to perform dedicated tasks but with outstanding stability, or in environments where high security requirements require a minimal attack surface on the server.

Accordingly, there are limited roles that Core servers can perform. They are:

Dynamic Host Configuration Protocol (DHCP) server
Domain Name System (DNS) server
File server, including the file replication service, the Distributed File System (DFS), Distributed File System Replication (DFSR), the network file system, and single-instance storage (SIS)
Print services
Domain controller, including a read-only domain controller
Active Directory Lightweight Directory Services (AD LDS) server
Windows Server Virtualization
IIS, although only with a portion of its normal abilities—namely only static HTML hosting, and no dynamic web application support
Windows Media Services (WMS)

Additionally, Server Core machines can participate in Microsoft clusters, use network load balancing, host Unix applications, encrypt their drives with BitLocker, be remotely managed using Windows PowerShell on a client machine, and be monitored through Simple Network Management Protocol, or SNMP.

Most administrators will find placing Server Core machines in branch offices to perform domain controller functions is an excellent use of slightly older hardware that might otherwise be discarded. The smaller footprint of Server Core allows the OS to do more with fewer system resources, and the reduced attack surface and stability make it an excellent choice for an appliance-like machine. Plus, with a branch office, you can combine Server Core with the ability to deploy a read-only domain controller and encrypt everything with BitLocker, giving you a great, lightweight, and secure solution.



1.1.2. IIS Improvements

The venerable Microsoft web server has undergone quite a bit of revision in Windows Server 2008. IIS 7 is, for the first time, fully extensible and fully componentized—you only install what you want, so the service is lighter, more responsive, and less vulnerable to attack. The administrative interface for IIS has also been completely redesigned. Key improvements include:

Newly rearchitected componentized structure

For the first time in IIS history, administrators exercise complete control over exactly what pieces of IIS are installed and running at any given time. You can run the exact services you require—no more, no less. This is of course more secure, not to mention easier to manage and better performing.

Flexible extensibility model

IIS 7 allows developers to access a brand-new set of APIs that can interact with the IIS core directly, making module development and customization much easier than it ever has been. Developers can even hook into the configuration, scripting, event logging, and administration areas of IIS, which opens a lot of doors for enterprising administrators and third-party software vendors to extend IIS' capabilities sooner rather than later.

Simplified configuration and application deployment

Configuration can be accomplished entirely through XML files. Central IIS configuration can be spread across multiple files, allowing many sites and applications hosted by the same server to have independent but still easily managed configurations. One of Microsoft's favorite demos of IIS 7 is setting up a web farm with identically configured machines; as new members of the farm are brought online, the administrator simply uses XCOPY and moves existing configuration files over to the new server, and in a matter of seconds, the IIS setup on the new machine is identical to that on the existing machines. This is perhaps the most meaningful, and most welcome, change in IIS 7.

Delegated management

Much like Active Directory allows administrators to assign permissions to perform certain administrative functions to other users, IIS administrators can delegate control of some functions to other people, like site owners.

Efficient administration

IIS Manager has been completely redesigned and is joined by a new command-line administration utility, appcmd.exe.
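
Because IIS 7 is componentized and its configuration lives in XML, the set of loaded modules can be checked against a baseline like any other text file. The PowerShell below is an added example, not code from the book: the XML fragment is constructed in the shape of applicationHost.config, and the function name Compare-IisModuleBaseline and the allowed-module list are hypothetical.

```powershell
# Added example. The XML below is a constructed, trimmed fragment in the shape of
# IIS 7's applicationHost.config; on a real server, load that file instead.
$configXml = [xml]@'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
      <add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
    </globalModules>
  </system.webServer>
</configuration>
'@

# Hypothetical baseline for a static-content server: the only modules it should load.
$allowedModules = 'StaticFileModule', 'DefaultDocumentModule', 'HttpLoggingModule'

function Compare-IisModuleBaseline {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        [Parameter(Mandatory = $true)] [string[]] $Baseline
    )
    # Collect the name of every native module registered in <globalModules>.
    $installed = @(
        $Config.SelectNodes('/configuration/system.webServer/globalModules/add') |
            ForEach-Object { $_.GetAttribute('name') }
    )
    # Installed but not in the baseline: extra attack surface to review or remove.
    foreach ($name in $installed) {
        if ($Baseline -notcontains $name) {
            [pscustomobject]@{ Module = $name; Finding = 'Unexpected' }
        }
    }
    # In the baseline but not installed: for example, request logging has gone missing.
    foreach ($name in $Baseline) {
        if ($installed -notcontains $name) {
            [pscustomobject]@{ Module = $name; Finding = 'Missing' }
        }
    }
}

Compare-IisModuleBaseline -Config $configXml -Baseline $allowedModules | Format-Table -AutoSize
```

Run against each member of an XCOPY-deployed web farm, the same comparison also shows when one machine's configuration has drifted from the others.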


