Microsoft Hones Windows Server

 
 
By eweek  |  Posted 2003-04-24

Microsoft Corp.'s main goal with Windows Server 2003 is, as usual, to sell more copies of the operating system. Selling anything these days, however, is not a simple proposition.

eWEEK Labs tests show that Microsoft has taken some innovative technologies and wrapped them into a nice interface to a server operating system that is more secure, friendlier to developers, has better performance and can be better integrated into heterogeneous environments than previous versions. If none of this succeeds in selling the new server operating system, Microsoft's decision to phase out support for Windows NT 4.0 next year will (the company hopes) spur part of the Windows population to upgrade.

The most obvious difference between Windows Server 2003 and Windows 2000 Server—Microsoft's most popular server offering ever—is the former's GUI, which is nearly identical to that of Windows XP.

In fact, a cursory look at Windows Server 2003, launched Wednesday, leads one to believe it's just Windows 2000 with a prettier face. Fortunately, the interface doesn't get in the way, and Microsoft has added useful wizards for managing everything from Active Directory migrations to creating trusted .Net components.

Under the covers, however, there are substantial changes.

First of all, the integration of .Net Framework, coupled with .Net configuration wizards, makes Windows Server 2003 an ideal development platform—but only for developers who are going with .Net. Microsoft also has expanded the operating system's Web services capabilities, allowing developers to wrap existing Windows applications into Web services objects that can run in the .Net environment.

As with earlier versions of Windows server operating systems, Windows Server 2003 includes a messaging server, a transaction coordinator and other technologies that more or less align with what application servers do on Unix platforms.

Overall, there are far fewer reasons to upgrade to Windows Server 2003 from Windows 2000 Server than from Windows NT 4.0. The main driver for upgrading from Windows 2000 Server will probably be Windows Server 2003's improved security features. However, IT administrators have spent so much time hardening Windows 2000 Server that they probably will not be compelled to start over again with a brand-new operating system.

Substantially more important are changes to Active Directory. The Microsoft directory is now easier to manage, but the changes to Active Directory will create some compatibility kinks. Windows Server 2003, for example, allows for cross-forest authentication and authorization, which lets users access resources from domains that they are not logged on to. eWEEK Labs sees this as a good way for users to access resources in a shared resource environment, but there will be difficulties in getting these capabilities to work in mixed-mode environments.

Another substantial change is that Microsoft ripped out Internet Information Services 5.0 and replaced it with the all-new IIS 6.0—a faster, more reliable and more secure version of the Microsoft Web server. IIS 6.0 is also better suited than its predecessor as a development platform target.

Lastly, Microsoft has included some excellent media serving capabilities with Windows Media Server 9. The bundle of media services, plus the application server stack, makes Windows Server 2003 a good buy—as long as organizations are committed to the entire stack.

Windows 2003 Server ships in three flavors: Standard Edition, which includes most of the features of the high-end versions but scales only to four processors with 4GB of RAM; Enterprise Edition, which includes 64-bit support and eight-processor capabilities and can address up to 32GB of RAM; and Datacenter Edition, which can support as many as 64 processors and includes Datacenter application capabilities.

Also available is a Web Edition, which is basically a file, print and Web server for single- and dual-processor systems.

Following, eWeek Labs analysts drill down into key areas of the server. —John Taschek

Security


The biggest security enhancement in Windows Server 2003 comes courtesy of the improved security model of IIS (Internet Information Services)—the Web server that has been the source of most of Windows 2000 Server's security woes. However, there are several other changes in Windows Server 2003 that should serve not only to make the Windows server itself more secure, but also to make it easier to secure other network resources.

Microsoft Corp. officials claim that the biggest change in Windows Server's security isn't a new feature so much as a new philosophy. Windows Server 2003 is the first version of the platform to come out since the advent of Microsoft's Trustworthy Computing initiative, the results of which mean that Windows Server 2003 will have fewer bugs and security problems, according to Microsoft.

Only time (no more than a year should do it) will tell.

In the meantime, our tests show that one of the most powerful new security features in Windows Server is Software Restriction Policies, which make it possible to prevent unauthorized code from running. In fact, we could prevent all but a few necessary trusted applications from running—very useful for vital servers that carry out specific functions.

The improved Group Policy editing and templates capabilities made it easier to manage advanced security settings across systems or to build multiple profiles for systems.

For example, on our test system with limited software permissions, we could build a policy to temporarily open up applications. This would be useful for updating necessary applications or fixing problems.

Windows Server 2003 also includes Common Language Runtime, which checks for unauthorized code by checking for digital signatures, code origination and changes to code.

The process of defining user and group permissions to objects and folders has also been refined, with more advanced permission options and a new Effective Permissions tab that let us quickly view all permissions allowed (see screen). Also new is a beefed-up version of Internet Connection Firewall found in Windows XP.

Authentication options are improved significantly in this version of Windows Server. With Internet Authentication Server, Windows Server 2003 can function as a RADIUS server, providing greater management of virtual private network and dial-in remote access users. When combined with Windows Server 2003's support for Extensible Authentication Protocol, this will make authentication for wireless users much more effective.

Windows Server 2003 also has more extensive support for secure authentication options, including public-key infrastructure and certificates, as well as technologies such as smart cards (see screen). —Jim Rapoza

Internet Information Services


IIS 6.0, included with Windows Server 2003, is a fundamental redesign of the 5.0 version of IIS included with Windows 2000 Server. The new architecture provides greater modularity, speed and configurability, while IIS 6.0's updated management tools make it much easier than before to understand how IIS is configured and to modify the server so it provides only needed functionality.

These changes bring IIS up to par with the good security and design practices of the Unix world and provide compelling reasons to upgrade.

However, with careful administration and use of Microsoft's free IIS Lockdown Tool and Urlscan tools, current IIS administrators can gain many of the security benefits IIS 6.0 provides. Lockdown Tool is also built into IIS 6.0's management tools, although Urlscan is not integrated into the product (something we would like to see).

Those who install Windows Server 2003 on a new machine will find IIS 6.0 much more secure out of the box. In fact, the Web server is not even installed by default, a big change from Windows 2000.

We were impressed to see that a default installation really is just a static content Web server—no IIS filters are installed, and no extensions are enabled. This is a huge security step forward, as every extension installed with IIS 5.0 proved to have security flaws after that product shipped, enabling massive worldwide infections of IIS servers.

During tests, turning on selected extensions was simple using a new Web Services Extensions folder in the Application Server Management snap-in (see screen). However, some extensions—such as those for FrontPage 2002 Server or Internet Printing—needed to be enabled or disabled through the Add or Remove Programs icon in the Control Panel. Integrating all IIS configuration settings into the Application Server Management tool would be a welcome future change.

IIS extensions also now run under a new user-level account rather than the system-level LocalSystem account previously used.

However, those who install the IIS 6.0 software on existing Windows servers will lose many of these benefits because the very insecure IIS 5.0 default configuration is preserved when upgrading. In upgrade tests, IIS 6.0 defaulted to an IIS 5.0 compatibility mode that continued to run extensions under the LocalSystem account and left extensions and filters in place.

The IIS service is disabled by default upon upgrades of Windows 2000 systems where the IIS 5.0 Lockdown Tool has not already been installed—a symbolic smack to the head for careless administrators to wake up and use the tools Windows Server 2003 provides to tighten IIS security before re-enabling the service.

IIS uptime and performance have been improved with a new in-kernel HTTP request queue and static and dynamic content cache called http.sys. This approach has proved effective on other platforms; Red Hat Inc.'s Red Hat Linux, Sun Microsystems Inc.'s Solaris and IBM's AIX all offer in-kernel HTTP page caches.

IIS now stores its configuration in a single XML file called metabase.xml. After enabling a configuration setting that allowed live edits of the file, we opened up the file in Notepad, altered the home directory of a Web site we created and saved the file. The changes were applied automatically. This kind of easy automated site configuration using a single text file is a hallmark of The Apache Software Foundation's Apache HTTP Server and a welcome IIS addition. —Timothy Dyck

Active Directory


Active Directory was one of the most significant features added to Windows 2000 Server, but like most new technologies, it had a few annoying limitations that made management somewhat difficult for IT managers. In Windows Server 2003, Microsoft has added several interesting enhancements that should ease management of Active Directories.

On a user interface side, Active Directory management consoles now allow administrators to select multiple objects and modify them at the same time. In tests, we could click on several users and change their attributes with one quick command. In the past, we would have had to do each individually.

Another UI improvement is the addition of drag-and-drop functionality for quickly moving objects within a domain.

One of the most important enhancements made in Active Directory for Windows Server 2003 is the ability to rename a domain without going through the tedious process of demoting and promoting a domain controller with a new name. The domain rename tool (called the netdom command) is a simple command-line utility that we found relatively easy to use during rename processes.

Unfortunately for Exchange administrators, domains that have an Exchange 2000 server present cannot currently be renamed.

Replication has been made a bit more intelligent in Windows Server 2003's Active Directory. In the past, when a change was made to a member of a group, the entire group had to replicate the change. This made replications a traffic nightmare for IT managers with large groups in their Active Directories. In Windows Server 2003, an individual can change without forcing a group replication.

The new Active Directory also supports forest trusts (one-way, two-way and transitive) for Windows Server 2003 forests. The use of these trusts should make it easier for business partners to share and maintain directory data (see screen). —Henry Baltazar

File and Print Services


File and print services are much easier to configure in Windows Server 2003, with wizard-type tools that stepped us through setup processes in tests.

Chief among the enhanced file and print capabilities is the Shadow Copies of Shared Folders feature. When enabled by the server administrator, this facility saves copies of documents stored on network shares at preset intervals and allows individual users to access these copies from a new tab in the file properties dialog of Windows clients.

The Shadow Copies feature is no replacement for a solid data backup scheme, but it can serve as an effective complement to these systems. In most cases, end users will be able to retrieve a backup version of a document themselves (see screen).

The client software that enables access to Shadow Copies works with the Home and Professional versions of Windows XP, with Windows 2000 Server and Professional (Service Pack 3 and above), and with Windows 98. Also new in Windows Server 2003 is a WebDAV (Web-based Distributed Authoring and Versioning) redirector that enables clients to access files on WebDAV repositories through file system calls—in the same way as previously possible with SMBs or local files.

Along similar lines, Distributed File System functionality has been improved in Windows Server 2003, which can now transparently direct users to the closest available server for accessing files replicated in multiple locations (based on information provided through Active Directory).

For print serving, Windows Server 2003 boasts faster file spooling than Windows 2000 Server. In addition, the operating system ships with 3,800 new print drivers, and drivers are now downloaded automatically when client computers connect to print servers. This will broaden connectivity and help streamline printer installation for the clients that Windows 2003 serves. —Jason Brooks

Development


What keeps Windows in its leadership position is that Microsoft caters to developers with conveniently packaged services, leveraged by refined but not overpriced tools. Those developers, in turn, add value to the Windows platform. The launch of Windows Server 2003, and its associated upgrade of the Visual Studio .Net tool set, maintains the company's focus on enlarging that virtuous circle.

The forthcoming Visual Studio .Net 2003, already available to Microsoft Developer Network subscribers and expected to ship soon after Windows Server 2003, will offer developers ease of access to the server product's new features. No one should be surprised, though, to discover that this access paves a path of least resistance that leads to an integrated all-Microsoft solution.

The Standard, Enterprise and Datacenter Editions of the new server, for example, will include Microsoft's implementation of Enterprise UDDI (Universal Description, Discovery and Integration) Services for cooperative exchange of Web service capabilities. To an impressive degree, XML Web services and local or network-resident objects will all appear to applications as a single pool of resources. That UDDI implementation depends, however, on Microsoft's Active Directory for authentication and authorization. And authentication of remote, Internet-based users relies on Microsoft's Passport service.

Development for Windows Server 2003 does lower some of the barriers among the domains of Windows client applications and more generic Web-based tools. For example, Visual Studio .Net 2003 offers automated aids for packaging Windows applications to be distributed and installed, via Internet connections, with minimum end-user skills or effort.

Application development has become a somewhat fragmented field in the last several years; the combination of Visual Studio .Net 2003 and Windows Server 2003 unifies Windows server-side and client development, Web client development, and mobile/pocket client development through the .Net 1.1 family of programming frameworks. —Peter Coffee


Executive Summary: Windows Server 2003

Usability Excellent
Capability Good
Performance Good
Interoperability Fair
Manageability Excellent
Scalability Good
Security Good

Noticeable—but not remarkable—manageability, directory, security and performance improvements are ahead for Windows 2000 Server customers who move to Windows Server 2003. Base pricing starts at $999, plus client access licenses. IIS customers, in particular, will want to investigate the much-improved IIS Web server in this release (Version 6.0). Staying on Windows 2000 Server, however, will be a very reasonable option for many—especially since Windows Server 2003's .Net Framework 1.1 libraries and Web service features are easily installed on Windows 2000. Organizations that didn't find Windows 2000 Server compelling in the first place will likely feel the same about the quite-similar Windows Server 2003. For more information, go to www.microsoft.com/windowsserver2003/default.mspx.

(+) Significantly more secure defaults and permissions on new installations; redesigned IIS offers simpler security configuration, stronger security and faster performance; adds Active Directory cross-forest trusts and domain renames; built-in .Net Framework 1.1 and a UDDI server; Shadow Copies feature allows users to restore their own files from backups.

(-) Many security benefits apply only when the package is installed on a new server, not for upgraded servers; costly compared with free technology alternatives; very little Microsoft support for programmers using languages other than .Net; Shadow Copies feature requires a client-side extension.

EVALUATION SHORT LIST

  • Linux 2.4-based distributions
  • Novell Inc.'s NetWare
  • Sun's Solaris
  • Microsoft Windows 2000 Server
