Acronyms Legend

Terminal Services Network Access Protection Internet Information Services 7.0

API Product Scenario: Centralized Application Access Product Scenario: Security and Policy Enforcement Product Scenario: Web & Applications Platform
Application Programming Terminal Services provides access to Windows-based programs from a variety of devices. Terminal Services is Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology. A secure, easy-to-manage server platform for developing and reliably hosting Web applications.
Interface enhanced with Terminal Services RemoteApp, Terminal Services Web Access, and Terminal Services Gateway. NAP defines the required configuration and update conditions for a client computer’s operating system and Information Important
CAPs critical software.
Connection Authorization Policies
DHCP Information
Dynamic Host Configuration Bullet User
Protocol Terminal Services Gateway Monitoring Terminal Services Gateway Service
DNS Terminal Services Gateway Policies
Inspect
NAP Capable Client Administration and Diagnostics
Domain Name Service Use Terminal Services Gateway Management to Computer
Failed Request Tracing
Security
view information about active connections from Connection Authorization Policies (CAPs) Detailed Custom Errors
FVEK clients to remote computers on the network CAPs specify user groups that can access TS on NAP Integration Remediate Enforce
Visiting System Health SHA - Declares health (patch state,
Each NAP EC is defined for What went wrong & why
Define rules to capture runtime Reduced surface area - Minimum install by default
the network through TS Gateway server. laptops Agents (SHA) system configuration, etc.)
How to fix it
data only on failures Specify tracing by: User Service

H)
a different type of network
Full Volume Encryption Key through TS Gateway. NAP can be run on the same machine as TS Gateway, or TS Delegated Web site configuration Groups Account

( So
NAP agent - Collects and manages access or communication. Status Code
Resource Access Policies (RAPs) Gateway can be configured to use an existing NAP NAP Agent
HTTP Time Taken for site owners and developers IIS_IUSRS

lt h
Home PCs health information For example, there is a NAP
Resource groups grant users access to multiple infrastructure running elsewhere. NAP

ea

o)
SSL certificates required for TS Gateway and each TS EC for DHCP configuration. Event Verbosity Built-in Group

s/N
Hypertext Transfer Protocol

fH
terminal servers. NAP can control access to a TS Gateway based on a client’s NAP Enforcement NAP EC - Passes the health status to a
server to ensure RDP protocol will be encapsulated in Capable Built-in user and group accounts

to
security update, antivirus, and firewall status.

( Ye
Client (NAP EC) NAP server that is providing the network
IIS Clients

en
IIS Manager and Delegation
HTTPS packets access dedicated to the Web server IUSR

se
tem
Control feature delegation

on
Internet Information Services Terminal Services Runtime State and Control Built-in User Client(s) User Token

Sta

e sp
Manage IIS manager users
Gateway Internal
Roaming
1 Client requests access to network and Manage site & application View real-time server state across: Enhanced Application Pool Isolation

HR
LOB Applications Home Firewall
SoH Response laptops presents current health state administrators Sites & Application Pools

So
1 2 Validate user access YES – Issue Health Certificate,
Application Domains
Line of Business Applications Enable Network Access
NAP Servers Remote Administration Worker Processes Built-in IIS7 request filtering
MMC Mobile
RDP over RPC/HTTPS AD / NAP NO – Remediation Instructions,
Limit Network Access
over HTTP Executing Requests Extensibility Filter requests on the fly based on
Network
Microsoft Management Console Business Policy Server
IPSEC VPN DHCP
SHVs and policy servers can Management Tools Extensible Powerful User Interface Extensibility verb, file extension, size, namespace, Active Directory Firewall
External RD P NAP ES NAP ES NAP ES sequences, and many more
be matched. For example, an Graphical – IIS Manager UI Forest
NAP T e r m p as s e
Extensible, modular architecture – add,
11 12 1

Firewall
10 2

antivirus SHV can be matched

9 3

3 Command Line – appcmd

8 4

i nal d t o remove or replace any built-in module

7 6 5

Network Access Protection RPC/HTTPS removed S e rv A NAP Enforcement Server (NAP ES): HRA – Health Registration VPN 802.1X
to an antivirus signature
policy server.
Script - WMI
Branch er DHCP Managed Code - Microsoft.Web.Administration Schema-based extensibility for configuration
NAT 4 Allows some level of network access Authority Server Server and dynamic data
Network Address Translation
Office Internet DMZ Passes NAP client health status to NPS
Modular
Provides enforcement of network access limitation 2 NAP Servers relay health status to Network Architecture IIS7 configuration system based on distributed XML files that Internet Management
IIS 7.0 and ASP.NET components work seamlessly together as Extensible
NPS DC NAP ECs and NAP ESs are typically matched.
Policy Server (RADIUS) part of the brand new IIS 7.0 Integrated Pipeline Schema
hold the configuration settings for the entire Web server Console
Internet users can access TS RemoteApp NPS Server platform (e.g. IIS, ASP.NET)
Network Policy Server and TS Web Access via TS Gateway
Enable RemoteApp on Terminal
Services: Shared Configuration
Web Server System Health
RAPs Create Allow List (make (with TS Web Access) A Client SHA is matched to a System Health Validator (SHV) Certify declarations made by health agents
Configuration files can be stored on a back-end file server and
applications available to users) Terminal Server Requires IIS 7.0 Validator (SHV) on the server side of the NAP HttpCacheModule referenced from multiple front-end Web servers
Resource Access Policies Specify if application available Role service platform architecture NPS
TS Easy Print redirects all printing-related NAP Administration Restore
RDP work to the user’s local machine – no
via TS Web Access
Intranet
The corresponding SHV can return a Statement of
Health Response to the client, informing it of
3 IsapiFilterModule HttpLoggingModule IIS
7 ApplicationHost.config
server print drivers required. Policy Servers Backup Backup
Remote Desktop Protocol Server sends XPS file to client for printing.
what to do if the SHA is not in the required state
Policies that define
client computer health
Network Policy Server (NPS) validates Provide current system health
ProfileModule StaticFileModule IpRestrictionModule
IIS
7
UN
C Web.config
Wizards Server
SHA
PnP
redirection
of health against IT-defined health policy using Policy state for NPS ProtocolSupport
CustomErrorModule
RequestFiltering
OutputCacheModule Application Files
7
Servers if required Module Module IIS
System Health Agent 5
Same TS Session, multiple NAP client with full
SHV Terminal Services RemoteApp X Resizable RemoteApp programs possible network access 4 If not policy compliant, network access is restricted and client SessionStateModule
Windows If policy compliant, client CgiModule IIS7 enables configuration to be stored in a web.config file in the same directory
System Health Validator RemoteApp programs are accessed remotely through Terminal
Services and appear as if they are running on a user’s local computer.
Y allowed to update with patches, configurations, signatures, etc. Then as the site or application content, which can easily be copied from machine to
Terminal Services Web Access is granted full access to repeat steps 1 – 4 machine Domain Web Server
SoH Supports redirection of local drives and Plug and Play (PnP) devices Remote Desktop
IE Browser
corporate network
Client SHAs and remediation
servers can be matched. For Extensible, modular architecture (40+ Components)
Connection (RDC TS Web Access is a role service in the Terminal Services Xcopy Xcopy Controller
Statement of Health Single sign-on (SSO) can be configured for domain users 6.0) client installed role that allows users to launch remote desktops and Remediation Servers example, an antivirus SHA on the Enhanced ASP.NET integration
TPM Link to RemoteApp program: RDP 6.0 applications through a Web browser. Secure Corporate Install necessary patches, configurations, and client is matched to an antivirus Minimized surface area and patching Site/Application
signature remediation server.
A shortcut on the user’s desktop (includes new Network applications to ensure clients are healthy Improved performance and reliability with new FastCGI module Owner Test Server Production Server
Trusted Platform Module An application on the user’s Start menu
ActiveX) Less administrative overhead to deploy and 10
9
11 12 1
2
3

IIS 7.0 Architecture – Modular Web Server

8 4

Configuration and Deployment

7 6 5

Windows Vista maintain applications

Network Access Limitation Enforcement Methods
TS RemoteApp programs use RDP files: Windows XP SP2 TS Web Access Web page includes a customizable
NAP Client with
limited access IPsec - No health certificate issued to NAP client DHCP Server File Server
Web Part
Terminal Services Install RDP file manually or with MSI
List of programs in Web Part can be customized
802.1X - Limited access policy at the 802.1X access point
MSI installation package can be VPN - IP packet filters applied to the VPN connection Grab Samples from the Get Answers in the
VHD distributed via a Group Policy
Restricted Network
DHCP - Configuration of the IP routing table of the DHCP client via Visit www.IIS.net IIS Team Blogs
DownloadCENTER TechCENTER & Forums
DHCP Options
Virtual Hard Disk
VM BitLocker Federation
Virtual Machine Server
VMK
Volume Master Key
VMM
Virtual Machine Manager
Virtualization Server Manager and Server Backup Server Core & BitLocker Monitoring Server
Product Scenario: Server Virtualization Product Scenario: Server Management Product Scenario: Branch Office Core
VSC
Windows Server 2008 includes Windows Server Virtualization. Windows Server Virtualization is a 64-bit Server Manager provides server configuration and commands for managing roles and features. Server Backup Server Core installation option provides a minimal environment for running specific server roles, reducing
Virtualization Service Consumer feature provides backup and recovery solutions. servicing, management requirements, and the attack surface for those server roles. Windows BitLocker Drive
hypervisor-based virtualization technology that facilitates agility and integrated management of both physical
VSP and virtual components. Encryption protects data by encrypting the entire Windows volume.
Virtualization Service Provider Server Terminal
VSS Manager Services
Volume Shadow Copy Service Server Backup Server Core
WAS Microsoft Managing Server Core
Windows Activation Service System Center Backup/Restore CMD for local command execution Server Core Roles:
WinPE Virtual Machine Manager Microsoft Full Server Perform Manual or Each backup is a full backup, Terminal Server using CMD DHCP, File, Print, AD, AD LDS, Media Terminal TS
Selected Volumes 3
Windows Pre-execution Built on Windows Powershell System Center Application Databases Automatic Backups but takes only the time and space Windows Remote Shell Services, DNS, and Windows Virtualization Services Web Access
of an incremental backup
Manages Virtual Server 2005 R2 and Operations Manager Select application or WMI Gateway
Environment (Windows SharePoint Services) Services
Windows Server 2008 Files/Folders to restore SNMP Manage
to target Server can run a dedicated role or multiple roles
WinRE Monitor Physical
Enables Bare Metal Recovery Production
Copy-on-write Task Scheduler for scheduling jobs/tasks
Physical to Virtual Server Event Logging and Event Forwarding
Windows Recovery Environment Manage Virtualized Server Conversion and Virtual Machines “snapshots” of the disk Optional Features:
Datacenter 4 Restored to target RPC and DCOM for remote MMC support WINS & Failover Clustering
WMI destination Group Policy to centralize configuration Backup & Removable Storage
Windows Management Bare Metal Recovery VSS Snapshot
1 2 Configuring and Deploying Server Core Management & MultiPath IO
1
Instrumentation Parent VM Child VM Boot to WinRE VHD is automatically Netdom.exe - join the machine to a domain BitLocker Drive Encryption
Child VM Child VM (WinPE) mounted for restore Netsh – configure TCP/IP settings SNMP & Telnet Client
WWW WINPE Backup uses Volume Shadow
Copy Service (VSS) technology 1 SCRegEdit.wsf script – configure Windows Update Windows Subsystems Quality Windows Audio/Video
World Wide Web Each VM Supports:
External hard
and enable Remote Desktop Security, TCP/IP, File Experience (qWave) Framework
User Mode

VM Worker drive, DVDs, or Use Files/Folders and

XML Processes More than 32GB
2 network share 2 Backup data to
Backup Storage Application Restore Slmgr.vbs – Product Activation Systems, RPC
CMD
memory target disk
eXtensible Markup Language Applications Applications Applications Locate volumes Wizards to locate data to Dcpromo – use unattend installation file (x86 and x64) Server Core Functionality Includes:
WMI Target Backup Disk restore Ocsetup – add roles/features IPSec
VM Service to restore Block Level Copy File/Folder GUI, CLR, Command Line interface, no GUI Shell,
Provider Oclist – list server roles/features
Shell, IE,
Media, OE,
Etc. no Windows Powershell Windows File Protection
Partitions Support: Application Restore Windows Firewall
Windows Server 2008 x64 Windows Server 2003, Xen-Enabled Non-Hypervisor- VLANs VHD Server Core installation installs only the subset of the binaries required by server roles.
Full Server Recovery VHD Event Log
Kernel Mode

Server (Can be Server Core) Windows Server 2008 x86, Linux Kernel Aware Operating Quarantine 3 Changes Volume Restore Server Core installation requires a clean install.
Windows Server 2008 x64 System NAT Reformat and (Block Level Copy) Performance Monitor counters
Linux Windows Recovery
VSC repartition disks Environment
VSP VSC Hypercall Windows BitLocker Drive Encryption
Hardware
Adapter Scheduled (automatic) backups are not Backup can be saved to single or multiple
Drivers 4
supported for network shares DVDs, local disk, or network shares
Reboot server to
Cleartext BitLocker Disk Configuration
Data
VMBUS

Two partitions are required for BitLocker because pre-startup

VMBUS

Emulation

Server Backup does not support tape

VMBUS

complete restore Accessing a BitLocker-enabled BitLocker Operational Overview authentication and system integrity verification must happen
Windows BitLocker Drive Encryption is a data protection feature outside of the encrypted operating system volume.
Bare Metal Recovery is not supported volume with TPM protection that provides enhanced protection against data theft or exposure
for restoring to different hardware System Partition (green, unencrypted, small, active)
1-Factor TPM-Only Protection Scenario on computers that are lost or stolen.

Data
Windows Operating System Volume (encrypted, blue)
Windows Hypervisor Server Manager Full Volume
Available
Authenticators
Encrypted Drive
BIOS must support reading USB devices in pre-OS environment
AMD-V or Encryption Key
Intel VT Decrypt data
FVEK (FVEK)
USB BitLocker Recovery Password Storage
Virtual Hard Disks TPM Appropriate recovery password storage is vital since the recovery
Ethernet “Designed for Windows” Server Hardware (VHD) Server Manager Functionality using FVEK
TPM + Pin password is needed if BitLocker locks the drive to prevent
Disk Configuring Roles & Features
AMD-V or Intel VT Processor with Data Execution Prevention enabled Install and configure roles and features using TPM + USB tampering.

Encrypted disk sectors

Trusted Protection Domain-Joined Machines
UI or command line TPM + USB + PIN
Server Roles Module (TPM) Use an existing AD DS infrastructure to remotely

VMK
USB (without TPM) used for recovery purposes (or non-TPM
Server role describes primary function View status and events for installed roles store BitLocker recovery passwords
Windows Hypervisor of server – e.g. File Services
computers)
Non-Domain-Joined Machines
Thin layer of software running on the hardware Identify missing/broken configuration for BitLocker assists in mitigating unauthorized data access
Partitions Server Features TPM unseals Store recovery password on physically secured USB drive
Supports creation/deletion of partitions Add/Remove installed roles VMK on lost or stolen computers by: Store recovery password printout in secured location
Each partition is a virtual machine Features provide supporting functions
Uses
Enforces memory access rules to servers – e.g. Failover Clustering Roles/Features Manage and configure roles installed on the Encrypting the entire operating system volume on the Burn recovery password to CD and store in secured location
Each partition has one or more virtual processors Wizards TPM hard disk
Enforces policy for CPU usage server Key
Partitions share hardware resources Servers can support single or multiple roles Checking the integrity of early startup components and startup Migrating Encrypted Drives
Virtual processors are scheduled on real processors Perform Initial Configuration Tasks Sealed VMK configuration data
Software running in partition is called a guest
Enforces ownership of other devices Computer name, Domain membership Windows Server 2008 also supports BitLocker encryption of
Moving a protected OS volume to another TPM-enabled machine
requires using a recovery password from the keyboard or a USB
Roles and features installed by using Server Manager are secure by default. No need Administrator password data volumes. BitLocker encrypts data volumes the same way
flash drive. VMK must be resealed to the new TPM.
to run Security Configuration Wizard following role installation or removal. TPM that it encrypts the operating system volume.
Network connections, Windows Firewall Encrypted Volume

Windows Server 2008 Feature Components

This poster is based on a prerelease version of Windows Server 2008. All information herein is subject to change.
Authors: Martin McClean & Astrid McClean (Microsoft Australia)
© 2007 Microsoft Corporation. Microsoft, Active Directory, ActiveX, BitLocker, IntelliMirror, Internet Explorer, RemoteApp, SharePoint, Windows, Windows PowerShell, Windows Vista, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All rights reserved. Other trademarks or trade names mentioned herein are the property of their respective owners.