Windows Tip Sheet

The Defensive Network

A new feature in the upcoming Longhorn Server will allow admins to quarantine computers with inadequate security.

Keeping on the "preparing for Longhorn Server" theme from last month (see "Getting Ready for Longhorn"), I want to suggest another way in which you can begin preparing now for the eventual release of Windows Server 2007 or whatever it winds up being called.

One of the cool new features of Longhorn is network access protection. Essentially, network computers will run a "Health Agent" (which Microsoft will be providing for WinXP as well as Vista), which is responsible for inventorying some basic parts of a client computer -- antivirus software status, patch levels and so forth. In today's world, that information would be analyzed for incoming remote access connections to determine how much of the network, if any, the connection would be able to access. For example, a client with out-of-date antivirus software might have access only to the virus definitions server, allowing it to update itself, but not be able to access anything else.

Longhorn will extend that capability to include all network access, including wired and wireless computers on the corporate network. If someone shows up with their laptop after a month of traveling, it's possible they'll be way behind on patches and virus definitions -- making them a potential threat to the network. Longhorn will be able to quarantine them, providing access only to a virtual network containing update services. Once they're updated and a virus scan shows they're clean, Longhorn could let them on the rest of the network.

This sort of capability requires some significant planning, a lot of which you can do now. Start by thinking about the criteria you'd apply to client computers: Antivirus software? Patch levels? Latest versions of particular applications? That kind of thing. Start rearranging your network so that critical update services are located on a dedicated network segment or virtual LAN so that quarantined users can simply be given access to that portion of your network in order to obtain the updates they need. Keep in mind that the update servers will be exposed to less-than-healthy client computers, so they'll need extra protections: Local firewalls and antivirus software, for example, can help protect them better. Move any unrelated services to other servers, so that the "update services" machines are dedicated to that task; that way you won't be exposing any sensitive services to potentially unhealthy clients.
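To make the planning concrete, here is a sketch of the quarantine decision described above. It is an added example, not Microsoft's network access protection code or API; the thresholds, server addresses and the HealthReport fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Draft health criteria and the quarantine segment (all values constructed).
MAX_AV_DEFINITION_AGE_DAYS = 7
MAX_PATCH_AGE_DAYS = 35
REMEDIATION_SERVERS = {           # hosts on the dedicated update VLAN (hypothetical)
    "antivirus": "10.99.0.10",    # virus-definitions server
    "patches": "10.99.0.20",      # patch/update server
}

@dataclass
class HealthReport:
    """What a client health agent might inventory; None means 'not reported'."""
    av_definitions_date: Optional[date]
    last_patch_date: Optional[date]
    av_scan_clean: Optional[bool]

def failed_checks(report: Optional[HealthReport], today: date) -> List[str]:
    """Return the criteria the client fails. Missing data fails closed."""
    if report is None:            # no agent installed, or it did not answer
        return ["antivirus", "patches"]
    failed = []
    av = report.av_definitions_date
    if (av is None or (today - av).days > MAX_AV_DEFINITION_AGE_DAYS
            or not report.av_scan_clean):
        failed.append("antivirus")
    patched = report.last_patch_date
    if patched is None or (today - patched).days > MAX_PATCH_AGE_DAYS:
        failed.append("patches")
    return failed

def access_decision(report: Optional[HealthReport], today: date) -> dict:
    """Healthy clients get full access; others reach only the servers they need."""
    failed = failed_checks(report, today)
    if not failed:
        return {"state": "full", "failed": [], "allowed_hosts": None}
    return {"state": "quarantine", "failed": failed,
            "allowed_hosts": sorted(REMEDIATION_SERVERS[c] for c in failed)}

if __name__ == "__main__":
    today = date(2006, 6, 1)      # constructed evaluation date
    traveler = HealthReport(date(2006, 4, 28), date(2006, 4, 25), True)
    print(access_decision(traveler, today))   # laptop back from a month away
    print(access_decision(None, today))       # client with no health agent
```

Re-running the decision after the client has updated models the release from quarantine: the same function returns full access once every check passes.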

Getting prepared in this fashion will make your existing environment just a bit more secure, and it'll prepare you for a much more secure experience once Longhorn ships. By preparing and planning now, you'll be able to take advantage of network access protection as soon as Longhorn is available.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
