Windows Tip Sheet
The Defensive Network
A new feature in the upcoming Longhorn Server will allow admins to quarantine computers with inadequate security.
Keeping on the "preparing for Longhorn Server" theme from last month
("Ready for Longhorn"), I want to suggest another way in which you
can begin preparing now for the eventual release of Windows Server 2007
or whatever it winds up being called.
One of the cool new features of Longhorn is Network Access Protection. Essentially,
network computers will run a "Health Agent" (which Microsoft will
be providing for WinXP as well as Vista), which is responsible for inventorying
some basic parts of a client computer -- antivirus software status, patch levels
and so forth. In today's world, that information would be analyzed for
incoming remote access connections to determine how much of the network, if
any, the connection would be able to access. For example, a client with out-of-date
antivirus software might only have access to the virus definitions server, allowing
them to update their computer, but not be able to access anything else.
Longhorn will extend that capability to include all network access,
including wired and wireless computers on the corporate network. If someone
shows up with their laptop after a month of traveling, it's possible they'll
be way behind on patches and virus definitions -- making them a potential threat
to the network. Longhorn will be able to quarantine them, providing access
only to a virtual network containing update services. Once they're updated and
a virus scan shows they're clean, Longhorn could let them on the rest of the
This sort of capability requires some significant planning, a lot of which
you can do now. Start by thinking about the criteria you'd apply to client
computers: Antivirus software? Patch levels? Latest versions of particular applications?
That kind of thing. Start rearranging your network so that critical update services
are located on a dedicated network segment or virtual LAN so that quarantined
users can simply be given access to that portion of your network in order to
obtain the updates they need. Keep in mind that the update servers will be exposed
to less-than-healthy client computers, so they'll need extra protections:
Local firewalls and antivirus software, for example, can help protect them better.
Move any unrelated services to other servers, so that the "update services"
machines are dedicated to that task; that way you won't be exposing any
sensitive services to potentially unhealthy clients.
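An added example, not from the original column and not Microsoft's Health Agent or policy format: it evaluates constructed client health reports against assumed criteria, returning only the update servers a quarantined client needs, and flags unrelated services still hosted on the update machines. The thresholds, host names and service names are hypothetical.

```python
from collections import namedtuple
from datetime import date

# Planning thresholds (assumptions; choose your own criteria).
MAX_AV_DEFINITION_AGE_DAYS = 7
MAX_MISSING_PATCHES = 0
# Hypothetical remediation-segment servers, keyed by what they fix.
REMEDIATION_SERVERS = {"av-definitions": "avdefs01", "patches": "patch01"}
# Services a dedicated update server is expected to run (assumed names).
ALLOWED_SERVICES = {"av-definitions", "patches"}

# Constructed stand-in for what a client health agent reports.
HealthStatement = namedtuple(
    "HealthStatement", "host av_definitions_date missing_patches")

def evaluate(stmt, today):
    """Return ('full', []) or ('quarantine', [servers the client may reach])."""
    needed = []
    if (today - stmt.av_definitions_date).days > MAX_AV_DEFINITION_AGE_DAYS:
        needed.append("av-definitions")
    if stmt.missing_patches > MAX_MISSING_PATCHES:
        needed.append("patches")
    if not needed:
        return "full", []
    # Quarantined clients get only the servers that fix their findings.
    return "quarantine", [REMEDIATION_SERVERS[n] for n in needed]

def audit_segment(services_by_server):
    """Map each remediation server to the unrelated services it still hosts."""
    findings = {}
    for server, services in services_by_server.items():
        extra = sorted(set(services) - ALLOWED_SERVICES)
        if extra:
            findings[server] = extra
    return findings

if __name__ == "__main__":
    today = date(2006, 6, 1)  # constructed date
    clients = [  # constructed inventory
        HealthStatement("desk-014", date(2006, 5, 30), 0),
        HealthStatement("laptop-207", date(2006, 4, 28), 12),
    ]
    for c in clients:
        print(c.host, *evaluate(c, today))
    print(audit_segment({"patch01": ["patches", "file-share"]}))
```

Running the evaluation over a real inventory before deployment shows how many clients would land in quarantine and which update servers the quarantine segment must carry.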
Getting prepared in this fashion will make your existing environment just a
bit more secure, but it'll prepare you for a much more secure experience once
Longhorn ships. And by preparing and planning now, you'll be able to
take advantage of it once Longhorn is available.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.