News

Getting Manageable

• By Greg Shields
• 01/01/2008

This is the fourth installment of a five-part series by contributing editor Greg Shields, which has been taking a hard look at Microsoft's upcoming Windows Server 2008 operating system, also commonly known as "Longhorn." The series has been evaluating the product's new technical features in order to weigh their usefulness to IT admins, as well as how it might affect a range of other core Microsoft server and desktop products. This month takes a look at the advantages of Longhorn's updated firewall technology. Click here to see last month's installment.

There's a lot to be excited about with the Windows Firewall with Advanced Security in Windows Server 2008. While much of the technology's core functionality is actually part of the Windows Vista release, Server 2008 adds some much-needed new features that improve its centralized management. Specifically, Server 2008's upgrades to Group Policy add new skins and more wizards that make the process of configuring host firewalls all around your network easier.

Not Exactly New
Let's take a look at what's not exactly new. Server 2008's firewall includes all of Vista's functionality for enhancing a system's security posture, but now it has the same for servers in the data center.

First up is the addition of outbound filtering to the types of traffic the firewall can manage. This additional capability allows for the management of traffic both in and out of the firewall. It's designed to help prevent the local computer from connecting to others over particular ports or protocols. If you're concerned about a particular application or service communicating with other computers, such as BitTorrent or peer-to-peer file-sharing apps, outbound filtering lets you specifically prevent that traffic from exiting your servers.

Another feature Server 2008 shares with Windows Vista is the addition of a third firewall profile. Windows XP provided only two firewall profiles: the Domain profile when connected to an Active Directory domain, and the Standard profile when not. Vista and Server 2008 rename one of the profiles, while adding a third one to the mix. The Domain profile stays the same, while the Standard profile is renamed to the Public profile.

The Private profile is new. This profile is intended to provide a configuration for situations that aren't within the protected domain and yet aren't fully unprotected, either. If you think of the Public profile as for unprotected "coffee shop" environments, think of the Private profile for semi-protected environments like in partner company networks or home networks.

Because most servers rarely move between network environments, these new profiles will likely be of limited use. However, their configuration is the same between Vista and Server 2008. So setting up the firewall for the desktops can also protect servers at the same time.

Great Group Policy
Where all of this truly shines is in Server 2008's new configuration screens for Group Policy. With earlier operating systems, the Group Policy configurations for configuring the Windows Firewall were difficult to understand and use. Configured as Administrative Templates, individual program and port exceptions were entered into the Group Policy Object by hand using a complicated syntax that could easily cause errors. Due to this steep learning curve, many admins elected to simply disable the firewall rather than learn its complexities.

Server 2008 streamlines the learning curve by moving the firewalls' Group Policy configuration out of Administrative Tasks and into Security Settings. There, under its own node, Firewall settings are configured through a convenient graphical interface. Each of the three profiles, as well as connection security rules and firewall rules, get their own wizard. When creating new inbound or outbound rules, the wizard also includes a set of predefined rules that quickly secure common needs like File and Printer Sharing or Remote Administration.

Special Configurations
Combining Windows Vista with Server 2008 also improves the configuration and management of server and domain isolation environments. These special configurations are designed to help protect the insides of a business network from infiltration by outside computers. They can also be used to add network rules that further protect data within highly sensitive computers from access by unauthorized personnel.

[This article is based on pre-release information, which may change prior to the full release -Ed.]