Vista for Network Admins: What's In It for You?
The hobbyist press is atwitter over the eyecandy, but for network pros there's more to Vista than meets the eye. And more to look out for than you might think.
Like it or not, Microsoft Vista is coming. Eventually. As a network administrator there's certainly no compelling reason to rush to implement it in your organization until the early adopters – and that generally means home users – have had a chance to discover the hard way the most obvious security flaws that the new software is bound to have. The new OS may have been designed from the ground up with security in mind, but the fact is that no-one knows what vulnerabilities are waiting to be discovered. The only safe operating system is a patched, tried and tested one – not a shiny new one.
Sooner or later, though, you'll be managing a network of Vista clients – if only because support for Windows 2000 and XP will eventually come to an end – just as it has for Windows 98 and ME. So what is there to look forward to in Vista, from a network administrator's perspective?
One attraction of Vista for anyone running a high-bandwidth network is raw throughput, thanks to what Microsoft calls the Next Generation TCP/IP stack. The new stack supports TCP Receive Window auto-tuning, which continuously measures the bandwidth and round-trip time of each connection and resizes the receive buffer to match, instead of using the fixed-size window of earlier stacks. The gain is largest on high-bandwidth, high-latency paths, where a large receive window is needed to keep the pipe full; on a congested link it buys little. On those same paths Compound TCP (CTCP), also part of the new stack, grows the send window more aggressively than standard TCP, so more data is in flight at once. Together, according to Microsoft, the two can produce substantial performance gains: the company quotes internal test figures suggesting large file backup times can be cut by almost half over a 1 Gbps connection with a 50 ms round trip time.
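The two stack features above can be inspected and switched with the netsh commands Vista ships. The following is an added example, not from the article or from Microsoft; it uses only the Vista netsh syntax and is meant to be run from an elevated prompt (the same commands work from cmd.exe).

```powershell
# Added example, not from the article: inspect and set receive window
# auto-tuning and CTCP with the netsh commands that ship with Vista.
# Run from an elevated prompt.

# Current global TCP settings. The two lines of interest are
#   Receive Window Auto-Tuning Level    : normal|restricted|highlyrestricted|disabled
#   Add-On Congestion Control Provider  : none|ctcp
netsh interface tcp show global

# Auto-tuning is on by default on Vista. CTCP is off by default on the client
# (on by default on Longhorn Server), so enable it where the links justify it.
netsh interface tcp set global autotuninglevel=normal
netsh interface tcp set global congestionprovider=ctcp

# Caveat: some older firewalls and NAT routers mishandle the TCP window scaling
# that auto-tuning relies on and stall connections. If that happens, cap the
# window rather than disabling auto-tuning outright:
#   netsh interface tcp set global autotuninglevel=restricted

# Verify the change took effect before blaming the network for anything else.
netsh interface tcp show global | Select-String "Auto-Tuning", "Congestion"
```

Keep the verification step: a stalled file copy after the change is far more likely to be a middlebox dropping scaled windows than a stack bug, and `restricted` is the quick way to tell the two apart.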
The new TCP/IP stack also incorporates what Microsoft calls the Windows Filtering Platform, which provides properly documented access to the TCP/IP packet processing path. This will open the way for third party vendors to design new types of firewall and anti-virus products, including firewalls with dynamic configuration using application-based policies.
A word of caution, though: the TCP/IP stack in Vista appears to be completely fresh code. As far as security is concerned this is very bad news indeed. The beta releases of Vista have revealed that the stack is still buggy, with some researchers saying security bugs fixed years ago in previous Microsoft stacks have reappeared in Vista. Most of these bugs should be fixed before the code goes gold, but it's inevitable that many will not.
Talking of policies, Vista incorporates policy-based Quality of Service for domain-wide management of bandwidth on a Longhorn network. Administrators use Group Policy to prioritize or throttle outbound traffic: Vista can mark outgoing packets with a DSCP value so that routers prioritize them, or cap the rate at which an application's outbound traffic is sent. Policies can be targeted by the users or computers a GPO applies to, by the application generating the traffic, by source or destination IP address, or by TCP or UDP port number.
Although any new OS brings security headaches, Vista does have some interesting network security features built in, such as the client side of Network Access Protection, whose server side is part of the Longhorn Windows Server product. NAP lets administrators specify which health requirements, such as current anti-virus signatures and security patches, a client must satisfy before it can access a Longhorn network. A client that does not meet the policy is connected to a restricted part of the network, where the missing patches or signatures can be downloaded and applied, and only then admitted to the network in the normal way. Bear in mind that NAP is a health check rather than a security boundary: it keeps honest but out-of-date machines off the network, while a machine under an attacker's control can simply report whatever health state it likes.
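The client-side preparation a Vista machine needs before a NAP-enforcing network will evaluate it, as an added example that is not from the article or from Microsoft. The health policies, the restricted network and the remediation servers are configured on the server side and are not shown; the commands use Vista's netsh nap and sc syntax and need an elevated prompt.

```powershell
# Added example, not from the article: enable the NAP client on Vista.
# Run from an elevated prompt. Server-side NAP configuration is not shown.

# The NAP Agent service collects the client's health statement. It is set to
# manual start by default, so make it automatic and start it.
# (sc.exe, not sc: inside PowerShell "sc" is an alias for Set-Content.)
sc.exe config napagent start= auto
sc.exe start napagent

# Turn on the enforcement client that matches how the network enforces NAP.
# The IDs are the ones Vista assigns: 79617 DHCP, 79618 remote access (VPN),
# 79619 IPsec, 79621 TS Gateway, 79623 EAP (802.1X).
netsh nap client set enforcement id=79617 admin=enable

# Caveat: DHCP enforcement is the quickest to roll out but the weakest, because
# a client with a static address never asks for a lease and is never evaluated.
# Prefer IPsec or 802.1X enforcement where the infrastructure supports them:
#   netsh nap client set enforcement id=79619 admin=enable
#   netsh nap client set enforcement id=79623 admin=enable

# Verify: agent running, which enforcement clients are enabled, and (once the
# machine is on a NAP network) whether it is compliant or restricted.
netsh nap client show state
netsh nap client show configuration
```

The `show state` output is the first thing to look at when a client is unexpectedly parked on the restricted network: it tells you whether the agent is even running and which system health agents reported non-compliance.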
Security has also become easier to manage with the new Windows Firewall, which is now network-aware: Vista classifies each connection as a domain, private or public network, and each category has its own profile with its own firewall policy. So you can allow incoming traffic to a particular application while the computer is on the domain network, permit file and print sharing and peer-to-peer discovery on a private network, and apply much stricter rules when the computer is on a public network. This is particularly useful for laptop users who connect to a variety of networks of varying trustworthiness while travelling, but who need full use of their computers inside the corporate environment. A network-aware firewall should reduce the temptation for users to switch the firewall off when they cannot reach the data they need on the corporate network, and then to leave it off in far riskier environments. One caveat: the domain profile applies only when Vista can actually reach a domain controller, and on any other new network the user is asked which location to assign, a choice that the Network List Manager settings in Group Policy can take out of their hands.
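One per-profile policy of the kind described above, expressed with the netsh advfirewall context that ships with the Vista firewall. This is an added example, not from the article or from Microsoft; the rule names, the agent path and the 10.0.0.0/8 corporate address range are illustrative, and the same settings can be pushed through Group Policy rather than typed on each machine. Run from an elevated prompt.

```powershell
# Added example, not from the article: different firewall policy per network
# profile on Vista. Rule names, the agent path and the 10.0.0.0/8 range are
# illustrative. Run from an elevated prompt.

# Firewall on for all three profiles; inbound blocked by default, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Domain profile: inbound to a (hypothetical) management agent, and only from
# corporate address space, so a rogue host on the domain network cannot reach it.
netsh advfirewall firewall add rule name="Corp Agent (domain)" dir=in action=allow program="C:\Program Files\Contoso\agent.exe" profile=domain remoteip=10.0.0.0/8

# Domain and private profiles: file and printer sharing (SMB and NetBIOS).
# No matching rule exists for the public profile, so there the default block applies.
netsh advfirewall firewall add rule name="File sharing TCP (domain,private)" dir=in action=allow protocol=TCP localport=139,445 profile=domain,private
netsh advfirewall firewall add rule name="File sharing UDP (domain,private)" dir=in action=allow protocol=UDP localport=137,138 profile=domain,private

# Public profile: no "allow this program?" prompts for the user to click through,
# and dropped packets logged so a travelling laptop keeps evidence of probing.
netsh advfirewall set publicprofile settings inboundusernotification disable
netsh advfirewall set publicprofile logging droppedconnections enable
netsh advfirewall set publicprofile logging maxfilesize 4096

# Verify: which profile is active on the current network, the policy per profile,
# and that the agent rule really is scoped to the domain profile only.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Corp Agent (domain)"
```

The `show currentprofile` check matters more than it looks: if a laptop on the corporate LAN reports the private or public profile, the domain-only rules are silently inactive, and the usual cause is that the machine could not reach a domain controller when the network came up.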
Another interesting security feature is Internet Explorer 7 Protected Mode, which is available in every edition of Vista (it depends on User Account Control rather than on the edition) but not on XP, where IE7 lacks the integrity-level mechanism it relies on. Internet Explorer has long been a source of vulnerabilities, and Protected Mode addresses part of the problem by running the browser with fewer rights than the logged-on user: the process can write only to the Temporary Internet Files folder, a low-integrity temp directory and a low-integrity area of the user's registry hive, so it cannot silently install programs or modify sensitive system data. That makes a user's computer less vulnerable in theory, since a browser exploit now needs a second, privilege-escalation bug to do lasting damage; it remains to be seen whether attackers will find enough of those to keep browsing as hazardous as it is now.
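Because Protected Mode is a per-zone setting that Group Policy can override and that silently stops working when UAC is off, it is worth a scripted check rather than a glance at the status bar. The following is an added example, not from the article or from Microsoft: it reads the Windows registry locations where IE7 stores the setting (DWORD value `2500` under each zone key, 0 = on, 3 = off), honours the policy-over-preference precedence, and reports the effective state. The function name is ours; it needs PowerShell on the Vista machine being checked.

```powershell
# Added example, not from the article: report whether IE7 Protected Mode is in
# force for each of the four security zones on a Vista machine.
# Registry paths and the "2500" value are Windows' own; the function name is ours.

function Get-IEProtectedMode {
    $names    = @{ 1 = "Local intranet"; 2 = "Trusted sites"; 3 = "Internet"; 4 = "Restricted sites" }
    # IE7's defaults when the value is absent: on for Internet and Restricted sites,
    # off for Local intranet and Trusted sites.
    $defaults = @{ 1 = $false; 2 = $false; 3 = $true; 4 = $true }
    # Precedence: machine policy, then user policy, then the user's own preference.
    $roots = @(
        "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones",
        "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    )
    $labels = @("machine policy", "user policy", "user preference")

    # Protected Mode needs integrity levels, which UAC provides; EnableLUA=1 means UAC is on.
    $system = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $uacOn  = ($system.EnableLUA -eq 1)

    foreach ($id in 1..4) {
        $value  = $null
        $source = "IE default"
        for ($i = 0; $i -lt $roots.Count -and $value -eq $null; $i++) {
            # Missing key or missing value both come back as $null with the error suppressed.
            $item = Get-ItemProperty -Path (Join-Path $roots[$i] $id) -Name "2500" -ErrorAction SilentlyContinue
            if ($item -ne $null) { $value = $item."2500"; $source = $labels[$i] }
        }
        if ($value -eq $null) { $on = $defaults[$id] } else { $on = ($value -eq 0) }
        if (-not $uacOn) { $on = $false; $source += ", UAC off so Protected Mode is inactive" }
        "{0,-16} Protected Mode: {1,-5} [{2}]" -f $names[$id], $on, $source
    }
}

Get-IEProtectedMode
```

The UAC line is the one that catches people: an administrator who disables UAC "to stop the prompts" also disables Protected Mode for every zone, and IE's own user interface does not make that obvious.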
Telecommuters typically use a VPN to reach the corporate network from home, and a home machine that is connected to both its home LAN and the corporate VPN at once can, in some configurations, forward traffic from one into the other, giving an attacker on the home network a route into the corporate one. Vista aims to prevent this with multiple IP routing compartments: each set of network adapters and each logon session gets its own routing table, and the compartments are kept isolated from one another.
Wireless networks have long been a security headache for administrators managing a fleet of laptops, but Vista adds Group Policy settings (under Wireless Network (IEEE 802.11) Policies) so that wireless client behaviour can be configured en masse. For example, you can specify that wireless laptops may connect only to secured networks, or only to specific wireless networks, and block ad hoc networks altogether. Because the settings are applied through Group Policy, the end user can be prevented from changing them.
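The local netsh wlan equivalent of that wireless policy, useful for trying the restrictions on one laptop before committing them to Group Policy (which, unlike these commands, the user cannot undo). This is an added example, not from the article or from Microsoft; the SSID, the profile file path and the folder names are illustrative, and the commands use Vista's netsh wlan syntax from an elevated prompt.

```powershell
# Added example, not from the article: restrict a Vista laptop to one corporate
# wireless network using netsh wlan. SSID and paths are illustrative. Run elevated.

# Install a WPA2-Enterprise profile, exported earlier from a known-good machine with
#   netsh wlan export profile name="CorpNet" folder=C:\profiles
# for all users of this laptop rather than just the current one.
netsh wlan add profile filename="C:\profiles\CorpNet.xml" user=all

# Allow only the corporate SSID ...
netsh wlan add filter permission=allow ssid="CorpNet" networktype=infrastructure
# ... deny every other infrastructure network, and all ad hoc networks.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc
# Hide the denied networks from the "View Available Networks" list so users
# are not tempted to ask for them to be unblocked.
netsh wlan set blockednetworks display=hide

# Verify: the filters, the profile's authentication (expect WPA2-Enterprise with
# AES), and that no leftover open or WEP profiles are still installed.
netsh wlan show filters
netsh wlan show profiles
netsh wlan show profile name="CorpNet"
```

The `show profiles` check is the one most often skipped: a laptop that has ever joined a hotel or airport network still carries that profile, and the allow/deny filters, not the profile list, are what stop it reconnecting automatically.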
Four other features are available only in the Vista Enterprise edition, which itself is available only to companies on Microsoft's Software Assurance licensing program (the Ultimate edition includes them too, but it is not volume licensed). The most desirable of these for large corporations, according to analyst Gartner Group, is the Multilingual User Interface (MUI) language pack, which lets multinational companies build a single image containing every UI language. Without it, a separate Windows image is needed for each language, which increases deployment complexity and cost.
The other three are BitLocker Drive Encryption, which encrypts the entire Windows volume and, where the machine has a Trusted Platform Module, seals the key to it, so that data is protected if the computer is lost or stolen (it protects data at rest only: a laptop taken while running with the volume unlocked gets no benefit); Virtual PC Express, which runs another version of Windows in a virtual machine; and the Subsystem for UNIX-based Applications, which lets users run UNIX applications. Some of these capabilities, such as disk encryption, can be bought from third-party vendors, but the MUI language pack functionality cannot.
If Vista does ship in early 2007 then it's unlikely that you are going to want to begin deploying it until mid-2008 at the earliest. But if you haven't begun experimenting with the beta versions that Microsoft has made available, then it's probably wise to start familiarizing yourself with the new features as soon as possible. Next year is one of preparation. The one after that could be very busy indeed.