Longhorn heads in the right direction

18/08/2006 12:40:42

By now you've heard all about Vista's delays. Since 2003, we've watched as Vista was kicked, poked, and downsized, with promising stuff such as the revolutionary WinFS file system and Next Generation Secure Computing Base pushed back post-launch. Smaller items continue to fall, such as a PC-to-PC file synchronisation feature that Microsoft dropped in June. It's enough to make you wonder what all the fuss is about, especially when open source and SaaS (software as a service) are emerging as viable alternatives.

We recommend looking past the high-powered Vista UI and press hype -- not to mention the brouhaha surrounding Bill Gates' future plans -- to what enterprises really care about: end-point security; application development; and server, network and directory management. Using all available specs and beta code, our opinion-mongers have reached a startling conclusion: if the current feature sets promised by Longhorn server, the .Net 3.0 stack (formerly known as WinFX), the new Active Directory, and Vista anti-malware arrive intact, they will be nothing less than a boon for IT.

The important bases have been covered, and covered well. Longhorn and Vista may not attract new customers, given the closed-loop nature of Microsoft's increasingly interdependent technologies. The Microsoft base, however, will be stunned to find how closely Redmond has been listening to its needs.

Longhorn: more than hype

Microsoft has been managing our expectations of Longhorn like a barker for Barnum & Bailey. What it has lacked in loud music and snarling lions, it has made up for with lavish trade events, platform unveilings, and occasional 800lb gorilla technology.

At last month's Windows Hardware Engineering Conference, the company let loose a herd of Longhorn attractions, including support for upcoming quad-core CPUs from Intel and AMD and a five-star menu of internal features and tools, such as BitLocker drive encryption.

The updated release of Group Policy Manager is not only easier, it's also far more granular in what administrators can control. For example, GP (Group Policy) can now control responses for different severity levels of perceived attacks; it can manage the new Background Intelligent Transfer Service Neighbor Casting feature to basically enable peer-to-peer file sharing inside the safe environment of a domain; and it has far deeper hooks into controlling the end-user experience, even controlling whether users can install specific hardware on their laptops or desktops.

Add all that up, and Longhorn allows an administrator to serve up entirely new capabilities to users, while maintaining even more control of how those features are used. That's a very difficult tightrope to walk.

But wait, there's more! Microsoft also has completely redesigned its TCP/IP stack, now including integrated support for TCP/IPv6 and a rich layer of support APIs for more intelligent network packet management.

This redesign enabled a number of new Windows management capabilities. For one, remote server management and deployment has been significantly improved. Monitoring and patching off-site is backed by better security, improved automation, and updated diagnostics.

User management is made easier across remote sites, with updated support for roaming user profiles and even smaller things such as automatically deployed printer settings. Remote users can even make easier use of Terminal Services because that feature can now be accessed via a secure HTTP call.

Digging a little deeper into application management, Longhorn is the first Windows operating system to offer what amounts to Layer 7 QoS (quality of service) capabilities. This feature is still in its early stages, but Microsoft has taken the right tack, making sure that Longhorn's QoS profiles can filter down through third-party network infrastructure. Don't think application protection; think hi-def voice and video protection, because that's where this feature is really heading.

And we haven't yet waved our barker's hat at security. In the past, we'd have been pointing at the clown car, but Microsoft has gone to great and obvious lengths to transform a mini-Beetle full of rubber noses into the lion tamer with the flaming hoop. Redmond has cranked up Longhorn's security features at every turn, beginning with its initial deployment lockdown, moving through its design of core server roles and especially its user management.

Longhorn now uses a Unix-like user management scheme that can dictate permissions for a huge variety of user functions via the Group Policy Manager. This not only keeps users in check, it can block any number of Trojans and viruses.

Microsoft's NAP (Network Access Protection) feature is also working in Beta 2. Essentially, the GPM Server communicates with Longhorn's DHCP server. Whenever a new client logs on, GP dictates that a slew of information is conveyed from client to server concerning a number of system states about the client machines.

These are compared with policies set in the GP. If the client comes up wanting, it's quarantined. Only when the client's various system states (antivirus levels, system patches, etc.) have come into compliance, does Longhorn allow appropriate network access.
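The quarantine decision described above, as an added illustration (not Microsoft's NAP code): a policy evaluator that compares a client's reported health state against the administrator's thresholds and grants full network access only when every check passes, otherwise returning the list of remediation reasons. The health-state field names, the KB-EXAMPLE patch placeholders and the dates are constructed for the example.

```python
"""Model of a NAP-style health check: compare a client's statement of health
against policy and decide between full access and quarantine.

Added illustration, not Microsoft's implementation. The health-state fields,
patch placeholders and policy thresholds below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class HealthPolicy:
    """Minimum state a client must report before it leaves quarantine."""
    min_signature_date: date          # oldest acceptable antivirus signature set
    required_patches: frozenset       # patch identifiers every client must carry
    firewall_required: bool = True


@dataclass
class AccessDecision:
    full_access: bool
    failures: list = field(default_factory=list)   # remediation reasons, in check order


def evaluate_client(health: dict, policy: HealthPolicy) -> AccessDecision:
    """Return full access only if every policy check passes; otherwise list
    each failed check so the client (or its admin) knows what to fix.
    A missing field is treated as non-compliant, never as a pass."""
    failures = []
    if health.get("av_signature_date", date.min) < policy.min_signature_date:
        failures.append("antivirus signatures out of date")
    missing = policy.required_patches - set(health.get("patches", ()))
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if policy.firewall_required and not health.get("firewall_enabled", False):
        failures.append("host firewall disabled")
    return AccessDecision(full_access=not failures, failures=failures)


# Constructed sample policy and two constructed client statements of health.
POLICY = HealthPolicy(
    min_signature_date=date(2006, 8, 1),
    required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
)
COMPLIANT = {"av_signature_date": date(2006, 8, 17),
             "patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"], "firewall_enabled": True}
STALE = {"av_signature_date": date(2006, 5, 2),
         "patches": ["KB-EXAMPLE-1"], "firewall_enabled": False}

if __name__ == "__main__":
    for name, client in (("compliant", COMPLIANT), ("stale", STALE)):
        d = evaluate_client(client, POLICY)
        print(name, "-> full access" if d.full_access else "-> quarantine: " + "; ".join(d.failures))
```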

NAP represents the first of several entirely new features that Microsoft has added to Longhorn. A Unix-style Server Manager is another example, and Microsoft's inclusion of basic virtualisation services as part of the core operating system can have all kinds of new benefits for administrators looking for more flexibility.

Finally, Microsoft has clearly shown that Longhorn represents the basis for a whole new generation of Microsoft server products. Microsoft Office SharePoint Server 2007, for example, is a big step up from what SharePoint Portal Server is today. Microsoft has increased not only the depth of what administrators can accomplish with this platform, it also has increased the speed with which they can accomplish it. And that's just one example.

True, pieces of Longhorn may have slipped. A vivisected WinFS may lie gurgling in a back room somewhere, Vista's PC Sync may have suddenly keeled over dead, and Vista itself may slip again due to its ultraslick, I'm-as-cool-as-OS X display technology. But you've got to give it to Redmond: Longhorn is a slam dunk, a must-have upgrade for practically every Windows systems administrator.

Longhorn's three-ring circus really is a great show. Ring No. 1 covers loads of new collaboration features and options (making CIOs look smarter); Ring No. 2 closes vast numbers of security holes (keeping CIOs out of the hot seat); and Ring No. 3 eases the day-to-day management burden with a lot of attention paid to administration tools (allowing CIOs more time for golf).

Step right up and upgrade, folks, there's nothing to fear -- just read those manuals and don't forget to pay for your tickets.

A .Net progress report

By Jon Udell

Twenty-eight months since my last report on Microsoft's .Net technology suite, it's interesting to see what's changed and what hasn't. The desktop version of the Longhorn OS was renamed Vista, but its release status remains the same: beta. Of the three .Net-oriented "pillars of Longhorn" -- Avalon, Indigo, and WinFS -- two are renamed (Avalon to Windows Presentation Foundation and Indigo to Windows Communication Foundation) but none have shipped, and WinFS has been pushed post-Vista.

What did ship, later in 2005, was a set of products that developers long awaited and eagerly anticipated: Visual Studio 2005, .Net Framework 2.0, and SQL Server 2005. Those releases, however, didn't change the fact that there still is no shipping version of Windows that includes the .Net Common Language Runtime and Framework in the box.

The extent to which Microsoft programmers eat their own dog-food -- that is, use .Net technologies to create their own products -- is a perennial topic that armchair halfbacks hotly debate. In reality, .Net is making steady gains. According to one Microsoft blogger, C and C++ remain the dominant languages in use at the company, but products such as Visual Studio, SQL Server, and BizTalk Server each incorporate millions of lines of managed code -- which was, after all, the primary paradigm shift that .Net represented.

Another sign of .Net's maturation is the legacy it has already created. The developers of a line of clinical data capture tools, for example, tell me they're in no hurry to upgrade from Visual Studio 2003 and Framework 1.1 to VS 2005 and Framework 2.0. The 2005 stuff may be better, they say, but the 2003 platform and tools are productive and reliable.

For such pragmatic developers, the hot new .Net technologies that debuted at the last Professional Developers' Conference -- notably Windows Workflow Foundation and Language Integrated Query, both of which are implemented as extensions to the .Net Framework -- are tactically irrelevant but strategically important. If you're making a bet on .Net, you'd like to know that the best and brightest architects at Microsoft are making the same bet. They are.

The evolution of the .Net platform has, of course, occurred in the context of broader industry-wide change. The Windows Communication Foundation responded to the growing popularity of REST (Representational State Transfer) and POX (plain old XML), agnostically embracing these modes even as it continued to build out top-notch support for advanced WS-* standards. The Windows Presentation Foundation (WPF), however, is not similarly agnostic with respect to AJAX. Some of WPF's technical underpinnings are analogous to, but not interoperable with, native Web technologies such as CSS and Scalable Vector Graphics.

Microsoft argues it was necessary to take a clean-slate approach in order to deeply unify documents, applications, and media. Along similar lines, Microsoft has also announced a portable .Net runtime, WPF/E ("E" for Everywhere), which aims to challenge both Flash and Java on a variety of devices and operating systems.

The client tier is chaotic, even for Microsoft-oriented developers, and no one can yet resolve the rich-vs-reach dilemma in a convincing way. But if you want to use state-of-the-art tools to build rich clients and/or advanced services, Microsoft's current .Net lineup is solid and the pipeline looks impressive.

Locking down end points

By Paul Roberts

All jokes about Microsoft's security initiatives aside, the vast improvement in Vista, from the kernel up, comes on the heels of years of steady progress (and a string of technology acquisitions). No surprise, then, that Jim Allchin, co-president of Microsoft's platforms and services division, listed Vista's security features as one of the main reasons customers should upgrade.

"Microsoft, by and large, did a lot of things right. Vista will make a dramatic difference in the ability of malware to infect and get through, and they've taken measures to profoundly limit the damage of those that do," says Andy Jacquith, an analyst at Yankee Group.

The most significant security change concerns user account privileges. Vista will introduce UAC (User Account Control). This makes limited-access user accounts more functional than in prior editions of Windows, which often required administrative access for even simple, risk-free tasks. UAC will make it much more difficult for viruses and worms to take control of Windows systems by limiting the areas of the operating system they can access. However, there's a potential downside. Reviewers of early beta releases blasted Microsoft for incessant prompts to enter administrator permissions or "OK" their way past security warnings on even simple changes, such as deleting a desktop icon.

Enterprises and consumers alike can benefit from Vista's default firewall, which blocks both inbound and outbound traffic. But its impact may be small, as most enterprises already use a firewall with similar capabilities. More tangible benefits will emerge from an antispyware capability embedded in Vista, known as Windows Defender. That product, based on technology Microsoft purchased with Giant Company Software, has already been well-received in beta releases on the XP platform.

Enterprises will receive antispyware updates via Windows Server Update Services and Windows Update in the same stream as operating system updates. That will surely mean big trouble for stand-alone antispyware companies such as Webroot Software, which pioneered consumer and enterprise antispyware.

As desktop antispyware, antivirus and firewall capabilities spread across Microsoft's huge installed base, they will increase in power when combined with the company's other security products, such as the Antigen e-mail security product or ISA (Internet Security and Acceleration) security gateway. Although details have not yet been announced, Microsoft is working on integrating data feeds from SpyNet -- the network of Windows Defender computers that reports new threats -- as well as Microsoft's Client Protection program, OneCare consumer antivirus service, and other sources. These will be combined with other key pieces of infrastructure, such as Exchange, Active Directory and Group Policy, according to Joe Licari, director of product management at Antigen.

The company's recent purchase of SSL VPN vendor Whale Communications will only strengthen Microsoft's hand as a provider of secure remote access services, says Neil McDonald, an analyst at Gartner.

But in other areas there are disappointments. BitLocker Drive Encryption is a welcome addition in an era when stolen laptops are making national headlines. But BitLocker, which can work with the Trusted Computing Group's Trusted Platform Module silicon, is just one piece of Microsoft's envisioned "Palladium" platform, which promised a secure computing base running parallel to Windows and features such as strong process isolation, secure channels to and from Windows users, and application attestation.

Nonetheless, Vista will be a major step in Microsoft's evolution as a vendor of secure software, and as a software security vendor with a hand in antimalware, identity and access management, messaging security, network access control, as well as group policy and management software.

The new Active Directory

By Paul Venezia

Just as Windows Server 2003 made significant improvements to Active Directory, Longhorn promises to follow suit. When AD was first deployed under Windows 2000, managing a Windows domain became much easier. With Server 2003, Microsoft kicked it up a notch, adding such functionality as group editing, simpler object editing, and a more fluid management interface. But AD was still far from a glowing example of form and function.

Longhorn promises to take the next logical step and then some. Microsoft has been saving up numerous features, fixes and functions to include in the next-generation Windows server platform, and if it delivers, it will be a distinct benefit to any Windows network.

One of the banes of Windows 2000/2003 AD is the relative fragility of DCs (domain controllers). Once functioning and operational, a Windows 2003 DC is generally stable -- but if problems do occur with a specific DC, repairing it has never been a simple task, requiring a server rebuild in many cases. One of the more significant additions to Longhorn is the ability to use dcpromo to repair a domain controller, rather than promoting and demoting a server to that role. In addition, the AD services will be restartable, and will not require a server reboot for fixable problems with the AD core.

Also on the way are RODCs (read-only domain controllers). These are DCs that can perform authentication tasks but defer to another DC, thus providing a safety net for remote sites. An RODC does not store usernames or passwords locally, and provides unidirectional replication from other DCs. In addition, Server Core -- the GUI-less server base -- can provide DNS and DC services, further reducing the footprints of remote DCs.

All this can be dropped into an existing Windows Server 2003 domain, as long as the Primary Domain Controller Flexible Single Master Operation role is on a Longhorn server. There are some other limitations, however, such as support for only one RODC per domain per site, and apparently no support for Microsoft Exchange.

The other biggie in Longhorn AD is Admin Role Separation. Most AD deployments have far too many accounts with Domain Admin privileges. In Longhorn, there will be a local admin role for each RODC with limited admin privileges, preventing accidental domain changes at edge sites from affecting the domain as a whole.

So there's a lot to look forward to -- assuming these features make it all the way to the final press of Longhorn Server. If all this comes to pass, the main beneficiaries will be your domain security, stability and, hopefully, your sanity.
