See the following resources for more information:
What's New in Internet Information Services 6.0 at http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/iis.mspx
What's New in Security for Windows XP at http://www.microsoft.com/windowsxp/pro/techinfo/planning/security/whatsnew/
PKI Enhancements in Windows XP Professional and Windows .NET Server at http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/
Data protection and recovery in Windows XP at http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/
Securing Mobile Computers with Windows XP Professional at http://www.microsoft.com/windowsxp/pro/techinfo/administration/mobile/
Wireless 802.11 Security with Windows XP at http://www.microsoft.com/WindowsXP/pro/techinfo/administration/wirelesssecurity/
Institute of Electrical and Electronics Engineers at http://www.ieee.org/
This chapter is a technical description of the networking and communications enhancements in the Windows Server 2003 family: improvements that make networks easier to set up, configure, and deploy. It explains how you can take advantage of improved network connectivity, changes to protocols, and better network device support. For example, mobile users in particular have new options for connecting to the network, such as being able to use the Windows Server 2003 family to gain secure Internet access via wireless or Ethernet connections while waiting in an airport. And now infrared-enabled cellular phones can be used just like any other modem to create a network connection.
With Windows Server 2003, IT professionals have more options, and more flexible options, for managing networking infrastructure, through new capabilities such as configuring secure access to a wireless LAN, specifying Group Policy settings to control networking features for certain types of users, and creating a Connection Manager profile that lets traveling users select the optimal VPN server, depending on their location. These are just a few of the many new capabilities described in this chapter.
The following sections describe the enhancements that make Windows Server 2003 easier to set up, configure, and deploy:
Network Diagnostics Features
Network Location Awareness
Wireless LAN Enhancements
Routing and Remote Access Service Enhancements
Connection Manager Enhancements
Network diagnostics features were added to the Windows Server 2003 family to support diagnosing network problems, as
Network Diagnostics Web page.
The Network Diagnostics Web page can be
Netsh Diag commands.
A new Netsh helper DLL provides commands in the Netsh Diag context to enable you to view
Repair menu option for network connections.
Sometimes a computer's network configuration can be in a state that prohibits network communication, but the configuration can still be repaired through a set of common procedures, such as renewing the IP address configuration and Domain Name System (DNS)
Support tab for network connections.
The Status dialog box for each network connection in the Network Connections folder now includes a Support tab. From this tab, TCP/IP configuration information is displayed. The Support tab includes a Repair button, which is equivalent to the Repair context menu option on the network connection.
Networking tab for Task Manager.
Task Manager now includes a Networking tab, shown in Figure 6-1, that displays real-time networking metrics for each network adapter in the system. This tab can provide a quick look at how the network is performing.
Updated Netdiag.exe command-line network diagnostics tool.
The support tools provided on the Windows Server 2003 family product CD-ROM include Netdiag.exe, an enhanced version of the diagnostics tool provided in the Microsoft Windows 2000 Resource Kit. To install the support tools, run the file Support.msi from the Support\Tools folder on the Windows Server 2003 family product CD-ROM.
Menu option to enable remote access logging.
A new Diagnostics tab has been added to the Remote Access Preferences dialog box in the Network Connections folder to globally enable, view, and clear logging for remote access connections. To view the Remote Access Preferences dialog box, choose Remote Access Preferences from the Advanced menu in the Network Connections folder.
Network location awareness allows computers running the Windows Server 2003 family to detect information about the network to which the computer is attached. This allows for seamless configuration of the network stack for that location. This information is also made available through a Windows Sockets API, allowing applications to retrieve information about the current network or be notified when network information changes.
Components in the Windows Server 2003 family also use the network location to provide appropriate services. For example, the new Group Policy settings to enable or disable the Internet Connection Sharing (ICS), Internet Connection Firewall (ICF), and Network Bridge features are network location-aware; they apply to the computer only when it's connected to the network on which the settings were obtained. For example, if a laptop computer receives a Group Policy setting to disable these features while connected to a corporate network, when the computer is connected to a home network, the
Several features and enhancements have been added to the Windows Server 2003 family to improve the experience in deploying wireless LANs, including automatic key management and
Enhanced Ethernet and wireless security (IEEE 802.1X Support).
Previously, wireless networking lacked an easy-to-deploy security solution with a key management system. Microsoft and several wireless LAN and PC vendors worked with the IEEE to define IEEE 802.1X, a standard for port-based network access control that applies to both Ethernet and wireless LANs. Microsoft implemented IEEE 802.1X support in Windows XP and worked with wireless LAN
Wireless zero configuration.
In conjunction with the wireless network adapter, the Windows Server 2003 family can choose from available wireless networks to configure connections to preferred networks without user intervention. Settings for a specific wireless network can be saved and automatically used the
Wireless roaming support.
Windows 2000 included enhancements for detecting the availability of a network and acting appropriately. These enhancements have been extended and supplemented in the Windows Server 2003 family to support the transitional nature of a wireless network. Features added in the Windows Server 2003 family include renewing the DHCP configuration upon reassociation, reauthentication when necessary, and choosing from multiple configuration options based on the network to which the computer is connected.
Wireless Monitor snap-in.
The Windows Server 2003 family includes a new Wireless Monitor snap-in, which can be used to view wireless access point (AP) or wireless client configuration and statistical information.
Password-based authentication for secure wireless connections.
The Windows Server 2003 family includes support for Protected Extensible Authentication Protocol (PEAP) for wireless network connections. With PEAP, you can use a password-based authentication method to securely authenticate wireless connections. PEAP creates an encrypted channel before the authentication process occurs. Therefore, password-based authentication exchanges are not subject to offline dictionary attacks. The Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is now available as an EAP authentication type. PEAP with the EAP version of MS-CHAP v2 allows you to have secure wireless authentication without having to deploy a certificate infrastructure, also known as a public key infrastructure (PKI), and without having to install certificates on each wireless client. The Windows Server 2003 family Remote Authentication Dial-In User Service (RADIUS) server, known as the Internet Authentication Service (IAS), has also been enhanced to support PEAP.
Group Policy extension for wireless network policies.
A new Wireless Network (IEEE 802.11) Policies Group Policy extension allows you to configure wireless network settings that are part of Group Policy for Computer Configuration. Wireless network settings include the list of preferred networks, Wired Equivalent Privacy (WEP) settings, and IEEE 802.1X settings. These settings are downloaded to domain
Unauthenticated access for wireless LAN connections.
Both the Windows Server 2003 family wireless client and IAS support unauthenticated wireless connections. In this case, Extensible Authentication Protocol with Transport Level Security (EAP-TLS) is used to perform one-way authentication of the IAS server certificate, and the wireless client does not send a user name or user credentials. To enable unauthenticated access for wireless
With these enhancements, the following scenarios are possible:
A mobile user is in an airport and can gain secure Internet access via wireless or Ethernet connectivity.
An administrator can use these enhancements to configure secure access to a wireless LAN. The administrator might also require certificates deployed via
An administrator can use these features to configure authenticated and authorized access to wire-based Ethernet LANs without requiring data encryption.
The following enhancements to the Routing and Remote Access service have been made in the Windows Server 2003 family:
Snap-in and Setup Wizard enhancements.
The Routing And Remote Access Server Setup Wizard has been modified to make it easier to initially configure the Routing and Remote Access service (see Figure 6-2). The Routing And Remote Access snap-in has been modified to make it easier to configure server settings after the initial configuration.
Improved configuration for EAP-TLS properties.
The Smart Card Or Other Certificate Properties dialog box has been improved to allow the configuration of multiple RADIUS servers and multiple root certification authorities. This provides seamless connectivity with multiple wired or wireless networks or large networks that use multiple RADIUS servers. You can access the Smart Card Or Other Certificate Properties dialog box by selecting the Smart Card Or Other Certificate EAP type on the Authentication tab from the properties of a LAN connection in the Network Connections folder and then clicking Properties.
NetBIOS over TCP/IP name resolution proxy.
A new NetBIOS over TCP/IP (NetBT) proxy is built into the Routing and Remote Access service to allow remote access clients connecting to a network consisting of one or multiple subnets with a single router (the remote access computer running a member of the Windows Server 2003 family) to resolve
Manage Your Server and Routing and Remote Access service integration.
This feature provides an integrated method to configure the NAT/Basic Firewall component of the Routing and Remote Access service using Manage Your Server. With this feature, an IT administrator can configure a Windows .NET family server and the Routing and Remote Access service NAT/Basic Firewall component during the same setup procedure.
Ability to enable the Routing and Remote Access service internal interface as a Network Address Translation private interface.
For a computer running Windows 2000 Server that is providing remote access to a private intranet and is acting as a Network Address Translator (NAT) to provide access to the Internet, there is no way to provide Internet access to connected remote access clients. Computers running a member of the Windows Server 2003 family now allow you to add the Internal interface as a private interface to the Network Address Translation component of the Routing and Remote Access service. This allows connected remote access clients to access the Internet.
This feature provides the ability to use the Point-to-Point Protocol over Ethernet (PPPoE) for demand-dial connections (also known as dial-on-demand connections). Demand-dial connections are used by the Routing and Remote Access service to make point-to-point connections between LANs over which packets are routed. You can access this feature by selecting the Connect Using PPP Over Ethernet (PPPoE) option in the Connection Type dialog box of the Demand-Dial Interface Wizard. By allowing PPPoE as a connection type for demand-dial connections, a small business can use the NAT/Basic Firewall component of the Routing and Remote Access service and the business's broadband Internet connection to connect its office to the Internet.
Improvements in default behavior for Internal and Internet interfaces.
To prevent possible problems with resolving the name of the VPN server and accessing services running on the VPN server, the Routing and Remote Access service by default disables dynamic DNS registration for the Internal interface and disables both dynamic DNS and NetBT for the interface identified in the Routing And Remote Access Server Setup Wizard as the Internet interface.
VPN connection limit for Windows Server 2003, Web Edition.
For the Web Edition, the number of allowed VPN connections is one VPN connection (either PPTP-based or Layer 2 Tunneling Protocol [L2TP]-based). This is the same limitation that exists for Windows XP Professional and Windows XP Home Edition. To support more than one VPN connection, you must use Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.
NAT and firewall integration.
The NAT/Basic Firewall component of the Routing and Remote Access service has been enhanced to support a basic firewall using the same technology as that used by the Internet Connection Firewall feature provided with Windows XP. This feature allows you to protect the public interface of a computer running a member of the Windows Server 2003 family that is using a NAT to enable access to the Internet. By using a NAT, the computers on the private network are protected because the NAT computer does not forward traffic from the Internet unless a private network client
L2TP/IPSec NAT traversal.
With Windows 2000, Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is not able to traverse a NAT, because if the NAT
NLB support for L2TP/IPSec traffic.
In Windows 2000, the Network Load Balancing (NLB) service did not have the capability to manage IPSec security associations (SAs) among multiple servers. If a server in the cluster became unavailable, the SAs managed by that cluster were orphaned and eventually timed out. This
Preshared key configuration for L2TP/IPSec connections.
The Windows Server 2003 family supports both computer certificates and a preshared key as authentication
Windows XP and the Windows Server 2003 family remote access VPN clients also support preshared key authentication. You can enable preshared key authentication and configure a preshared key from IPSec settings on the Security tab on the properties of a VPN connection in Network Connections. Preshared key authentication is also supported for Windows Server 2003 family router-to-router VPN connections. You can enable preshared key authentication and configure a preshared key for demand-dial interfaces from IPSec settings on the Security tab from the properties of a demand-dial interface in the Routing And Remote Access snap-in.
The following enhancements to Connection Manager and the Connection Manager Administrator Kit have been made in the Windows Server 2003 family:
Connection Manager Favorites.
The Connection Manager Favorites feature lets users eliminate repetitive configuration of Connection Manager properties when switching between common dialing locations. This feature provides a method for storing and easily accessing settings and is used in the following scenario:
Automatic Proxy Configuration.
The Automatic Proxy Configuration feature provides the ability to create a Connection Manager profile to ensure that the user's computer has appropriate access to both internal and external resources during a connection to a corporate network. This feature requires the use of Internet Explorer 4.0 or later. For example, a business user's home computer is configured to browse the Internet without any proxy settings. This configuration can cause a problem when the user connects to a corporate network. An IT administrator can create a Connection Manager profile that provides the appropriate proxy settings for use whenever the user is connected to the corporate network.
Client log files.
This feature provides the ability to
Support for VPN server selection.
With the enhanced Connection Manager Administration Kit provided with the Windows Server 2003 family, a Connection Manager profile can be created that allows users to select a Virtual Private Network (VPN) server to use when connecting to the corporation's network. This enables VPN connectivity in the following scenarios:
A company has offices worldwide with VPN servers in many of these locations. An IT administrator can create a Connection Manager profile that allows a traveling user to select the VPN server that best meets their connection needs at the time of the connection attempt.
A corporate VPN server is taken offline for maintenance. During this time frame, users can select a different VPN server with which to connect.
Connection Manager Administration Kit Wizard im
The Connection Manager Administration Kit (CMAK) has expanded the wizard functionality, including improved dialog boxes and the ability to perform most advanced customization
Preshared key configuration.
This feature allows an IT administrator to create a connection manager profile using CMAK that contains the preshared key of the VPN server for use in authenticating L2TP/IPSec connections.
Route management for simultaneous intranet and Internet access for VPN connections.
Before Windows XP and the Windows Server 2003 family, a Microsoft VPN client automatically created a default route that sent all default route traffic through the VPN tunnel. Although this allows a VPN client to access its organization's intranet, while the VPN connection is active the client can access Internet resources only if Internet access is available through the organization's intranet. The new Connection Manager support in Windows XP and the Windows Server 2003 family allows for the following:
When the VPN connection is made, the default route isn't changed; instead, specific routes for organization intranet locations are added to the routing table of the VPN client. This allows simultaneous access to intranet (using the specific routes) and Internet (using the default route) resources without having to pass Internet traffic through the organization's intranet. The Connection Manager Administration Kit allows you to configure specific routes as part of the connection manager profile distributed to VPN users. You can also specify a URL that contains the current set of organization intranet routes or additional routes beyond those configured in the profile.
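As an added example (not code from the book), the following Python snippet models the two behaviours just described: a longest-prefix-match lookup over a constructed routing table shows which destinations leave through the tunnel when the VPN client replaces the default route, and which do when only specific intranet routes are added and the default route is left alone. The prefixes, the egress names, and the probe address are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample routing table for a VPN client at home (not from the book).
# Each entry is (prefix, egress). "ISP" is the home broadband connection,
# "VPN" is the tunnel interface to the organization's network.
BASE_ROUTES = [
    ("0.0.0.0/0", "ISP"),        # default route via the ISP
    ("192.168.1.0/24", "ISP"),   # directly connected home LAN
]

# Constructed intranet prefixes that a Connection Manager profile (or the
# route URL it points at) would add to the client under the new behaviour.
INTRANET_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]


def lookup(routes, destination):
    """Longest-prefix match: return the egress of the most specific route
    covering destination, or None if no route matches."""
    dst = ipaddress.ip_address(destination)
    best_net, best_egress = None, None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_egress = net, egress
    return best_egress


def legacy_vpn_routes(base=BASE_ROUTES):
    """Pre-Windows XP behaviour: the VPN client replaces the default route,
    so everything that is not directly connected goes through the tunnel."""
    return [(p, "VPN" if p == "0.0.0.0/0" else e) for p, e in base]


def split_route_table(intranet=INTRANET_PREFIXES, base=BASE_ROUTES):
    """Windows XP / Windows Server 2003 Connection Manager behaviour: keep the
    default route and add specific intranet routes that point at the tunnel."""
    return list(base) + [(p, "VPN") for p in intranet]


def classify(routes, destinations):
    """Map each destination to the egress the table would choose for it."""
    return {d: lookup(routes, d) for d in destinations}


def internet_bypasses_tunnel(routes, probe="198.51.100.7"):
    """Defender's check: does Internet-bound traffic (probe is a TEST-NET-2
    address, an assumption) leave via the ISP instead of the organization?"""
    return lookup(routes, probe) == "ISP"


if __name__ == "__main__":
    sample = ["10.1.2.3", "172.20.5.5", "198.51.100.7", "192.168.1.10"]
    for name, table in [("legacy", legacy_vpn_routes()), ("split", split_route_table())]:
        print(name, classify(table, sample),
              "internet bypasses tunnel:", internet_bypasses_tunnel(table))
```

The same check is worth running against a deployed profile: Internet traffic that bypasses the tunnel also bypasses any filtering the organization applies at its own Internet egress, so the specific routes should cover every intranet prefix and nothing more.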