Windows Server Roadmap Clarified
Nov. 22, 2004

Network protection features planned for Windows Server will be delayed, according to Microsoft’s latest Windows roadmap. A number of features originally planned for a 2005 interim release of Windows Server, code-named R2, will instead be released as part of Windows "Longhorn" Server 18 to 24 months later. The delays will help Microsoft coordinate its network protection efforts with Cisco and could also help Microsoft maintain a regular tempo of Windows Server releases. However, a large cluster of Windows releases in the first half of 2005 could strain execution of Microsoft’s new plan.

For an overview of likely Windows Server releases through 2008, see the illustration "Windows Roadmap Overview".

Windows Server 2003 SP1 Next Up

The next release on the Windows Server roadmap will be the first service pack (SP) for Windows Server 2003. In addition to integration-tested bug and vulnerability fixes, Windows Server 2003 SP1 will incorporate several changes introduced with Windows XP SP2 in Aug. 2004. These include the following:

Data Execution Prevention. Originally called no-execute (NX) support, Data Execution Prevention (DEP) allows the OS running on the latest 32- and 64-bit processors to differentiate between memory locations that contain executable code and those that contain data, reducing the likelihood that a buffer overrun could execute dangerous code.
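DEP only refuses to run code from data pages for processes that the system policy covers, and on the opt-in policy that means the executable has to advertise its compatibility in its PE header. The following is an added example, not code from the article or from Microsoft: a small Python parser that reads the DllCharacteristics field of a PE image and reports whether the NX-compatible bit (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x0100, from the PE/COFF specification) is set. The `build_stub_pe` helper constructs a minimal header layout for demonstration and is not a real binary.

```python
import struct

# Constants from the PE/COFF specification (not page-specific values)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# DllCharacteristics sits at the same offset in PE32 and PE32+ optional headers
DLLCHARACTERISTICS_OFFSET = 70


def dep_status(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    report whether the image declares itself DEP/NX compatible."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)  # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dllchar,) = struct.unpack_from("<H", pe, opt + DLLCHARACTERISTICS_OFFSET)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dllchar,
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_stub_pe(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed stub for demonstration: just enough header for dep_status().
    It is not a loadable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header follows DOS header
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    machine = 0x8664 if pe32plus else 0x14C          # AMD64 or i386
    opt = bytearray(96)                               # fields up to the data directories, zeroed
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dllchar)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0x0000, 0x0100):
        print(f"DllCharacteristics={flags:#06x} -> {dep_status(build_stub_pe(flags))}")
```

To inspect a real file, pass `open(path, "rb").read()` to `dep_status`. The flag is set by the linker (the `/NXCOMPAT` option of later Visual C++ toolchains); an image without it is still protected when the system-wide policy is OptOut or AlwaysOn, which is selected through the `/noexecute` switch in boot.ini on XP SP2 and Windows Server 2003 SP1, so a header check should be read together with the host policy.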

Tighter security for protocols. The security of Windows' Remote Procedure Call (RPC) and the Distributed Component Object Model (DCOM) has been redesigned. For example, new permission levels have been added to RPC to allow administrators to control which RPC servers are blocked, which are exposed only to the local subnet, and which are exposed to the entire network.

Updated Internet Explorer. Security improvements to Internet Explorer (IE) include prohibiting access to cached scriptable objects: HTML pages can only script their own objects. This blocks attacks on the IE cross-domain security model, stopping scripts from listening to events or content in other frames. For example, a script can no longer capture credit card information from a form.

In addition, the Windows Firewall will be enabled for the first boot on new systems, until the administrator acknowledges that the system has been updated with all required patches. (For more details on security-related changes in Windows XP SP2, see "XP Service Pack Highlights Security Dilemma" on page 3 of the Jan. 2004 Update.)

In addition to security features introduced with Windows XP SP2, several Windows Server 2003 features have been added or improved, including the following:

Security Configuration Wizard. This wizard will help administrators lock down a server based on the server’s role. For example, if a server is to be used primarily as a file and print server, the wizard will disable unnecessary services and block unneeded ports using the Windows Firewall. If the server is destined to be a Web server, a different set of services and ports can be enabled or disabled. The settings created by an administrator using the Security Configuration Wizard can be saved and distributed to servers performing a similar role using Group Policy.

Virtual Private Network Quarantine. Windows Server 2003 SP1 will be able to inspect computers connecting via a virtual private network (VPN) to ensure that they are at the correct level of OS, have the correct level of patches, and have current antivirus software. This capability was previously provided by the Windows Server 2003 Resource Kit but will move into the base server product, providing wider support for the feature.

Windows Support for x64 Processors

Simultaneous with the release of Windows Server 2003 SP1, Microsoft is scheduled to release Windows OSs for the x64 (AMD’s 64-bit architecture) processors. While Microsoft currently supports Intel’s Itanium processors, and preview editions for x64 are available, the release of final x64 editions means customers will have fully supported versions of Windows for the AMD Athlon and Opteron and new Intel Xeon processors.

The underlying architecture of these x64 processors is based on 64-bit extensions to the industry-standard x86 instruction set, allowing today's 32-bit applications to run natively (the Itanium runs them in 32-bit emulation) while new 64-bit applications are executed in 64-bit mode, which processes more data per clock cycle, allows greater access to memory, and speeds numeric calculations.

Windows Server 2003 R2 in 2005

Following Windows Server 2003 SP1 in 2005 will be Windows Server 2003 R2, an interim release that can be installed stand-alone or added to systems running Windows Server 2003 SP1. R2 would be the first interim release in Microsoft’s new Windows Server release cycle, which calls for releases roughly every two years with interim releases like R2 alternating with major releases. Microsoft hopes this cycle will provide customers with more predictable releases and help them manage their server deployments.

As now planned, R2 will include the following:

Simplified branch management. R2 will make it easier for administrators in centralized support locations to manage branch offices that may not have local administrators. These features include improved file replication as well as better management consoles (including a new print manager).

Streamlined access management. Originally announced in mid-2002 under the code name TrustBridge, streamlined access management enables organizations to establish trust relationships with one another so that users in one organization can access resources in the other with a single sign-on. Users are authenticated by their own organization, and a claim is passed to the partner’s application via Web services. This removes the burden of a user remembering multiple user IDs and passwords, and the cost of maintaining and integrating multiple IDs.

Efficient storage management. R2 will incorporate tools to help administrators configure and manage a storage area network (SAN), control storage utilization, and consolidate data from separate file servers. Additionally, Microsoft will integrate Network File System (NFS) functionality into R2 to provide native access to file servers for Unix and Linux, and will improve storage management tools by integrating separate tools, such as the storage migration tool and others currently in Microsoft’s Services for Unix, into a unified file-system management tool.

Feature pack integration. R2 also provides Microsoft with an opportunity to integrate a number of feature packs, which are currently free, separately installed options for Windows Server 2003. Microsoft’s current plans call for R2 to include Active Directory Application Mode (ADAM), a feature pack that allows programs to use an Active Directory instance as a repository for custom data that needs a different replication cycle than that used by the main directory, or that would otherwise require extending the Active Directory schema. Windows SharePoint Services will also be included with the R2 release.

Longhorn Server

With the release of a service pack in early 2005, the R2 release in the second half of 2005, and the Longhorn client release in 2006, it is unlikely that Microsoft will be able to release a Longhorn Server before 2007.

Because Longhorn Server is farther out on the roadmap, its final feature set is largely unknown. Some features in the Longhorn client, such as support for the WinFX APIs, will certainly be part of Longhorn Server, and depending on how development on the deferred WinFS file system proceeds, there could be some support for WinFS in Longhorn Server.

Longhorn Server will also deliver two features that were originally considered for R2:

Anywhere Access (a code name) is a service that provides access to organizational resources over HTTP, the standard Web protocol, without requiring a VPN connection. Anywhere Access would extend the type of access provided to Outlook users today through MAPI-over-HTTP, which lets users access their e-mail and calendar over Internet protocols.

Network Access Protection (NAP) improves on the existing VPN Quarantine feature of Windows Server 2003 and extends it to LAN connections to ensure that only trusted and secure computers and equipment connect to an organization’s network. The delay is partially the result of Microsoft’s work with Cisco to ensure that both companies’ network access security solutions interoperate. (For more information on the Microsoft and Cisco announcement, see the sidebar "NAP Meets NAC".)

The delay to NAP means customers may want to consider deploying the VPN Quarantine feature that will be part of Windows Server 2003 SP1, even though this technology provides protection only for computers connecting via VPNs, whereas NAP will protect computers connecting by cable, wireless, or VPN connections. Customers should keep in mind that any work done to implement VPN Quarantine will probably not carry forward if and when they deploy NAP.

Microsoft has not provided details about an anticipated update to Terminal Services, code-named Bearpaw, but such changes could be a component of the Anywhere Access feature that will be included in Longhorn Server.

Construction Delays Ahead?

The new Windows Server roadmap calls for a large cluster of releases over the next year. (See the illustration "Near-Term Windows Releases".)

Before the end of 2004, the Windows Server team says it will provide a release candidate for Windows Server 2003 SP1, a beta of Windows Update Server 1.0 (a tool to facilitate the distribution of patches), and a beta of the R2 interim release of Windows Server. In addition, the team will provide an SDK of an edition of Windows Server 2003 targeted toward high-performance computing (HPC).

In the first half of 2005, the team plans to release Windows Server 2003 SP1, Windows Update Server 1.0 (the successor to Software Update Services), and editions of Windows Server 2003 and Windows XP designed for the 64-bit AMD and Intel x86-64 processors, followed in the second half of 2005 with final releases of Windows Server 2003 Compute Cluster edition (the HPC edition), Windows Server 2003 R2, Windows Storage Server 2003 R2, and the second beta for a Longhorn client and server (which will be the first feature-complete beta of Longhorn Server).

Managing all these releases, while still getting out security-related patches and product bug fixes, may strain the resources of the Windows team. Consequently, further feature cuts or delays might be necessary if Microsoft is to hold to its hoped-for two-year release cycle.

Resources

Preliminary information on the Security Configuration Wizard in Windows Server 2003 SP1 is available at www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx.

For a description of VPN Quarantine, see "Supporting Remote Users with Windows Server 2003" on page 3 of the Mar. 2003 Update.

A description of feature packs for Windows Server 2003 is included in "Windows Server Feature Packs" on page 5 of the June 2004 Update.

For background on the Windows Update Service, see "Microsoft Slowly Delivering on Security Promises" on page 3 of the Sept. 2004 Update.

Microsoft’s high-performance edition of Windows is described in "Windows for High Performance Clusters on Tap" on page 6 of the Aug. 2004 Update.

Microsoft’s support for the different 64-bit processors from AMD and Intel is outlined in "AMD 64-Bit Choices to Increase" on page 4 of the May 2004 Update.

Federation and TrustBridge are described in "Identity Management Strategy Updated" on page 3 of the Oct. 2003 Update and "TrustBridge to Simplify Resource Sharing" on page 13 of the Aug. 2002 Update. (Note, however, that Microsoft probably won't update Passport to work with TrustBridge as originally planned.)