http://technet.microsoft.com/en-us/library/cc507851.aspx
Enterprise Networking with Windows Vista
Published: September 6, 2006 | Updated: October 5, 2006
Microsoft Windows Vista includes significantly improved networking technology to enhance end-user productivity, simplify administration, and increase security. This document provides a high-level overview of Windows Vista enterprise networking technologies. This article does not discuss consumer networking scenarios.
On This Page
Next-Generation Networking Innovations in Windows Vista
Simpler Connectivity
Advanced End-to-End Security
Greater Manageability
World-Ready Scalability
Summary
Next-Generation Networking Innovations in Windows Vista
Connecting users to resources and content in a secure, simple, and manageable way is critical to the success and health of any organization. Users expect their data to be accessible wherever they are, whether they are in their office, at home, at a wireless hotspot, or traveling abroad. Administrators are challenged with providing more advanced networking services, including Voice over IP (VoIP) and multimedia streaming at a high quality of service. Additionally, corporate or government regulations may require stronger security measures to be instituted to protect data from unauthorized access.
Windows Vista represents the largest set of networking innovations since Windows 95, and provides enhancements in many areas to help make access to network resources seamless and more secure while keeping configuration and management efforts to a minimum. Windows Vista provides an enhanced networking experience for both the IT administrator, who is responsible for the security, maintenance, and deployment of networked resources, and the end-user, who expects a rich, seamless, and dependable networking experience.
Next-Generation TCP/IP Stack
Windows Vista includes an updated implementation of the TCP/IP stack known as the Next-Generation TCP/IP stack. The Next-Generation TCP/IP stack has innovative improvements to TCP/IP functionality, which address several of today's top networking issues:
Greater performance and throughput
Receive Window Auto-Tuning
Compound TCP
ECN support
Rich APIs for network packet inspection
Greater Performance and Throughput
Maximizing network utilization requires complex tuning of TCP/IP configuration settings. Windows Vista eliminates the need to manually tune TCP/IP settings by detecting network conditions and automatically optimizing performance. On high-loss networks, such as wireless networks, Windows Vista can better recover from single and multiple packet losses. Windows Vista can dynamically increase or decrease the TCP Receive Window to fully utilize the capacity of a connection; users transferring files across a high-speed/high-latency WAN or downloading files from the Internet should notice faster transfer times. With Windows Vista, all users can have the best possible network performance, without needing to understand advanced TCP/IP settings.
Receive Window Auto-Tuning
The TCP Receive Window size is the number of bytes that a receiving host allows a sending host to send at one time on a TCP connection. To correctly determine the value of the optimum TCP Receive Window size for a connection based on the current conditions of the network, the Next-Generation TCP/IP stack supports TCP Receive Window Auto-Tuning. TCP Receive Window Auto-Tuning continually determines the optimal TCP Receive Window size on a per-connection basis by measuring the bandwidth-delay product (the bandwidth multiplied by the latency of the connection) and the application retrieve rate, and automatically adjusts the maximum TCP Receive Window size on an ongoing basis. With better throughput between TCP peers, the utilization of network bandwidth increases during data transfer. The overall utilization of the network will be better optimized, making the use of Quality of Service (QoS) more important for networks that are operating at or near capacity. For more information, see the "Policy-based Quality of Service" section of this document.
Compound TCP
For TCP connections with a large TCP Receive Window size and a large bandwidth-delay product (the bandwidth multiplied by the latency of the connection), Compound TCP (CTCP) in the Next-Generation TCP/IP stack aggressively increases the amount of data sent at one time by monitoring the bandwidth-delay product, delay variations, and packet losses. CTCP also ensures that its behavior does not negatively impact other TCP connections. In testing performed internally at Microsoft, large file backup times were reduced by almost half for a 1 Gigabit-per-second connection with a 50-millisecond round-trip time. Connections with a larger bandwidth-delay product can have even better performance. TCP Receive Window Auto-Tuning optimizes receiver-side throughput and CTCP optimizes sender-side throughput. By working together, they can increase link utilization and produce substantial performance gains for large bandwidth-delay connections. For more information, see Performance Enhancements in the Next-Generation TCP/IP Stack.
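The figures in the Receive Window Auto-Tuning and Compound TCP paragraphs can be checked by hand. As an added worked example (not part of the original article), here is the bandwidth-delay product for the 1 Gbps, 50 ms link the text cites, the throughput a connection is capped at if its receive window stays at the classic 65,535-byte maximum, and the time standard TCP would need to refill that link after a single loss; the 1,460-byte MSS is an assumed typical Ethernet value.

\[
\text{BDP} = B \times \text{RTT} = 10^{9}\ \text{bit/s} \times 0.050\ \text{s} = 5 \times 10^{7}\ \text{bit} = 6.25 \times 10^{6}\ \text{bytes}
\]

A receiver that cannot advertise more than the 16-bit window caps the sender at

\[
T_{\max} = \frac{W}{\text{RTT}} = \frac{65535 \times 8\ \text{bit}}{0.050\ \text{s}} \approx 1.05 \times 10^{7}\ \text{bit/s} \approx 10.5\ \text{Mbit/s},
\]

about 1% of the link, regardless of how fast the sender is. The RFC 1323 window scale shift \(s\) that lets the advertised window reach the BDP is the smallest one with

\[
65535 \times 2^{s} \ge 6.25 \times 10^{6} \;\Rightarrow\; s = 7 \qquad (65535 \times 2^{6} = 4{,}194{,}240 < 6.25 \times 10^{6} \le 65535 \times 2^{7} = 8{,}388{,}480),
\]

which is what Auto-Tuning negotiates for the receiver. On the sender side the same BDP is about \(6.25 \times 10^{6} / 1460 \approx 4{,}281\) segments. After one loss, standard (Reno-style) congestion control halves the congestion window to about 2,140 segments and then regains one segment per round trip, so returning to full utilization takes roughly

\[
2140\ \text{RTT} \times 0.050\ \text{s/RTT} \approx 107\ \text{s},
\]

the gap that CTCP's faster window growth on large bandwidth-delay paths is designed to close.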
ECN Support
When a TCP segment is lost, TCP assumes that the segment was lost due to congestion at a router and performs congestion control, which dramatically lowers the TCP sender's transmission rate. With Explicit Congestion Notification (ECN) support on both TCP peers and in the routing infrastructure, routers experiencing congestion mark the packets as they forward them. TCP peers receiving marked packets lower their transmission rate to ease congestion and prevent segment losses. Detecting congestion before packet losses are incurred increases the overall throughput between TCP peers. Release Candidate 1 of Windows Vista supports ECN but it is disabled by default. For more information, see Performance Enhancements in the Next-Generation TCP/IP Stack.
Rich APIs for Network Packet Inspection
The Windows Filtering Platform (WFP) is a new architecture in the Next-Generation TCP/IP Stack that provides APIs so that third-party software developers can participate in the filtering decisions that take place at several layers in the TCP/IP protocol stack. The platform also provides support for next-generation firewall features such as authenticated communication and dynamic firewall configuration based on an application's use of the Windows Sockets API (application-based policy). Independent software vendors (ISVs) can more easily create firewalls, anti-virus software, and other types of network applications and services. The Windows Firewall and Internet Protocol security (IPsec) in Windows Vista and Windows Server Code Name "Longhorn" use the WFP API.
For more information, see Windows Filtering Platform.
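Receive Window Auto-Tuning, Compound TCP and ECN are all exposed on a Windows Vista client as global TCP parameters of the Netsh tool. The following PowerShell session is an added example, not code from the original article: it reads the current values with a small parsing helper of my own and then applies the settings. The parameter names are those netsh accepts, the printed labels are those netsh shows on Vista (they may differ on later versions), and the session must be elevated to change anything.

```powershell
# Added example (not from the TechNet article): read and set the Next-Generation
# TCP/IP stack's global parameters on Windows Vista through netsh.

function Get-TcpGlobalSettings {
    # Turn the "Label : value" lines of 'netsh interface tcp show global' into a
    # hashtable keyed by label. Lines without a colon (title, underline) are skipped.
    $settings = @{}
    netsh interface tcp show global | ForEach-Object {
        if ($_ -match '^\s*(.+?)\s*:\s*(\S.*)$') {
            $settings[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $settings
}

$before = Get-TcpGlobalSettings
"Before: auto-tuning={0}; congestion provider={1}; ECN={2}" -f $before['Receive Window Auto-Tuning Level'], $before['Add-On Congestion Control Provider'], $before['ECN Capability']

# Receive Window Auto-Tuning (receiver side): 'normal' lets the window grow with
# the measured bandwidth-delay product; 'disabled' pins it near the classic 64 KB.
netsh interface tcp set global autotuninglevel=normal

# Compound TCP (sender side) is the counterpart to auto-tuning; 'none' falls back
# to standard congestion control.
netsh interface tcp set global congestionprovider=ctcp

# ECN is off by default, as the article notes for RC1. Enabling it only helps when
# the peer and the routers on the path support it, and some older firewalls and
# home routers drop or reset connections that negotiate ECN, so test it on a
# pilot group before enabling it broadly.
netsh interface tcp set global ecncapability=enabled

$after = Get-TcpGlobalSettings
"After:  auto-tuning={0}; congestion provider={1}; ECN={2}" -f $after['Receive Window Auto-Tuning Level'], $after['Add-On Congestion Control Provider'], $after['ECN Capability']
```

The before/after lines give a quick audit trail for a change ticket; the same helper can be run on its own to inventory a fleet's settings without changing anything.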
Additional Networking Innovations
Windows Vista also includes the following additional innovations to address today's top networking issues:
Effortless Connectivity
Advanced End-to-End Security
Greater Manageability
World-Ready Scalability
Effortless Connectivity
It can be challenging to access network resources and connections (often with different firewall settings), and users may have difficulty resolving connectivity problems. As a result, users place more calls to support centers, increasing support costs and user frustration. The new user interface in Windows Vista provides a greater user experience by providing an interface which graphically displays the connectivity status of the computer, helps diagnose and resolve connectivity issues, and lets users easily explore network resources.
Advanced End-to-End Security
Administrators can use the updated Windows Firewall with Advanced Security to create network filtering rules or require computer authentication or encryption of network data and help protect the internal network from clients deemed unhealthy using the Network Access Protection (NAP) capability in Windows Server "Longhorn." Security enhancements in Windows Vista also improve the security of virtual private networks (VPNs) and take advantage of the latest improvements to wireless security.
Greater Manageability
Business needs require more network services and end-user expectations of quality and reliability grow each day. IT departments within organizations are required to provide additional network functionality, such as wireless networking and multimedia streaming, while maintaining a high standard of security, reliability, and service levels to the organization. Windows Vista helps reduce the administrative burden by providing greater manageability for networking services, including the ability to manage the configuration of firewall policies and wireless networking via Group Policy or command-line scripting, as well as bandwidth prioritization and throttling through policy-based Quality of Service.
World-Ready Scalability
Many organizations are running out of public IPv4 addresses because each computer, network device, and mobile device that is directly connected to the Internet requires a unique public IPv4 address. This situation has forced network administrators to implement inconvenient workarounds, such as Network Address Translation (NAT) devices, which require administration effort and can cause application incompatibilities. Windows Vista natively supports IPv6 to help alleviate these issues. Likewise, as additional network services including higher-throughput applications and encryption are used, there can be a bottleneck at the CPU for processing network packets. Windows Vista supports hardware offload capabilities of network adapters to provide better performance and scalability.
The sections that follow discuss Windows Vista's focus on creating a reliable network and seamless user experience based on simplified user-centric networking, advanced security, and improved manageability and scalability.
Simpler Connectivity
Today's user is more mobile than ever before, switching from the corporate network to the home network and even connecting to hotspots at coffee shops and airports. Users want their network experience to be as seamless and reliable as possible, and Windows Vista provides such an experience. Windows Vista has many features to keep the user connected and productive:
Network Center, an easy-to-use interface graphically showing the connection status of the computer
A simple wizard to create or join networks
Windows Peer-to-Peer Networking platform support for collaboration
Network diagnostics to easily troubleshoot and resolve connectivity issues
Network Location Awareness APIs to provide applications with information on changes to network connectivity
Network Center
Windows Vista's Network Center, shown in Figure 1, provides a clear view of the current connection status, available wireless networks, a network map to show surrounding network resources on a home or unmanaged network, and easy methods to create or join ad-hoc wireless networks. Diagnostic tools built into Network Center simplify troubleshooting connectivity problems and users can browse network resources by starting the new Network Explorer.
Figure 1. Network Center
Simple Network Creation
With Windows Vista, setting up a network among multiple PCs and devices such as printers and wireless access points is simpler and more intuitive. The Network Setup Wizard easily and automatically identifies supported network devices and creates connections to the network. With devices that support Windows Connect Now, users can save network settings to a portable USB flash drive to make adding additional supported computers and devices quick and easy. Simply insert a USB flash drive into a computer or device, and it readies itself to join the network.
Windows Peer-to-Peer Networking Platform
Peer-to-Peer (P2P) communication and collaboration is becoming more essential than ever to organizational productivity and success. P2P networking enables direct client-to-client communication, providing faster data transmission and offering greater flexibility such as deployment on disconnected or ad-hoc networks. Some of the key target applications include inter-personal communication, content distribution, and home/office productivity. Yet, there are many obstacles to overcome in this area. For instance, a network is not always available; you cannot share a file with your team members in meeting rooms or cafés without a network. Projecting information is another challenge. A projector is not always available, or even if you have a projector, some documents may not project well.
Windows Vista offers a comprehensive set of facilities supporting P2P application development with the Windows Peer-to-Peer Networking platform. It enables the discovery of endpoints for communication and collaboration over the Internet using the Peer Name Resolution Protocol (PNRP), and over the local subnet using People Near Me (PNM) technology. Windows Vista also supports inviting users to activities and establishing end-to-end application sessions.
Windows Meeting Space
Windows Meeting Space, the new collaboration feature in Windows Vista, is a simple, yet powerful tool that enables face-to-face collaboration among small groups of Windows Vista users at any time and anywhere. It is built entirely on the Windows Peer-to-Peer Networking platform within Windows Vista. Whether the user is making a presentation or revising a spreadsheet, Windows Meeting Space can help by enabling peer collaboration for as few as two or as many as 10 people. Connections are established quickly, easily, and more securely. One person simply initiates a session in Windows Meeting Space, which then allows designated users to share the same view of an application and to collaborate with each other in real time.
Windows Meeting Space can connect users either through an already existing network or by automatically creating an ad hoc wireless network. An ad hoc wireless network is perfect for collaboration when participants do not have access to a network infrastructure, for example, in a coffee shop or airport which does not have a wireless network. Using Windows Meeting Space on an ad hoc wireless network opens up a range of new and more flexible collaboration possibilities and does not require any networking expertise on the part of the end user.
Network Diagnostics Framework
The Network Diagnostics Framework can help users troubleshoot many common connectivity problems without requiring a call to the support center. For example, if a network cable becomes unplugged, Windows Vista can fully diagnose the problem and instruct the user to reconnect the cable. If the computer cannot connect to the wireless network, Windows Vista in most situations can identify the reason and lead the user in resolving the issue. When unable to connect to a network resource, the user is presented with clear diagnosis and repair options rather than error messages which can be difficult to understand. If Windows Vista can repair the issue automatically, it will; if not, the user is directed to perform simple steps to correct the problem without having to call for support.
Richer diagnostic information is also recorded in the Event Viewer. For example, the wireless LAN diagnostics describes information about the wireless environment, including networks in range, number of wireless access points in range per wireless Service Set Identifier (SSID), information about the connection process and which phase of the connection attempt failed, and the diagnostics results including suggested repairs. These event records can be used by support professionals within organizations to perform further troubleshooting when network diagnostics were either unable to resolve the problem or if the steps were beyond what the user's rights allow.
The event logs can significantly shorten the time needed to resolve wireless connection problems, resulting in the reduced cost of support calls and greater user satisfaction and productivity. For example, Figure 2 tells the user exactly why access to a network resource is unavailable. While the user may not be able to correct the problem, the help desk now has enough information to correct the problem quickly. Additionally, these event log entries can be automatically collected by network administrators using Microsoft Operations Manager or other central management tools and analyzed for trends and infrastructure design changes. The wireless diagnostics in Windows Vista is extensible for vendors to add diagnostics capabilities for wireless protocols that are not natively supported.
Figure 2. Network Diagnostics
Network Awareness
Many applications connect to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can automatically adapt to changing network conditions has been difficult for developers. Network Awareness APIs enable applications to sense changes to the network to which the computer is connected, such as placing a laptop into standby mode at work and then opening it at a wireless hotspot. This enables Windows Vista to alert applications of network changes, and these applications can then behave differently to provide a seamless experience.
Windows Vista identifies and remembers each of the networks to which it connects. Network Awareness APIs then allow applications to query for characteristics of each of these networks, including:
Connectivity. A network may be disconnected, it may provide access to only the local network, or it may provide access to the local network and the Internet.
Connections. Windows Vista may be connected to a network by one or more connections (such as network adapters). Network Awareness APIs enable applications to determine the connections that Windows Vista is currently using to connect to a given network.
Category. Each network is assigned a category in Windows Vista that identifies the type of network it is. Some Windows Vista settings will change based upon the category of the network to which it is connected. For example, Windows Firewall with Advanced Security enforces different policies based upon the category of the network to which Windows Vista is currently connected.
There are three categories of networks in Windows Vista:
Domain. For this category, Windows Vista will automatically identify networks on which Windows Vista can access an Active Directory® directory service domain controller for the domain to which the computer is joined. No other networks can be placed in this category.
Public. Other than domain networks, all networks are categorized as public. Networks that have direct connections to the Internet or are in public places, such as airports and coffee shops, should be left public.
Private. A network will only be categorized as private if a user or application identifies the network as private. Only networks located behind a private gateway device that is acting as a firewall should be identified as private networks. Users will likely want to identify their home or small business networks as private.
When a user connects to a network that is not part of the domain category, Windows Vista asks the user to identify the network as either public or private. The user must be a local administrator of the computer to identify the network as private. When the type of network to which the computer is connected is identified, Windows Vista is able to modify its configuration, such as firewall and file sharing settings, for the specified network category.
Advanced End-to-End Security
As the need for enterprises to share data within and outside their organizations increases, so does the requirement for greater security. Windows Vista provides enhanced network security features that are comprehensive yet easy to configure. Network security in Windows Vista is enabled in a layered approach, including:
Protecting the network from unhealthy computers with Network Access Protection
Blocking specific traffic from accessing or leaving computers, as well as isolating computers from unauthenticated access with the Windows Firewall with Advanced Security
Using stronger wireless authentication and encryption protocols
Network Access Protection
Many organizations have been impacted by viruses or worms that entered their private networks from a mobile laptop and quickly infected other computers. Windows Vista supports Network Access Protection (NAP) to reduce the risks of connecting unhealthy computers to organization networks directly or across a VPN connection. With a Windows Server "Longhorn"-based NAP infrastructure, if a computer running Windows Vista lacks current security updates, virus signatures, or otherwise fails to meet the requirements for a healthy computer, NAP blocks the computer from having full access to the organization network. If a computer fails to meet the health requirements, it will be connected to a restricted network to download and install the updates or antivirus signatures or make configuration changes that are required to comply with the health requirements. Within minutes, a potentially vulnerable computer can be updated and then granted limited access to the organization network. For more information about NAP, see http://www.microsoft.com/nap.
Windows Firewall with Advanced Security
The Windows Firewall with Advanced Security helps your business face the challenges of modern networking by providing a scalable solution that is tightly integrated with existing security technologies such as IPsec and Network Access Protection.
To help address these challenges, Windows Firewall with Advanced Security offers the following benefits:
Reduces the risk of network security threats. Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Integration with NAP also helps ensure that client computers remain compliant with system health requirements.
Safeguards sensitive data and intellectual property. With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications, providing scalable, tiered access to trusted network resources and/or protecting the confidentiality and integrity of data.
Extends the value of existing investments. Windows Firewall with Advanced Security is a host-based firewall that is included with Windows Vista and Windows Server "Longhorn." Because it tightly integrates with Active Directory and Group Policy, Windows Firewall with Advanced Security is also designed to complement existing third-party network security solutions through a scriptable API.
This powerful layer of security can be managed via Group Policy or command line scripting to provide a simple way to deploy inbound or outbound filtering and traffic protection rules that limit access by specific users, computers, or applications while providing the administrator with an extremely granular level of control. IPsec can request or require authentication by user, computer, and/or health certificate (integrating with NAP) to provide a richer, scenario-based security policy. This enables Windows Vista to fit perfectly into Server and Domain Isolation policies set within an organization.
Server and Domain Isolation
In an Active Directory-based network, you can logically isolate domain and server resources to limit access to authenticated and authorized computers, as shown in Figure 3. For example, you can create a logical network inside the existing physical network where computers share a common set of requirements for secure communications. Each computer in this logically isolated network must provide authentication credentials to other computers in the isolated network in order to establish connectivity.
Figure 3. Logical Isolation of Domain and Server Resources
This isolation prevents unauthorized computers and programs from gaining access to resources inappropriately. Requests from computers that are not part of the isolated network are ignored. Server and Domain Isolation can help protect specific high-value servers and data as well as protect managed computers from unmanaged or rogue computers and users.
You can use two types of isolation to protect a network:
Domain Isolation. To isolate a domain, you use Active Directory domain membership to ensure that domain-member computers accept only authenticated and secured communications from other domain-member computers. The isolated network consists of only computers that are part of the domain. Domain Isolation uses IPsec policy to provide protection for traffic sent between domain members, including all client and server computers.
Server Isolation. Server Isolation works like Domain Isolation. In Server Isolation, only specific domain-joined servers or applications are configured to require IPsec policy to accept authenticated communications from other domain-member computers, whereas Domain Isolation requires authenticated communications for all domain-member computers. For example, you might configure Domain Isolation to protect a database server from unauthorized connections from computers outside the domain, then further isolate these high-value servers from all users except those within a specific group.
You can enforce Server and Domain Isolation through Group Policy by configuring IPsec settings on local computers that are enforced by Windows Firewall with Advanced Security. For more information about Server and Domain Isolation, see http://www.microsoft.com/sdisolation.
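Both isolation types are built from IPsec connection security rules plus ordinary firewall rules, which is what the Group Policy settings mentioned above push to clients. The following PowerShell session is an added example, not from the original article, showing the Server Isolation case for the database server scenario above with netsh advfirewall; the server address, rule names, certification authority name and group SID are placeholders, and the commands must be run elevated on the server (or placed in the equivalent Group Policy).

```powershell
# Added example (not from the TechNet article): Server Isolation for one
# high-value server with netsh advfirewall. All values below are placeholders.

$serverAddress = '10.0.5.20'                     # placeholder: the database server
$ruleName      = 'Server Isolation - DB server'

# Connection security rule: inbound connections to this server must be
# authenticated with IPsec (computer Kerberos for the machine, user Kerberos for
# the logged-on user); outbound, authentication is requested but not required, so
# the server can still reach unmanaged hosts. A computer outside the domain cannot
# complete Kerberos authentication, so its requests are dropped.
netsh advfirewall consec add rule name="$ruleName" endpoint1="$serverAddress" endpoint2=any action=requireinrequestout auth1=computerkerb auth2=userkerb profile=domain

# NAP variant: authenticate the computer with a certificate and insist that it is
# a health certificate (the CA name is a placeholder).
# netsh advfirewall consec add rule name="$ruleName (NAP)" endpoint1="$serverAddress" endpoint2=any action=requireinrequestout auth1=computercert auth1ca="CN=Contoso Health CA" auth1healthcert=yes auth2=userkerb profile=domain

# Firewall rule on top of the authenticated path: the SQL Server port is open only
# to members of one domain group. The group is named by an SDDL string containing
# its SID; the SID here is a placeholder to be replaced with the real group SID
# from Active Directory.
$groupSddl = 'D:(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1108)'
netsh advfirewall firewall add rule name="$ruleName - DBA users" dir=in action=allow protocol=TCP localport=1433 security=authenticate rmtusrgrp="$groupSddl" profile=domain

# Review what was created.
netsh advfirewall consec show rule name="$ruleName"
netsh advfirewall firewall show rule name="$ruleName - DBA users"
```

Without the connection security rule the firewall rule's security=authenticate condition can never be satisfied, so order matters when scripting this: create the consec rule first. Domain Isolation is the same consec rule with endpoint1=any, applied through Group Policy to every domain member.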
Network-Aware Firewall Policies
The Windows Firewall with Advanced Security is an example of a network-aware application. The administrator can create a profile for each network category, with each profile containing different firewall policies. For example, the Windows Firewall can automatically allow incoming traffic for a specific desktop management tool when the computer is on a domain network but block that traffic when the computer is connected to a public or private network. In this way, Network Awareness can provide flexibility on your organization network without sacrificing security when mobile users travel. The Network Awareness APIs complement the robust and flexible filtering built into Windows Firewall with Advanced Security, which lets you filter programs, services, or ports for specific IP address scopes, interface types, users, groups, computers, and levels of protection, all based on the network category for the network the computer is connected to. A public network profile should have stricter firewall policies to protect against unauthorized access. A private network profile, on the other hand, may have less restrictive firewall policies to allow file and print sharing, peer-to-peer discovery, and connectivity with Windows Connect Now devices. Figure 4 shows the Windows Firewall with Advanced Security interface and the profiles for the three different network categories.
Figure 4. Windows Firewall with Advanced Security
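The profile-scoped rule described above, and the three network categories from the Network Awareness section that select the active profile, map directly onto netsh advfirewall. The following PowerShell session is an added example, not from the original article; the management tool's path and the rule name are placeholders, and the commands need an elevated session.

```powershell
# Added example (not from the TechNet article): a network-aware inbound rule with
# netsh advfirewall. The program path and rule name are placeholders.

$toolPath = 'C:\Program Files\Contoso\MgmtAgent\agent.exe'   # placeholder
$ruleName = 'Contoso management agent (domain profile only)'

# Which category is the current network in? The active profile (Domain, Private
# or Public) decides which rule set the firewall evaluates.
netsh advfirewall show currentprofile

# Stricter baseline for all three profiles: drop unsolicited inbound traffic,
# allow outbound. Public keeps this baseline; Domain and Private get exceptions.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Inbound to the management agent is allowed only while the Domain profile is
# active. On a Public or Private network no rule matches this program, so the
# blockinbound default applies and the agent cannot be reached from outside.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow program="$toolPath" profile=domain enable=yes

# Verify: the Profiles field of the rule should read "Domain" only.
netsh advfirewall firewall show rule name="$ruleName"
```

A rule with profile=any would open the agent's port at a coffee shop as well; scoping by profile is the cheapest way to keep a management listener reachable at work and invisible everywhere else.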
Wireless Single Sign On
The deployment of wireless networks has promoted the use of Layer 2 network authentication, such as IEEE 802.1X, to ensure that only an authenticated user or device is allowed on the protected network and that their data is secure at the radio transmission level. The wireless Single Sign On feature executes Layer 2 network authentication at the appropriate time for a given network security configuration, while at the same time seamlessly integrating with the user's Windows logon experience.
Administrators can use Group Policy or command-line scripting to deploy wireless Single Sign On profiles to client machines. Once a Single Sign On profile is configured, wireless network authentication will precede the Windows logon. This feature enables scenarios such as Group Policy updates, logon scripts, and wireless domain joins, which require network connectivity prior to user logon.
Wireless Security
Windows Vista has wide support for the latest wireless security protocols and standards, including:
Extensible Authentication Protocol -- Transport Layer Security (EAP-TLS)
Protected Extensible Authentication Protocol -- TLS (PEAP-TLS)
PEAP -- Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2)
Wi-Fi Protected Access 2 (WPA2) (Enterprise and Personal)
Wi-Fi Protected Access (WPA) (Enterprise and Personal)
Wired Equivalent Privacy (WEP)
This broad support ensures interoperability between Windows Vista and almost any wireless infrastructure. Personal networks at home or in small businesses can also be more secure through WPA2-Personal and WPA-Personal using a pre-shared key. The capabilities of the wireless network adapter are examined by Windows Vista and the most secure protocol is chosen by default when connecting to or creating wireless networks. Wireless security in Windows Vista is also extensible. Using the EAPHost framework, Windows Vista is able to support custom authentication mechanisms defined by a hardware vendor or by an organization.
Windows Vista's wireless networking includes many improvements to the behavior of the wireless client to mitigate common wireless attacks. The client will automatically connect only to networks that the user or network administrator has explicitly requested or identified as preferred networks. The client also provides a warning if the user is about to initiate a connection to an unsecured network. Additionally, the client will actively probe for fewer preferred networks and only if instructed to do so by the user.
Greater Manageability
Manageability is a critical factor in providing appropriate levels of service and ensuring security measures are enforced while reducing operations costs. Windows Vista has been designed to support high levels of manageability to help reduce the cost of deploying wireless networks and providing quality of service for applications or end-users.
The importance of networking and mobility has encouraged many organizations to deploy wireless networks so that employees can maintain connectivity during meetings throughout their office building, campus, or public hotspots. Wireless networks offer significant benefits, including increased productivity, but they can introduce security risks and administration complications.
Windows Vista includes a native wireless networking architecture (Native Wi-Fi) as part of its core networking support. This provides many benefits, including flexible deployment across many hardware brands and models, similar user experiences regardless of the hardware, and more reliable third-party wireless adapter drivers.
Although wireless networks can be protected with authentication and encryption, implementing that security can be so difficult that administrators often leave such critical layers of security out of their networks. Windows Vista's wireless features can be managed via Group Policy or command-line scripting to easily deploy configuration settings and security requirements across the entire organization. In addition, as there are more requirements to extend networking services to include Voice over IP (VoIP) and multimedia streaming, it is important to be able to provide a method to control and prioritize outgoing and incoming traffic to computers on the network. Policy-based Quality of Service enables the administrator to manage the amount of bandwidth that applications use.
Configring and ,e!%o&ing Wire%ess Network Settings with Gro! Po%ic&
"in#ows $ista inclu#es new 0roup %olicy settin!s that enable a#ministrators to confi!ure
policies for wireless client beha.ior. 1n a##ition( "in#ows $ista inclu#es a comman#-line
interface that enables full mana!ement of wireless networs from the comman# prompt or
throu!h scriptin!.
Using the Group Policy snap-in for the Microsoft Management Console (MMC), administrators can define how wireless clients connect to, and operate on, wireless networks. For example, a company may define a policy that requires all wireless connections to use a certain security configuration, that all connections must be limited to a certain wireless network, or that connections can only be made to secured networks. Because these settings are made via Group Policy, the end user can be prevented from changing them.
Windows Vista includes an enhanced network command-line interface (the Netsh tool, with its wlan context) that enables automation and scripting to assist in configuring wireless network connections. Using the command-line interface, administrators can verify, change, or remove the client's wireless network configuration profiles. These profiles can also be exported to and imported from other computers to expedite provisioning of multiple computers. Figure 5 shows a Wireless Network Group Policy being created for a wireless network configuration.
Figure 5. Creating a New Wireless Network Policy
Policy-Based Quality of Service
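The export, verify, remove and import operations described above, as an added example written for this page rather than code from the original article. It uses the netsh wlan context to export every stored wireless profile to XML, checks each profile against a WPA2/AES with 802.1X baseline by reading the authEncryption element of the profile document, and, when asked, deletes the profiles that fail and imports a corporate profile. The folder name C:\WlanAudit, the file name Corp-WLAN.xml and English-language netsh output are assumptions.

```powershell
# Added example, not code from the original article. Audits the wireless
# profiles stored on a Windows Vista (or later) client with "netsh wlan",
# flags any profile that does not meet a WPA2/AES with 802.1X baseline,
# optionally deletes them, and imports a centrally prepared corporate profile.
# Assumptions: English netsh output, the working folder C:\WlanAudit, and a
# corporate profile C:\WlanAudit\Corp-WLAN.xml exported from a reference
# machine. Run from an elevated PowerShell prompt.

$AuditFolder = 'C:\WlanAudit'                            # assumed
$CorpProfile = Join-Path $AuditFolder 'Corp-WLAN.xml'    # assumed
New-Item -ItemType Directory -Path $AuditFolder -Force | Out-Null

# Export every stored profile to XML. netsh chooses the file names itself, so
# the audit reads the <WLANProfile> documents back instead of guessing names.
function Export-WlanProfiles {
    param([string]$Folder)
    netsh wlan export profile folder="$Folder" | Out-Null
    Get-ChildItem -Path $Folder -Filter '*.xml' |
        Where-Object { $_.FullName -ne $CorpProfile }
}

# Security settings live under WLANProfile/MSM/security/authEncryption:
# authentication (open, shared, WPA, WPAPSK, WPA2, WPA2PSK), encryption
# (none, WEP, TKIP, AES) and useOneX (true when 802.1X is in use).
function Test-WlanProfile {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path
    $sec = $doc.WLANProfile.MSM.security.authEncryption
    New-Object PSObject -Property @{
        Name           = $doc.WLANProfile.name
        Authentication = $sec.authentication
        Encryption     = $sec.encryption
        OneX           = $sec.useOneX
        Compliant      = ($sec.authentication -eq 'WPA2' -and
                          $sec.encryption -eq 'AES' -and
                          $sec.useOneX -eq 'true')
    }
}

function Invoke-WlanAudit {
    param([switch]$Remediate)
    $results = Export-WlanProfiles -Folder $AuditFolder |
        ForEach-Object { Test-WlanProfile -Path $_.FullName }
    $results | Format-Table Name, Authentication, Encryption, OneX, Compliant -AutoSize | Out-Host
    foreach ($r in ($results | Where-Object { -not $_.Compliant })) {
        if ($Remediate) {
            # Remove the weak profile so the client can no longer auto-connect to it.
            netsh wlan delete profile name="$($r.Name)" | Out-Null
        } else {
            Write-Warning "Non-compliant wireless profile: $($r.Name) ($($r.Authentication)/$($r.Encryption))"
        }
    }
    if ($Remediate -and (Test-Path $CorpProfile)) {
        # user=all makes the imported profile available to every user of the machine.
        netsh wlan add profile filename="$CorpProfile" user=all | Out-Null
    }
    $results
}

Invoke-WlanAudit                 # report only
# Invoke-WlanAudit -Remediate    # delete weak profiles and import the corporate one
```

Run without the switch first: the report shows what actually reached the client, which is the useful check when the same baseline is supposed to be enforced through the Group Policy wireless settings. The delete step is the manual equivalent of a policy that denies connections to anything but the corporate network, and it fails harmlessly on profiles that Group Policy has locked.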
Policy-based Quality of Service in Windows Vista enables domain-wide management of how computers utilize network bandwidth. This technology can solve network problems and enable scenarios such as:
Ensuring business-critical applications and traffic get needed priority. For example, a custom line-of-business application requires priority over normal network traffic.
Customizing bandwidth requirements for groups of users and machines. For example, sales and marketing require prioritized use of a line-of-business application.
Enabling real-time traffic by prioritizing applications for higher priority, such as VoIP.
Minimizing the impact of latency-insensitive traffic through prioritization and throttling. For example, backup data transfers can cause congestion.
Network quality can diminish because high-bandwidth applications tend to consume all available bandwidth, and applications are not written to give central bandwidth control to IT administrators. Adding more bandwidth does not usually solve these problems. Instead, adding more bandwidth only leads to applications consuming the newly available capacity. IT administrators need a central means to control and allocate bandwidth resources based on the needs of their business.
Policy-based Quality of Service enables the administrator to use existing bandwidth more efficiently by making bandwidth management flexible and centrally configurable through Quality of Service policies delivered via Group Policy. With Policy-based Quality of Service, the administrator can prioritize and/or throttle outbound network traffic without requiring applications to be modified for Policy-based Quality of Service support. Policies can either mark outbound traffic with a Differentiated Services Code Point (DSCP) value for routers to prioritize, or have Windows Vista throttle the amount of outbound traffic sent, regardless of the router configuration. A combination of both techniques provides the administrator with even greater flexibility. Note that a DSCP mark is only a request: it takes effect only where the network's routers and switches are configured to honor it, and any hop may rewrite or clear it, whereas throttling is enforced on the sending computer itself. The policies can be based on a mix of any of these conditions:
Groups of users or machines (Active Directory container, such as a domain, site, or OU)
Sending application
Source or destination IP address (including network prefix length notation, such as 192.168.1.0/24)
Source or destination TCP or UDP port number
Figure 6 shows how a policy can be easily created.
Figure 6. Creating a Quality of Service Policy
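The two policy types just described (a DSCP mark and an outbound throttle) as an added example for this page, not code from the original article. Group Policy delivers Policy-based QoS computer policies to the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS, one subkey per policy with string values for the conditions and actions; the script writes two such policies directly, which is the form you would inspect on a client to confirm what a GPO delivered, and reads them back. The policy names, executable names, port range, subnet and rate are assumptions for illustration, and the unit of "Throttle Rate" is assumed to be the one the policy editor shows (KBps).

```powershell
# Added example, not code from the original article. Creates two
# Policy-based QoS computer policies in the registry location that Group
# Policy populates (HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS\<name>):
# one marks a softphone's RTP traffic with DSCP 46 (Expedited Forwarding),
# the other throttles a backup agent sending to the backup subnet. Names,
# executables, ports, subnet and rate are assumptions; the "Throttle Rate"
# unit is assumed to be KBps as shown by the policy editor. Run elevated.

$QosRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\QoS'

function New-QosPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$ApplicationName = '*',          # executable name, or * for any
        [ValidateSet('*', 'TCP', 'UDP')][string]$Protocol = '*',
        [string]$LocalPort = '*',                # "5060", a range "50000:50100", or *
        [string]$RemotePort = '*',
        [string]$LocalIp = '*',                  # address or network prefix
        [string]$LocalIpPrefixLength = '*',
        [string]$RemoteIp = '*',
        [string]$RemoteIpPrefixLength = '*',
        [ValidateRange(-1, 63)][int]$DscpValue = -1,   # -1 = do not mark
        [int]$ThrottleRate = -1                        # -1 = do not throttle
    )
    $key = Join-Path $QosRoot $Name
    New-Item -Path $key -Force | Out-Null
    # Value names mirror what the Group Policy editor writes for a QoS policy.
    $values = @{
        'Version'                 = '1.0'
        'Application Name'        = $ApplicationName
        'Protocol'                = $Protocol
        'Local Port'              = $LocalPort
        'Remote Port'             = $RemotePort
        'Local IP'                = $LocalIp
        'Local IP Prefix Length'  = $LocalIpPrefixLength
        'Remote IP'               = $RemoteIp
        'Remote IP Prefix Length' = $RemoteIpPrefixLength
        'DSCP Value'              = [string]$DscpValue
        'Throttle Rate'           = [string]$ThrottleRate
    }
    foreach ($v in $values.GetEnumerator()) {
        New-ItemProperty -Path $key -Name $v.Key -Value $v.Value -PropertyType String -Force | Out-Null
    }
}

# Read every policy back so the result can be compared with the intended GPO.
function Get-QosPolicy {
    Get-ChildItem -Path $QosRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Name      = $_.PSChildName
            App       = $p.'Application Name'
            Protocol  = $p.Protocol
            LocalPort = $p.'Local Port'
            RemoteIp  = $p.'Remote IP'
            Prefix    = $p.'Remote IP Prefix Length'
            Dscp      = $p.'DSCP Value'
            Throttle  = $p.'Throttle Rate'
        }
    }
}

# 1) Mark softphone media (assumed executable and UDP port range) as EF.
New-QosPolicy -Name 'Softphone RTP' -ApplicationName 'softphone.exe' `
    -Protocol 'UDP' -LocalPort '50000:50100' -DscpValue 46

# 2) Throttle the backup agent when it sends to the (assumed) backup subnet.
New-QosPolicy -Name 'Backup throttle' -ApplicationName 'backupagent.exe' `
    -Protocol 'TCP' -RemoteIp '10.20.0.0' -RemoteIpPrefixLength '16' -ThrottleRate 2048

Get-QosPolicy | Format-Table Name, App, Protocol, LocalPort, RemoteIp, Prefix, Dscp, Throttle -AutoSize
```

Writing the Policies key by hand is for a lab or a single machine; on a domain member a QoS GPO overwrites it at the next refresh (gpupdate /force), so production policies belong in the GPO and this script is the way to verify what arrived. Two checks worth doing after deployment: confirm with a packet capture at the switch that the DSCP value is still present (the mark is only honored where the network is configured to trust it), and note that by default QoS policies apply only on interfaces that Network Location Awareness classifies as domain networks; the string value "Do not use NLA" set to "1" under the same QoS key removes that restriction.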
For more information about Windows Vista and Policy-based Quality of Service, see Quality of Service in Windows Server "Longhorn" and Windows Vista at http://www.microsoft.com/downloads/details.aspx?familyid=0230e025-9549-400b-807e-97e8a0cb9703.
World-Ready Scalability
As organizations grow, they may become concerned about potential scalability issues when supporting their network. For example, they may begin running out of available IP addresses. Many organizations utilize Network Address Translation (NAT) mechanisms to provide a larger set of private IPv4 addresses to their internal network, but NATs require additional management, and they can introduce their own set of connectivity issues with applications that do not support them. While organizations may be interested in providing additional network services such as IPsec, they may also be concerned about the impact on CPU load. Windows Vista addresses network scalability concerns by supporting IPv6 and hardware offload capabilities.
Comprehensive IPv6 Support
To solve problems with limited public IPv4 addresses, many governments, Internet Service Providers (ISPs), and other organizations are transitioning to IPv6, the next version of the network protocol that drives the Internet. Windows Vista supports both IPv4 and IPv6 together through a dual IP layer architecture. IPv6 is enabled by default without any additional steps necessary by the administrator, and the dual IP layer support enables you to gradually migrate using IPv6 transition technologies that can tunnel IPv6 traffic across a private IPv4 network or the IPv4 Internet. Windows Vista natively supports Point-to-Point Protocol for IPv6 (PPPv6) and Layer Two Tunneling Protocol (L2TP)/IPsec VPNs, enabling remote access users to take advantage of the benefits of IPv6 networks. IPv6 provides the following benefits for TCP/IP-based networking connectivity:
Large address space: The 128-bit address space for IPv6 provides ample room to provide every device on the present and foreseeable future Internet with a globally reachable address.
Efficient routing: With a streamlined IPv6 header and IPv6 addressing that supports hierarchical routing infrastructures, IPv6 routers on the Internet can forward IPv6 traffic faster than their IPv4 counterparts.
Ease of configuration: IPv6 hosts can configure themselves either by interacting with a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server or by interacting with their local router and using stateless address autoconfiguration.
Enhanced security: The IPv6 standards address some of the security issues of IPv4 by making address and port scanning of a subnet far more expensive (a single /64 holds 2^64 addresses) and by requiring that all IPv6 implementations support IPsec for cryptographic protection of IPv6 traffic. Two caveats apply in practice: hosts remain discoverable through DNS, neighbor caches, and predictable (for example, EUI-64-derived) addresses, and mandatory IPsec support does not mean IPsec is used; traffic is protected only where policies and keys have actually been deployed.
IPv4 and IPv6 are supported natively within the single Next Generation TCP/IP stack. Applications that are written solely for IPv4 will still function as expected. Applications provided with Windows Vista have been updated to use the newer Windows Sockets functions (such as getaddrinfo) that are independent of IPv4 or IPv6. In Windows Vista, applications and services that support both IPv4 and IPv6 will by default prefer the use of IPv6 over IPv4. This behavior is governed by the IPv6 prefix policy table and can be configured by the administrator.
To ease the transition to IPv6, Windows Vista supports the Teredo IPv6 transition technology, which performs NAT traversal for IPv6 traffic. Teredo provides connectivity for server or peer-based applications running on computers that are located behind NATs, without having to modify applications or configure NATs. In Release Candidate 1 of Windows Vista, Teredo is enabled by default but inactive. In order to become active, a user must either install an application that needs to use Teredo, or choose to change firewall settings to allow an application to use Teredo. Because an active Teredo client has a globally reachable IPv6 address, the IPv4 NAT no longer shields the computer from unsolicited inbound traffic; Windows Firewall, which filters Teredo traffic like any other IPv6 traffic, becomes the control point, and organizations with no need for Teredo commonly disable it by policy. For more information about Teredo, see Using IPv6 and Teredo at http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/ipv6_teredo.mspx.
Hardware Offload and Receive-side Scaling
Windows Vista provides support for offloading network traffic processing to specialized network adapters. New offload capabilities introduced with Windows Vista include offload of IPv6 traffic and TCP Chimney offload, in which the adapter takes over the processing of an established TCP connection. These architectural innovations optimize performance and network throughput to achieve the gains made possible by today's high-speed networks. Utilizing compatible network adapter hardware can remove bottlenecks related to network packet processing, such as CPU overhead and available memory bandwidth, without requiring changes to existing applications or network management tools. The network stack within Windows Vista also supports Receive-side Scaling, which distributes inbound packet processing across multiple processors or cores so that no single processor becomes a bottleneck for network traffic. One caveat: packets on a Chimney-offloaded connection are handled on the adapter rather than in the host stack, so host-based software that relies on seeing every packet (some packet capture and intrusion detection tools) may not observe them; test such tools with offload enabled before depending on them.
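The settings from the two preceding passages (IPv6 preference and Teredo state, and Receive-side Scaling and Chimney offload) as one added example for this page, not code from the original article, since both are read from the same kind of netsh "show" output. The script parses that output into a posture object and provides a separate function that applies a conservative baseline: RSS on, Chimney off so host-based inspection still sees packets, Teredo disabled, and optionally IPv4 preferred by raising the precedence of IPv4-mapped addresses in the prefix policy table. English-language netsh output is assumed; only the "show" commands run unless Set-StackPosture is called.

```powershell
# Added example, not code from the original article. Reads the Next
# Generation TCP/IP stack settings discussed above with netsh and, when
# Set-StackPosture is invoked, applies a conservative baseline. Assumes
# English netsh output; changes require an elevated prompt.

# Turn "Name : Value" lines from a netsh "show" command into a hashtable.
function ConvertFrom-NetshOutput {
    param([string[]]$Lines)
    $h = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?)\s*:\s*(.+?)\s*$') { $h[$Matches[1]] = $Matches[2] }
    }
    $h
}

function Get-StackPosture {
    $tcp    = ConvertFrom-NetshOutput (netsh interface tcp show global)
    $teredo = ConvertFrom-NetshOutput (netsh interface teredo show state)
    New-Object PSObject -Property @{
        ReceiveSideScaling = $tcp['Receive-Side Scaling State']
        ChimneyOffload     = $tcp['Chimney Offload State']
        AutoTuning         = $tcp['Receive Window Auto-Tuning Level']
        TeredoType         = $teredo['Type']
        TeredoState        = $teredo['State']     # qualified = active, globally reachable
        # Prefix policy table: a higher precedence for ::/0 than for
        # ::ffff:0:0/96 means IPv6 destinations are preferred over IPv4.
        PrefixPolicies     = (netsh interface ipv6 show prefixpolicies) -join "`n"
    }
}

function Set-StackPosture {
    param(
        [ValidateSet('enabled', 'disabled')][string]$Rss = 'enabled',
        [ValidateSet('enabled', 'disabled')][string]$Chimney = 'disabled',
        [ValidateSet('disabled', 'client', 'enterpriseclient')][string]$Teredo = 'disabled',
        [switch]$PreferIPv4
    )
    # RSS spreads receive processing over cores; Chimney off keeps every
    # packet in the host stack where capture and inspection tools can see it.
    netsh interface tcp set global rss=$Rss chimney=$Chimney | Out-Null
    # Teredo off removes the NAT-traversing, globally reachable IPv6 address.
    netsh interface teredo set state type=$Teredo | Out-Null
    if ($PreferIPv4) {
        # Raise IPv4-mapped addresses above ::/0 (default precedence 40) so
        # dual-stack applications pick IPv4 destinations first; persistent.
        netsh interface ipv6 set prefixpolicy 'prefix=::ffff:0:0/96' precedence=100 label=4 store=persistent | Out-Null
    }
}

Get-StackPosture | Format-List
# Set-StackPosture -Teredo disabled -Chimney disabled -PreferIPv4; Get-StackPosture | Format-List
```

Chimney offload is only active on adapters that support it, so "enabled" in the posture report does not by itself mean connections are being offloaded; the point of the check is to know the setting before relying on a host-based capture or inspection tool. The same IPv4 preference can be set machine-wide with bit 0x20 of the DisabledComponents value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, which takes effect after a restart.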
Summary
Windows Vista represents the most significant update to Windows networking since Windows 95, and users will find it easier to take advantage of wired and wireless networks as they travel. With the new auto-tuning TCP/IP stack, file transfers will be faster than before. Enterprises will appreciate the reduced security risks, including improved protection from threats introduced by mobile and wireless users. Systems administrators will find it easier to manage bandwidth in Windows Vista, with the ability to create granular security policies for network traffic as well as Quality of Service policies for mission-critical applications. These new features in Windows Vista let you do more with your network infrastructure while minimizing administration time and maximizing end-user productivity. For more information on what's new in Windows Vista networking, please see http://www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx.
© 2009 Microsoft Corporation. All rights reserved.