WINDOWS 7

Integrating Windows 7 and Windows 2008 R2

Alan Maddison

With the pending release of Windows 7, Microsoft has created an OS that far surpasses its earlier client operating systems, including Windows Vista and Windows XP, in both features and functionality. This fact alone is a compelling enough reason why organizations should upgrade; based on industry reports, it seems that many companies intend to do just that.

However, enterprises looking to maximize their return on investment are looking not only at the benefits of Windows 7, but also at the benefits to be gained from deploying Windows 7 together with Windows Server 2008 R2. The combination of Microsoft's latest desktop and server OSes can benefit any organization. From an administrator's perspective, this pairing raises some questions: Are there any pitfalls to be concerned about? What are some of the benefits of integrating Windows 7 and Windows Server 2008 R2?

At the simplest level, Windows 7 and Windows Server 2008 R2 integration will be seamless and require little or no effort. However, to take advantage of some key features made possible by the combination of the two, you will need to take some time to understand the requirements and the impact of implementing the technology. Here's a look at some of those key features and what this may mean to the typical systems administrator.
There are a number of key integration points to focus on in order to get the most from a rollout.

Security

Microsoft continues to make inroads in improving PC and server security, and this is particularly true with its latest OS releases. Perhaps the most significant technology from a security perspective (not to mention the management and networking benefits) is DirectAccess.

While DirectAccess will almost certainly prove to be the most complex to integrate, not least of all because it creates the possibility that your existing remote access solutions will be completely displaced, it does have some major benefits. These include the ability to integrate with Network Access Protection (NAP) to check that the remote machine complies with corporate security policies; the ability to apply application updates; and the ability to deploy software under Group Policy even when the user is not logged on.

The DirectAccess client connects automatically using an automatic protocol selection, which allows for seamless connectivity without requiring user intervention. For example, it can use IPsec tunnels if it can connect to the correct ports on the DirectAccess server. Alternatively, it supports a new protocol called IP-HTTPS, which allows tunneling of the IP packets over an SSL connection.

DirectAccess requires a Windows Server 2008 R2 DirectAccess server in your perimeter network and either Windows 7 Enterprise Edition or Ultimate Edition deployed on the client. Depending upon the number of remote users, their location and your adoption policy, you could potentially end up with a significant DirectAccess infrastructure, so be prepared to plan carefully. DirectAccess also relies on public key infrastructure (PKI) certificates for both the user and computer to ensure end-to-end encryption and authentication; make sure you incorporate these requirements. Finally, although DirectAccess is also based on IPv6, it supports translation from IPv4 networks.

BranchCache

BranchCache is another technology that can significantly impact your network. Many of you will have experienced the problems associated with branch offices that have limited or heavily utilized wide area network (WAN) connections. A typical solution has been to buy a third-party WAN accelerator, but this tends to stretch already limited budgets and can't be justified for smaller offices.

The introduction of BranchCache provides an efficient and cost-effective solution that caches data to optimize WAN traffic. BranchCache has two modes of operation: distributed and hosted cache mode. In distributed mode the cache is actually maintained across client (Windows 7) machines. In hosted cache mode an on-site Windows 2008 R2 server is responsible for hosting the cache.

Because distributed caching is limited in that it requires clients to be on the same subnet, you will usually consider hosted cache mode first. On the client side you need either Windows 7 Ultimate Edition or Enterprise Edition, with BranchCache enabled and firewall exceptions created. This can be done using Group Policy. Note that files smaller than 64KB will not be cached.

AppLocker

Also new is Applocker, the long-awaited replacement for Software Restriction Policies (SRPs). If you have ever used SRPs you know that they were cumbersome and lacked granularity and flexibility. AppLocker constitutes a huge stride forward and provides a robust and flexible method for managing user access to applications. Because AppLocker provides the ability to control a wide variety of file types, including executables, scripts, installers and .DLLs, it's quite an effective security tool.

However, while you will almost certainly want to control AppLocker using Group Policy, if you are not familiar with or have never used SRPs, you will want to test AppLocker thoroughly on a local machine using the Local Security Policy.

AppLocker's default behavior is to block all programs and scripts not explicitly allowed that can create major problems if you make a mistake. An additional testing safeguard to consider is the AppID service, which needs to be running on the Windows 7 machine in order for AppLocker policies to apply. By keeping the service startup type of the AppID set to "manual," you can easily fix mistakes by simply restarting the test machine.

When ready to deploy, use a dedicated Group Policy Object (GPO) for AppLocker and don't combine it with SRPs -- the two should never be part of the same GPO. Finally, be aware that if you implement AppLocker and are not currently using SRPs, users will likely struggle to adapt, resulting in a temporary increase in calls to the help desk. For more help with implementing AppLocker, consult the Microsoft AppLocker Step-by-Step Guide.

BitLocker

Continuing in the same vein of improvements in management and security, Microsoft has improved BitLocker with the concept of BitLocker To Go, which allows you to encrypt removable media such as USB drives and thumb drives. This is a significant enhancement that has many positive implications, particularly as it relates to protection of intellectual property and data privacy laws.

This technology is best controlled through Group Policy; you should save the encryption keys within Active Directory to ensure that you always have control of the encrypted data. More information is available at the Microsoft BitLocker Drive Encryption Step-by-Step Guide for Windows 7.

Virtualization

Virtualization is here, and is a key part of Windows 7 and Windows Server 2008 R2. While a lot of attention has been given to the Windows 7 Windows XP Mode (which is a copy of Microsoft's Virtual PC with a Windows XP virtual machine built in), that technology is targeted at small to midsize businesses, not the enterprise.

The real virtualization benefits come from different technologies. Remote Desktop Services (RDS), the next generation of the venerable Terminal Services, was introduced with Windows Server 2008 R2.

RDS provides a much more seamless remote end-user experience, which is important in the growing hosted desktop space. And Windows 7 takes this one step further with the concept of RemoteApp and Desktop Connections. These capabilities provide a dynamic feed for remote applications and can be accessed through the Start menu, just as they would a locally installed application. Windows Server 2008 R2 and Windows 7 also use RDP 7, which further enhances the capabilities of a virtualized application or desktop by supporting Aero Glass, audio input to support VoIP in remote sessions and enhanced bitmap acceleration.

Power Conservation

Finally, in support of the ever growing number of green initiatives within IT, Microsoft has introduced some power-management improvements in Windows 7. All of these enhancements can be deployed and managed centrally, via Group Policy, using Windows Server 2008 R2. While larger organizations could see some large numbers in terms of reducing costs associated with power consumption, don't forget about your users. As should be the case with all changes to a user's desktop or laptop environment, proceed with care -- unless you want your help desk swamped with calls.

There's a lot to like about the Windows 7 and Windows Server 2008 R2 operating systems by themselves. Together, their new features provide an opportunity to make fundamental changes in how effectively and efficiently IT is run; and more easily, too -- at least until the next upgrade.

For more information on some of the features discussed in this article, check out these links:

DirectAccess
BranchCache
AppLocker
BitLocker

_Alan Maddison is a 15-year IT veteran who is currently a senior consultant with SBS, a division of Brocade. You can reach him atamaddison@sbsplanet.com._