Windows Server 2008 One Year On — Hit Or Miss?
magacious writes "Friday marked a year to the day since Microsoft launched Windows Server 2008, but did it have quite the impact the so-called software giant expected, or did it make more of a little squeak than a big bang? Before its arrival on 27 February 2008, it had been five long years since the release of the last major version of Windows Server. In a world that was moving on from simple client/server applications, and with server clouds on the horizon, Windows Server 2003 was looking long in the tooth. After a year of 'Vista' bashing, Microsoft needed its server project to be well received, just to relieve some pressure. After all, this time last year, the panacea of a well-received Windows 7 was still a long way off. So came the new approach: Windows Server 2008."
I've never tried 2k8. Does it come with the horrible lockdown of every single thing on the machine when you first bring the system up like 2k3 did, meaning you can't even browse outside of Microsoft's site to get other necessary server bits/programs/etc without doing some obscure fix to open that up (I never could get IE to allow me to go anywhere besides Microsoft unless I did that!)?
That made me laugh -- apparently even Microsoft knows the security on its product is so bad that they have to ship it locked completely down. If they can't even trust their product, why should I?
This is a sig. Deal with it.
2 security features Microsoft has PULLED (port filtering) &/or crippled (for efficiency in HOSTS files) shouldn't be & yet, are.
----
1.) The removal of being able to use 0 as a blocking IP address in a HOSTS file
(vs. 0.0.0.0 or 127.0.0.1, which are bigger, slower on load into the local DNS Cache (as well as slower flushes via ipconfig /flushdns) & also occupy more RAM once loaded, for NO GOOD REASON - 0 blocks as well as the other 2 do, & is smaller + faster!)
In this case, this happened on 12/09/2008 Microsoft "Patch Tuesday" updates, it wasn't LIKE that before then!
E.G.-> Here, using 0 as my blocking IP address in a FULLY normalized (meaning no repeated entries) HOSTS file with nearly 650,000 bad sites blocked in it, I get a 14++mb sized HOSTS file... using 0.0.0.0 it shoots up to 18++mb in size (& even worse using 127.0.0.1, to around the tune of 24++mb in size)... Here? This is SENSELESS bloat creation as the result!
&
2.) The removal of IP Port Filtering GUI controls for it via Local Network Connections properties "ADVANCED" section
(This is up there w/ when MS removed the GUI checkbox after NT 4.0 for IP Forwarding, only, this time, the difference (and, it's a PAIN) is that it is NOT a single 1 line entry to hack via regedit.exe, but FAR MORE COMPLEX to do by hand)... Port Filtering is a USEFUL & POWERFUL security (& to a degree, speed also) enhancing feature!
Afaik, on THIS case (vs. #1 above)? It has always been that way in VISTA &/or Windows Server 2008... & not just the result of a Patch Tuesday modification.
----
QUESTION: Do ANY of you folks have an answer, a GOOD SOLID TECHNICAL answer, as to WHY these cripplings have been implemented in VISTA, Server 2008, & most likely their descendant, in Windows 7?
See - I posted on Microsoft/Mr. Sinofsky's (?) blog -> http://blogs.msdn.com/e7/archive/2009/02/25/feedback-and-engineering-windows-7.aspx
AND, I have YET to get a SOLID TECHNICAL ANSWER on those things going on in VISTA, Server 2008, & probably Windows 7 as well, that justify doing so...
(They're things I'd really LIKE to get an answer to, as to WHY Microsoft has done the 2 things in my list above, to the above noted versions of Windows)
APK
P.S.=> I found the (imo) rather flimsy reasoning behind WHY the PORT FILTERING gui controls were allegedly removed in Windows VISTA, Server 2008, & Windows 7, after consulting with Mr. Mitch Tulloch ( http://www.windowsnetworking.com/Mitch_Tulloch/ ) ... here tis:
From Chapter 27 of the Vista Resource Kit that explains the rationale for removing the TCP/IP Filtering UI:
----
"Windows XP Service Pack 2 actually has three different firewalling (or network traffic filtering) technologies that you can separately configure, and which have zero interaction with each other:
Windows Firewall that was first introduced in Service Pack 2
TCP/IP Filtering, which is accessed from the Options tab of the Advanced TCP/IP Properties sheet for the network connection
IPsec rules and filters, which you can create using the IPsec Security Policy Management MMC snap-in
On top of this confusion, Windows Server 2003 Service Pack 1 had a fourth network traffic filtering technology that you could use: the Routing and Remote Access Service (RRAS), which supported basic firewall and packet filtering. The problem, of course, is that when more than one of these firewalls is configured on a computer, one firewall can block traffic that another allows"
----
Lame reasoning imo!
I say this, because it is TRIVIAL to create exceptions rules in most any software (or hardware based) firewall generally, & to match that in Port Fil
Please come to my work and tell the Windows admin that. I tried but they switched anyways. Now they get to reboot every 2 days because the SMB shares stop working to the clients and no one can get to their data.
They call me old fashioned because I like to see requirements and testing before I go upgrading. I guess I am just some surly old curmudgeon, trying to perform due-diligence on systems that attach to a production network. hrmph!
Bottom line: It just works. Nice new GPO features, Hyper V is fine, but overall, nothing to get terribly excited about other than the fact that there have been few negative issues.
You're right, there's nothing to get terribly excited about unless you want a more secure server, more control via GPO, improved network performance, Terminal Services Remote App, a FREE hypervisor, read-only domain controllers for branch offices, lightweight and secure "core" installations, IIS7, improved failover clustering, simplified clustering configuration, vastly improved printing support in Terminal Services, improved functionality in certificate services, improved and image-based deployment via Windows Deployment Services, improved performance monitoring, PowerShell, improved TCP/IP v6 functionality, improved DFS functionality, better NFS support, and so on...
By the way, what were those "few negative issues" that you were referring to?
Did anyone else read the title as a Windows server had been running for 1 year? That would be impressive uptime for Windows...
...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
Holy shit you loser fuckwit, would you stop posting the same spam multiple times in any conversation that mentions the word Windows? Learn how to use the right tool for the job, and stop whining.
"2k3 just works. Does anyone have a compelling reason to use 2k8?" - by bdsesq (515351) on Saturday February 28, @12:41PM (#27023705)
I don't & mainly because of these 2 security features Microsoft has PULLED (port filtering) &/or crippled (for efficiency in HOSTS files) shouldn't be & yet, are.
----
1.) The removal of being able to use 0 as a blocking IP address in a HOSTS file
(vs. 0.0.0.0 or 127.0.0.1, which are bigger, slower on load into the local DNS Cache (as well as slower flushes via ipconfig /flushdns) & also occupy more RAM once loaded, for NO GOOD REASON - 0 blocks as well as the other 2 do, & is smaller + faster!)
In this case, this happened on 12/09/2008 Microsoft "Patch Tuesday" updates, it wasn't LIKE that before then!
E.G.-> Here, using 0 as my blocking IP address in a FULLY normalized (meaning no repeated entries) HOSTS file with nearly 650,000 bad sites blocked in it, I get a 14++mb sized HOSTS file... using 0.0.0.0 it shoots up to 18++mb in size (& even worse using 127.0.0.1, to around the tune of 24++mb in size)... Here? This is SENSELESS bloat creation as the result!
&
2.) The removal of IP Port Filtering GUI controls for it via Local Network Connections properties "ADVANCED" section
(This is up there w/ when MS removed the GUI checkbox after NT 4.0 for IP Forwarding, only, this time, the difference (and, it's a PAIN) is that it is NOT a single 1 line entry to hack via regedit.exe, but FAR MORE COMPLEX to do by hand)... Port Filtering is a USEFUL & POWERFUL security (& to a degree, speed also) enhancing feature!
Afaik, on THIS case (vs. #1 above)? It has always been that way in VISTA &/or Windows Server 2008... & not just the result of a Patch Tuesday modification.
----
QUESTION: Do ANY of you folks have an answer, a GOOD SOLID TECHNICAL answer, as to WHY these cripplings have been implemented in VISTA, Server 2008, & most likely their descendant, in Windows 7?
See - I posted on Microsoft/Mr. Sinofsky's (?) blog -> http://blogs.msdn.com/e7/archive/2009/02/25/feedback-and-engineering-windows-7.aspx
AND, I have YET to get a SOLID TECHNICAL ANSWER on those things going on in VISTA, Server 2008, & probably Windows 7 as well, that justify doing so...
(They're things I'd really LIKE to get an answer to, as to WHY Microsoft has done the 2 things in my list above, to the above noted versions of Windows)
APK
P.S.=> I found the (imo) rather flimsy reasoning behind WHY the PORT FILTERING gui controls were allegedly removed in Windows VISTA, Server 2008, & Windows 7, after consulting with Mr. Mitch Tulloch ( http://www.windowsnetworking.com/Mitch_Tulloch/ ) ... here tis:
From Chapter 27 of the Vista Resource Kit that explains the rationale for removing the TCP/IP Filtering UI:
----
"Windows XP Service Pack 2 actually has three different firewalling (or network traffic filtering) technologies that you can separately configure, and which have zero interaction with each other:
Windows Firewall that was first introduced in Service Pack 2
TCP/IP Filtering, which is accessed from the Options tab of the Advanced TCP/IP Properties sheet for the network connection
IPsec rules and filters, which you can create using the IPsec Security Policy Management MMC snap-in
On top of this confusion, Windows Server 2003 Service Pack 1 had a fourth network traffic filtering technology that you could use: the Routing and Remote Access Service (RRAS), which supported basic firewall and packet filtering. The problem, of course, is that when more than one of these firewalls is configured on a computer, one firewall can block traffic that another
You don't own this website. Get over it. I'll do as I please.
APK
P.S.=> Apparently, you're too technically inept in this field to assist in answering why a 0 blocking IP address in a HOSTS file has been removed from Windows VISTA, Windows Server 2008, & Windows 7 most likely as well... especially when it's faster, & more memory efficient than 0.0.0.0 or 127.0.0.1 are (which still work in Windows 2000, Windows XP, & Windows Server 2003 just fine, & more efficiently!)
Doing more with less is good engineering, not bloat, & that's what the 0 blocking IP address gives a user of a custom HOSTS file (for both security & speed online, big increases in both)...
Port Filtering being removed is another mistake... it works @ a diff. level of the IP stack drivers-wise than IPSec &/or Software Firewalls do for instance, which aids in layered security since they all work @ diff. levels of the IP stack (thus, you can't take 1 out, & take them ALL out - & it works like putting deadbolts, chain locks, & door handle locks onto a car or home, same idea - layered security: break one, another's STILL in the way (&, what's one of the 1st things spywares/viruses/malwares/rootkits do? DISABLE FIREWALLS + ANTIVIRUS, etc. et al)... apk
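Added example, not part of any post in this thread: a small Python normalizer for a blocking HOSTS file that drops repeated entries and reports the byte size of the result for each of the three sink addresses discussed above (0, 0.0.0.0, 127.0.0.1). The sample entries are constructed, and the single-space separator and CRLF line endings are assumptions.

```python
"""Added example: normalize a blocking HOSTS file and size it per sink address."""

SINKS = ("0", "0.0.0.0", "127.0.0.1")  # the three blocking addresses compared in the thread
KEEP = {"localhost"}                   # loopback names that must not become block entries

# Constructed sample input: mixed sinks, comments, repeats, multi-name lines.
SAMPLE = """\
# constructed sample blocklist
127.0.0.1   localhost
127.0.0.1   ads.example.com
0.0.0.0     ads.example.com      # repeat under another sink
0           tracker.example.net
0.0.0.0     Tracker.Example.NET.
127.0.0.1   a.example.org b.example.org
"""


def parse_blocked(text):
    """Return blocked hostnames in first-seen order, without repeats."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINKS:
            continue                          # blank line, comment, or a real mapping
        for name in fields[1:]:               # one line may carry several names
            name = name.rstrip(".").lower()   # DNS names are case-insensitive
            if name and name not in KEEP:
                seen.setdefault(name, None)
    return list(seen)


def render(names, sink, eol="\r\n"):
    """Emit one 'sink name' entry per line (CRLF assumed, as on Windows)."""
    return "".join(f"{sink} {name}{eol}" for name in names)


def size_report(names):
    """Byte size of the normalized file for each candidate sink address."""
    return {sink: len(render(names, sink).encode("utf-8")) for sink in SINKS}


if __name__ == "__main__":
    names = parse_blocked(SAMPLE)
    for sink, size in size_report(names).items():
        print(f"{sink:>9}: {len(names)} entries, {size} bytes")
```

The size difference between two sinks is a fixed number of bytes per entry, so it scales with the entry count and not with the hostname lengths.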
I have a clue, but I can't share it in a public forum. If I did, I'd lose my job faster than you can say "vaporware litigation". You might try talking to Sun field people and hope for some discreet hints.
What exactly do you mean by "out of the box"? There are tons of devices whose Linux drivers haven't found their way into distros yet. You download them from the vendor's web site.
Again with the vague pronouncements. What does "guaranteed to have their hardware supported by Windows" mean? That Microsoft includes the drivers on its install discs? By that definition, a lot of widely used hardware is not "supported by Windows".
I know this first hand, because I work for Sun, and a big part of my job is seeing to it that the process for installing drivers is properly documented. We do try to get as many of our drivers as we can onto the Windows server install discs. (Expediting that process is a big reason Sun is now a Microsoft OEM, despite past battles between the two companies.) But there are always new devices that Microsoft hasn't certified yet.
And we have exactly the same relationship with Red Hat and Novell, so they can certify our drivers for inclusion on their Linux distros. And I could be mistaken, but it's my perception that the process goes a little faster with Red Hat and SUSE, because these distros, like all Linux distros, are open source.
So whatever your reasons for preferring Windows to Linux, they should not include "guaranteed hardware support". Red Hat and SUSE are just as good in this department, and arguably a little better.