|
|
|
Articles
|
AskAW
|
DirectX
|
ActiveDVD
|
ActiveMac
|
Downloads
|
Forums
|
Hardware News
|
Interviews
|
News
|
MS Games & Hardware
|
Reviews
|
Support Center
|
Windows 2000
|
Windows Me
|
Windows Server 2003
|
Windows Vista
|
Windows XP
|
|
|
|
News Centers
|
Windows/Microsoft
|
DVD
|
Apple/Mac
|
Xbox
|
News Search
|
|
|
|
ActiveXBox
|
Xbox News
|
Box Shots
|
Inside The Xbox
|
Released Titles
|
Announced Titles
|
Screenshots/Videos
|
History Of The Xbox
|
Links
|
Forum
|
FAQ
|
|
|
|
Windows
XP
|
Introduction
|
System Requirements
|
Home Features
|
Pro Features
|
Upgrade Checklists
|
History
|
FAQ
|
Links
|
TopTechTips
|
|
|
|
FAQ's
|
Windows Vista
|
Windows 98/98 SE
|
Windows 2000
|
Windows Me
|
Windows Server 2002
|
Windows "Whistler"
XP
|
Windows CE
|
Internet Explorer
6
|
Internet Explorer
5
|
Xbox
|
Xbox 360
|
DirectX
|
DVD's
|
|
|
|
TopTechTips
|
Registry Tips
|
Windows 95/98
|
Windows 2000
|
Internet Explorer
5
|
Program Tips
|
Easter Eggs
|
Hardware
|
DVD
|
|
|
|
ActiveDVD
|
DVD News
|
DVD Forum
|
Glossary
|
Tips
|
Articles
|
Reviews
|
News Archive
|
Links
|
Drivers
|
|
|
|
Latest Reviews
|
Xbox/Games
|
Football Manager
2006
|
Top Spin 2
|
|
Applications
|
Vista Feb CTP
|
|
Hardware
|
ATI X1900 Graphics
|
Xbox 360
|
|
|
|
Latest Interviews
|
Steve Ballmer
|
Jim Allchin
|
|
|
|
Site News/Info
|
About This Site
|
Affiliates
|
Contact Us
|
Default Home Page
|
Link To Us
|
Links
|
Member Pages
|
News Archive
|
Site Search
|
Awards
|
|
|
|
Credits
©1997/2006, Active Network, Inc. All Rights Reserved.
Layout, & Design by Byron Hinson. Content written by the Active
Network team. Please click
here for full terms of use and restrictions or read our
Privacy Statement.
|
|
|
|
|
Windows
Vista Section
Networking
Windows Vista and Windows Server 2008 include
many new core networking components and enhanced technologies
to improve networking performance, security, reliability, and
manageability.
Protocols and Core Networking Components
-
Next Generation TCP/IP Stack
The Next Generation TCP/IP stack is a complete redesign
of TCP/IP functionality in Windows. One stack supports both
Internet Protocol version 4 (IPv4) and Internet Protocol
version 6 (IPv6) through a dual-layer IP architecture in
which the IPv4 and IPv6 implementations share common transport
and framing layers.
-
Receive Window Auto Tuning
The TCP receive window size is the amount of data that
a TCP receiver allows a TCP sender to send before having
to wait for an acknowledgement. To correctly determine
the value of the maximum receive window size for a connection
based on the current conditions of the network, the
Next Generation TCP/IP stack supports Receive Window
Auto-Tuning. Receive Window Auto-Tuning continually
determines the optimal receive window size on a per-connection
basis by measuring the bandwidth-delay product (the
bandwidth multiplied by the latency of the connection)
and the application retrieve rate, and automatically
adjusts the maximum receive window size on an ongoing
basis.
With better throughput between TCP peers, the utilization
of network bandwidth increases during data transfer.
If all the applications are optimized to receive TCP
data, then the overall utilization of the network can
increase substantially, making the use of Quality of
Service (QoS) more important for networks that are operating
at or near capacity.
-
Compound TCP
Developed by Microsoft Research, Compound TCP (CTCP)
increases throughput for high-speed and long distance
networks by monitoring the bandwidth-delay product,
delay variations, and packet loss. Receive Window Auto
Tuning optimizes receiver-side throughput and CTCP optimizes
sender-side throughput. By working together, they can
increase link utilization and produce substantial performance
gains for large bandwidth-delay product connections.
CTCP is enabled by default for computers running Windows
Server 2008 and disabled by default for computers running
Windows Vista. CTCP may be enabled or disabled via the
netsh
commandline utility:
Enable CTCP:
netsh interface tcp set global
congestionprovider=ctcp
Disable CTCP:
netsh interface tcp set global
congestionprovider=none
-
ECN Support
RFC 3168: Explicit
Congestion Notification (ECN) aids in detecting congestion
before packet losses are incurred and increases the
overall throughput between TCP peers. With ECN support
on both TCP peers and in the routing infrastructure,
routers experiencing congestion mark the packets as
they forward them. TCP peers receiving marked packets
lower their transmission rate to ease congestion and
prevent segment losses. Because ECN uses previously
unused or reserved bits in TCP and IP headers, and some
network devices may discard ECN-marked packets, ECN
is disabled by default in Windows Vista. ECN may be
enabled via netsh to evaluate its effects on your network
environment:
Eenable ECN:
netsh interface tcp set global
ecncapability=enabled
Disable ECN:
netsh interface tcp set global
ecncapability=disabled
-
Enhancements for High-loss Environments
-
RFC 2582:
The NewReno Modification to TCP's Fast Recovery
Algorithm
The NewReno algorithm provides faster throughput
by changing the way that a sender can increase their
sending rate when multiple segments in a window
of data are lost and the sender receives a partial
acknowledgement (an acknowledgement for only part
of the data that has been successfully received).
-
RFC 2883:
An Extension to the Selective Acknowledgement (SACK)
Option for TCP
SACK, defined in
RFC 2018,
allows a receiver to indicate up to four noncontiguous
blocks of received data. RFC 2883 defines an additional
use of the fields in the SACK TCP option to acknowledge
duplicate packets. This allows the receiver of the
TCP segment containing the SACK option to determine
when it has retransmitted a segment unnecessarily
and adjust its behavior to prevent future retransmissions.
The fewer retransmissions that are sent, the better
the overall throughput.
-
RFC 3517:
A Conservative Selective Acknowledgment (SACK)-based
Loss Recovery Algorithm for TCP
The implementation of TCP/IP in Windows Server 2003
and Windows® XP uses SACK information only to determine
which TCP segments have not arrived at the destination.
RFC 3517 defines a method of using SACK information
to perform loss recovery when duplicate acknowledgements
have been received, replacing the fast recovery
algorithm when SACK is enabled on a connection.
The Next Generation TCP/IP stack keeps track of
SACK information on a per-connection basis and monitors
incoming acknowledgements and duplicate acknowledgements
to more quickly recover when multiple segments are
not received at the destination.
-
RFC 4138:
Forward RTO-Recovery (F-RTO): An Algorithm for Detecting
Spurious Retransmission Timeouts with TCP and the
Stream Control Transmission Protocol (SCTP)
Spurious retransmissions of TCP segments can occur
when there is a sudden and temporary increase in
the round-trip time (RTT). For environments that
have sudden and temporary increases in the RTT,
such as when a wireless client roams from one wireless
AP to another, F-RTO prevents unnecessary retransmission
of segments and more quickly returns to its normal
sending rate.
-
Neighbor Unreachability Detection
for IPv4
Neighbor Unreachability Detection is a feature of IPv6
in which a node tracks whether a neighboring node is
reachable, providing better error detection and recovery
when nodes suddenly become unavailable. The Next Generation
TCP/IP stack provides similar error detection and recovery
benefits for IPv4-based communications via support for
Neighbor Unreachability Detection over IPv4.
-
Fail-back Support for Default Gateway
Changes
Dead gateway detection in TCP/IP for Windows XP and
Windows Server 2003 provides a fail-over function, but
not a fail-back function in which a dead gateway is
tried again to determine whether it has become available.
The Next Generation TCP/IP stack provides fail-back
for default gateway changes, potentially providing faster
throughput by sending traffic through the primary default
gateway on the subnet.
-
Changes in PMTU Black Hole Router
Detection
Black hole router detection is disabled by default in
previous versions of Windows because enabling it increases
the maximum number of retransmissions that are performed
for a given segment. However, with increasing use of
firewall rules on routers to drop ICMP traffic, the
Next Generation TCP/IP stack enables PMTU black hole
router detection by default to prevent TCP connections
from terminating.
-
Network Diagnostics Framework Support
The Network Diagnostics Framework is an extensible architecture
that helps users recover from and troubleshoot problems
with network connections. For TCP/IP-based communication,
the Network Diagnostics Framework prompts the user through
a series of options to eliminate possible causes until
the root cause of the problem is identified or all possibilities
are eliminated. Specific TCP/IP-related issues that
the Network Diagnostics Framework can diagnose are the
following:
-
Incorrect IP address
-
Default gateway (router) is not
available
-
Incorrect default gateway
-
Network Basic Input/Output System
(NetBIOS) over TCP/IP (NetBT) name resolution failure
-
Incorrect DNS settings
-
Local port is already being used
-
The DHCP Client service is not
running
-
There is no remote listener
-
The media is disconnected
-
The local port is blocked
-
Low on memory
-
ESTATS Support
The Next Generation TCP/IP Stack supports the "TCP Extended
Statistics MIB" Internet draft (draft-ietf-tsvwg-tcp-mib-extension-08.txt),
which defines extended performance statistics for TCP.
By analyzing ESTATS on a connection, it is possible
to determine whether the performance bottleneck for
a connection is the sending application, the receiving
application, or the network. ESTATS is disabled by default
and can be enabled per connection. With ESTATS, third-party
independent software vendors (ISVs) can create powerful
diagnostics and network throughput analysis applications.
-
New Packet Filtering Model with Windows
Filtering Platform
The Windows Filtering Platform (WFP) is a new architecture
in the Next Generation TCP/IP Stack that provides APIs
so that third-party ISVs can participate in the filtering
decisions that take place at several layers in the TCP/IP
protocol stack and throughout the operating system.
The platform also integrates and provides support for
next-generation firewall features such as authenticated
communication and dynamic firewall configuration based
on applications' use of the Windows Sockets API (application-based
policy). ISVs can create firewalls, anti-virus software,
diagnostic software, and other types of applications
and services. Windows Firewall and IPsec in Windows
Vista and Windows Server 2008 use the WFP API.
-
IPv6 Enhancements
The Next Generation TCP/IP Stack supports the following
enhancements to IPv6:
-
Dual IP stack
-
Enabled by default
IPv6 is installed and enabled by default and may
be configured through the properties of the Internet
Protocol version 6 (TCP/IPv6) component and through
commands in the netsh interface
ipv6 context.
-
GUI-based configuration
Windows Vista and Windows Server 2008 now allows
you to manually configure IPv6 settings through
a set of dialog boxes in the Network Connections
folder, similar to how you can manually configure
IPv4 settings. ***[Insert Pic of Config Dialogs]
-
Teredo enhancements
The Teredo (RFC
4380) client is enabled
but is inactive by default. In order to become active,
a user must either install an application that needs
to use Teredo, or choose to change firewall settings
to allow an application to use Teredo. The Teredo
client uses the 2001::/32 prefix as assigned by
IANA and uses unused bits in the Flags field of
the Teredo address to help prevent address scans
of Teredo addresses. Teredo is enabled for domain
member computers and can now work if there is one
Teredo client behind one or more symmetric network
address translators (NATs). A symmetric NAT maps
the same internal (private) address and port number
to different external (public) addresses and ports,
depending on the external destination address (for
outbound traffic). This new behavior allows Teredo
to work between a larger set of Internet-connected
hosts.
-
Integrated IPsec support
In Windows Vista and Windows Server 2008, IPsec
support for IPv6 traffic is the same as that for
IPv4, including support for Internet Key Exchange
(IKE) and data encryption. The Windows Firewall
with Advanced Security and IP Security Policies
snap-ins now support the configuration of IPsec
policies for IPv6 traffic in the same way as IPv4
traffic.
-
MLDv2
Multicast Listener Discovery version 2 (MLDv2),
specified in
RFC 3810,
provides support for source-specific multicast traffic.
MLDv2 is equivalent to Internet Group Management
Protocol version 3 (IGMPv3) for IPv4.
-
LLMNR
Link-Local Multicast Name Resolution (LLMNR -
draft-ietf-dnsext-mdns-47)
allows IPv6 hosts on a single subnet without a DNS
server to resolve each other's names. This capability
is useful for single-subnet home networks and ad
hoc wireless networks.
-
IPv6 over PPP
The built-in remote access client now supports the
IPv6 Control Protocol (IPV6CP), as defined in
RFC 2472,
to configure IPv6 nodes on a Point-to-Point Protocol
(PPP) link. Native IPv6 traffic can now be sent
over PPP-based connections. For example, IPV6CP
support allows you to connect with an IPv6-based
Internet service provider (ISP) through dial-up
or PPP over Ethernet (PPPoE)-based connections that
might be used for broadband Internet access.
-
Random Interface IDs for IPv6
Addresses
To prevent address scans of IPv6 addresses based
on the known company IDs of network adapter manufacturers,
Windows Vista and Windows Server 2008 by default
generate random interface IDs for non-temporary
autoconfigured IPv6 addresses, including public
and link-local addresses. Windows XP and Windows
Server 2003 use Extended Unique Identifier (EUI)-64-based
interface IDs for autoconfigured IPv6 addresses.
-
DHCPv6 support
Windows Vista and Windows Server 2008 include a
DHCPv6-capable DHCP client that will perform stateful
address autoconfiguration with a DHCPv6 server.
-
Policy-based Quality of Service
In Windows XP and Windows Server 2003, quality of service
(QoS) functionality is made available to applications through
the Generic QoS (GQoS) APIs. Windows Vista and Windows Server
2008 include new facilities to manage network traffic for
both enterprise and home networks.
-
Policy-based QoS for Enterprise Networks
QoS policies allow the prioritization
and management of the sending rate for outgoing network
traffic and can be confined to specific applications,
specific source and destination IP addresses, and specific
source and destination TCP or UDP ports.
-
qWave for Home Networks
Windows Vista supports Quality Windows Audio/Video Experience
(qWave), a collection of QoS-related software modules
that address the network challenges introduced by A/V
applications and wireless networks. The collection of
qWave technologies detect and monitor LAN bandwidth,
discover the QoS capability of the home network, and
provide distributed admission control for fair and consistent
usage of network bandwidth. These technologies enable
advanced A/V streaming techniques so that applications
can dynamically adapt to variable network conditions.
-
Server Message Block 2.0
Server Message Block (SMB), also known as the Common Internet
File System (CIFS), is the file sharing protocol used by
default on Windows-based computers. SMB 2.0 is a new version
of SMB that has been redesigned for today's networking environments
and the needs of the next generation of file servers. SMB
2.0 has the following enhancements:
-
Supports sending multiple SMB commands
within the same packet. This reduces the number of packets
sent between an SMB client and server, a common complaint
against SMB 1.0.
-
Supports much larger buffer sizes
compared to SMB 1.0.
-
Increases the restrictive constants
within the protocol design to allow for scalability.
Examples include an increase in the number of concurrent
open file handles on the server and the number of file
shares that a server can have.
-
Supports durable handles that can
withstand short interruptions in network availability.
-
Supports symbolic links.
-
Http.sys Enhancements
Http.sys, the kernel mode driver that services Hypertext
Transfer Protocol (HTTP) traffic, has received the following
enhancements:
-
HTTP Server API 2.0
HTTP Server API is a kernel-mode HTTP protocol driver
with user-mode APIs available through Httpapi.dll. The
HTTP Server APIs enable a server application to register
HTTP URLs, receive requests, and service responses.
HTTP Server APIs include:
-
Simple-to-use HTTP listener functionality
on Windows with both native and managed Windows
.NET applications.
-
Applications can use the HTTP
Server API to co-exist and share TCP ports with
Internet Information Services (IIS) 6.0. This allows
popular Web traffic TCP ports such as 80 and 443
to be used by both HTTP Server API-based and IIS
6.0 applications simultaneously as long as they
are serving different parts of the URL namespace.
-
A native HTTP stack for computers
running on a Windows operating system that is HTTP/1.1
compliant.
-
New APIs for configuring the HTTP
server: Authentication, Bandwidth Throttling, Logging,
Connection Limits, Server State, 503 Responses,
Request Queues, Response Caching, and SSL Certificate
Binding.
-
Server-side Authentication
Http.sys now performs server side authentication. Previously,
server applications performed their own authentication.
Advantages to Http.sys providing the server-side authentication
include the following:
-
Server applications can run under
lower privileged accounts.
-
Server applications run can under
different accounts, since Http.sys now performs
the Service Principle Name (SPN) authentication
on their behalf.
-
Seamless NTLM authentication handshakes
do not cause a restart of the handshake process.
-
Logging
Http.sys now provides centralized World Wide Web Consortium
(W3C) logging in which a single log file stores the
entries for all the sites of a server application, such
as IIS. Within the centralized log file, site ID fields
identify the site to which the log entries belong.
-
ETW Tracing for HTTP Events
Event Tracing for Windows (ETW) is a capability of Windows
to obtain information about components and events, typically
written to log files. Http.sys supports tracing for
the following categories:
-
HTTP requests and responses
-
SSL and authentication transactions
-
Logging events
-
Connections and connection timers
-
Cache
-
Service or application setup;
setting or deleting properties
-
Activity ID based, including across
other ETW-enabled components
-
Netsh commands for Http.sys
You can now manage configuration settings and control
diagnostics for Http.sys through a set of commands in
the netsh http context. With this new support, you can
do the following at a Windows command prompt:
-
Configure SSL certificate bindings,
URL reservations, IP listen lists, or global timeouts
-
Delete or flush the HTTP cache
or logging buffers
-
Display the Http.sys service or
cache state
-
Performance Counters for Http.sys
Http.sys now has the following performance metric counters
to help you with monitoring, diagnosing, and capacity
planning for Web servers:
-
HTTP Service Counters
-
Number of URIs in the cache, added
since startup, deleted since startup, and number
of cache flushes
-
Cache hits/second and Cache misses/second
-
HTTP Service URL Groups
-
Data send rate, data receive rate,
bytes transferred (sent and received)
-
Maximum number of connections,
connection attempts rate, rate for GET and HEAD
requests, and total number of requests
-
HTTP Service Request Queues
-
Number of requests in queue, age
of oldest requests in queue
-
Rate of request arrivals into
the queue, rate of rejection, total number of rejected
requests, rate of cache hits
With these new performance counters,
HTTP metrics can be viewed in the Diagnostic Console
snap-in or obtained through the Performance Counters
API.
-
WinINet Enhancements
Enhancements to the WinINet API in Windows Vista and Windows
Server 2008 include the following:
-
Support for IPv6 Literals and Scope
IDs
WinINet now supports the use of IPv6 literal addresses
in URLs (RFC
2732) and. the encoding of
the IPv6 scope ID (also known as a zone ID) as part
of the address to allow users to specify the scope for
the IPv6 destination.
-
Support for HTTP Decompression
Prior to Windows Vista and Windows Server 2008, HTTP
requests with content encoding were sent to the application
for processing at their level. WinINet now includes
built-in support for the gzip and deflate content encoding
schemes, reducing data compression/decompression issues
between Web browsers and Web servers while providing
performance gains through reduced Web page download
times.
-
Support for Internationalized Domain
Names
WinINet now conforms to the Internationalized Domain
Names (IDN) standard (RFC
3490) for hostnames when you
use the Unicode versions of the WinINet API. This new
support ensures that applications work correctly with
domain names containing non-ASCII characters without
requiring IDN support within the application.
-
Support for ETW Tracing
Construct traces that span the entire networking stack
and obtain detailed information about WinINet processes
and events to help determine the source of protocol
or application problems.
-
IPv6 support in Web Proxy Auto-Discovery
scripts
Web Proxy Auto-Discovery (WPAD) script helper functions
exposed by WinINet have been updated to include support
for IPv6 addresses and subnet prefixes.
-
WinHTTP Enhancements
Updates to the WinHTTP 5.1 API in Windows Vista and Windows
Server 2008 include the following:
-
Support for Data Uploads Larger than
4 Gigabytes
-
Support for Chunked Transfer Encoding
-
Support for Issuer List Retrieval
for Secure Sockets Layer-based Client Authentication
-
Support for Optional Client Certificate
Requests
-
Support for 4-tuple Connection Information
Indication
-
New Error Codes for SSL Client Authentication
-
IPv6 Support in WPAD Scripts
-
Windows Sockets Enhancements
-
New Winsock APIs
-
WSAConnectByName()
Creates a connection to the specified destination,
given the destination host's name. WSAConnectByName()
takes all the destination addresses returned by
name resolution, all the local addresses, and attempts
connections by using address pairs with the highest
chance of success. An optimal pairing algorithm
provided by the transport determines the order of
the address pairs. WSAConnectByName() ensures a
connection will be established (if possible), in
the minimal amount of time.
-
WSAConnectByList()
Creates a connection to the specified destination,
given a list of destination IP addresses. WSAConnectByList
takes a list of M addresses and the local computer's
N addresses, and tries connecting using up to M
x N address combinations before failing to connect.
-
ETW Tracing for Winsock Events
The following are some of the Winsock events that can
be traced with ETW tracing:
-
Socket creation
-
Bind
-
Connect
-
Accept
-
Send
-
Recv
-
Abort indications
ETW tracing for Winsock events can be enabled
via the Event Viewer snap-in or using the Logman.exe and Tracerpt.exe
tools.
-
Layered Service Provider Enhancements
-
Logging of LSP installation and removal
in the system event log to help determine which applications
are installing LSPs and to troubleshoot failed LSP installations.
To view the events logged in a console window, use the
netsh winsock audit trail
command.
-
New installation API (WSCInstallProviderAndChains)
that software vendors can use to install an LSP into
the Winsock catalog.
-
New facilities to categorize LSPs
and to remove most LSPs from the processing path for
system critical services, increasing system stability
and protecting system critical services from improperly
designed LSPs.
-
Winsock-specific diagnostics module
for the Network Diagnostics Framework that will allow
users to selectively repair the Winsock catalog by removing
only those LSPs that are causing problems.
-
New Kernel Mode Sockets API
The networking architecture of Windows Vista and Windows
Server 2008 include a new interface called Winsock Kernel
(WSK) . WSK is a new transport-independent kernel mode Network
Programming Interface (NPI) for TDI clients. Using WSK,
kernel-mode software modules can perform network communication
using socket-like programming semantics similar to those
supported in the user-mode Windows Sockets 2 API. While
TDI is supported in Windows Vista for backward compatibility,
TDI clients should be updated to use WSK to achieve the
best performance.
- NDIS 6.0
Network Driver Interface Specification (NDIS) specifies
a standard interface between kernel-mode network drivers
and the operating system. NDIS also specifies a standard
interface between layered network drivers, abstracting lower-level
drivers that manage hardware from upper-level drivers, such
as network transports.
NDIS 6.0 includes the following features:
- New Offload Support
- Offload of IPv6 traffic processing.
Offload of IPv4 traffic processing was supported
in NDIS 5.1. NDIS 6.0 adds support for the offload
of IPv6 traffic processing.
- IPv6 Offloading of checksum calculations.
- Large Send Offload version 2
Large Segment Offload (LSO), supported in NDIS 5.1,
offloads the segmentation of TCP data for data blocks
up to 64 Kilobytes (KB) in size. Large Send Offload
version 2 (LSOv2) in NDIS 6.0 can offload the segmentation
of TCP data for data blocks larger than 64 Kilobytes
(KB) in size.
- Support for Lightweight Filter Drivers
In NDIS 6.0, intermediate filter drivers have been replaced
with Lightweight Filter (LWF) drivers that are a combination
of an NDIS intermediate driver and a miniport driver.
LWF drivers have the following advantages:
- Reduced complexity
There is no longer a need to write a separate protocol
and miniport. All of these functions are contained
within a single driver.
- Improved performance.
- A bypass mode allows the LWF
driver to examine only selected control and data
paths.
- Receive-Side Scaling
RSS provides the following benefits:
- Parallel Execution.
Receive packets from a single network adapter can
be processed concurrently on multiple CPUs, while
preserving in-order delivery.
- Dynamic Load Balancing
As system load on the host varies, RSS will rebalance
the network processing load between the processors.
- Cache Locality.
Because packets from a single connection are always
mapped to a specific processor, state for a particular
connection never has to move from one processor's
cache to another processor's cache, thereby eliminating
cache thrashing and also promoting improved performance.
- Send Side Scaling.
Transmission Control Protocol (TCP) is often limited
as to how much data it can send to the remote peer.
The reasons can include the TCP congestion window,
the size of the advertised receive window, or TCP
slow-start. When an application tries to send a
buffer larger than the size of the advertised receive
window, TCP sends part of the data and then waits
for an acknowledgment before sending the balance
of the data. When the TCP acknowledgement arrives,
additional data is sent in the context of the deferred
procedure call (DPC) in which the acknowledgement
is indicated. Thus, scaled receive processing can
also result in scaled transmit processing.
- Secure Hash.
The default generated RSS signature is cryptographically
secure, making it much more difficult for malicious
remote hosts to force the system into an unbalanced
state.
- Network Awareness
The Network Awareness APIs in Windows Vista simplify the
task of creating applications that can automatically adapt
to changing network conditions. The Network Awareness APIs
allow applications to do the following:
- Register with Windows Vista to be
informed when there are changes to the network to which
the computer is connected.
- Query Windows Vista for characteristics
of the currently connected network to determine the
application settings and behavior. Characteristics include
the following:
- Connectivity
A network may be disconnected, it may provide access
to only the local network, or it may provide access
to the local network and the Internet.
- Connections
The computer may be connected to a network by one
or more connections (such as network adapters).
Network Awareness APIs enable applications to determine
the connections that Windows Vista is currently
using to connect to a network.
- Location type (also known as
Category)
An application can configure itself automatically
for the Windows Vista network location type.
- Windows Peer-to-Peer Networking Enhancements
Windows Peer-to-Peer Networking, originally introduced with
the Advanced Networking Pack for Windows XP, is an operating
system platform and API in Windows Vista that allows the
development of peer-to-peer (P2P) applications. Windows
Vista includes the following enhancements to Windows Peer-to-Peer
Networking:
- New and simplified APIs to access
Windows Peer-to-Peer Networking capabilities such as
name resolution, group creation, and security make it
easier to create P2P applications for Windows.
- Peer Name Resolution Protocol (PNRP)
version 2
PNRP v2 in Windows Vista provides a simplified API for
PNRP name publication and resolution and a protocol
that is more scalable and uses less bandwidth than the
original PNRP protocol. PNRP names are now integrated
into the getaddrinfo() Windows Sockets function. To
use PNRP to resolve a name to an IPv6 address, applications
can use the getaddrinfo() function to resolve the Fully
Qualified Domain Name (FQDN) name.prnp.net, in which
name is peer name being resolved. The pnrp.net domain
is a reserved domain in Windows Vista for PNRP name
resolution. The PNRP v2 protocol is incompatible with
the PNRP protocol used by computers running Windows
XP. An update to the Windows Peer-to-Peer Networking
components in Windows XP to support PNRP v2 is currently
available from Microsoft.
- People Near Me
New in Windows Vista, People Near Me allows users to
dynamically discover other users and their registered
People-Near-Me-capable applications on the local subnet,
and to easily invite users into a collaboration activity.
The invitation and its acceptance launches an application
on the invited user's computer and the two applications
can begin participating in a collaboration activity
such as chatting, photo sharing, or game playing. Windows
Meeting Space, a new application included in Windows
Vista, uses People Near Me to allow users to easily
set up virtual conference rooms and view presentations,
share documents, applications, or the desktop. Windows
Peer-to-Peer Networking settings may be configured via
the netsh p2p
context or through Group Policy.
- Windows Firewall
The new Windows Firewall in Windows Vista and Windows Server
2008 contains the following enhancements over the firewall
included in Windows XP and Windows Server 2003:
- Supports filtering of both incoming
and outgoing traffic
- A network administrator can configure
the new Windows Firewall with a set of rules (known
as exceptions for Windows Firewall in Windows XP with
Service Pack 2 and Windows Server 2003 with Service
Pack 1) to block all traffic sent to specific ports,
such as the well-known ports used by virus software,
or to specific addresses containing either sensitive
or undesirable content.
- New Windows Firewall with Advanced
Security Microsoft Management Console (MMC) snap-in
provides wizards for graphical configuration of firewall
rules for inbound and outbound traffic and connection
security rules. For command-line configuration of advanced
settings of the new Windows Firewall, you can use commands
in the netsh advfirewall
context.
- Firewall filtering and Internet Protocol
security (IPsec) protection settings are integrated
to allow you to configure both firewall filtering and
protected traffic rules.
- Advanced configuration for rules
(exceptions)
Configuration options for firewall filtering rules include
three different profiles (domain, public, and private),
source and destination IP addresses, IP protocol number,
source and destination Transmission Control Protocol
(TCP) and User Datagram Protocol (UDP) ports, all or
multiple TCP or UDP ports, specific types of interfaces,
ICMP and ICMP for IPv6 (ICMPv6) traffic by Type and
Code, services, the protection state (protected with
IPsec), edge traversal, and specified users and computers
based on Active Directory accounts.
- IPsec Improvements
Windows Vista and Windows Server 2008 include the following
improvements to Internet Protocol security (IPsec):
- Integrated Firewall and IPsec Configuration
In Windows Vista and Windows Server 2008, Windows Firewall
and IPsec configuration have been combined into a single
tool with the new Windows Firewall with Advanced Security
snap-in, which now controls both traditional firewall
responsibilities (blocking and allowing both inbound
and outbound traffic) and protecting traffic with IPsec.
Additionally, commands within the
netsh advfirewall
context can be used for command line configuration of
both firewall and IPsec behavior. The integration of
Windows Firewall with IPsec provides computers running
Windows Vista or Windows Server 2008 with an authenticating
firewall.
- Simplified IPsec Policy Configuration
New optional negotiation behavior reduces the number
of rules needed for protected traffic exemptions, and
improves the performance of unprotected connections
to hosts by negotiating both clear and protected communications
in parallel, rather than incurring response delays by
using the fallback to clear behavior of Windows XP and
Windows Server 2003.
- Client-to-DC IPsec Protection
Windows Vista and Windows Server 2008 supports securing
traffic between domain members and domain controllers
in the following deployment modes:
- Because of the new negotiation
behavior, you no longer have to configure exemptions
for domain controllers, simplifying IPsec policy
and deployment of IPsec protection in a domain.
- You can configure IPsec policy
in the domain to request protected traffic but not
require it. Domain controllers will protect most
traffic with domain members but allow clear text
for domain joins and other types of traffic.
- You can configure IPsec policy
to require protected traffic for domain controllers.
When a computer running Windows Vista or Windows
Server 2008 attempts to join the domain, the user
is prompted for the user name and password of a
domain user account. IPsec with the domain controller
is negotiated with Windows NT/LAN Manager version
2 (NTLM v2) user credentials for a protected domain
join. This new behavior is only available for domain
member computers running either Windows Vista or
Windows Server 2008 and for domain controllers running
Windows Server 2008.
- Improved Load Balancing and Clustering
Server Support
In Windows Vista and Windows Server 2008, the timeout
for a cluster node failure is substantially reduced.
IPsec is more tightly integrated into the Next Generation
TCP/IP stack and monitors TCP connections for established
security associations (SAs) rather than relying on IPsec
idle timeouts to detect a cluster node failure. If the
TCP connection for an established SA begins retransmitting
segments, IPsec will renegotiate the SAs. The result
is that the failover to a new cluster node happens quickly,
typically in time to keep the application from failing.
- Improved IPsec Authentication
IPsec in Windows XP and Windows Server 2003 supports
the Internet Key Exchange (IKE) and three authentication
methods during main mode negotiations: Kerberos (for
Active Directory domain members), digital certificates,
and preshared key. For all of these authentication methods,
the authentication process is validating the identity
and trustworthiness of a computer, rather than the user
of the computer. IKE only attempts a single authentication
using a single authentication method.
Windows Vista and Windows Server 2008 supports the following
improvements in IPsec authentication:
- Ability to require that IPsec
peers authenticate with a health certificate
A health certificate server issues a health certificate
when a Network Access Protection client proves that
its health state complies with current system health
requirements.
- Ability to specify user-based
or health-based authentication during a second authentication
With support for Authenticated IP (AuthIP), IPsec
in Windows Vista and Windows Server 2008 allows
a second authentication for IPsec-protected communication.
With a second authentication, IPsec in Windows Vista
and Windows Server 2008 can perform an additional
level of authentication. The credentials used during
the second authentication can be based on the following:
- Kerberos credentials of the
logged in user account
- NTLM v2 credentials of the
logged in user account
- A user certificate
- A computer health certificate
For example, you can use the first authentication
and Kerberos credentials to authenticate the
computer and then the second authentication
and a health certificate to validate the computer's
health state. Second authentication can be with
or without the first authentication.
- Multiple authentication methods
are attempted
In Windows XP and Windows Server 2003, you can
select multiple authentication methods in a
preference order for main mode IPsec authentication.
However, only one authentication method is used
for authentication. If the authentication process
for the negotiated authentication method fails,
main mode fails and IPsec protection cannot
be performed. When you select multiple authentication
methods for computers running Windows Vista
or Windows Server 2008, IPsec will attempt multiple
authentication attempts in an effort to perform
mutual authentication. For example, if you specify
that you want to authenticate using computer
certificates with a specific certification authority
(CA) and then Kerberos, the IPsec peer will
attempt Kerberos authentication if the certificate
authentication fails.
- New Cryptographic Support
In response to governmental security requirements and
trends in the security industry to support stronger
cryptography, Windows Vista and Windows Server 2008
support additional key derivation and encryption algorithms.
Windows Vista and Windows Server 2008 support the following
additional algorithms to negotiate the master key material
derived during main mode negotiation:
- Diffie-Hellman (DH) Group 19,
which is an elliptic curve algorithm using a 256-bit
random curve group (NIST identifier P-256)
- DH Group 20, which is an elliptic
curve algorithm using a 384-bit random curve group
(NIST identifier P-384)
These methods are stronger than DH
algorithms supported in Windows XP and Windows Server
2003 with Service Pack 2 and cannot be used for main
mode negotiation with a computer running Windows Server
2003, Windows XP, or Windows 2000.
In addition to the Data Encryption Standard (DES) and
Triple-DES (3DES), Windows Vista and Windows Server
2008 support the following additional algorithms for
encrypting data:
-
Advanced Encryption Standard (AES)
with cipher block chaining (CBC) and a 128-bit key
size (AES 128)
-
AES with CBC and a 192-bit key
size (AES 192)
-
AES with CBC and a 256-bit key
size (AES 256)
These new encryption algorithms cannot
be used for a security association with a computer running
Windows Server 2003, Windows XP, or Windows 2000.
-
Integration with Network Access Protection
With the new Network Access Protection platform, you
can require that IPsec nodes perform a second authentication
with a health certificate, verifying that the IPsec
node meets current system health requirements. A health
certificate server issues a health certificate after
an IPsec peer's health status has been evaluated by
a Network Policy Server (NPS).
-
Additional Configuration Options for
Protected Communication
When you configure a connection security rule with the
new Windows Firewall with Advanced Security snap-in,
you can specify the following additional settings:
-
By application name
This greatly simplifies protected traffic configuration
because the ports used by the application do not
need to be manually configured.
-
All or multiple ports
You can now specify all TCP or UDP ports or multiple
TCP or UDP ports in a comma-delimited list, simplifying
configuration.
-
For all addresses in a numeric
range
You can now specify a range of IP addresses using
a numeric range, such as 10.1.17.23 to 10.1.17.219.
-
For all addresses on the local
subnet
A set of predefined addresses that are dynamically
mapped to the set of addresses defined by your IPv4
address and subnet mask or by your IPv6 local subnet
prefix.
-
For all wireless adapters
You can protect traffic based on the interface type,
which now includes wireless in addition to LAN and
remote access.
-
By Active Directory user or computer
account
You can specify the list of computer or user accounts
or groups that are authorized to initiate protected
communication. For example, this allows you to specify
that traffic to specific servers with sensitive
data must be protected and can only originate from
user accounts that are members of specific Active
Directory security groups.
-
By ICMP or ICMPv6 Type or Code
value
You can specify ICMP or ICMPv6 messages by specifying
the ICMP or ICMPv6 message Type and Code field values.
-
For services you can specify that
the exception applies to any process, only for services,
for a specific service by its service name, or you
can type the short name for the service.
-
Integrated IPv4 and IPv6 Support
IPsec support for IPv6 traffic in Windows XP and Windows
Server 2003 is limited. For example, there is no support
for Internet Key Exchange (IKE) or data encryption.
IPsec security policies, security associations, and
keys must be configured through text files and activated
using the Ipsec6.exe command line tool.
In Windows Vista and Windows Server 2008, IPsec support
for IPv6 traffic is the same as that for IPv4, including
support for IKE and data encryption. Policy settings
for both IPv4 and IPv6 traffic are configured in the
same way using either the Windows Firewall with Advanced
Security or IP Security Policies snap-ins.
-
Extended Events and Performance Monitor
Counters
Windows Vista and Windows Server 2008 include new IPsec
audit-specific events and the text of existing events
has been updated with more useful information. These
improvements will help you troubleshoot failed IPsec
negotiations without having to enable the advanced Oakley
logging capability. IPsec performance counters help
identify performance and networking issues with IPsec-protected
traffic.
-
Network Diagnostics Framework Support
The Network Diagnostics Framework is an extensible architecture
that helps users recover from and troubleshoot problems
with network connections. For a failed IPsec negotiation,
the Network Diagnostics Framework will prompt a user
with an option to identify and correct the problem.
IPsec support for the Network Diagnostics Framework
then attempts to discover the source of the failed connection
and either automatically correct the problem, or, depending
on security considerations, prompt the user to make
the appropriate configuration change.
Wireless and 802.1X-based Wired Connections
Windows Vista and Windows Server 2008 include many enhancements
to support IEEE 802.11 wireless networks and networks that use
authenticating switches.
- IEEE 802.11 Wireless Changes and Enhancements
- Native Wi-Fi Architecture
In Windows XP and Windows Server 2003, the software
infrastructure that supports wireless connections was
built to emulate an Ethernet connection and can only
be extended by supporting additional EAP types for IEEE
802.1X authentication. In Windows Vista and Windows
Server 2008, the software infrastructure for 802.11
wireless connections, called the Native Wi-Fi Architecture,
has been redesigned for the following:
- IEEE 802.11 is now represented
inside of Windows as a media type separate from
IEEE 802.3. This allows independent hardware vendors
(IHVs) more flexibility in supporting advanced features
of IEEE 802.11 networks, such as a larger frame
size than Ethernet.
- New components in the Native
Wi-Fi Architecture perform authentication, authorization,
and management of 802.11 connections, reducing the
burden on IHVs to incorporate these functions into
their wireless network adapter drivers. IHVs develop
a smaller NDIS 6.0 miniport driver that exposes
a native 802.11 interface on its top edge.
- The Native Wi-Fi Architecture
supports APIs to allow ISVs and IHVs the ability
to extend the built-in wireless client for additional
wireless services and custom capabilities. Extensible
components written by ISVs and IHVs can also provide
customized configuration dialog boxes and wizards.
- User Interface Improvements for Wireless
Connections
- Wireless configuration integrated
into new Network and Sharing Center
Connectivity to wireless networks has been integrated
into the new Network and Sharing Center in Windows Vista,
rather than from the properties of a wireless network
adapter. From the Network and Sharing Center, you can
connect to wireless networks, set up a wireless network
that uses a wireless access point or an ad hoc wireless
network, and manage your wireless networks.
- Wireless networks can be configured
for all users or per-user
In the Manage Wireless Networks folder (available from
the Network and Sharing Center), you can now specify
the wireless network profile type. This allows you to
specify that new wireless networks (known as profiles)
apply to all users of the computer or can be configured
to apply to specific users. Per-user wireless profiles
are only connected when the user to which the profile
applies logs in to the computer. Per-user profiles are
disconnected when the user logs off or switches to another
user.
- Extensible wireless UI
Custom wireless configuration dialog boxes or wizards
can be written and added to the built-in Windows wireless
client, allowing the configuration of custom ISV or
IHV wireless features and capabilities.
- Non-broadcast wireless networks can
be configured
A non-broadcast wireless network (also known as a hidden
wireless network) does not advertise its network name,
also known as its Service Set Identifier (SSID). A wireless
access point of a non-broadcast wireless network can
be configured to send Beacon frames with an SSID set
to NULL. This practice is known as using non-broadcast
SSIDs. In Windows XP and Windows Server 2003, you could
not configure a preferred wireless network as non-broadcast,
which sometimes produced confusing behavior when automatically
connecting to preferred wireless networks, some of which
are non-broadcast and some of which are not. In Windows
Vista and Windows Server 2008, you can configure a preferred
wireless network as a non-broadcast network.
- Non-broadcast wireless networks displayed
as "Unnamed Network"
In the list of available wireless networks in the Connect
to a network wizard, non-broadcast networks appear with
the name "Unnamed Network". When you connect to the
non-broadcast wireless network, you will be prompted
to type the non-broadcast wireless network name.
- Prompts user when connecting to unsecured
wireless network
Due to the risks associated with communicating on unsecured
wireless networks, Windows Vista and Windows Server
2008 will now prompt the user when connecting to an
unsecured wireless network and allow them to confirm
the connection attempt.
- Network connection wizard lists the
security methods supported by the wireless network adapter
The Connect to a network wizard in Windows Vista and
Windows Server 2008 retrieves the security capabilities
of the wireless network adapter and allows the user
to select the strongest security method. For example,
if a wireless network adapter supports both Wired Equivalent
Privacy (WEP) and Wi-Fi Protected Access (WPA), the
Connect to a network wizard will allow the user to select
WPA or WEP as the security method.
- Wireless Group Policy Enhancements
Wireless Group Policy settings include the following enhancements:
- WPA2 authentication options
Wireless Group Policy settings in allow the configuration
of WPA2 authentication options; WPA2 (for WPA2 Enterprise)
and WPA2-PSK (for WPA2 Personal).
- Lists of allowed and denied wireless
network names
Wireless Group Policy settings allow you to configure
lists of allowed and denied wireless network names.
With an allow list, you can specify the set of wireless
networks by name (SSID) to which the Windows Vista or
Windows Server 2008 wireless client is allowed to connect.
This is useful for network administrators that want
an organization's laptop computer to connect to a specific
set of wireless networks, which might include the organization's
wireless network and wireless Internet service providers.
With a deny list, you can specify the set of wireless
networks by name to which the wireless client is not
allowed to connect. This is useful to prevent managed
laptop computers from connecting to other wireless networks
that are within range of the organization's wireless
network (such as when an organization occupies a floor
of a building and there are other wireless networks
of other organization on adjoining floors) or to prevent
managed laptop computers from connecting to known unsecured
wireless networks.
- Additional preferred wireless network
settings
The wireless Group Policy settings in Windows Server
2008 allow configuration of the following for preferred
wireless networks:
- Fast roaming settings
Fast roaming is an advanced capability of WPA2 wireless
networks that allow wireless clients to more quickly
roam from one wireless AP to another by using preauthentication
and pairwise master key (PMK) caching. With Windows
Server 2008, you can configure this behavior through
wireless Group Policy settings. With Windows XP
and the Wireless Client Update for Windows XP with
Service Pack 2, you can control this behavior with
registry settings as described in Wi-Fi Protected
Access 2 (WPA2)/Wireless Provisioning Services Information
Element (WPS IE) Update for Windows XP with Service
Pack 2
- Non-broadcast wireless networks
Preferred wireless networks can now be configured
as non-broadcast networks via wireless Group Policy
settings.
- Automatic or manual connection
Preferred wireless networks can now be configured
for automatic or manual connection via wireless
Group Policy settings.
- Changes in Wireless Auto Configuration
Wireless Auto Configuration is a service that dynamically
selects the wireless network to which the computer will
automatically connect, based either on your preferences
or on default settings. This includes automatically selecting
and connecting to a more preferred wireless network when
it becomes available. Windows Vista and Windows Server 2008
include the following changes to Wireless Auto Configuration:
- Change in behavior when there are
no preferred wireless networks available
In Windows XP and Windows Server 2003, if a preferred
wireless network could not be connected and the wireless
client is configured to prevent automatic connection
to wireless networks that are not in the preferred list
(the default), Wireless Auto Configuration creates a
random wireless network name and places the wireless
network adapter in infrastructure mode. However, the
random wireless network does not have a security configuration,
making it possible for a malicious user to connect to
the wireless client using the random wireless network
name.
In Windows Vista and Windows Server 2008, Wireless Auto
Configuration configures the wireless network adapter
with a random name and security configuration consisting
of a 128-bit random encryption key and the strongest
encryption method supported by the wireless network
adapter. This new behavior helps prevent a malicious
user from connecting to the wireless client using the
random wireless network name.
- New support for non-broadcast wireless
networks
In Windows XP and Windows Server 2003, Wireless Auto
Configuration attempts to match configured preferred
wireless networks with wireless networks that are broadcasting
their network name. If none of the available networks
match a preferred wireless network, Wireless Auto Configuration
then sends probe requests to determine if the preferred
networks in the ordered list are non-broadcast networks.
The result of this behavior is that broadcast networks
will be connected to before non-broadcast networks,
even if a non-broadcast network is higher in the preferred
list than a broadcast network. Another result is that
a Windows XP or Windows Server 2003 wireless client
advertises its list of preferred wireless networks when
sending probe requests.
In Windows Vista and Windows Server 2008, you can configure
wireless networks as broadcast (the wireless network
name is included in the Beacon frames sent by the wireless
AP) or non-broadcast (the Beacon frame contains a network
name set to NULL). Wireless Auto Configuration now attempts
to connect the wireless networks in the preferred network
list order, regardless of whether they are broadcast
or non-broadcast. Because the wireless networks are
now explicitly marked as broadcast or non-broadcast,
Windows Vista or Windows Server 2008 wireless clients
only send probe requests for non-broadcast wireless
networks.
- WPA2 Support
Windows Vista and Windows Server 2008 include built-in support
to configure WPA2 authentication options with both the standard
profile (locally configured preferred wireless networks)
and the domain profile with Group Policy settings. WPA2
is a product certification available through the Wi-Fi Alliance
that certifies wireless equipment as being compatible with
the IEEE 802.11i standard. WPA2 in Windows Vista and Windows
Server 2008 supports both Enterprise (IEEE 802.1X authentication)
and Personal (preshared key authentication) modes of operation.
Windows Vista and Windows Server 2008 also include support
for WPA2 for an ad hoc mode wireless network (a wireless
network between wireless clients that does not use a wireless
access point).
- Integration with Network Access Protection
when using 802.1X Authentication
WPA2-Enterprise, WPA-Enterprise, and dynamic WEP connections
that use 802.1X authentication can leverage the Network
Access Protection platform to prevent wireless clients that
do not comply with system health requirements from gaining
unlimited access to an intranet.
- EAPHost Infrastructure
Windows Vista and Windows Server 2008 supports the new EAPHost
infrastructure for easier development of Extensible Authentication
Protocol (EAP) authentication methods for IEEE 802.1X-authenticated
wireless connections.
- New Default EAP Authentication Method
In Windows XP and Windows Server 2003, the default EAP authentication
method for 802.1X-authenticated wireless connections is
EAP-Transport Layer Security (TLS). Although the most secure
form of authentication employing mutual authentication with
digital certificates, EAP-TLS requires a public key infrastructure
(PKI) to distribute, revoke, and renew user and computer
certificates.
In many cases, organizations want to leverage the account
name and password-based authentication infrastructure that
already exists in Active Directory. Therefore, in Windows
Vista and Windows Server 2008, the default EAP authentication
method for 802.1X-authenticated wireless connections has
been changed to Protected EAP-Microsoft Challenge Handshake
Authentication Protocol version 2 (PEAP-MS-CHAP v2). PEAP-MS-CHAP
v2 is a password-based 802.1X authentication method for
wireless connections that only requires computer certificates
to be installed on the Remote Authentication Dial-In User
Service (RADIUS) servers.
- Diagnostics Support for Wireless Connections
Troubleshooting failed wireless connections, although improved
in Windows XP Service Pack 2 and Windows Server 2003 Service
Pack 1, can still be difficult. In Windows Vista and Windows
Server 2008, troubleshooting wireless connections is made
much easier through the following features:
- Wireless connections support the
new Network Diagnostics Framework
The Network Diagnostics Framework is an extensible architecture
that helps users recover from and troubleshoot problems
with network connections. For a failed wireless connection,
the Network Diagnostics Framework will prompt a user
with an option to identify and correct the problem.
Wireless support for the Network Diagnostics Framework
then attempts to discover the source of the failed connection
and either automatically correct the problem, or, depending
on security considerations, prompt the user to make
the appropriate configuration change.
- New information stored in the Windows
event log
For a failed wireless connection attempt, the wireless
components of Windows Vista and Windows Server 2008
record detailed information about the connection attempt
in the Windows event log. These event records can be
used by support professionals within an organization
to perform further troubleshooting when the wireless
diagnostics either could not resolve the problem or
when it could resolve the problem but the problem cannot
be fixed by changing wireless client settings. The information
in the Windows event log can shorten the time needed
to resolve wireless connection support problems. Additionally,
these event log entries can be automatically collected
by network administrator using Microsoft Operations
Manager or other types of central management tools and
analyzed for trends and wireless infrastructure design
changes.
- Information can be sent to Microsoft
for analysis and improvements
Users that experience wireless connection problems will
also be prompted to send the connection information
to Microsoft for analysis through the Windows Error
Reporting (WER) infrastructure. Additionally, successful
diagnostics can be sent to Microsoft through the Software
Quality Metrics (SQM) infrastructure, also known as
the Customer Experience Improvement Program in Windows
XP. In both cases, only wireless network diagnostic
information is sent (no personal information about the
computer or the user). Microsoft will use this information
to identify the top root causes for wireless connection
failures, identify new wireless connection problems
and their causes, and take appropriate actions to either
improve the wireless client software in Windows or work
with wireless vendors to help improve wireless hardware
products.
- Command Line Interface for Configuring
Wireless Settings
Windows Server 2003 or Windows XP does not have a command
line interface that allows you to configure the wireless
settings that are available from the wireless dialog boxes
in the Network Connections folder or through the Wireless
Network (IEEE 802.11) Policies Group Policy settings. Command
line configuration of wireless settings can help deployment
of wireless networks in the following situations:
- Automated script support for wireless
settings without using Group Policy
Wireless Network (IEEE 802.11) Policies Group Policy
settings only apply in an Active Directory domain. For
an environment without Active Directory or a Group Policy
infrastructure, a script that automates the configuration
of wireless connections can be run either manually or
automatically, such as part of the login script.
- Bootstrap of a wireless client onto
the protected organization's wireless network
A wireless client computer that is not a member of the
domain cannot connect to the organization's protected
wireless network. Additionally, a computer cannot join
the domain until it has successfully connected to the
organization's secure wireless network. A command line
script provides a method to connect to the organization's
secure wireless network to join the domain.
In Windows Vista and Windows Server 2008,
you can use Netsh commands in the
netsh wlan context
to do the following:
-
Configure all wireless client settings
in a named profile including general settings (the types
of wireless networks to access), 802.11 settings (SSID,
type of authentication, type of data encryption), and
802.1X authentication settings (EAP types and their
configuration).
-
Specify the list of allowed and denied
wireless network names.
-
Specify the order of preferred wireless
networks.
-
Display a wireless client's configuration.
-
Remove the wireless configuration
from a wireless client.
-
Migrate wireless configuration settings
between wireless clients.
- Network Awareness and Network Profiles
To provide an operating system infrastructure to allow application
developers to more easily develop applications that can
automatically change their behavior based on the currently
attached network and network conditions, the Network Awareness
APIs in Windows Vista and Windows Server 2008 make network
information available to applications and enables them to
easily and effectively adapt to these changing environments.
The Network Awareness APIs allow applications to obtain
up-to-date network information and location change notification.
- Next Generation TCP/IP Stack Enhancements
for Wireless Environments
As described in the "Enhancements for High-loss Environments"
section of this article, the Next Generation TCP/IP stack
includes support for new TCP algorithms that optimize throughput
by recovering from single and multiple packet losses and
detecting spurious retransmissions, which improves performance
in wireless network environments.
- Single Sign On
The deployment of secure wireless technologies has promoted
the use of Layer 2 network authentication, such as IEEE
802.1X, to ensure that only an authenticated user or device
is allowed on the network and that their data is secure
at the radio transmission level. The Single Sign On feature
of Windows Vista and Windows Server 2008 executes 802.1X
authentication at the appropriate time for a given network
security configuration, while simply and seamlessly integrating
with the user's Windows log-on experience. Network administrators
can use Group Policy settings or the new
netsh wlan commands
to configure Single Sign On profiles on wireless client
computers. After a Single Sign On profile is configured,
802.1X authentication will precede the computer logon to
the domain and users are only prompted for credential information
if needed. This feature ensures that the wireless connection
is place prior to the computer domain logon, which enables
scenarios that require network connectivity prior to user
logon such Group Policy updates, execution of login scripts,
and wireless client domain joins.
IEEE 802.1X-based Wired Connectivity Enhancements
In Windows XP and Windows Server 2003, there is limited support
for deployment of 802.1X authentication settings for wired connections
to an authenticating switch. Windows Vista and Windows Server
2008 include the following for easier deployment of 802.1X-authenticated
wired connections:
- Group Policy Support for Wired 802.1X
Settings
For environments that use Active Directory and Group Policy,
Windows Vista and Windows Server 2008 include Group Policy
support for 802.1X authentication settings for wired connections
under Computer Configuration/Windows Settings/Security Settings/Wired
Network (IEEE 802.3) Policies.
- Command-Line Interface for Configuring
Wired 802.1X Settings
For environments that do not use Active Directory or Group
Policy or for domain join scenarios, Windows Vista and Windows
Server 2008 also support a command line interface for configuring
802.1X authentication settings for wired connections. Using
commands in the netsh lan
context, you can do the following:
- Configure all wired client settings
in a named profile including 802.1X authentication settings
(EAP types and their configuration)
- Display a wired client's configuration
- Remove the wired configuration from
a wired client
- Export and import a wired profile
to migrate wired configuration settings between wired
clients
- Integration with Network Access Protection
when using 802.1X Authentication
IEEE 802.1X-authenticated wired connections can leverage
the Network Access Protection platform to prevent wired
clients that do not comply with system health requirements
from gaining unlimited access to a private network. For
more information about the Network Access Protection platform,
see "Network Access Protection (NAP)" in this article.
- EAPHost Infrastructure
For easier development of EAP authentication methods for
IEEE 802.1X-authenticated wired connections, Windows Vista
and Windows Server 2008 supports the new EAPHost infrastructure.
For more information, see "EAPHost Architecture" in this
article.
- Change in 802.1X Service State
In Windows XP and Windows Server 2003, the 802.1X service
was enabled by default but was placed in a passive listening
mode. In Windows Vista, the 802.1X service for wired connections,
known as the Wired AutoConfig service, is disabled by default,
but when enabled operates in an active listening mode. To
obtain an Authentication tab for the properties of a LAN
connection to configure 802.1X settings, you must first
start the Wired AutoConfig service.
Network Infrastructure
Windows Vista and Windows Server 2008 include changes to the
following components and services of network infrastructure:
- Network Policy Server
Network Policy Server (NPS) is the Microsoft implementation
of a Remote Authentication Dial-In User Service (RADIUS)
server and proxy in Windows Server 2008. NPS replaces the
Internet Authentication Service (IAS) in Windows Server
2003. NPS performs all of the functions of IAS in Windows
Server 2003 for VPN and 802.1X-based wireless and wired
connections and performs health evaluation and the granting
of either unlimited or limited access for Network Access
Protection clients. For more information, see "Network Access
Protection" in this article. NPS also supports sending RADIUS
traffic over IPv6, as specified in
RFC 3162.
- New EAPHost Architecture
Windows Vista and Windows Server 2008 include EAPHost, a
new architecture for Extensible Authentication Protocol
(EAP) authentication methods and EAP-based supplicants.
EAPHost provides the following features that are not supported
by the EAP implementation in Windows XP and Windows Server
2003:
- Support for additional EAP methods
- Network Discovery
EAPHost will support network discovery as defined in
the "Identity Hints for EAP" Internet draft (draft-adrangi-eap-network-discovery-13.txt)
-
RFC 3748 compliance
EAPHost will conform to the EAP State Machine and address
a number of security vulnerabilities that have been
specified in RFC 3748. Additionally, EAPHost will support
additional capabilities such as Expanded EAP Types (including
vendor-specific EAP Methods).
- EAP method coexistence
EAPHost allows multiple implementations of the same
EAP method to coexist simultaneously. For example, the
Microsoft version of PEAP and the Cisco Systems, Inc.
version of PEAP can be installed and selected.
- Modular supplicant architecture
In addition to supporting modular EAP methods, EAPHost
also supports a modular supplicant architecture in which
new supplicants can be easily added without having to
replace the entire EAP implementation.
For EAP method vendors, EAPHost provides support
for EAP methods already developed for Windows XP and Windows
Server 2003 and an easier method of developing new EAP methods
for and Windows Vista and Windows Server 2008. Certified EAP
methods can be distributed with Windows Update. EAPHost also
allows better classification of EAP types so that the built-in
802.1X and PPP-based Windows supplicants can use them.
For supplicant method vendors, EAPHost provides support for
modular and pluggable supplicants for new link layers. Because
EAPHost is integrated with NAP, new supplicants do not have
to be NAP-aware. In order to participate in NAP, new supplicants
just need to register a connection identifier and a callback
function that informs the supplicant to reauthenticate.
For network administrators, EAPHost provides availability of
new EAP methods and a more robust and flexible infrastructure
for 802.1X-authentication connections.
- Remote Access and VPN Connection Enhancements
- VPN Enforcement for remote access
VPN connections
The built-in VPN client and Routing and Remote Access
add components to support VPN Enforcement in the NAP
platform. For more information, see "Network Access
Protection" in this article.
- IPv6 support
The built-in remote access client and Routing and Remote
Access now support IPv6 over the Point-to-Point Protocol
(PPP) (PPPv6), defined in
RFC 2472. Native
IPv6 traffic can now be sent over PPP-based connections.
For example, PPPv6 support allows you to connect with
an IPv6-based Internet service provider (ISP) through
dial-up or PPP over Ethernet (PPPoE)-based connections
(used for broadband Internet access). The built-in remote
access client and Routing and Remote Access also support
IPv6-based Layer Two Tunneling Protocol with IPsec (L2TP/IPsec)
VPN connections. Additional IPv6 support includes a
DHCPv6 Relay Agent, IPv6-based static packet filters,
and sending and receiving RADIUS traffic over IPv6.
- A revised connection creation wizard
This new wizard provides a simplified way to configure
dial-up, broadband Internet, VPN, and incoming connections.
- Updated Winlogin support
Allows a third-party access provider to plug in their
connections to automatically create a remote access
connection during the user login.
- Multiple-locale support for the Connection
Manager Administration Kit
Allows Connection Manager profiles to be created on
a server of any locale for installation on a client
of any other locale running Windows Vista or Windows
XP, which simplifies Connection Manager Administration
Kit (CMAK)-based client management.
- Connection Manager clients support
DNS dynamic update
Connection Manager clients now support the registering
of DNS names and IP addresses using DNS dynamic update.
- New Cryptographic Support
L2TP/IPsec-based VPN connections now support the Advanced
Encryption Standard (AES) with 128 and 256-bit keys.
Support for weaker cryptographic algorithms-40 and 56-bit
RC4 for PPTP and DES with MD5 for L2TP/IPsec-has been
removed.
- Support for Network Diagnostics Framework
Client-based connections support basic diagnostics capabilities
with the Network Diagnostics Framework.
- DHCP Enhancements
- Dynamic Host Configuration Protocol
for IPv6 (DHCPv6) support
Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
defined in
RFC 3315, provides
stateful address configuration for IPv6 hosts on a native
IPv6 network.
- Network Access Protection enforcement
support
DHCP Enforcement in the Network Access Protection (NAP)
platform requires a DHCP client to prove its system
health before receiving an address configuration for
unlimited access
Removal of Technologies
Support for the following technologies has been removed from
Windows Vista and Windows Server 2008:
- Bandwidth Allocation Protocol (BAP)
- X.25
- Serial Line Interface Protocol (SLIP)
SLIP-based connections will automatically be updated to
PPP-based connections.
- Asynchronous Transfer Mode (ATM)
- IP over IEEE 1394
- NWLink IPX/SPX/NetBIOS Compatible Transport
Protocol
- Services for Macintosh (SFM)
- Open Shortest Path First (OSPF) routing
protocol component in Routing and Remote Access
- Basic Firewall in Routing and Remote
Access (replaced with Windows Firewall)
- Static IP filter APIs for Routing and
Remote Access (replaced with Windows Filtering Platform
APIs)
Resources:
New Networking Features in Windows Server 2008 and Windows Vista
http://www.microsoft.com/technet/network/evaluate/new_network.mspx
Windows Vista Networking
http://www.microsoft.com/technet/windowsvista/network/default.mspx
Windows Server 2008 Web site
http://www.microsoft.com/windowsserver2008/default.mspx
Microsoft Windows 2000 TCP/IP Implementation
Details
http://www.microsoft.com/technet/network/deploy/depovg/tcpip2k.mspx
Windows Server 2008 Web site
http://www.microsoft.com/windowsserver2008/default.mspx
Connectivity
Return To The Windows Vista Section
|
|
|
|