Monitoring Disk Usage in Windows Server

Hard disk controllers and disk drives are the two primary components of the disk subsystem. The two objects which gauge hard disk performance are Physical Disk and Logical Disk. Despite disk subsystems becoming more powerful, they are still the most common performance bottleneck, as their speeds are exponentially slower than other system resources.

In Windows Server 2008 R2, the physical and logical disk counters are enabled by default in the Disk tab of the Windows Server Resource Monitor. The Disk section in Resource Monitor, shown below, gives a decent high-level overview of the current combined physical and logical disk activity. For more fine-grained monitoring of the disk activity, you should consider using the Performance Monitor component with the desired counters in the Physical Disk and Logical Disk sections.

Monitor Disk Usage

Monitoring using the Physical Disk and Logical Disk objects comes with a small price, however, as each object uses a small amount of system resources when it is used for monitoring. As such, they should be disabled unless you are using them for monitoring purposes.

The most useful counters to monitor the disk subsystem are the % Disk Time and Avg. Disk Queue Length counters.

  • % Disk Time monitors the time that a certain physical or logical drive uses in servicing the read and write requests.
  • Avg. Disk Queue Length counts the number of requests which have not yet been serviced on the physical or logical drive. The Avg. Disk Queue Length is an interval average and therefore is a numerical representation of the number of delays the disk drive is having. In general, if the delay is often higher than 2, the disks are inadequate to service the system workload and performance may be compromised.

Installing Windows Server Backup

Despite the Windows Server Backup being listed in Administrative Tools, the Windows Server Backup feature will still need to be installed. The easiest way to install Windows Backup tools is by using Add Features in the Server Manager. For Windows Server Core installations, installing with PowerShell is the preferred method.

Installing Windows Server Backup with Server Manager

On every edition of Windows Server 2008 R2, except for Server Core installations, the Windows Server Backup feature can be installed using Server Manager. To install the Windows Server Backup feature, perform the following steps:

  1. Log on to Windows Server 2008 using an account with admin privileges.
  2. Hit Start, click All Programs, then click Administrative Tools, and select the Server Manager.
  3. On the tree panel, select the node named Features.
  4. Select the Add Features link in the tasks panel.
  5. After the Add Features Wizard has opened, select the plus sign beside Windows Server Backup Features. Check both boxes to make sure that the command-line tools are also installed. Click Next to continue.
  6. Review the summary on the Confirm Installation Selections page and then click Install.
  7. Once the installation has been performed, review the installation results on the Installation Results page, and then click Close.

Installing Windows Server Backup with Windows PowerShell Server Manager

Often, admins may elect to use PowerShell to manage a server and to install roles, role services, or other features. When a feature or role is installed using the PowerShell ServerManager module, all features, role services, and role dependencies are added as well. To install the Windows Server Backup features, including the Windows Server Backup PowerShell cmdlets, with PowerShell, follow the below steps:

  1. Log on to Windows Server 2008 using an account with admin privileges.
  2. Hit Start, click All Programs, then click Accessories, and click the PowerShell folder to display the application shortcuts.
  3. Right-click PowerShell and then select Run As Administrator. If the User Account Control window opens, just click Continue to open PowerShell.
  4. Type cd \ and hit Enter.
  5. Type in Import-Module ServerManager and hit Enter.
  6. Type in Add-WindowsFeature Backup-Tools and hit Enter. Once the installation has completed, the results will be shown in the window.
  7. Type in Get-WindowsFeature | More and hit Enter to generate a listing of the installed roles, role services, and features. Review the list to make sure that both the Windows Server Backup and Windows Server Backup command-line tools have been installed.
  8. Type in exit in the PowerShell window and hit Enter.

Installing Windows Server Backup on Server Core Installations

On a Windows Server Core installation, if the Windows Server Backup feature isn’t already installed, it may be installed by following the below steps:

  1. Log on to Windows Server Core using an account with admin privileges.
  2. In Command Prompt type in cd \ and hit Enter.
  3. Type Start /w ocsetup.exe WindowsServerBackup and hit Enter.
  4. Log on to a different Windows Server Enterprise Edition system with an admin account on the local system as well as on the Windows Server Core system (assuming both systems are part of the same domain and also that the Windows Server Core system is able to access other resources on the network from the Windows Server Core system).
  5. Select Start > All Programs > Administrative Tools > Windows Server Backup.
  6. In the Actions panel, select Connect to Another Computer and the Computer Chooser window will open.
  7. Select Another Computer, type the name of the Windows Server Core system, and hit OK.
  8. If you are able to connect to the Windows Server Core system, the installation will have been successful. If the connection should fail, either the Windows Server Core firewall is blocking the connection or Windows Server Backup has not been successfully installed.

Monitoring Processor (CPU) Usage in Windows Server

To analyze the processor (CPU) utilization of your system you should focus on two counters: % Processor Time and Interrupts/sec. % Processor Time shows the percentage of overall CPU utilization. If there is more than one processor on a system, a counter for each one is shown as well as the total (combined) value counter. If % Processor Time averages a usage rate of over 50% for extended durations, you should first review other system counters to try and identify processes which may be improperly using the processing resource, or alternatively consider upgrading the processor. Consistent CPU utilization around the 50% range does not necessarily impair performance; however, if the average processor utilization goes beyond 65%, performance will almost certainly be impaired. If the system has multiple processors installed, you should use the % Total Processor Time counter to determine the average usage of all processors.

Interrupts/sec is useful for providing an overall guide to processor health. This counter indicates the number of device interrupts which the processor is handling per second. Similar to the Page Faults/sec counter, this counter can show very high numbers (well into the thousands) without there being a significant performance drag.

In general, conditions which could indicate a processor bottleneck include the below:

  • “Average of % Processor Time” is consistently beyond 60%–70%. Additionally, frequent spikes of 90% or greater can also indicate a bottleneck even if the average is below 60%–70%.
  • “Maximum of % Processor Time” is consistently beyond 90%.
  • “Average of the System Performance Counter; Context Switches/second” is consistently beyond 20,000.
  • “System Performance Counter; Processor Queue Length” is consistently higher than two.

Monitor Windows Server System Memory and Pagefile Usage

Available memory is usually the most common source of performance issues on a Windows Server installation. Fortunately, however, it is an easy metric to measure since there are several counters in the memory object which can help troubleshoot memory issues. Most notably, there are two very important counters which provide a reasonably accurate overview of memory pressures, namely the Page Faults/sec and Pages/sec memory counters. Using these two memory counters alone can highlight whether the system is correctly configured or is experiencing memory issues. The below are the counters necessary to monitor memory and pagefile usage.

  • Committed Bytes – Monitors the amount of memory (in bytes) which has been allocated by the various processes. As this increases above available memory so does the pagefile size since paging has increased.
  • Pages/sec – Shows the number of pages which are read from or written to the disk.
  • Pages Output/sec – Shows the virtual memory pages written to the pagefile per second which can help to identify paging as a bottleneck.
  • Page Faults/sec – Reports both the soft and the hard faults.
  • Working Set, _Total – Shows the amount of virtual memory which is actually being used.
  • %pagefile in use – Shows the percentage of the paging file which is actually being used, which can be used to check if the Windows pagefile is a potential bottleneck. If this consistently remains above 50% or 75% you should consider increasing the pagefile size or alternatively moving the pagefile to another disk.
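The thresholds quoted in the disk, processor and pagefile sections above can be checked in one pass with Get-Counter. This is an added example, not part of the original article; the counter paths assume an English-language OS, the pagefile figure is read from \Paging File(_Total)\% Usage, the upper value of each quoted range is used as the limit, and the sampling window is an arbitrary choice.

```powershell
# Added example: sample the counters discussed above and compare them with
# the thresholds quoted in the text. Counter paths assume an English-language
# OS. The sampling window is an assumption; lengthen it to judge whether a
# value is "consistently" over its limit.
$SampleIntervalSec = 5
$MaxSamples        = 12      # 12 x 5 s = one minute of data

$checks = @(
    @{ Counter = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Stat = 'Average'; Limit = 2 },
    @{ Counter = '\Processor(_Total)\% Processor Time';          Stat = 'Average'; Limit = 70 },
    @{ Counter = '\Processor(_Total)\% Processor Time';          Stat = 'Maximum'; Limit = 90 },
    @{ Counter = '\System\Context Switches/sec';                 Stat = 'Average'; Limit = 20000 },
    @{ Counter = '\System\Processor Queue Length';               Stat = 'Average'; Limit = 2 },
    @{ Counter = '\Paging File(_Total)\% Usage';                 Stat = 'Average'; Limit = 75 }
)

# One Get-Counter call collects every counter on the same timeline.
$paths   = $checks | ForEach-Object { $_.Counter } | Select-Object -Unique
$samples = Get-Counter -Counter $paths -SampleInterval $SampleIntervalSec -MaxSamples $MaxSamples |
    ForEach-Object { $_.CounterSamples }

$report = foreach ($check in $checks) {
    # Sample paths come back as \\host\object(instance)\counter in lower case,
    # so match on the trailing part and ignore case.
    $values = @($samples |
        Where-Object { $_.Path.EndsWith($check.Counter, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object { $_.CookedValue })
    if ($values.Count -eq 0) {
        Write-Warning "No samples returned for $($check.Counter)"
        continue
    }

    $stats = $values | Measure-Object -Average -Maximum
    if ($check.Stat -eq 'Maximum') { $observed = $stats.Maximum } else { $observed = $stats.Average }

    New-Object PSObject -Property @{
        Counter   = $check.Counter
        Statistic = $check.Stat
        Observed  = [math]::Round($observed, 2)
        Limit     = $check.Limit
        OverLimit = ($observed -gt $check.Limit)
    }
}

$report | Select-Object Counter, Statistic, Observed, Limit, OverLimit | Format-Table -AutoSize
```

A single one-minute window only shows the current state; schedule the script and keep the output if you need a baseline to compare against.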

Windows Server Core Installation

Server Core Prerequisites

Before installing Server Core you will need the following:

  • The original Windows Server 2008 or 2008 R2 installation media.
  • If you are using Windows Server 2008 you will need a valid product key (installation can be completed on Windows Server 2008 R2 without a product key).
  • A machine for the clean Server Core installation (note that there is currently no upgrade option for Server Core – only a new clean installation is available).
  • There is no way to upgrade from a . Only a clean installation is supported.
  • There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows® user interface or a server role that is not supported in a Server Core installation, you will need to install a full installation of Windows Server 2008.

Note that the only option for installing Server Core is a new clean installation. It is not possible to upgrade from a full installation of Windows Server 2008 to a Server Core installation, nor is it possible to upgrade from any previous version of Windows Server to Server Core.

Installation Method 1 – Manually Install Server Core.

Follow the below procedure to install Server Core:

  1. Insert the Windows Server 2008 installation media in the DVD drive.
  2. The auto-run dialog will appear, click Install Now.
  3. Follow the stepped instructions to complete the Server Core Setup.
  4. When Setup has completed, hit CTRL+ALT+DELETE, click Other User, then type Administrator with a blank password, and hit ENTER. You will then be prompted to create a password for the Administrator account, and the installation will then be complete.

In Windows Server 2008 R2 the setup procedure no longer prompts you for a product key.

Windows Server File Level Security

Files on Windows Server are only as secure as their permissions. Thus, it is essential to know that Windows Server 2008 R2 does not give the Everyone group full control over NTFS-level and share-level permissions. Additionally, important system files and directories are secured to prevent unauthorized access. This is a definite improvement over previous versions of Windows Server, but a solid understanding of file-level security is still important to fully ensure the security of files on Windows Server.

Understanding NT File System (NTFS) Security

Windows Server 2008 R2 ships with the latest revision of NTFS (NT File System). Each object which is referenced in NTFS, including files and folders, is marked by an ACE (access control entry) that physically limits the users that can access a resource. NTFS permissions use this concept to control the read, write, and other access type permissions on files. File servers should avail of NTFS-level permissions, and all directories should have their file-level permissions examined to ascertain if there are holes in the NTFS permission set. Modifying NTFS permissions in Windows Server 2008 R2 is a simple process; simply follow the below steps:

  1. Right-click the file or folder to which the security will be applied, and select Properties.
  2. Click the Security tab.
  3. Click Advanced.
  4. Click Change Permissions.
  5. Uncheck Include Inheritable Permissions from This Object’s Parent.
  6. When prompted about the use of parent permissions click Remove.
  7. When in the Advanced dialog box, click Add to grant access to the users and/or groups who require access to the files or folders.
  8. Check the Replace All Child Object Permissions with Inheritable Permissions from This Object checkbox. Click OK.
  9. When prompted regarding replacing security on child objects, hit Yes to replace the child object security.
  10. Click OK, and finally click OK again to close Properties.
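The same change can be scripted and the result audited for the "holes" mentioned above. This is an added example, not part of the original article: the folder path, the group name and the Modify right granted to it are assumptions, and Administrators and SYSTEM are granted explicitly so that removing the inherited entries in steps 5 and 6 does not leave the folder without an administrative entry.

```powershell
# Added example, not from the original article. $Path and $Group are
# placeholders (assumptions); run from an elevated PowerShell session.
$Path  = 'D:\Shares\Finance'
$Group = 'EXAMPLE\Finance-Users'

# Groups treated as too broad for write access, and the rights counted as
# write-class. 0x10000000 / 0x40000000 are GENERIC_ALL / GENERIC_WRITE, which
# Get-Acl can return as raw numbers on older ACLs.
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000

function Get-AclFinding {
    param([string]$Root)
    $rootItem = Get-Item -Path $Root
    $items    = @($rootItem) + @(Get-ChildItem -Path $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            $isBroadWrite = ($ace.AccessControlType -eq 'Allow') -and
                            ($BroadPrincipals -contains $ace.IdentityReference.Value) -and
                            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)
            # Explicit entries below the root are the ones step 8
            # ("Replace All Child Object Permissions") would overwrite.
            $isCustomChild = (-not $ace.IsInherited) -and ($item.FullName -ne $rootItem.FullName)
            if ($isBroadWrite -or $isCustomChild) {
                New-Object PSObject -Property @{
                    Path       = $item.FullName
                    Identity   = $ace.IdentityReference.Value
                    Rights     = $ace.FileSystemRights
                    Inherited  = $ace.IsInherited
                    Protected  = $acl.AreAccessRulesProtected
                    BroadWrite = $isBroadWrite
                }
            }
        }
    }
}

# Audit first: nothing is changed by this call.
Get-AclFinding -Root $Path |
    Select-Object Path, Identity, Rights, Inherited, Protected, BroadWrite |
    Format-Table -AutoSize

# Steps 5-6: stop inheriting from the parent and remove the inherited entries.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)

# Step 7: add explicit entries that files and subfolders will inherit.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $Group;                   Rights = 'Modify' }      # assumed access level
)
foreach ($grant in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant.Id, $grant.Rights, $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Audit again: any row with BroadWrite = True is a remaining hole, typically
# on a child object whose ACL is protected or carries its own explicit entries.
Get-AclFinding -Root $Path | Where-Object { $_.BroadWrite } | Format-Table -AutoSize
```

The script does not perform step 8; review the first audit's output before replacing child permissions, since that step discards every explicit entry it lists.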

Share-Level Security Versus NTFS Security

Previous versions of Windows Server security used share-level permissions that were independently set.

Windows Intune Review

Windows Intune is a new product from Microsoft which is designed for system admins to manage and secure PCs across an enterprise.

Windows Server administrators have numerous tools to manage a network of servers (for example, security patches etc. can be managed in-house using WSUS), however for the managing individual PCs spread across multiple locations in the enterprise.

Intune is a cloud-based solution, allowing administrators to log on to the Intune online portal and manage remote PCs. Note that every remote PC which is being administered from Intune will need to have the Intune client installed.

Intune can perform the below roles:

  • Manage Updates: Manage the deployment of the Windows OS updates and service packs to remote PCs.
  • Protect PCs from malware: Helps safeguard the enterprise’s PCs from the latest threats with centralized protection built using the Microsoft Malware Protection Engine, Microsoft Forefront Endpoint Protection and Microsoft Security Essentials.
  • Proactively monitor PCs: Get alerts on updates and threats to proactively identify and resolve problems on PCs.
  • Provide remote assistance: Resolve PC issues using remote assistance.
  • Track hardware and software inventory: Track the hardware and software assets used in the enterprise to efficiently manage your assets, licenses, and compliance.
  • Set global security policies: Centrally manage updates as well as firewall and malware protection settings across the enterprise, even on remote machines outside the corporate network.

Requirements are quite minimal: for client PCs, XP or higher is required, and for administrators to access the online portal a browser supporting Silverlight 2 is required.

Getting Started Using Windows Intune

The first screen you are presented with after logging into the Intune online portal is the Overview screen, which provides a summary of the PC system status across the enterprise.

Windows Intune Overview Page

Clicking on the Computers link on the left gives a listing of the computers which are being administered using Windows Intune. PCs can also be grouped for the purposes of administration.

Windows Intune Computers Listing


Selecting one of the computers in the listing provides the full details of the hardware and software specs of the PC as well as the system updates applied.

PC System Details

Intune will show a listing of all the software products installed across the enterprise’s PCs.

Listing of Software Installed across all the enterprise’s PCs

From the Intune online portal admins can assign updates for distribution to PCs connected to Intune. Click on security updates for a listing of all updates for the various Windows OSs on the PCs connected via Intune. The patches can be reviewed and then approved for distribution to PCs.

Intune provides in-built protection against malware (such as trojans, spyware, rootkits and viruses) using the Microsoft Malware Protection Engine. PCs will automatically be protected via Intune with no intervention required from the administrator. In the event an attack is detected, the malware engine will attempt to block the attack and report the events on the Alerts Overview page of the Intune portal.

Security policies can be set for managed PCs using the Policy Overview page. A security policy allows you to create new policy settings based on simple template-based configurations. The template agent allows administrators to create standard policies to configure security updates, firewall policies and malware protection.

A common issue for administrators is diagnosing and fixing issues on remote PCs. Windows Intune allows admins to remotely access, diagnose and fix problems on PCs managed by Intune.

The Windows Intune Center which will be installed on client PCs allows the admin to remotely take control of the client desktop (after the client grants permission) via Microsoft Easy Assist.

In addition the PC user will also be able to check the status of Windows Updates and scan their PC or attached storage for malware from their native Windows Intune Center.

Microsoft Windows Intune Center

Overall, Intune is a capable offering from Microsoft. It will offer admins a simple and efficient way to manage PCs across an enterprise. However, the product does still have some shortcomings, such as the lack of an ability to manage software application distributions and versioning across managed PCs.

Using Windows Server Update Services – WSUS

Once WSUS has been installed, the organization must decide on how to use WSUS to configure the updates for the client servers under its control. Organizations which don’t use Active Directory or group policies will have to manually configure every client server’s settings with the location of the WSUS server. This can be done either through using a local policy or manually through the Registry settings.

However, in most circumstances the organization will be using Active Directory and can configure all clients.

Configuring WSUS Clients via Group Policy

A group policy in an Active Directory environment can be used to configure the Automatic Updates client which is included with all current versions of Windows. In Windows Server 2008 R2 the domain controllers automatically contain the correct Windows Update Group Policy extension, and a group policy can be defined by following the below steps:

  1. Launch Group Policy Management (available at Start > All Programs > Administrative Tools > Group Policy Management).
  2. Navigate to the unit in your organization which will have the group policy applied, right-click on the name of the unit, and then select Create a GPO in This Domain, and Link It Here.
  3. Add a name for the new GPO (there is also an option to start from the existing settings of a current GPO). Click OK.
  4. Right-click your new GPO and then select Edit to start the Group Policy Management Editor, and then expand it to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
  5. Double-click on the Configure Automatic Updates setting.
  6. Set the group policy which is to be enabled, and then configure the automatic updating sequence as required. The three options (2, 3, 4) enable different degrees of client intervention. To enable client-independent installation select option 4 (Auto-download and schedule the install).
  7. Next, schedule the interval at which updates will be installed and note that some updates will require a reboot.
  8. Select Next Setting for more configuration options.
  9. Click Enabled to set the location of your organization’s WSUS server – it is recommended to enter the fully qualified domain name of the server. Enter both settings (normally the same server), and then hit OK to save the Group Policy settings. Then click Next Setting. (Note that organizations who elect to use a custom IIS website will have to use Port 8530 for client access to WSUS, in which case enter the web location appended with the port number, for example http://defr.winserverorg.com:8530, for both settings.)
  10. Set the interval at which the client will check for updates, and then click Next Setting.
  11. Review all the remaining option settings and configure them as required. Then click OK.
  12. Repeat the above 12 steps for additional organizational units.

Depending on which settings are chosen by the Registry or group policy, clients which are managed by WSUS will automatically download updates throughout the day and then install the updates at a specified time. Client servers which are configured to use WSUS for updates will not be prompted to configure their Automatic Update settings, which will be grayed out to prevent changes from being made. Users without local admin access will not be able to make any changes to the installation schedule, although local admin users are able to postpone forced installs.
It is normally considered best practice to allow servers to control the download and install schedule, but force all clients to do both download and installation automatically.
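Whether the GPO or a manual Registry edit actually reached a client can be checked by reading the Windows Update policy values on that client. This is an added example, not part of the original article: the expected server is the article's sample URL and the expected option is the article's option 4, both to be replaced with your own values.

```powershell
# Added example: read the Windows Update policy values that the settings
# above write to the client Registry and compare them with what was intended.
# $ExpectedServer is the article's sample URL; replace it with your own.
$ExpectedServer    = 'http://defr.winserverorg.com:8530'
$ExpectedAUOptions = 4      # option 4: auto-download and schedule the install

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props) { $prop = $props.PSObject.Properties[$Name] } else { $prop = $null }
    if ($prop) { $prop.Value } else { $null }
}

$policy = New-Object PSObject -Property @{
    WUServer             = (Get-PolicyValue $wuKey 'WUServer')
    WUStatusServer       = (Get-PolicyValue $wuKey 'WUStatusServer')
    UseWUServer          = (Get-PolicyValue $auKey 'UseWUServer')
    AUOptions            = (Get-PolicyValue $auKey 'AUOptions')
    ScheduledInstallDay  = (Get-PolicyValue $auKey 'ScheduledInstallDay')
    ScheduledInstallTime = (Get-PolicyValue $auKey 'ScheduledInstallTime')
    DetectionFrequency   = (Get-PolicyValue $auKey 'DetectionFrequency')
}

$findings = @()
if ($policy.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client does not use the intranet server.'
}
if ($policy.WUServer -ne $ExpectedServer) {
    $findings += "WUServer is '$($policy.WUServer)', expected '$ExpectedServer'."
}
if ($policy.WUStatusServer -ne $policy.WUServer) {
    $findings += 'WUStatusServer differs from WUServer (step 9 normally sets both to the same server).'
}
if ($policy.AUOptions -ne $ExpectedAUOptions) {
    $findings += "AUOptions is '$($policy.AUOptions)', expected $ExpectedAUOptions."
}
if ($policy.AUOptions -eq 4 -and $policy.ScheduledInstallTime -eq $null) {
    $findings += 'AUOptions is 4 but no ScheduledInstallTime is set (step 7).'
}
if ($policy.DetectionFrequency -eq $null) {
    $findings += 'No DetectionFrequency is set (step 10); the client uses its default interval.'
}
if ($policy.WUServer -and $policy.WUServer -notlike 'https://*') {
    $findings += 'WUServer is plain HTTP; WSUS also supports SSL, which protects update metadata in transit.'
}

$policy | Format-List WUServer, WUStatusServer, UseWUServer, AUOptions,
                      ScheduledInstallDay, ScheduledInstallTime, DetectionFrequency
if ($findings.Count -eq 0) { 'Client policy matches the intended WSUS configuration.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```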

Windows Server Update Services – Installing WSUS

A major issue with security on Windows Server installations is the difficulty in keeping all servers up to date with the latest security patches and fixes. The Windows Update service, which allows for automatic download and installation of security fixes, is really only suitable for smaller enterprises; large enterprises with numerous Windows Server installations do not wish to incur the bandwidth and overhead of having each server run its own individual update. Windows Server Update Services (WSUS) is a free download from Microsoft which effectively gives enterprises their own, independent version of the Windows Update server. Clients then connect to the central intranet Windows Server Update Services (WSUS) server for all security patches and OS updates.

Windows Server Update Services (WSUS) Requirements

It is optimal to install WSUS on a dedicated server, but it can also be installed on a Windows Server 2008 R2 server that is running other tasks, provided the server is running Internet Information Services (IIS). The below are the minimum requirements for WSUS:

  • Windows Server 2003 SP1 or higher
  • Background Intelligent Transfer Service (BITS)
  • Internet Information Services (IIS)
  • Windows Internal Database role or, alternatively, SQL Server 2005 (or higher) installed locally or on a remote server
  • .NET Framework 2.0 or higher

Installing WSUS on Windows Server 2008 R2

WSUS installation is a simple process as it is installed as a server role from Server Manager. The below steps install Windows Server Update Services plus all required components.
To complete the initial installation of WSUS, follow these steps:

  1. Launch the Server Manager.
  2. On the Roles Summary pane, select Add Roles to launch the wizard and click Next.
  3. Select Windows Server Update Services, and then click Next.
  4. Next, the Add Role Services and Features Required for Windows Server Update Services window will prompt you for additional components to be installed, if necessary. The required components are the IIS web server and management tools, the Windows Process Activation Service Process Model, and the .NET framework. Once this is complete, click Add Required Role Services to continue and then click Next.
  5. Read the Introduction to Web Server (IIS) overview (if necessary) and then click Next.
  6. Hit Next to select the default role services to install for IIS.
  7. Read the Introduction to Windows Server Update Services overview (if necessary) and then click Next.
  8. After reading the summary of installation selections, click Install.
  9. The Server Manager will show “Searching for Updates” and “Downloading” while it connects to Microsoft’s server and downloads WSUS. It will also install IIS and the Windows Process Activation Service, if required.
  10. The Windows Server Update Services Setup Wizard will be displayed as the installation progresses. Click Next.
  11. Read and accept the license agreement for WSUS, and then click Next.
  12. If alerted that Report Viewer 2005 is not installed just click Next to continue with the installation (note that some reports will be unavailable without Report Viewer installed).
  13. Select the Store Updates Locally check box, and then enter a location to store them. This location needs to be sufficient to hold a large number of downloadable patches. Click Next.
  14. Select Install the Windows Internal Database on This Computer, or alternatively, Use an Existing Database Server on a Remote Computer if you wish to use a remote SQL Server.
  15. Select to Use the Existing IIS Web Site and then click Next to continue with the installation.
  16. Review the security settings on the Ready to Install page and then click Next.
  17. The installation then completes in the Server Manager and, once the Finish button is clicked, the WSUS Configuration Wizard is shown. Review the information and then click Next.
  18. Click Next to sign up to the Microsoft Update Improvement Program.
  19. Select Synchronize from Microsoft Update, and then click Next.
  20. If necessary, configure your proxy server settings and then click Next.
  21. Click on Start Connecting to save your settings and download update information. This process can take several minutes. Then click Next.
  22. Select the preferred update language(s), and then click Next.
  23. Select the products which you want to have updates for, and click Next.
  24. Select the classifications of the updates that you wish to download, and click Next.
  25. Set the schedule on which you want WSUS to automatically synchronize with the Microsoft Update servers, or alternatively you can select Synchronize Manually. Click Next.
  26. Make sure that Begin Initial Synchronization is selected, and then click Finish.
  27. Finally, review the installation results, click Close, and then close the Server Manager.

Windows Server Update Services is administered from the WSUS MMC, which is the main location for all the configuration settings for WSUS and is its only administrative console. WSUS MMC is located at Administrative Tools > Microsoft Windows Server Update Services 3.0 SP1, or can be directly accessed from Server Manager.

Integrated Windows Firewall with Advanced Security in Windows Server 2008 R2

The integrated firewall that is included with Windows Server 2008 R2, which is turned on by default, is vastly improved over the integrated firewall in previous versions. The firewall is administered from an MMC snap-in, shown below (accessed at Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security), and provides unprecedented security and control on a server.

Windows Firewall with Advanced Features MMC Snap in

The new firewall with advanced security is now fully integrated into the Server Manager utility and also the Server Roles Wizard. If, for example, an admin runs the Server Roles Wizard and elects to make the server a file server, the ports and protocols which are required for file server access are only then opened on the server.

Most Windows Server admins instinctively disable software firewalls on servers, due to the numerous problems with this functionality in the past. This approach is, however, not recommended in Windows Server 2008 R2, as the product is now tightly integrated with the firewall, and the firewall provides a much higher level of security than in previous versions of Windows Server.

Creating Outbound and Inbound Rules with Windows Firewall

In some instances, when a third-party app isn’t integrated with Server Manager, or when the need arises to open specific individual ports, it may be necessary to create firewall rules to ensure individual services run properly. Both inbound rules (i.e. addressing traffic coming to the server) and outbound rules (i.e. addressing the server’s outward communication) can be created with the Windows Firewall. These rules can be based on the below factors:

  • Program—Rules which allow a specific program executable access can be created. For example, you could specify that the c:\Program Files\XYZ Program\xyzprogram.exe file has full outbound access when it is running. Windows Firewall will then allow any type of connection that is made by that program full access. This is useful in scenarios where a specific application server uses multiple varied ports, but the overarching security that the firewall provides is still required.
  • Port—Entering a traditional TCP or UDP port in the Add Rules Wizard is supported, which covers the traditional scenarios like the requirement to open Port 8787 on the server.
  • Predefined—Windows Server also ships with predefined rules, such as those which allow AD DS, DFS, BITS, HTTP, and many more. The advantage of using these predefined rules is that Microsoft has performed all the work in advance, and it will be much more straightforward to allow a specific service.
  • Custom—Custom rule types not covered in the other categories can also be created.
  • Custom—Custom rule types not covered in the other categories can also be created.

For example, the below steps show how to create an inbound rule to allow a custom app to use TCP Port 8787 for inbound communication:

  1. Start Windows Firewall MMC (Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security).
  2. Select the Inbound Rules node in the node panel.
  3. On the Actions pane, select the New Rule link.
  4. In the Rule Type page on the New Inbound Rule Wizard select Port to create a rule based on the port, and then click Next.
  5. On the Protocol and Ports page select TCP, and then enter 8787 in the Specific Local Ports field and then click Next.
  6. Select Allow to enable the connection on the Action page. This Action page of the New Inbound Rule Wizard also enables a rule to be configured which will only allow a connection secured using IPSec technologies.
  7. On the Profile page check all three check boxes. This page enables an admin to specify that a rule will only apply when connected to specific networks. Then click Next.
  8. Enter a name for the rule, and then click Finish to complete the process.

You should review the rule settings in the Inbound Rules node, which will provide a quick-glance view of the rule settings. You may also include a rule within a rule group – this allows for multiple rules to be bound together for simple on/off application.
Integrated Windows Firewall is now a vital part of Windows Server security. The newly added ability to define rules based on factors such as profile, scope, IPSec status, etc. positions Windows Server as an OS with one of the highest levels of integrated security.
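The TCP 8787 rule from the steps above can also be created from the command line and then reviewed together with every other inbound rule that is open on the Public profile. This is an added example, not part of the original article; the rule name is a placeholder, and the review uses the HNetCfg.FwPolicy2 COM interface that ships with Windows Firewall with Advanced Security.

```powershell
# Added example, not from the original article. Run from an elevated
# PowerShell session. $RuleName is a placeholder (assumption) and contains
# no spaces so it passes cleanly to netsh.
$RuleName = 'CustomApp-TCP-8787'

# Wizard steps 4-8: port rule, TCP 8787, allow, all three profiles.
# Adding remoteip=<subnet> would limit the rule's scope to known clients.
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=8787 profile=any
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Constants from the firewall COM API.
$DirIn = 1; $ActionAllow = 1; $ProfilePublic = 4

$fw = New-Object -ComObject HNetCfg.FwPolicy2

function Format-FwRule {
    param($Rule)
    $proto = switch ($Rule.Protocol) { 6 { 'TCP' } 17 { 'UDP' } 256 { 'Any' } default { $_ } }
    New-Object PSObject -Property @{
        Name      = $Rule.Name
        Protocol  = $proto
        Ports     = $Rule.LocalPorts
        Program   = $Rule.ApplicationName
        RemoteIPs = $Rule.RemoteAddresses
        Domain    = [bool]($Rule.Profiles -band 1)
        Private   = [bool]($Rule.Profiles -band 2)
        Public    = [bool]($Rule.Profiles -band $ProfilePublic)
    }
}

# Read back the rule that was just created.
$fw.Rules | Where-Object { $_.Name -eq $RuleName } |
    ForEach-Object { Format-FwRule $_ } |
    Format-List Name, Protocol, Ports, RemoteIPs, Domain, Private, Public

# Review: enabled inbound allow rules that accept any remote address while
# the server is on a Public network. Each one should have a known owner.
$fw.Rules |
    Where-Object {
        $_.Enabled -and
        $_.Direction -eq $DirIn -and
        $_.Action -eq $ActionAllow -and
        ($_.Profiles -band $ProfilePublic) -and
        $_.RemoteAddresses -eq '*'
    } |
    ForEach-Object { Format-FwRule $_ } |
    Sort-Object Name |
    Format-Table Name, Protocol, Ports, Program -AutoSize
```

The rule created here appears in the second listing as well, because checking all three profiles in step 7 includes Public and the wizard steps leave the remote address scope at any.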