Keep Calm and Carry On to Windows 10

Paul Griffiths

OK…I admit it. My laptop is still running Windows 7. Don’t get me wrong, I like Windows 7. But it is long overdue that the productivity tool I use daily should really be running the latest offering from those people at Redmond.

I’m not going to blame our corporate IT folk for holding me back, they have to look after everyone in the company and make sure all applications we use are compatible with any new operating system before rolling it out. That is not a trivial task.

When I listen to the customers I meet responding to my question about what version of Windows desktop they’re running, they are generally saying the same thing; “We’re on Windows 7 but migrating to Windows 10 over the next few months.” Yes of course there are organisations who have already updated their desktop environment, and the rate of adoption is growing, but many more have yet to make the move.

But why am I interested to know? There are perhaps a number of reasons why Windows 10 should be the operating system of choice for those organisations who choose to deploy Microsoft products. One of the main reasons can be summed up in a single word, security.

Secure collaboration as standard

It’s not that Windows 7 is insecure, and before you start, I’m not here to host a debate on security or lack thereof for it or any other OS. But Windows 10 supports some key developments that go beyond what was available with its single digit predecessors. One of the main ones is in the area of user collaboration and file sharing. It traditionally uses a protocol called Server Message Block, more commonly abbreviated simply to “SMB”.

Most companies have already refreshed their Microsoft server infrastructure in the data centres so that they’re running Windows Server 2016. When Windows 10 clients connect to Server 2016 fileservers, they automatically use SMB 3.1.1 which is the latest version of the protocol.

“So what?” I hear you say.

Well, back to the “s” word. With SMB 3.1.1 Microsoft included a feature called “Preauthentication Integrity Check”. Yes, it’s a bit of a mouthful, but in simple terms this is a security mechanism that makes sure there is no “man in the middle” between the client and server. This check is made automatically when the client and server start up a conversation. If there is any evidence of tampering between client and server, the connection is reset and the conversation stopped. A sensible approach.

As a WAN optimisation device that provides layer 7 application acceleration, the Riverbed SteelHead is by design, interacting with the client-server conversation. So, no prizes for guessing what might happen if the SteelHead says or does the wrong thing. The alternative to not getting it right, is for a WAN optimisation device to “pass-through” the SMB 3.1.1 traffic which completely defeats the purpose and means both user productivity and WAN bandwidth consumption are negatively affected. There used to be an option for WAN optimisation devices to force the client and server to negotiate down to SMB1 (a much earlier version of the protocol) thereby avoiding the security checks. But that undermines the whole object of security and Microsoft are not only discouraging this down negotiation, they are actively preventing it within these more recent operating systems. And so they should.

Optimized and secure with Riverbed SteelHead

Why is this important from a WAN optimisation point of view? Quite simply because when you look at the top three applications in your network that are benefitting from WAN optimisation, in my experience, SMB is usually there alongside email and HTTP(S). That’s a significant proportion of the WAN traffic and if it’s not being optimised it means your user productivity is suffering and the unoptimized traffic might mean the WAN bandwidth is becoming congested which will in turn affect all other traffic using the links.

But fear ye not, Riverbed’s close collaboration with Microsoft has meant that, as far back as May 2016, our engineering team have ensured SteelHeads running release 9.2 or later comply with the preauthentication integrity check and can provide true layer 7 optimisation of SMB 3.1.1 traffic without compromising the security between client and server. Both signing and encryption are preserved end to end. So as we might say here in Britain, “Keep Calm and Carry on Collaborating!”

If you aren’t sure whether your SteelHeads are configured correctly to give you this benefit, get in touch with your friendly Riverbed representative. It could be as simple as a few clicks.

Comments are closed.