Critical Microsoft 2008 Server Application Configurations Top Picks


As an administrator, you need to quickly focus on the most critical Microsoft 2008 Server Application configurations necessary to maintain performance. So we've compiled below the top picks, chosen by our customers' Microsoft 2008 Server Application experts, that you should keep your eye on.

So what do you say? Let us hear which other critical configuration parameters have caught your attention by adding to the comment section at the end of this article, and of course share the wealth with your social network.

1. Virtual Memory

Description

Virtual memory separates a program's view of memory from the system's physical memory, so an operating system decides when and if to store the program's code and data in physical memory and when to store it in a swap file.

Why It's Important

While virtual memory limits are related to physical memory limits, they are derived from different sources. The major advantage of virtual memory is that it allows more processes to execute concurrently than physical memory alone would allow. At the same time, extensive swapping slows down system performance, so it is very important to tune the virtual memory setting for top performance.

Impact Areas

Performance

Setting Parameter

  • Open System Properties
  • Open Advanced system settings->Advanced->Performance Options ->
  • Go To Virtual Memory -> Change -> Custom Size

Notes

Best practice is to set a custom size with Initial = Maximum size = (physical memory size on the server) * 1.5. If you have more than one physical disk, moving the page file to a fast drive that doesn't contain your Windows system files is a good idea.

Using multiple page files split over two or more physical disks is an even better idea, because your disk controller can process multiple read or write requests concurrently. But don't make the mistake of creating two or more page files using multiple volumes on a single physical disk. If, for example, you have a single hard disk that contains volumes C, D, and E, splitting the page file over two or more of these volumes might actually make your computer run more slowly.
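As an added example (not from the article), the following Windows PowerShell function audits the configured page files against the rules above: Initial equal to Maximum, size of 1.5 times physical RAM, and placement off the Windows system drive. It assumes PowerShell 2.0 (included with Windows Server 2008 R2, installable on 2008) and local administrative rights; the function name Get-PageFileAudit is our own.

```powershell
# Added example, not from the original article. Compares the configured page
# file(s) with the article's rules: Initial = Maximum, size = 1.5 x physical RAM,
# and not on the Windows system drive. Read-only; it changes nothing.

function Get-PageFileAudit {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $recommendedMB = [math]::Round($ramMB * 1.5)
    $systemDrive = $env:SystemDrive          # e.g. "C:"
    $findings = @()

    # AutomaticManagedPagefile = True means Windows sizes the page file itself.
    if ($cs.AutomaticManagedPagefile) {
        $findings += "Page file is system-managed; a fixed custom size of $recommendedMB MB is recommended."
    }

    # Win32_PageFileSetting lists each configured page file; sizes are in MB,
    # and 0/0 means "system managed size" for that file.
    foreach ($pf in @(Get-WmiObject -Class Win32_PageFileSetting)) {
        if ($pf -eq $null) { continue }
        $name = $pf.Name                     # e.g. "C:\pagefile.sys"
        if ($pf.InitialSize -ne $pf.MaximumSize) {
            $findings += "$name : Initial $($pf.InitialSize) MB differs from Maximum $($pf.MaximumSize) MB; set them equal."
        }
        if ($pf.MaximumSize -ne 0 -and $pf.MaximumSize -lt $recommendedMB) {
            $findings += "$name : Maximum $($pf.MaximumSize) MB is below 1.5 x RAM ($recommendedMB MB)."
        }
        if ($name.Substring(0, 2) -eq $systemDrive) {
            $findings += "$name : sits on the Windows system drive; a separate physical disk is preferred."
        }
    }

    if ($findings.Count -eq 0) {
        $findings += "Page file configuration matches the recommendations ($ramMB MB RAM)."
    }
    $findings
}

Get-PageFileAudit
```

The check for several page files on different volumes of the same physical disk is not covered here; that needs the Win32_LogicalDiskToPartition association and a look at the disk index of each volume.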

2. System Properties: Processor Scheduling

Description

Windows determines which job (task) should be run on the computer processor at which time. Without scheduling, the processor would give attention to jobs based on when they arrived in the queue, which is usually not optimal. 

As part of the scheduling, the processor gives a priority level to different processes running on the machine.

Why It's Important

Setting this configuration setting appropriately in your environment will improve the overall system performance.

Impact Areas

Performance

Setting Parameter

  • Click Start, click Run, and then type sysdm.cpl in the Run box.
  • In the System Properties dialog box, click the Advanced tab, and then click Settings under Performance.
  • In the Performance Options dialog box, click the Advanced tab, make sure the Background services option is selected under Processor scheduling.

Notes

The preferred option for Processor Scheduling is "Background services". This means that all processes (foreground and background) get an equal share of processor time, which makes more sense for a host used as a server.

3. Compress Drive To Save Disk Space

Description

NTFS can compress files and volumes in order to save disk space.

Why It's Important

Enabling NTFS compression on a hard disk can affect the performance of read/write operations and the CPU utilization of the server.

Impact Areas

Performance

Setting Parameter

  • Open Computer
  • Right click on the drive letter and select Properties
  • Make sure that Compress drive to save disk space is unchecked.

Notes

For best performance, the Windows directory, its supporting files and database files/directories should not be compressed; the same applies to the Programs folder.

4. Firewall

Description

Windows Firewall is a built-in, host-based, stateful firewall that is included in Windows Server 2008.

Windows Firewall drops incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). 

Windows Firewall helps provide protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers. 

In Windows Server 2008, Windows Firewall can also drop outgoing traffic and is configured using the Windows Firewall with Advanced Security snap-in, which integrates rules for both firewall behavior and traffic protection with Internet Protocol security (IPsec).

Why It's Important

Many companies today secure their network using the "hard outer shell / gooey center" approach: they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet.

However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable asset: their data.

This is why securing Windows servers with host-based firewalls is required.

Impact Areas

Availability

Functionality

Security

Setting Parameter

  • Click Start
  • Expand Administrative Tools
  • Click Windows Firewall with advanced security 

Notes

Nice article:

How to configure the new Windows Server 2008 advanced firewall MMC snap-in
by David Davis, WindowsNetworking.com

The new features of the Windows Server 2008 Advanced Firewall and how to configure this powerful host-based firewall using the new MMC snap-in  

5. Windows Services

Description

On Microsoft Windows operating systems, a Windows service is a long-running executable that performs specific functions and which is designed not to require user intervention. 

Windows services can be configured to start when the operating system is booted and run in the background as long as Windows is running, or they can be started manually when required. 
They are similar in concept to a Unix daemon. Many appear in the processes list in the Windows Task Manager, most often with a username of SYSTEM, LOCAL SERVICE or NETWORK SERVICE, though not all processes with the SYSTEM username are services.

Why It's Important

Disabling nonessential Windows Server 2008 services on a dedicated server will increase server security and performance.

Impact Areas

Performance

Security

Setting Parameter

  • Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
  • Under Computer Management (Local), expand Services and Applications, and then click Services.

Notes

Stop or disable any Windows services that are not strictly necessary. Suggested list of services to be disabled:

  • Alerter
  • Computer Browser
  • DHCP Client
  • File Replication
  • Indexing Services
  • Internet Connection Sharing
  • Messenger
  • Network DDE
  • Network DDE DSDM
  • Print Spooler
  • TCP/IP NetBIOS Helper Service
  • Telephony
  • Telnet
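As an added example (not from the article), this Windows PowerShell function reports the current state and start mode of the services in the list above, so you can see which ones still need attention before disabling anything. The display names follow the list (two are shortened to the names Windows actually uses), and services that do not exist on a given build are reported as not installed rather than raising an error. It assumes PowerShell 2.0; the function name is our own.

```powershell
# Added example, not from the original article. Reports state and start mode
# for the services the article suggests disabling. Read-only.

# Display names from the article; 'Indexing Service' and 'TCP/IP NetBIOS Helper'
# are the names Windows actually uses for two entries in that list.
$suggestedServices = @(
    'Alerter', 'Computer Browser', 'DHCP Client', 'File Replication',
    'Indexing Service', 'Internet Connection Sharing', 'Messenger',
    'Network DDE', 'Network DDE DSDM', 'Print Spooler',
    'TCP/IP NetBIOS Helper', 'Telephony', 'Telnet'
)

function Get-NonessentialServiceReport {
    param([string[]]$DisplayNames)

    # One WMI query for all services; Get-Service on PowerShell 2.0 does not expose StartMode.
    $all = @(Get-WmiObject -Class Win32_Service)
    foreach ($display in $DisplayNames) {
        $svc = $all | Where-Object { $_.DisplayName -eq $display } | Select-Object -First 1
        if ($svc -eq $null) {
            # Several services on the list were removed after Windows Server 2003.
            $result = 'not installed'
            $short  = '-'
        }
        elseif ($svc.State -eq 'Running' -or $svc.StartMode -eq 'Auto') {
            $result = "REVIEW: $($svc.State), start mode $($svc.StartMode)"
            $short  = $svc.Name
        }
        else {
            $result = "ok: $($svc.State), start mode $($svc.StartMode)"
            $short  = $svc.Name
        }
        # One object per service so the output can be sorted, filtered or exported.
        New-Object PSObject -Property @{ DisplayName = $display; ServiceName = $short; Result = $result }
    }
}

Get-NonessentialServiceReport -DisplayNames $suggestedServices |
    Format-Table DisplayName, ServiceName, Result -AutoSize
```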

6. Remote Desktop

Description

Remote Desktop allows the graphical interface of a remote Windows system to be displayed over a network onto a local system. In addition, keyboard and mouse events on the local system are transmitted to the remote system enabling the local user to perform tasks on the remote system as if they were physically sitting at the remote system. Conversely, resources (such as printers and disk drives) on the local system can be made available to the remote system for the duration of the connection. This remote control can be established in a number of ways, including over wide area networks (WAN), local area networks (LAN) or over the internet.

Terminal Services run in two different modes, Administration and Virtual Session. Remote Desktop for Administration provides full administration functionality to the remote administrator (including access to the console session and visibility of notification messages). Remote Desktop for Administration is the equivalent to working directly at the remote system's console. In virtual session mode the user is subject to some limitations such as the ability to install applications and view console notification messages.

Why It's Important

Over time, applications often see their performance degrade due to poorly written code, sometimes getting stuck in a loop that causes unnecessary load on the CPU.

These applications can also cause memory leaks, where applications do not release memory they no longer need back to the operating system.

These applications can cause a server to stall, requiring the server to be rebooted. Process recycling was created to solve these problems.

Impact Areas

Performance 

Availability

Setting Parameter

  • Click Start, click Run, and then type sysdm.cpl in the Run box.
  • In the System Properties dialog box, click the Remote Tab
  • Under Remote Desktop, enable Allow Connections.

Notes

There are 3 possible options:

  • Don't Allow connections to this computer
  • Allow connections from computers running any version of remote desktop
  • Allow connections only from computers running Remote Desktop with Network Level Authentication.

The suggested option is #3 (more secure), but if workstations don't support Network Level Authentication, option #2 is the only one that will work.
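As an added example (not from the article), this Windows PowerShell function reads the two registry values behind the Remote tab and reports which of the three options above is in effect, flagging option #2 for review. The key paths and value names (fDenyTSConnections, UserAuthentication) are the ones Windows uses for these settings; the function name is our own.

```powershell
# Added example, not from the original article. Reports which of the three
# Remote tab options is in effect by reading the registry values behind them.
# Read-only; requires rights to read HKLM.

function Get-RemoteDesktopOption {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 is "Don't allow connections to this computer".
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 requires Network Level Authentication.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    if ($deny -eq 1) {
        $option = 1
        $text   = "Don't allow connections to this computer"
    }
    elseif ($nla -eq 1) {
        $option = 3
        $text   = 'Allow connections only from computers running Remote Desktop with Network Level Authentication'
    }
    else {
        $option = 2
        $text   = 'Allow connections from computers running any version of Remote Desktop'
    }

    $report = New-Object PSObject
    $report | Add-Member -MemberType NoteProperty -Name Option      -Value $option
    $report | Add-Member -MemberType NoteProperty -Name Description -Value $text
    # Option 2 is the one the article accepts only when clients lack NLA support.
    $report | Add-Member -MemberType NoteProperty -Name NeedsReview -Value ($option -eq 2)
    $report
}

Get-RemoteDesktopOption
```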

7. Network Adapter Settings (Speed/Duplex)

Description

These settings define the speed and duplex mode that a network card uses to establish and operate a network connection. Modern adapters can be configured to negotiate these settings with the switch automatically, or fixed values can be set.

Why It's Important

When facing a network connectivity issue, one of the most basic things you can rule out is a mismatch in the speed and duplex settings between the network card and the switch, by hard-coding both to the same configuration. Changing this setting ensures that the network interface does not auto-negotiate a lower speed or duplex setting, which has been a problem with some enterprise switches.

Impact Areas

Availability

Functionality

Performance

Setting Parameter

  • Open Device Manager.
  • Double-click Network adapters.
  • Right-click the network adapter for which you want to change settings, and then click Properties.
  • On the Advanced tab, change Connection Type (Speed/Duplex Settings).

Notes

Use a fixed speed and duplex (1 Gigabit or higher with full duplex) for the network connections.

8. Network Adapter Settings (Tcp/Ip Large Send Offload)

Description

TCP Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer. In Windows Server 2008, TCP Offload enables the Windows networking subsystem to offload the processing of a TCP/IP connection to a network adapter that includes special support for TCP/IP offload processing.

Why It's Important

The technology is not stable yet. There are many issues with Windows drivers and configuration that cause instability.

Impact Areas

Availability

Functionality

Performance

Setting Parameter

To enable TCP Chimney Offload, follow these steps:

  • Use administrative credentials to open a command prompt.
  • At the command prompt, type the following command, and then press ENTER: netsh int tcp set global chimney=enabled

To disable TCP Chimney Offload, follow these steps:

  • Use administrative credentials to open a command prompt.
  • At the command prompt, type the following command, and then press ENTER: netsh int tcp set global chimney=disabled

To determine the current status of TCP Chimney Offload, follow these steps:

  • Use administrative credentials to open a command prompt.
  • At the command prompt, type the following command, and then press ENTER: netsh int tcp show global

Configuring TCP Chimney Offload on the network adapter

To enable or disable TCP Chimney Offload, follow these steps:

  • Open Device Manager.
  • Under Network Adapters, double-click the network adapter that you want.
  • On the Advanced tab, click Enabled or Disabled in the box next to the TCP offload entry.

Note: Different manufacturers may use different terms to describe TCP Chimney Offload on the Advanced properties page of the network adapter.

Notes

Best practice is to disable TCP Offload; the technology is not stable yet.

Nice article about TCP Offload:
Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008
Microsoft Support

9. Network Adapter Settings (IPV4, IPV6)

Description

The TCP/IP stack in Windows Server® 2008 has IPv6 enabled by default. IPv6 connectivity is preferred, if available. This preference has the following implications for applications that hook into the TCP/IP stack:

  • Applications and services that are IPv6-compatible can have a much-improved peer-to-peer connection success rate on IPv4 networks due to the built-in NAT traversal capabilities of Teredo (which encapsulates IPv6 inside IPv4 across NATs).
  • IPv6 traffic will be created by the Windows Vista and Windows Server 2008 stack regardless of whether the network supports IPv6 or not. Therefore, for example, all Windows Vista and Windows Server 2008 systems will have at least one IPv6 address (for link-local) and will attempt DNS lookups for both IPv4 and IPv6.
  • The Windows Vista and Windows Server 2008 stack will always prefer using IPv6 when it can find an IPv6 address for the remote system it needs to talk to. Network communication will take place for any IPv6 compatible application or service if both systems in a session have IPv6 addresses (e.g. sharing files on a LAN will usually be done over IPv6).

Why It's Important

Versions of the Windows operating system beginning with Windows Vista prefer the use of IPv6 over IPv4.

However, if IPv6 is not utilized within the network infrastructure, leaving IPv6 enabled on the systems will not have an impact on internet communications, web browsing, etc. as the NIC would only be configured with a Link Local address, which is a non-routable address and can only communicate with systems on its same subnet, bounded by a router. 

IPv6 is an integral part of the operating system and several Windows components rely on it.

IPv6 should be left enabled.

Impact Areas

Availability

Functionality

Performance

Setting Parameter

Disable/Enable this property

  • Click Start, click Run, and then type cmd in the Run box.
  • Type (state=disabled turns the transition technology off; state=enabled for 6to4 and type=default for Teredo turn it back on):
    netsh int 6to4 set state state=disabled
    netsh int teredo set state type=disabled
  • Open Device Manager.
    Under Network Adapters, double-click the network adapter that you want.
    Check or uncheck IPv6.

Notes

Best practice is not to change the IPv6 setting. 

Nice article:

Why you should leave IPv6 alone
By John Losey, Technet  

10. Data Execution Prevention

Description

Data Execution Prevention (DEP) helps prevent an application or service from executing code in a non-executable memory region. DEP is a security feature available in Windows 2008.

In other words, DEP blocks a malicious program in which a virus or other type of attack has injected additional code into a process and then tries to run the injected code.

On a system with DEP enabled, execution of the injected code causes an exception. DEP blocks programs that take advantage of exception-handling mechanisms in Windows.

Why It's Important

Data Execution Prevention may accidentally shut down legitimate processes from valid applications or services, particularly third-party installers from software developers that release their products for download through the Web, or software programs that are less commonly used.

DEP normally does not display any warning or acknowledgment message letting you know that it has shut down a process, leaving you in the dark as to why your setup file cannot run, or why your computer cannot start a service.

Impact Areas

Security

Availability

Functionality

Setting Parameter

  • Click Start, click Run, and then type cmd in the Run box.
  • To Disable:
    bcdedit.exe /set {current} nx AlwaysOff
  • To Enable:
    bcdedit.exe /set {current} nx AlwaysOn

Notes

Best practice depends on the applications installed on the server. If all the applications support DEP, then enabling DEP is suggested; otherwise disable DEP.

Nice article:

Windows Vista Security, Review of Data Execution Prevention
By Rubersy Ramos, C# Corner
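As an added example (not from the article), this Windows PowerShell function reports the DEP policy currently in effect, using the Win32_OperatingSystem class rather than parsing bcdedit output, and also covers the OptIn and OptOut policies that the AlwaysOn/AlwaysOff commands above do not mention. The policy names match the values bcdedit accepts for nx; the function name is our own.

```powershell
# Added example, not from the original article. Reports the DEP policy in
# effect from WMI, including the OptIn/OptOut policies that the article's
# bcdedit AlwaysOn/AlwaysOff commands do not cover. Read-only.

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy codes; the names match bcdedit's
    # "/set nx" values, so the report maps directly onto the commands above.
    $policyNames = @{
        0 = 'AlwaysOff'   # no process is protected
        1 = 'AlwaysOn'    # every process is protected, no exceptions possible
        2 = 'OptIn'       # Windows programs and services only (client default)
        3 = 'OptOut'      # everything except an explicit exception list (server default)
    }
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    $name = $policyNames[$code]
    if ($name -eq $null) { $name = "unknown ($code)" }

    $report = New-Object PSObject
    $report | Add-Member -MemberType NoteProperty -Name Policy -Value $name
    # False here means the CPU/BIOS offers no hardware DEP; software DEP still applies.
    $report | Add-Member -MemberType NoteProperty -Name HardwareDepAvailable -Value $os.DataExecutionPrevention_Available
    # True for AlwaysOn and OptOut, the two policies that protect every process by default.
    $report | Add-Member -MemberType NoteProperty -Name ProtectsAllByDefault -Value ($code -eq 1 -or $code -eq 3)
    $report
}

Get-DepPolicy
```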

About the Author
Martin Perlin