Branch Office Infrastructure

Solutions
Base Client Services Guide

Version 3.0

Published: February 2008

Revised: September 2008
For the latest information, please see
microsoft.com/BranchOffice
Copyright © 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is
your responsibility. By using or providing feedback on this documentation, you agree to the license agreement
below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or
organization, then this documentation is licensed to you under the Creative Commons Attribution-
NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or
send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".
Your use of the documentation cannot be understood as substituting for customized service and information
that might be developed by Microsoft Corporation for a particular user based upon that user’s particular
environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS
ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY
DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering
subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your
use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-
mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, AcitveX, ForeFront Client Security 2007, System Center Configuration Manager 2007, Windows 2000,
Windows Server 2003, Windows Server 2008, Windows XP, and Windows Vista are either registered trademarks
or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to
the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,
without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You
also give to third parties, without charge, any patent rights needed for their products, technologies and services
to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will
not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to
third parties because we include your Feedback in them.

Solution Accelerators microsoft.com/technet/SolutionAccelerators

Contents

Solution Accelerators microsoft.com/technet/SolutionAccelerators

iv Guide Title (for single guide/doc accelerator or accelerator title (for multi-guide/doc accelerator)

Solution Accelerators microsoft.com/technet/SolutionAccelerators

Introduction
For many years, designing IT infrastructures that are capable of supporting branch sites
has been a challenging task. The complexities introduced by the limitations in available
network bandwidth, performance issues, and geographic separation, have a significant
impact on an organization’s ability to implement an appropriate single IT solution for all of
its sites. As wide area network (WAN) bandwidth and performance grows, client and
server technologies are also introduced (or enhanced) so that they provide better support
for branch operations. However, although the situation will improve, there will always be a
fundamental difference between the design for a geographically distributed IT
infrastructure and the design for a single site. The addition of branch sites introduces a
number of significant constraints that modify the options that are available to solution
designers.
This guide, as part of the Branch Office Infrastructure Solution (BOIS) series, updates the
design that was described in the Core Client Services section of Chapter 3 of the “Branch
Office Infrastructure Solution for Microsoft Windows Server 2003 Release 2” guide and
specifically deals with the changes that are introduced by the Microsoft Windows®
Server® 2008 and Microsoft Windows® Vista® operating system. Although many of the
fundamental design principles in this guide remain the same, there are some important
implementation details that have changed, especially with the introduction of improved
services like Windows Firewall with Advanced Security in Windows Vista. This guide
provides the necessary updates needed to ensure that your branch infrastructure takes
advantage of the latest base client services design approaches.

Goals and Objectives

This guide introduces the design considerations that involve delivering base client
services to service-based branch environments using new technologies, including
Windows Server 2008 and Windows Vista. The branch environment is typically part of a
larger network that supports an organization's main sites and data centers. However, the
addition of branch sites introduces a number of significant constraints that modify the
options that are available to solution designers. This guide describes how to look at the
specific requirements of base client services in branch environments within the larger
context of an organization's IT services.

Audience
The primary audience for this guide is the experienced IT professional who is responsible
for designing the base client functionality for a branch site infrastructure. Additionally, IT
professional’s responsible support and operations of systems within the branch
infrastructure may also benefit from this guidance.

Base Client Services

As part of the branch infrastructure design, there are a number of services that are based
on the client workstations that you must consider and plan for. These services include the
configuration of mappings to branch shares, printing configurations, and access to
remote control features. The following section provides information and links to further
information that you should consider for these services.

Solution Accelerators microsoft.com/technet/SolutionAccelerators

2 BOIS Base Client Services Guide

Optimizing Client Access to Files and

Printers
Providing optimized access to the various data sources on a client based at a branch site
can be a challenge. Figure 1 provides a simple example of the design reference for
optimizing client file and printer processes in branch site infrastructures.

Figure 1. Optimizing client access to files and printers design reference

Understanding which resources will be required and how those resources can be
provided will help to ensure that the user experience in the final design meets the
required functionality. Consider also the issues in the following list:
• Client operating system. The optimization features that are available to the design
depend heavily on the client operating systems that must be supported. You should
not underestimate the costs of supporting multiple operating systems in a branch site.
If possible, the project should rationalize the client operating systems at these branch
sites to help minimize ongoing support costs.
• Drive mapping standards. To optimize the client's experience of file services, you
might consider mapping local drives to commonly used shares. Implementing this in
a uniform manner also helps with the support and management of the service. The
following table shows an example of drive mapping for a user at a branch site.
Table 1. Drive Mapping Planning Example
Drive Letter Drive Role
A: Local floppy disk (if present)
B: Second local floppy disk (if present)
C: Local hard disk
D: Local optical disk (CD or DVD)
E: Keep free for local Plug and Play devices
F: Keep free for local Plug and Play devices
G: Keep free for local Plug and Play devices

Solution Accelerators microsoft.com/technet/SolutionAccelerators

BOIS Base Client Services Guide 3

Drive Letter Drive Role

H: Keep free for local Plug and Play devices

I: Un-assigned
J: Un-assigned
K: Un-assigned
L: Un-assigned
M: Reserved for future use
N: Reserved for future use
O: Organization drive; data shared across all sites
P: Public drive; data shared to all users at the site
R: Departmental drive; data shared among members of the same department
S: Reserved for future use
T: Reserved for future use
U: User drive; user specific files redirected to the file server
V: Free for user assigned mappings
X: Free for user assigned mappings
Y: Free for user assigned mappings
Z: Free for user assigned mappings

After these mapping standards have been applied, you should use them as the
default configuration for all of the users; this improves the user experience and eases
future support. Windows is not limited to using letters of the alphabet to provide drive
mappings, so additional drives can be provided directly as required. However, users
typically find it easier to work with drive mappings that use letters.
• Data protection. User files stored on client workstations are at higher risk than those
stored on servers that are backed up. By using Windows Vista Folder Redirection
and Offline Files features, it is possible to redirect user data to the shared drive on a
file server and still maintain a local, synchronized, file cache that can be used when
the computer is unable to connect to the local file server. For more information about
configuring these features, see the “Managing Roaming User Data Deployment
Guide” at http://go.microsoft.com/fwlink/?LinkId=73760.
• Mobile users. If users access different computers and want to maintain common
sets of configuration settings for their desktop environment, you should consider
using Windows Roaming Profiles. This feature enables you to manage a profile that
users are able to access from any client computer on the organization's network.
Windows Roaming Profiles can also have a significant impact on network traffic, so
you should carry out testing before you implement it in the environment. For more
information about Windows Vista features for mobile user data, see the “Managing
Roaming User Data Deployment Guide” at
http://go.microsoft.com/fwlink/?LinkId=73760.
You should consider the following issues related to the optimization of printers for client
connections:
• Printing requirements. Each client at a branch site may have specific printing
requirements. Examples include special security requirements, specific format
printing, offsite printing, and high volume printing.
• Physical printer location. Printers can be located both onsite and offsite. The printer
location tracking feature of Windows Server 2008 can help users locate printers that

Solution Accelerators microsoft.com/technet/SolutionAccelerators

4 BOIS Base Client Services Guide

are nearest to them. For more information about this feature, see "Enable printer
location tracking," at http://go.microsoft.com/fwlink/?LinkId=57499
• Physical printer connection. How clients will connect to the printer. This could
include the following connections: Universal Serial Bus (USB), network, parallel, and
wireless (802.11, IrDA, and Bluetooth).
• Printer driver optimization. Network traffic generated by printing can be significant,
especially if print jobs cross a WAN. Understanding the print process and resulting
network loads is an important part of the print service design (see the “BOIS Print
Services Guide” for more information).

Client Malware Defense

It is important to protect clients in the branch site from malware. Malware takes many
forms, so it may be necessary to use a number of techniques and applications to provide
an effective defense.
Figure 2 shows the design reference for the malware service of branch site clients.

Figure 2. Client malware protection design reference

Typically, a common client defense configuration would consist of the following elements:
• Client operating system. You should ensure that the client operating system is
capable of providing the required level of malware protection, either directly or with
the addition of third party protection applications.
• Administrative overhead. You should consider the amount of time that it will take to
manage the configurations and reports of the malware protection system on each
workstation. Systems that are not designed for a business network environment can
prove expensive to operate.
• System updates. Client systems should be regularly updated to ensure that the
latest operating system security updates are applied. You can automate this process
by using the Windows automatic system updates option on Windows Vista clients. In
business environments, it is beneficial to test updates before they are deployed. You
can achieve this by using either the Windows Server Update Service (WSUS) or
Microsoft® System Center Configuration Manager (SCCM) 2007. For more
information, see the Update Services topic in the “BOIS Base Management Services
Guide”.
• Host-based firewall. This is a software-based local firewall that is capable of
blocking malware attacks. Windows Firewall with Advanced Security, provided with
Windows Vista and Windows Server 2008, is an example of this type of firewall that
has the additional benefit of being manageable through Group Policy. While previous

Solution Accelerators microsoft.com/technet/SolutionAccelerators

BOIS Base Client Services Guide 5

versions of Windows Firewall that were included with Windows XP did not prevent
infected hosts from transmitting malicious packets, Windows Firewall with Advanced
Security supports inbound and outbound filtering based on port, service, and several
other filter types. This version also has integrated support for IPSec and Network
Access Protection, which can help to isolate internal network attached devices from
devices that do not meet security policies or comply with health check processes.
• Malware scanners. This scanner should provide checks on all files being moved
from, or to, the client computer in real time. You should also consider a more system-
intensive, on-demand scanner to ensure that the system has not been attacked.
Historically, two basic categories of scanners have been provided. These are:
• Antivirus scanners. These scanners focus on protection from malicious software
that infects files on a computer and then tries to replicate copies of itself to other
computers on the network.
• Anti-spyware scanners. These scanners provide defense against applications
that try to steal information from a computer by using a number of hidden
techniques such as keyboard monitoring or browser hijacking.
Many of these scanners are now being upgraded to prevent both types of attacks.
For example, the Microsoft Forefront Client Security service helps to protect business
desktops, mobile computers, and file servers from threats such as spyware and
rootkits, as well as viruses and other traditional attacks. For more information about
this service, see "Microsoft Forefront Client Security" at
http://www.microsoft.com/forefront/clientsecurity.
Note Microsoft also provides Windows OneCare™ computer protection and maintenance
software and services and Windows Defender services to protect client workstations.
However, these services are generally provided for the home environment, so they are not
considered to be part of the business solution discussed in this guide.
• Least user privileges. You should configure the local users’ account to have the
least amount of privileges that enable them to perform their normal job functions. If
necessary, you can consider providing local users with access to a second
administrator account for the occasions when more access is required, however, they
should not use this account for normal daily activities.
• User guidelines. You should provide users with a short and concise set of guidelines
so that they can understand how they can limit their own vulnerability to attacks by
being aware of unusual system behavior, file downloads, Internet scams, and so on.
For more information about designing an effective malware protection system, see the
“Microsoft Antivirus Defense-in-Depth Guide”, at
www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx

Client Remote Control

A branch site does not typically have onsite technical support, so providing remote control
features can provide significant benefits. Windows Vista provides two remote control
features called Remote Assistance and Remote Desktop that users can access to receive
support from a hub site. The Remote Assistance feature enables clients to invite a remote
support specialist to see their local desktops and, optionally, take control of their
computers. This option is typically recommended for environments where direct remote
control ability would be an unacceptable security risk. For more information about how
this process works in Windows Vista, see “Remote Assistance and Resulting Internet
Communication in Windows Vista” at
http://technet2.microsoft.com/WindowsVista/en/library/cdfa2f21-56e5-44da-aa5a-
f22987be13511033.mspx.
Figure 3 shows the design reference for the client remote control service of branch site
clients.

Solution Accelerators microsoft.com/technet/SolutionAccelerators

6 BOIS Base Client Services Guide

Figure 3. Client remote control design reference

If the support model of the organization allows direct (uninvited) remote control, the
Remote Desktop feature must be enabled because it is disabled by default. You should
review the following considerations while designing these services as part of the branch
site solution:
• Calling operating system. If a number of different operating systems will be used to
control other systems, you may need to consider different remote control solutions.
You can use Windows Remote Desktop on supported versions of Windows directly,
or you can use other platforms if they support Microsoft ActiveX® controls. You can
use the Remote Desktop Web Connection inside a Web browser to initiate remote
control sessions. For more information about Remote Desktop Web Connection, see
“Appendix F: Remote Desktop Web Connection in Windows Vista” at
http://technet2.microsoft.com/WindowsVista/en/library/cdfa2f21-56e5-44da-aa5a-
f22987be13511033.mspx.
• Target client operating system. You must also consider the operating system that is
being controlled. You can control the following operating systems by using Remote
Desktop:
• Windows Vista (clients)
• Windows XP® operating system (clients)
• Windows Server 2008 (servers)
• Microsoft Windows Server™ 2003 (servers)
• Microsoft Windows 2000 operating system (servers)
• Administrative overhead. One of the key goals in the client configuration design
should be to help minimize the administrative overhead of supporting clients in a
branch site.
• Security requirements. Enabling the Remote Desktop and Remote Assistance
features creates a service that could be the target of an attack. If you are enabling
these services, you should ensure that the accounts have strong passwords in place.
• Group Policy. You can enable Remote Assistance and Remove Desktop by
using Group Policy. policy settings are located at
Computer Configuration\Administrative Templates\System\Remote Assistance
• For more information about configuring Remote Assistance see “Remote
Assistance and Resulting Internet Communication in Windows Vista” at
http://technet2.microsoft.com/WindowsVista/en/library/cdfa2f21-56e5-44da-aa5a-
f22987be13511033.mspx

Solution Accelerators microsoft.com/technet/SolutionAccelerators

BOIS Base Client Services Guide 7

• Remote Desktop policy settings are located at

Computer Configuration\Administrative Templates\Windows
Components\Terminal Services
• For more information about deploying Remote Desktop in the organization, see
“Appendix F: Remote Desktop Web Connection in Windows Vista” at
http://technet2.microsoft.com/WindowsVista/en/library/cdfa2f21-56e5-44da-aa5a-
f22987be13511033.mspx
• Network topology. Any firewall that blocks port 3389 will not allow a Remote
Assistance or Remote Desktop connection to function through it. This includes host-
based firewalls on client computers themselves, so you must enable this port if you
anticipate that remote control may be required.

Summary
Branch clients can require varying levels of support compared to hub site clients, but all
clients share the need for basic services that give access to resources, protect from
malicious users, and allow effective client management and support. These base client
services can be achieved cost-effectively by using a combination of homogenous
technologies and built-in core client services, which enables you to use your existing
software. However, the requirements for each site should be carefully examined to
determine which approach to supplying these core services best meets your existing and
future needs.

Additional Resources
For more information about base client services for Windows Vista and Windows Server
2008, please refer to the following resources:
For more information and guidance related to BOIS, see the Branch Office home page at:
http://www.microsoft.com/branchoffice

For more information about the features available in Windows Server 2008, see the
Windows Server 2008 TechCenter at:
http://technet.microsoft.com/en-us/windowsserver/2008

For more information about reduced profile server core installations, see the “Server Core
Installation Option for Windows Server 2008 Step-by-Step Guide” at
http://go.microsoft.com/fwlink/?LinkID=105293

For more information about server virtualization in Windows Server 2008, see the
Windows Server 2008 Hyper-V TechCenter at
http://go.microsoft.com/fwlink/?LinkId=101268

For more information about Windows Vista management capabilities, see the Windows
Vista Management Features page at
http://technet.microsoft.com/en-us/windowsvista/aa905069.aspx

For information about Microsoft client security using ForeFront 2007, see "Microsoft
Forefront Client Security" at http://www.microsoft.com/forefront/clientsecurity

Solution Accelerators microsoft.com/technet/SolutionAccelerators

8 BOIS Base Client Services Guide

Feedback
Please direct questions and comments about this guide to satfdbk@microsoft.com.

Solution Accelerators microsoft.com/technet/SolutionAccelerators