Devoting devices to guests takes away the I/O bottleneck, but it also aids availability through redundancy. A dead LAN card or host bus adapter, or a downed route, won't be felt by users or applications as long as you've done the network and peripheral redundancy you'd build into any enterprise plan. However, you may opt to skip some of that homework, because everything short of a catastrophic failure, such as a whole server going up in smoke, is adequately covered by Hyper-V. Continuity and load distribution architecture and management are addressed by Hyper-V's snapshots, guest instance migration, and direct access to the virtual disk images of offline virtual machines.
A whole new level of manageability is enabled by what I consider to be an essential add-on to Windows Server 2008. Microsoft's System Center Virtual Machine Manager adds intelligent monitoring, provisioning, and placement of virtual machine images and workloads across your network. System Center Virtual Machine Manager is fantastic once you make the effort to wrap your mind around its concepts and the shortcomings in its user interface. I lived in System Center Virtual Machine Manager's Workgroup Edition during my testing, a $499 package that runs up to five physical servers, and I can't imagine being without it. The full System Center suite, which is scaled and licensed for enterprise use, includes Virtual Machine Manager.
Big services for small clients
Windows Server 2008 covers another flavor of virtualization in the form of Terminal Services. Terminal Services has long been a mainstay of Windows Server; the big news in this release is its HTTPS tunnel, the Terminal Services Gateway. Edge security often blocks inbound access to the TCP ports needed by Terminal Services. The Terminal Services Gateway allows remote clients normally blocked by firewalls to access Terminal Services, without the hassle of a VPN, but with full security and auditing.
Terminal Services Gateway will undoubtedly get played by competitors as an exploitable backdoor, but it's a much smarter way to control user access (internal as well as external) to network services. Terminal Services Gateway requires the application of Remote Access Policies (RAP) that define and enforce the characteristics of clients permitted access to Terminal Services, and remote services in general. A client that doesn't meet RAP's health tests and policies, such as a notebook that's plugged into your network by an internal hacker, can't get in through Terminal Services or any other means. Period.
Seriously? Absolutely. BitLocker local disk encryption can be defined as an enforced remote access policy. Users like encryption for privacy, but IT will love BitLocker. It uses a client system's Trusted Platform Module (TPM) to create a file access authentication path that users cannot bypass, even if they boot from a nonencrypted drive or overwrite the boot blocks on the local drive. If policies allow users to work with local copies of sensitive files, the TPM can ensure that files are unreadable away from the network, and they can't be copied to removable media.
More to the point, if you have a lapse in security that allows a user inside the firewall to suck in a database of customer information, when they get their client home they won't be able to read the files they've stolen. All access to Windows Server 2008 is revocable at the user, client computer, or group level. To absolutely, positively terminate employees' or contractors' network access, and access to locally stored files, the administrator need only create and distribute a new certificate. This is one of many simple ways to change the locks in Windows Server 2008.
This, too, will raise the hackles of those who don't like the idea of systems that users can't control, but they should know that BitLocker and RAP do not preclude the use of other operating systems, and they can be undone by someone with administrative privileges (another reason to extend these sparingly). Used properly, RAP, TPM, and BitLocker can obviate the necessity for client-side security agents and hardware such as USB crypto keys.
Tom Yager is chief technologist of the InfoWorld Test Center. He also writes InfoWorld's Ahead of the Curve and Enterprise Mac blogs.