Question : Plan for Security Changes and Additions in Windows Server 2008 R2

As with other portions of Windows Server 2008, R2 includes changes and additions to security. What will these changes and additions mean for how you plan and implement security in Windows Server 2008 within your organization?

Answer : Plan for Security Changes and Additions in Windows Server 2008 R2

Security is an area that continues to improve as we are constantly being challenged to stay one step ahead of unsavory characters with ill intentions. In fact, the tools, roles, and features in this chapter are all about staying ahead of the bad guys. Of course, Windows Server 2008 R2 will include some innovative and improved security enhancements.

Let’s take a look at these and divide them into categories for clarity. Of course, some of the security changes that are listed may also be mentioned in other chapters, under enhancements to particular roles in Windows Server 2008.

Changes to Security

In Windows Server 2008 R2, the changes to security will be far reaching. Let’s look at each major area of change, beginning with server roles.

Server Roles

The following is a list of security changes in server roles in Windows Server 2008 R2:

  • Active Directory Certificate Services: The Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service allow certificate enrollment over HTTPS (WS-Trust), so clients that cannot reach a CA directly over RPC/DCOM, such as non-domain-joined or cross-forest machines, can still enroll.

  • DNS: Domain Name System Security Extensions (DNSSEC) let the DNS Server role sign zones and host DNSSEC-signed zones, so resolvers can verify that responses were not forged or altered in transit. In 2008 R2, zones are signed offline with dnscmd, and Windows 7 clients decide which names must be validated through the Name Resolution Policy Table (NRPT).

  • Network Access Protection: This role service can now be viewed from the System and Security item within the Control Panel.

  • Distributed File System: Read-only domain controllers now hold a read-only SYSVOL, so a compromised branch-office DC cannot inject changes into Group Policy or logon scripts that would replicate back to the hub. DFS Replication also adds read-only replicated folders for member servers, so that replicated content cannot be added to or altered on that member.

  • Active Directory Domain Services: Authentication mechanism assurance adds a designated global security group to the user's Kerberos token when the user logs on with a certificate whose issuance policy is mapped to that group. Resources whose ACLs reference that group are then reachable only from a smart card (or other certificate) logon, not from a password logon by the same account. It requires the Windows Server 2008 R2 domain functional level.

  • Web Server (IIS): Request filtering, the built-in successor to UrlScan, gets a management UI in IIS 7.5 and lets you reject requests by file extension, URL segment, HTTP verb, URL and query-string length, and hidden segments before they ever reach application code.

  • Networking: DirectAccess gives remote, Internet-connected, domain-joined Windows 7 clients transparent IPsec-protected IPv6 connectivity to the intranet, without a user-initiated VPN or a gateway technology such as Terminal Services Gateway.



Authorization and Access Control

The following is a list of security changes in Authorization and Access Control in Windows Server 2008 R2.

  • User Account Control (UAC): In Windows Server 2008 R2, UAC raises fewer prompts and is configured with a four-level slider in the Control Panel. The same changes appear in Windows 7.

  • AppLocker: This is the successor to software restriction policies. You create allow or deny rules for executables, scripts, installers, and DLLs, and publisher rules keyed on a binary's digital signature (publisher, product, file name, and a minimum version) keep matching after routine application updates, so AppLocker does not require a rule change every time an application is patched.

  • Enhanced Storage Access: Six Group Policy settings will be added to manage Enhanced Storage devices.

  • Managed Service Accounts: Managed service accounts give services and applications a domain account whose password is generated and rotated automatically by Active Directory (every 30 days by default, like a computer account password) and whose service principal names are maintained for it. In 2008 R2 each managed service account is bound to a single computer. Managed service accounts are managed only through the Active Directory PowerShell module; there is no GUI interface.
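As an added example, not code from the original page, the following builds an AppLocker policy for one installed application from its signed binaries, so that rules are tied to the publisher's signature rather than to a specific file version. The install directory, output path, and user are assumptions.

```powershell
# Added example (not from the original page): build an AppLocker policy from an
# installed application's signed binaries so that routine version updates do not
# require new rules. Install directory and output path are assumed values.
Import-Module AppLocker

$appDir  = 'C:\Program Files\Contoso\LineOfBusiness'   # assumed install directory
$outFile = 'C:\AppLocker\contoso-lob.xml'               # assumed output path

# Collect publisher, hash and path information for every executable under the directory
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe

# Prefer publisher rules (signature-based, so they survive version bumps); fall back
# to hash rules only for unsigned binaries. -Optimize merges rules where it can.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml
$policy | Out-File -FilePath $outFile -Encoding UTF8

# Dry run: show which files in the directory the new policy would allow or deny
Get-ChildItem -Path $appDir -Recurse -Filter *.exe |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $outFile -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy instead of replacing it. Rules are enforced only
# while the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $outFile -Merge
Start-Service AppIDSvc
```

Look at the dry-run table before enforcing: any unsigned binary falls back to a hash rule, and that rule will break at the next update of that file, which is exactly the maintenance cost publisher rules avoid. In a domain, the same XML is imported into a GPO rather than applied with Set-AppLockerPolicy on each host.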


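The managed service account procedure above, as an added example rather than code from the original page. The account, host, domain, and service names are assumptions; the first two cmdlets run where the Active Directory module is available, the rest on the member server that will run the service.

```powershell
# Added example (not from the original page): create a managed service account,
# bind it to one host, install it there, and point a Windows service at it.
# Account, host, domain and service names are assumed.
Import-Module ActiveDirectory

$msaName  = 'svc-ContosoWeb'   # assumed; the sAMAccountName becomes svc-ContosoWeb$
$hostName = 'WEB01'            # assumed member server that will run the service

# 1. Create the MSA in the default Managed Service Accounts container. Active
#    Directory generates the password; no administrator ever sees or types it.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Authorize exactly one computer to use it (a 2008 R2 MSA cannot be shared).
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- the following runs on WEB01 as a local administrator ---

# 3. Install the account locally so the LSA can retrieve and rotate the password.
Install-ADServiceAccount -Identity $msaName

# 4. Configure the service to log on as DOMAIN\name$ with an empty password;
#    Windows supplies the real password from the directory when the service starts.
$svcName = 'ContosoWebSvc'     # assumed service name
sc.exe config $svcName obj= "CONTOSO\$msaName`$" password= ""
Restart-Service -Name $svcName

# 5. Verify: the MSA is linked to the host and the service runs under it.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers |
    Select-Object Name, HostComputers
Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'" |
    Select-Object Name, StartName, State
```

Two caveats a practitioner will hit: when the service is reconfigured with sc.exe rather than the Services console, the account is not automatically granted the "Log on as a service" right, so add it through local security policy or a GPO; and the trailing `$` on the account name is required, since the MSA is an account of class msDS-ManagedServiceAccount, not a user.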

Identity and Authentication

A host of changes will be made to identity and authentication in Windows Server 2008 R2 and Windows 7, including changes to Kerberos and NTLM authentication and the addition of the following new features:

  • Online identity integration

  • Extensions to the Negotiate Authentication package

  • PKU2U in Windows

  • Smart card Plug and Play

  • TLS v1.2

  • Restriction of NTLM authentication

  • Windows Biometric Service
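Of the items above, the NTLM restriction is the one most likely to break something in production, so it should be staged as an audit first. The following is an added example, not code from the original page, that puts one server into NTLM audit mode, summarizes what the audit log shows, and leaves the enforcing settings commented out until the log is clean. The server and the allow-listed file server name are assumptions.

```powershell
# Added example (not from the original page): stage the NTLM restriction as an
# audit before enforcing it, so legacy clients and applications that still depend
# on NTLM are found first. The allow-listed server name is assumed.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Make sure the NTLM operational log is collecting events.
wevtutil sl 'Microsoft-Windows-NTLM/Operational' /e:true

# 2. Audit all incoming NTLM authentication on this server
#    (2 = audit all accounts, 1 = domain accounts only, 0 = off). Nothing is denied yet.
Set-ItemProperty -Path $msv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord

# 3. Audit (1) rather than deny (2) outbound NTLM from this machine to remote servers.
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 4. After a representative period, summarize the audit: 8001 = outgoing NTLM from
#    this host, 8002 = incoming NTLM to this host, 8003/8004 = domain controller events.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -ErrorAction SilentlyContinue |
    Where-Object { 8001..8004 -contains $_.Id } |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Format-Table Name, Count -AutoSize

# 5. Only once the audit is clean, enforce: deny incoming NTLM (2) and deny outbound
#    NTLM (2) except to servers that genuinely still need it. Left commented out.
# Set-ItemProperty -Path $msv -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord
# Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic'  -Value 2 -Type DWord
# Set-ItemProperty -Path $msv -Name 'ClientAllowedNTLMServers' -Type MultiString `
#     -Value @('legacyfs.contoso.local')   # assumed name of a server that still needs NTLM
```

These registry values are what the Group Policy settings under Security Options, "Network security: Restrict NTLM: ...", write; in a domain, set them through a GPO rather than per host, otherwise the next policy refresh overwrites the local values. Read the 8002 events on member servers before touching the domain controller settings, since those block NTLM for the whole domain.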



Security Policies and Security Policy Management

Windows 2000 through Windows Server 2003 offered only nine broad audit categories. Windows Vista and Windows Server 2008 split those into more than 50 subcategories, but a subcategory could be set only on the local machine with auditpol.exe (or pushed with a logon script). In Windows Server 2008 R2 and Windows 7 these granular subcategory policies can be managed centrally through Group Policy, under Advanced Audit Policy Configuration, and applied across the domain.
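The following is an added example, not code from the original page, showing the subcategory-level audit configuration described above on a single machine with auditpol.exe, including the override setting that stops a legacy category policy from silently undoing it. The backup path is an assumption.

```powershell
# Added example (not from the original page): manage granular (subcategory) audit
# policy with auditpol.exe and prevent the legacy nine-category policy from
# overriding it. The backup path is assumed.

# Show the current effective policy for every category and subcategory.
auditpol /get /category:*

# Save a baseline before changing anything (restore with: auditpol /restore /file:<path>).
auditpol /backup /file:C:\Audit\baseline-before.csv

# Enable the subcategories a detection team actually wants, without turning on the
# whole "Logon/Logoff" or "Detailed Tracking" categories, which are noisy.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable

# Without this value, a legacy category setting (from an older GPO or a local edit)
# overwrites the subcategory configuration. It is the registry value behind
# "Audit: Force audit policy subcategory settings (Windows Vista or later) to
# override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Verify that the subcategories actually took effect.
foreach ($sub in 'Logon', 'Process Creation', 'Audit Policy Change') {
    auditpol /get /subcategory:"$sub"
}
```

On a domain, the equivalent of the /set lines lives in a GPO under Advanced Audit Policy Configuration, and the override setting is the Security Options policy named in the comment; auditpol remains the right tool for checking the effective policy on a given host, since it reports what the LSA is actually enforcing after all GPOs have applied.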
