Security is an area that continues to improve as we are constantly being challenged to stay one step ahead of unsavory characters with ill intentions. In fact, the tools, roles, and features in this chapter are all about staying ahead of the bad guys. Of course, Windows Server 2008 R2 will include some innovative and improved security enhancements.

Let's take a look at these and divide them into categories for clarity. Of course, some of the security changes that are listed may also be mentioned in other chapters, under enhancements to particular roles in Windows Server 2008.
Changes to Security

In Windows Server 2008 R2, the changes to security will be far reaching. Let's look at each major area of change, beginning with server roles.
Server Roles

The following is a list of security changes in server roles in Windows Server 2008 R2:

Active Directory Certificate Services: Certificate Enrollment Web Service enables certificate enrollment over HTTP.

DNS: Domain Name System Security Extensions (DNSSEC) allows you to sign and host DNSSEC-signed zones for added security to the DNS role.

Network Access Protection: This role service can now be viewed from the System and Security item within the Control Panel.

Distributed File System: Read-only domain controllers have read-only SYSVOL folders to prevent alteration of files in the folder. Read-only replicated folders will be added to prevent file additions or changes.

Active Directory Domain Services: Authentication mechanism assurance will be added to control access to resources, based on whether the user logs on using certificate-based logon and the type of certificate used.

Web Server (IIS): Request filtering will be added to allow you to restrict the types of HTTP requests that IIS will process.

Networking: DirectAccess will provide remote, Internet-connected users with access to network resources, without using gateway technologies such as Terminal Services or VPNs.
Authorization and Access Control

The following is a list of security changes in Authorization and Access Control in Windows Server 2008 R2.

User Account Control (UAC): In Windows Server 2008 R2, UAC has reduced the number of prompts and can be configured in the Control Panel. UAC will also be enhanced for Windows 7.

AppLocker: This is an upgrade from the software restriction policies. You can create rules for applications, but AppLocker does not require constant rule changes with each application update.

Enhanced Storage Access: Six Group Policy settings will be added to manage Enhanced Storage devices.

Managed Service Accounts: Managed Service Accounts provide automatic password management and service principal name management for applications. Managed service accounts can be managed only through PowerShell; there is no GUI interface.
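As an added example (not from the chapter), here is the PowerShell-only workflow for provisioning a standalone Managed Service Account on Windows Server 2008 R2 and binding a service to it, so that no static service password exists to leak or expire. The domain corp.example.com, host WEB01, account svc_web, SPN, and service name MyAppSvc are assumed placeholders.

```powershell
# Requires the Active Directory module (RSAT-AD-PowerShell / a domain controller).
# Assumed placeholders: domain corp.example.com, host WEB01, MSA svc_web, service MyAppSvc.
Import-Module ActiveDirectory

$Msa        = 'svc_web'
$TargetHost = 'WEB01'
$Spn        = 'HTTP/web01.corp.example.com'

# 1. Create the MSA. No password is supplied: AD generates a 240-byte random
#    password and rotates it automatically (every 30 days by default), and
#    the SPN is registered on the account rather than on a human-managed user.
New-ADServiceAccount -Name $Msa -Enabled $true -ServicePrincipalNames $Spn

# 2. Bind the MSA to the single computer allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $TargetHost -ServiceAccount $Msa

# --- Steps 3 to 5 run on WEB01 itself, in an elevated PowerShell session ---

# 3. Install the account locally so the LSA can fetch and cache the password.
Install-ADServiceAccount -Identity $Msa

# 4. Verify the host can actually use the account before touching the service.
if (-not (Test-ADServiceAccount -Identity $Msa)) {
    throw "MSA $Msa is not usable on $env:COMPUTERNAME"
}

# 5. Re-point the service at the MSA. The logon name is DOMAIN\name$ and the
#    password is left empty; Windows retrieves it from AD at service start.
#    Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
#    StartMode, DesktopInteract, StartName, StartPassword) is used here because
#    Set-Service in PowerShell 2.0 cannot change the logon account.
$Domain = (Get-ADDomain).NetBIOSName
$Svc    = Get-WmiObject -Class Win32_Service -Filter "Name='MyAppSvc'"
$Result = $Svc.Change($null, $null, $null, $null, $null, $null, "$Domain\$Msa`$", '')
if ($Result.ReturnValue -ne 0) {
    throw "Service reconfiguration failed with return code $($Result.ReturnValue)"
}
Restart-Service -Name 'MyAppSvc'

# 6. Audit check: PasswordLastSet should advance on its own over time; a value
#    that never moves means rotation is not happening and warrants investigation.
Get-ADServiceAccount -Identity $Msa -Properties PasswordLastSet, ServicePrincipalNames |
    Select-Object Name, PasswordLastSet, ServicePrincipalNames
```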
Identity and Authentication

A host of changes will be made to identity and authentication for Windows Server 2008, including changes to Kerberos and NTLM authentication and the addition of the following new features:

Online identity integration
Extensions to the Negotiate Authentication package
PKU2U in Windows
Smart card Plug and Play
TLS v1.2
Restriction of NTLM authentication
Windows Biometric Service
Security Policies and Security Policy Management

Security auditing in Windows Server 2008 R2 and Windows 7 will enable granular audit policies (which have been available since Windows 2000). In addition, these more granular policies can now be centrally managed through Group Policy.