
With the release of Windows Server 2003, Microsoft endeavored for the first time to produce secure code for a server release. They succeeded to a certain degree, since it took several months before the first security bug was found in WS03. With WS08, Microsoft wants to up the ante and is relying on some major security improvements from previous versions to bolster WS08 security. They include:

• Security Configuration Wizard This first appeared in Service Pack 1 of Windows Server 2003 and is now an integral part of Server Manager.

• Windows Firewall with Advanced Security This provides comprehensive inbound and outbound protection for networks of all sizes.

• Active Directory Federation Services This lets users rely on the credentials from their own domain to access partner Web Services.

• Active Directory Domain Services This includes new features for the creation of identity management systems and for the auditing of all changes to the directory. New fine-grained password policies let you set different password policies for different groups of users in your organization.

• Active Directory Certificate Services This controls the use of PKI certificates in your organization.

• Active Directory Rights Management Services This controls the protection of intellectual property.


• Windows Defender This can help protect systems by stopping and removing spyware.

• Network Access Protection This serves as a quarantine network to protect against systems that do not meet your security policies.

• Pluggable Logon Authentication Architecture This provides a new means of integrating custom login tools, such as two-factor authentication, with Windows.

• Read-Only DCs These let you provide this valuable service even in areas where the server is not protected physically.

• Secure Socket Tunneling Protocol (SSTP) This provides an alternate means of creating a VPN link in situations where environments do not allow Internet Protocol Security (IPSec) traffic to cross the firewall.

Feature Security Configuration Wizard

Description: The Security Configuration Wizard is an attack-surface reduction mechanism for Windows servers. It guides administrators through a series of steps to increase the hardening of servers in any role.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: WS08 Vista WS03 R2 ✓ WS03 Service Packs

Installation: ✓ By Default Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations

Replaced Feature

• Security Configuration and Analysis

Benefits

• Improves security through server hardening at several levels.

• Provides scriptable output that can be used to apply role-based security models to all servers.

Functions

• This feature is now integrated with the Server Manager interface and is applied by default when a new server role is activated.

• Supports the creation of role-based policies that secure servers at all levels, including services, feature sets, the registry, networking, TCP ports, and the file system.

• Provides support for policy testing as well as rollback in the event of errors.

• Provides the best explanation ever as to why components should be turned off or removed from the system.

• Uses XML format to output policies for application on other servers. Supports the inclusion of scripts that can be applied at system construction to ensure that all server roles are secured from the ground up.

Feature Windows Firewall with Advanced Security

Description: Provides a stateful host-based firewall that allows or blocks traffic according to user configurations to help protect users from malicious code and hackers.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: WS08 Vista WS03 R2 ✓ WS03 Service Packs

Installation: ✓ By Default Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations

Replaced Features

• Previous versions of Windows Firewall

• Previous IPSec Security Policies

• Previous IPSec Security Monitor

Benefits

• Provides host-level protection from malicious intent.

• Interacts with hardware-based firewalls to provide complete server-level protection.

Functions

• Supports rule definitions for both incoming and outgoing traffic. For example, all inbound traffic can be blocked, except if it is solicited.

• Includes a new MMC 3.0 interface for improved manageability.

• Integrates firewall policies with IPSec settings.

• Complete support for Group Policy Object (GPO)-based configuration of all settings.

• Provides two interfaces for administration: the Windows Firewall applet in Control Panel and Windows Firewall with Advanced Security in Administrative Tools.

• Provides discrete exception rule creation, including support for IP port numbers, source or destination IP addresses, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports, types of interfaces (Network Interface Card (NIC), FireWire, or wireless, for example), types of traffic (such as IPv4 or IPv6), or even services.
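The following is an added example, not from the book, showing the inbound/outbound posture and one discrete exception rule described above, entered through netsh advfirewall, the command-line interface WS08 ships for this component. The rule name, port and management subnet are assumed values.

```powershell
# Added example (not from the book). Run from an elevated prompt on WS08.
$ruleName = "Allow-RDP-from-MgmtNet"   # assumed rule name
$mgmtNet  = "10.0.50.0/24"             # assumed management subnet (constructed)
$rdpPort  = 3389

# 1. Default posture on all three profiles: drop unsolicited inbound traffic,
#    allow outbound. Solicited (stateful) replies are still let back in.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Discrete exception: inbound TCP 3389, only from the management subnet,
#    only while the server is on the Domain profile, only on wired interfaces.
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    protocol=TCP localport=$rdpPort remoteip=$mgmtNet `
    profile=domain interfacetype=lan enable=yes

# 3. Log dropped packets so denied connection attempts are visible for review.
$logFile = Join-Path $env:SystemRoot "system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename $logFile

# 4. Confirm what was actually applied before relying on it.
netsh advfirewall firewall show rule name=$ruleName verbose

# 5. Export the whole policy so the same settings can be reviewed or imported
#    on other servers (or deployed through a GPO, as the text describes).
netsh advfirewall export (Join-Path $env:TEMP "ws08-firewall-policy.wfw")
```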

Feature Active Directory Federation Services

Description: Active Directory Federation Services (ADFS) provides a means to support federated identity across the Internet through the use of Web Service architectures without having to open critical ports on the firewall.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: WS08 Vista ✓ WS03 R2 WS03 Service Packs

Installation: By Default ✓ Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations


Replaced Feature

• None, though it removes the need to expose Active Directory to the Internet

Benefits

• Provides a foundation for integrated identity management across boundaries.

• Lets organizations use their own Active Directories to access both internal and external partner resources.

Functions

• Extends Active Directory to the Internet by letting you rely on the internal directory to access partner resources. This helps reduce the number of security stores to manage.

• Provides a means to use Windows-based Authentication in Web applications on the Internet.

• Through the use of the Web Service foundation, ADFS provides interoperability with non-Windows environments that support the same foundation.

• Supports passive clients, such as Web browsers. Provides the foundation for Simple Object Access Protocol (SOAP)-based smart clients, such as cell phones, personal digital assistants (PDAs), and desktop and server applications.

Feature Active Directory Domain Services

Description: Active Directory Domain Services (ADDS) provides a means to create comprehensive identity management systems that serve to authenticate users, computers, and services in your network.

Category: Security Infrastructure

Feature: New Improvement ✓ Update Replacement

Feature Source: ✓ WS08 Vista WS03 R2 WS03 Service Packs

Installation: By Default ✓ Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations

Replaced Feature

• Active Directory from previous versions of Windows Server

Benefits

• Provides a foundation for integrated identity management within your network.

• Provides a central location for all identity management.

Functions

• The ADDS installation wizard (which can also be invoked using the DCPROMO.EXE command) has been reconfigured to provide better choices during setup. For example, administrators can select the options they need during installation, identify the site the server should belong to, determine forest and domain functional levels, and create DNS delegations directly in the wizard during installation. In addition, the wizard supports a completely unattended install in order to support the new Server Core, which provides no graphical interface at all.

• Active Directory Sites and Services includes new features that let administrators find domain controllers more easily, work with read-only DCs (RODCs) and identify their password policy, and see which passwords have been sent to an RODC and which are currently stored on it.


• ADDS can also be stopped and restarted. This means that you can shut down the ADDS service on a domain controller (DC) to perform offline operations, such as database defragmentation and compression, without having to shut down and reboot the DC. ADDS services are not available from this server during this operation; this is one more reason for having more than one DC at all times.

• The Directory Services Restore Mode has not changed in WS08. This means that to restore objects to the NTDS.DIT database, you must still restart the domain controller in this protected offline mode.

• A new Directory Services audit policy can be set to capture all value changes in the directory. This lets administrators track the changes made to the directory at all times and makes it easier to roll back these changes.

• Fine-grained password policies let you set different password and account lockout policies for different groups of users in a domain.

• A new Snapshot Viewer lets you view objects that have been previously deleted from the directory. It functions much like the Previous Versions client for file shares. Once you have identified which snapshot to restore from, you can perform the correction in your Active Directory.
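As an added example (not from the book), the fine-grained password policy mentioned above is a Password Settings Object (PSO) in the Password Settings Container; the block below defines one and applies it to a single group using LDIF fed to ldifde.exe, the import tool that ships with ADDS. The domain is read from RootDSE; the PSO name, the group DN and all policy values are assumed, and the domain must be at the Windows Server 2008 functional level for PSOs to take effect.

```powershell
# Added example (not from the book). Run on a WS08 DC as a domain administrator.
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$psoName  = "PSO-ServiceAccounts"                        # assumed PSO name
$groupDN  = "CN=Service Accounts,OU=Groups,$domainDN"    # assumed global security group

# msDS-* durations are I8 values: a negative count of 100-nanosecond ticks.
# .NET TimeSpan.Ticks is already in 100-ns units, so only the sign changes.
function Get-AdInterval([TimeSpan]$span) { return [string](-1 * $span.Ticks) }

# Lower precedence wins when a user is covered by several PSOs.
# PSOs apply only to users and global security groups, not to OUs.
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 20
msDS-MinimumPasswordAge: $(Get-AdInterval (New-TimeSpan -Days 1))
msDS-MaximumPasswordAge: $(Get-AdInterval (New-TimeSpan -Days 90))
msDS-LockoutThreshold: 10
msDS-LockoutObservationWindow: $(Get-AdInterval (New-TimeSpan -Minutes 30))
msDS-LockoutDuration: $(Get-AdInterval (New-TimeSpan -Minutes 30))
msDS-PSOAppliesTo: $groupDN
"@

# Write the LDIF as ASCII (ldifde expects ANSI or Unicode, not UTF-8 with BOM)
# and import it. -i = import mode, -k = continue past "object already exists".
$ldifPath = Join-Path $env:TEMP "$psoName.ldf"
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath -k
```

The group's msDS-PSOApplied back-link and each member's msDS-ResultantPSO attribute (visible in ADSI Edit) show whether the policy actually took effect.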

Feature Active Directory Certificate Services

Description: Active Directory Certificate Services (ADCS) provides a means to create and manage PKI certificates for users, computers, and services within your organization.

Category: Security Infrastructure

Feature: New Improvement Update ✓ Replacement

Feature Source: ✓ WS08 Vista WS03 R2 WS03 Service Packs

Installation: By Default ✓ Add-on Through Server Manager Custom

Applies to: Small Medium ✓ Large Organizations

Replaced Feature

• PKI services from previous versions of Windows Server

Benefit

• Provides a foundation for integrated certificate management within your network.

Functions

• A new console snap-in, Enterprise PKI or PKIView, now lets you view the health status of all of the enterprise certificate authorities (CAs) within your network. It also supports Unicode, allowing you to view certificate status in any language supported by Windows.

• Supports the Microsoft Simple Certificate Enrollment Protocol (MSCEP), which allows network devices such as routers and switches to enroll in the CA and obtain certificates of their own. This extends the chain of trust to these devices.

• Supports Online Certificate Status Protocol (OCSP), which, in some cases, can be used to eliminate the need for Certificate Revocation Lists (CRLs) and lets WS08 automatically distribute and update certificate revocation status information. OCSP provides information only about the single certificate at hand, as opposed to having to download and read an entire CRL. This speeds up the validation process.


Feature Active Directory Rights Management Services

Description: Active Directory Rights Management Services (ADRMS) provides information protection to help ensure that electronic information is secured from unauthorized use.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: ✓ WS08 Vista WS03 R2 WS03 Service Packs

Installation: By Default ✓ Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations

Replaced Feature

• Windows Rights Management Server

Benefit

• Protects all organizational data from tampering and illegal use.

Functions

• Protects electronic information both inside and outside the firewall.

• Protects information both online and offline.

• Compliant with the Federal Information Processing Standards (FIPS).

• Supports two-factor authentication.

• Simple interface; easy deployment and configuration for persistent protection.

Feature Windows Defender

Description: Microsoft’s flagship anti-spyware tool, Windows Defender, provides protection from spyware and other malicious code.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: WS08 ✓ Vista WS03 R2 WS03 Service Packs

Installation: ✓ By Default Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations

Replaced Feature

• None

Benefit

• Helps protect servers from unwanted or malicious code installation through real-time protection and updated file definitions.

Functions

• Provides real-time protection from unwanted or malicious code.

• Supported by regularly updated definition files and the Microsoft Anti-spyware Research Center.

Feature Network Access Protection (NAP)

Description: Provides a framework that allows administrators to establish health requirements for device connections to the network and to prevent computers that do not meet these requirements from communicating with the network.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: ✓ WS08 Vista WS03 R2 WS03 Service Packs

Installation: By Default ✓ Add-on Through Server Manager Custom

Applies to: Small ✓ Medium ✓ Large Organizations

Replaced Feature

• Network Policy Server replaces the Internet Authentication Service (IAS)

Benefits

• Helps ensure the security of the network by making sure all clients that connect to it comply with the policies you set.

• Assists client systems with the update process while they are in quarantine.

Functions

• Checks the health of a system before allowing it to connect to network resources. If systems are deemed not healthy, they are placed in quarantine and given the opportunity to meet compliance by installing missing components. Once a healthy state has been achieved, the systems are taken out of quarantine and allowed access to resources.

• Checks the health and status of roaming laptops and ensures the health of internal desktop computers.

• Can help determine the health of visiting laptops before they connect to network resources.

• Can also verify the health and policy compliance of unmanaged home computers.

• Relies on the Network Policy Server (NPS) to monitor health policies for all clients, including Vista, XP SP2, and Windows Server 2008.

Feature Pluggable Logon Authentication Architecture

Description: Windows Server 2008 and Windows Vista rely on Credential Security Service Providers (CredSSP) to pass logon authentication data from the client to the server.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: WS08 ✓ Vista WS03 R2 WS03 Service Packs

Installation: ✓ By Default Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations

Replaced Feature

• Graphical Interface for Networked Authentication (GINA)

Benefit

• Simplifies use of multiple logon technologies, such as two-factor authentication methods, on Windows systems.


Functions

• Provides a simpler mechanism for integrating multiple logon technologies, for example, smart cards or fingerprint authentication, to the Windows model.

• CredSSP was formerly used with Terminal Services and Web Services to provide single sign-on (SSO); it has now been fully integrated with Windows.

• Provides a simpler model for storing multiple identities, such as username and passwords for different applications.

• Makes it easier for third parties to integrate additional logon technologies with Windows, because it is based on the .NET Framework environment.

Feature Read-Only Domain Controllers (RODCs)

Description: A new type of domain controller that makes it possible for organizations to deploy a domain controller in locations where physical security cannot be guaranteed. The RODC hosts a read-only replica of the ADDS database for a given domain.

Category: Security Infrastructure

Feature: New Improvement ✓ Update Replacement

Feature Source: ✓ WS08 Vista WS03 R2 WS03 Service Packs

Installation: By Default Add-on Through Server Manager ✓ Custom

Applies to: Small ✓ Medium ✓ Large Organizations

Replaced Feature

• Backup Domain Controller in Windows NT

Benefit

• Helps protect critical data on servers that you cannot physically secure.

Functions

• Maintains a read-only copy of the Active Directory database through unidirectional replication.

• Automatically uses Universal Group Membership Caching (UGMC) to replace the need for Global Catalog Servers.

• Relies on a Primary Domain Controller (PDC) Emulator running on Windows Server 2008 to function.

• Must run in a forest running a forest functional mode of WS03 or later.

• Relies on the RODC DNS service using new PROZs.

• Users can be granted administrative delegation to RODCs without receiving any access rights to any other DC in the forest. This allows them to log on locally and perform maintenance tasks without risk.

Feature Secure Sockets Tunneling Protocol (SSTP)

Description: A remote access tunneling protocol that is used to create VPN links that rely on SSL instead of IPSec. SSL VPNs pass through port 443.

Category: Security Infrastructure

Feature: ✓ New Improvement Update Replacement

Feature Source: ✓ WS08 Vista WS03 R2 WS03 Service Packs


Installation: By Default ✓ Add-on Through Server Manager Custom

Applies to: ✓ Small ✓ Medium ✓ Large Organizations

Replaced Feature

• None

Benefit

• Creates simpler VPN tunnels because they rely on SSL instead of IPSec.

Functions

• Creates a link using port 443, which most firewalls keep open.

• Does not require any custom settings to pass through NAT links, Web proxies, or firewalls.

• Simpler to set up and maintain than any other VPN link.

• Powerful VPN model that can be used by businesses of all sizes.

TIP

For more information on SSL VPNs, read the white paper entitled “The Case for SSL Virtual Private Networks” at http://redmondmag.com/techlibrary/resources.asp?id=170.