Tighter security in Server 2008
- By Paul Ferrill
- Nov 12, 2007
Microsoft Corp. unveiled a significantly more secure server operating system in showcasing its new Windows Server 2008 last week at the Microsoft Windows Server Technical Summit held in Redmond, Wash.
Microsoft's approach to security in Server 2008 expands on the defense-in-depth approach hinted at in the company's release of Windows Vista. At the core of the OS, this translates into hardening of Windows Services, reducing the size of high-risk attack surfaces while increasing the number of layers a threat would have to penetrate to inflict damage. As you go up the stack, it includes components such as Bitlocker encryption for protecting sensitive information on the server.
Server 2008 has taken the lead from Vista in turning off features directly affecting the security posture of the system in the default configuration. By default, the Windows Firewall is now enabled. And the Server 2008 firewall has been improved to include new intelligent rules to make it easier to specify settings such as authentication and encryption levels.
Network Access Protection (NAP) is probably the single biggest security-related feature for Server 2008. It's essentially the same as Cisco's Network Access Control (NAC) in that it allows you to decide which client machines get access to your network based on a set of predetermined conditions. When any client machine attempts to authenticate to the network, it must first pass a minimum check for software updates, antivirus and any other security-related policy deemed essential. If those conditions aren't met, the machine will be given access to only a remediation server where, in many cases, the offending issues can be taken care of automatically. The NAP client agent is embedded into Windows Vista, although it must be turned on, and will be a part of Windows XP SP3.
Internet Information Server 7 (IIS7), which ships with Windows Server 2008, also includes a number of improvements on the security front. A new configuration file and management tool makes it easy to add or remove functions. Limiting functions means reducing the overall attack surface and the level of effort required to maintain a strong security posture. Managing an IIS web server previously required administrator privileges. IIS7 introduces delegated role-based management over H
Remote management has been significantly enhanced through both the Microsoft Management Console and a new secure Windows Remote Shell. WS-Management support is available as well as WMI, giving IT administrators more options for managing remote systems through scripts. Neither of these functions is enabled by default. They must be explicitly turned on for security reasons.
Other enhancements include read-only domain controllers for enhanced remote-office applications, rights management services for protecting documents, data and e-mail from unauthorized access and enhanced authentication through Active Directory Federated Services.