Modernizing Authentication — What It Takes to Transform Secure Access
While Windows 7 has all the sexy TV commercials (who knew so many good looking people "invented" the new operating system?), Microsoft has been busy updating Windows Server, with the 2008 R2 version released last year and an upcoming SP1 planned for sometime in the next few months.
There are many noteworthy features in R2, with the most noticeable a pretty new look similar to the interface in Windows 7 for task bars and menus. But, despite the similarities, under the covers, R2 is very different than the first version of Server 2008, and we'll look at the networking-related security features here, including beefed up support for Network Access Protection (NAP), Microsoft's much ballyhooed endpoint security solution, as well as improved group policies, remote access features, firewall, virtualization, and Web servers.
A look at NAP
Earlier 2008 versions were more difficult to validate the endpoint system healthiness, requiring separate health policy servers for different health validation configurations. Now a single server can be used to specify multiple configurations to match particular circumstances, so that PCs on your LAN have to match criteria that are different from users connecting via remote access or occasional laptops that are brought in by consultants. Health checks can test to see if the firewall is enabled, look for current anti-virus and anti-spyware signatures, and whether automatic updates are enabled.
NAP has also been integrated into the Windows 7 Action Center, so that warnings about not passing a particular endpoint health check are now part of the items displayed there.
Greater reliance on group policy settings and domain authenticationhttps://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
If you haven't managed your groups by security settings, now is the time to start. More of NAP is implemented in this fashion, so membership truly does have its privileges.
R2 works with Microsoft's System Center Configuration Manager (SCCM) to enforce installation of mandatory software, such as anti-virus and firewalls, as well as automated patch management and automated software installation. Sadly, there are still two different management consoles for SCCM and Network Policy Server, and you'll need to work with both of them if you are going to setup your overall endpoint security. The good news is that there is a selection of policy templates in both management tools to make things a bit easier to build your policies from scratch.
Remote access features
Microsoft has created a new remote access mechanism that it calls DirectAccess. It is just one of the many new elements of remote access implemented in Microsoft's Forefront Unified Access Gateway 2010. This product was announced earlier this year and requires R2 to run. The Gateway has many features, such as integrated access to SharePoint and Exchange, and can provide a portal to various Web applications. It will require IPv6 across your enterprise, which could be a problem for those organizations that have not yet rolled this protocol out. DirectAcess is only for Windows 7 clients. Otherwise, Microsoft has updated its VPN support making it easier for users to roam across the enterprise without having to re-enter their authentication credentials.
The R2 Server features various endpoint health validation measures as part of Microsoft's NAP.
Earlier Windows Server versions could only have a single firewall policy active at any given time. If you had a server with multiple network adapters installed, this made for awkward configurations. In R2, you can have a different firewall policy mapped to each adapter.
Microsoft's Hyper-V, the built-in hypervisor, has been significantly enhanced with R2. You can now do live migration of running virtual machines, which makes for a more reliable and higher available service. The server now supports dynamic storage additions, so that you can reconfigure VMs while they are running, again making them more flexible and reliable. And Hyper-V will support up to 32 physical CPU cores, so you can build higher density VM collections.
Internet Information Server (IIS), Microsoft's built-in Web server, has undergone some sprucing up too with R2, which includes version 7.5. Windows Power Shell commandlets have been integrated into the Web server, enabling more power scripting and uses of the Web services from within this environment. The overall IIS core has been hardened for security breaches, by having each application pool run in its process and with fewer privileges too. IIS is also better integrated with .Net applications. Finally, Web DAV has been enhanced to make it more flexible for managing and publishing Web-based content.
David Strom is an international authority on network and Internet technologies based in St. Louis, MO. He has written extensively on these topics for more than 20 years for a wide variety of print publications and Websites, including as editor-in-chief at Network Computing, DigitalLanding.com, and Tom's Hardware.com. You can find him online at Strominator.com and e-mail him email@example.com.