Some noteworthy compliance-related improvements in Server 8 include Hyper-V enhancements around scalability, virtual networking and multi-tenancy including performing multiple live migrations of virtual machines to new hosts. These will be good for business continuity, more granular network segmentation within Hyper-V itself and improved security configuration standardization.
Windows Server 8 also has built-in disk de-duplication which can help with your information classification and retention policies and even reduce compliance and other legal liabilities by helping you better manage – and secure – unstructured information. There’s even an improved chkdsk for disk repairs that runs much more quickly and efficiently.
Perhaps the visibility of a new server OS and the ability to start with a clean slate will prompt network administrators to take advantage of the often-overlooked benefits and capabilities of Windows Server 2008. This is a big compliance gap that many businesses have trouble getting their arms around.
It’s not all rosy with Windows Server 8, however. One concern that stands out to me is regarding the new Metro application model. Arguably not as critical as it will be on workstations where much of the development and execution of business applications is done but the fact is that new types of applications can introduce system complexities that may complicate compliance and security. In addition to traditional Win32, .NET and related applications, we’ll now have a presumably wider attack footprint with new Metro applications based on the WinRT APIs.
Another compliance-related concern is multi-server patching and continuous availability in Windows Server 8 via workflow scripting in PowerShell. When I think of PowerShell, I think of long, convoluted commands that only serve to create further complexities which, frankly, the average network admin can’t afford to take on. Microsoft is attempting to fix that by making PowerShell more streamlined and useful. We’ll see.
Finally, all of Microsoft’s touting of cloud services makes me a little nervous. My concern is that businesses – especially those on the smaller end who don’t have much (if any) in-house expertise – are going to prematurely jump on the cloud bandwagon without asking the tough questions and thinking through all of the cloud’s compliance and security issues.
I do believe that Microsoft has our best interests in mind with Windows Server 8. Incremental improvements in compliance and security are welcome. In fact, in the grand scheme of things, incremental improvements should be our main goal with all things related to managing information risks.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 10 books on information security. Kevin can be reached at www.principlelogic.com or you can follow in on Twitter at @kevinbeaver or connect to him on LinkedIn.
This was first published in January 2012