When Microsoft released Windows 2003 Server, one of the biggest selling points of the new operating system was...
security -- shipping the product in a locked-down state, for instance, and adding in features (such as the firewall) to provide some default security.
With R2, things are a little different. There are three basic categories of new security or security-related features in R2: extensions to Active Directory for "federated access," new AD storage modes and a new set of updating and network access control features found only in Windows 2003 Small Business Server R2. Most of the new "security" features in R2 are not like those associated with previous iterations of Windows -- the firewall, for instance, or reducing the "attack surface" for Windows itself. And, they may not be as immediately useful the way other features were, but they are interesting functional changes that open some new possibilities for the way Windows can be used to manage an organization.
ADFS, or Active Directory Federation Services, comes as one of the more highly touted new security functions in R2. The idea has come wrapped in a great deal of perplexing language, but the basic idea isn't that complicated. If you have two completely distinct organizations with different Active Directory forests, ADFS lets certain credentials be shared between forests. This way a user could sign onto one of multiple "federated" forests with the same credentials, the same profile information -- the same everything, really -- and only need one password to do it. Microsoft's theory is that if you have one easy-to-remember password that is relatively strong, that's better than having many comparatively weak passwords that you might have to write down to remember (and thus have discovered).
Active Directory Federation Services isn't just for desktop users in an organization; one of the things Microsoft specifically built ADFS for is to allow companies to build Web interfaces that allow single sign-on (SSO) across domains. Microsoft has pitched this whole package of federation technology as "extending Active Directory to the Internet."
For instance, if you have a whole family of Web sites all built using ADFS, you could allow a user to register in one site and use his credentials to sign on to all the rest (and, of course, retain his profile information). ADFS also has extensions to allow this sort of thing to be used in non-AD environments as well, through a set of W3 standards called the Web Services Architecture.
Know them from ADAM
Another new Active Directory feature in R2 is Active Directory Application Mode, or ADAM -- a subset of Active Directory that applications throughout an organization can use to store data in a directory format without needing an additional solution. You can also use ADAM to store custom data in Active Directory without making schema changes, so you could use regular AD for authentication and ADAM for more personalized per-user / per-application data. Customizing ADAM is done with the same tools as Active Directory itself -- the LDIFDE command-line tool or the ADSI Edit snap-in. If you have experience working with one, then using the other isn't a big obstacle.
Update Services updated
Microsoft offers not one but several ways to push updates out to desktops and servers: Microsoft Update, Windows Server Update Services, and Systems Management Server. WSUS is the middle tier among the three; it lets you scan Microsoft Update servers for available downloads and then selectively push them out to your network based on what's needed.
WSUS in Windows 2003 Small Business Server R2 has some new features that are exclusive to SBS R2 -- among them, a daily reporting feature. It provides you with continually updated information about how other Windows machines are faring in your organization as far as patches and updates go. If a new Windows XP or Windows 2000 Professional machine joins an SBS2003 R2 domain and it isn't up to snuff as far as updates go, you'll find out without having to audit that machine personally.
Guard the gates
Some of the other security features rolled into SBS2003 R2 are about keeping people in as much as they are about keeping intruders out. The premium edition of SBS2003 R2 includes ISA Server 2004, which not only lets you define basic user access policies (i.e., who gets to use the Internet and who doesn't), but it also can provide detailed and granular per-user settings -- for instance, allowing only Internet access to specific sites during specific hours.
One rather annoying downside to using SBS2003 R2 -- as opposed to the full Windows Server 2003 R2 -- is that ISA Server 2004 cannot be upgraded to ISA Server 2006 due to the way SBS2003 R2's setup tools are integrated into ISA 2004 and vice versa. If you want to upgrade to ISA later, that might make you think twice about using SBS in this context.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!