Security continues to be a key concern for IT, and Microsoft is listening to those concerns. It is taking some of the best ideas from recent editions of Windows Server and making them much easier to deploy. On top of that, Microsoft is overhauling key technologies such as NTFS and replacing the venerable BIOS to provide security features that used to require third-party products. Windows Server 2012 has changed the look of security for Windows in the enterprise.
DirectAccess for all
IT is clamoring for an integrated remote access option, but has yet to find the right balance between the security needs of the enterprise and the ease of use end users want. DirectAccess, which debuted in Windows Server 2008 and Windows 7, makes the VPN a background component of networking -- similar to auto-configured DHCP IP addresses -- to address this need.
The trouble with DirectAccess was the setup and troubleshooting. The need for Microsoft User Access Gateway, plus the IPv6 and encryption requirements, was a recipe for failed deployments.
Windows Server 2012 security has dropped the complexities and extra cost by folding DirectAccess into the Remote Access Server role, with DirectAccess and VPN available on the same option checkbox. The settings for DirectAccess are integrated into the Remote Access Management console window.
The wizard checks your prerequisites and sets up the Network Location Server, the IP-HTTPS and IPv6 translation services, such as NAT64. In fact, the hassle from IPv6 technologies is pretty much eliminated. The whole thing has been reduced from scores of pages of documentation down to a single wizard, which is incredibly helpful in getting your DirectAccess deployment rolling.
Better identification for file security
After the push to move every file into SharePoint, Microsoft understands the need to keep thinking about files, file servers and file permissions without having to wrap a Web server around it for security. It begins at the low level with the upgraded Server Message Block 3.0 (SMB 3.0) protocol.
Not only does SMB 3.0 provide several performance enhancements that take advantage of the latest networking hardware, it also includes integrated encryption. This is not IPsec, which encrypts every packet and carries an implementation and troubleshooting overhead that few are willing to take on. Instead, the encryption is set up at the file or folder level. SMB 3.0 uses AES-CCM for encryption and AES-CMAC for signing.
A simple checkbox option enables the encryption; the caveat is that both the client and server must support SMB 3.0 to use it. This means Windows Server 2012 and Windows 8 are needed to make encryption work, which may take a while on the client side. If you don't have the latest OS installed on all clients, don't enable encryption, because older clients will be refused access.
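The client-compatibility caveat above is easy to check before you tick the box. The following is an added example, not from the article: it lists any connected clients that negotiated a pre-3.0 dialect and, only if none are found, enables encryption on one share (the share name is an assumption).

```powershell
# Added example (not from the article). Run on the Windows Server 2012 file
# server with the SmbShare module available. Share name is an assumption.
$share = 'Projects'

# Clients that negotiated a dialect below 3.00 cannot use SMB encryption and
# will be refused access to the share once encryption is turned on.
$oldClients = Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

if ($oldClients) {
    Write-Warning "These clients would lose access to '$share' once it is encrypted:"
    $oldClients | Format-Table -AutoSize
}
else {
    # Per-share encryption: this is what the Server Manager checkbox sets.
    Set-SmbShare -Name $share -EncryptData $true -Force

    # Optional, server-wide alternative: encrypt every share and refuse any
    # client that cannot encrypt (stricter than the per-share setting).
    # Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
}

# Confirm the resulting state of the share.
Get-SmbShare -Name $share | Select-Object Name, Path, EncryptData
```

Note that `Get-SmbSession` only shows clients connected at that moment, so run the check during normal working hours or repeat it over several days before enabling encryption.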
Dynamic Access Control (DAC) is another file-level technology focused on permissions. Today's environments have users that span multiple job types and organizations that access files from different types of devices. Access control requirements no longer stop at the firewall; they extend into the Internet.
Dynamic Access Control aims to tackle the latest challenges with a significant upgrade to the NT file system (NTFS) and file services. DAC adds a new layer on top of the standard share and file permissions: policies that combine file permissions, group memberships and tags on files. When combined with Active Directory Federation Services and identity management through Rights Management Services, the permissions can extend outside of the network.
This ability works for access control, auditing and encryption through a claims-based system. For example, a tag on a file can trigger a policy to automatically encrypt the file. A tag can also require additional group membership to allow access, such as being a member of both the R&D Users and the Special Projects groups. This is great for meeting regulatory requirements and restricting certain files to a need-to-know basis.
This can also break down to the device level, which is very useful as IT integrates mobile devices and bring-your-own-device programs. With the claim based on user identity, device identity and policy, file permissions become less about which conflicting groups a user is in and more about having your policies in order. The access-denied message even gets an upgrade: you can now customize the message users receive and even integrate a request for access into the pop-up.
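To make the claims-and-tags model concrete, here is an added example (not from the article) that builds one central access rule in PowerShell: files tagged with a Project resource property of "Special Projects" are readable only by users whose Department claim is "R&D" and who are also members of the R&D Users group. The claim and property names, the claim ID, the group SID placeholder and the rule and policy names are all assumptions.

```powershell
# Added example (not from the article). Run on a Windows Server 2012 domain
# controller with the ActiveDirectory module. All names below are assumptions.
Import-Module ActiveDirectory

# 1. A user claim sourced from the AD 'department' attribute. The -ID is set
#    explicitly so the same string can be referenced in the ACE condition.
New-ADClaimType -DisplayName 'Department' -SourceAttribute department `
    -ID 'ad://ext/Department' -Enabled $true

# 2. A resource property: the "tag" that gets stamped onto files/folders.
$sp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
        'Special Projects', 'Special Projects', '')
New-ADResourceProperty -DisplayName 'Project' -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $sp
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Project'

# 3. A central access rule: applies to resources tagged Project="Special
#    Projects" and grants read/execute (0x1200a9) to Authenticated Users only
#    when BOTH the Department claim is "R&D" AND the user is in R&D Users.
$rdUsersSid = 'S-1-5-21-PLACEHOLDER-1105'   # placeholder: real SID of 'R&D Users'
$conditionalAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
    "(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == `"R&D`") && " +
    "(Member_of {SID($rdUsersSid)})))"

New-ADCentralAccessRule -Name 'Special Projects Rule' `
    -ResourceCondition '(@RESOURCE.Project == "Special Projects")' `
    -CurrentAcl $conditionalAcl

# 4. Bundle the rule into a policy; the policy is then pushed to file servers
#    via Group Policy (Security Settings > File System > Central Access Policy)
#    and selected on the folder's Security tab.
New-ADCentralAccessPolicy -Name 'Special Projects Policy'
Add-ADCentralAccessPolicyMember -Identity 'Special Projects Policy' -Members 'Special Projects Rule'

# Review what was created.
Get-ADCentralAccessRule -Identity 'Special Projects Rule' |
    Select-Object Name, ResourceCondition, CurrentAcl
```

Claims are only issued once the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting is enabled on the domain controllers; without it the Department condition can never be satisfied and the rule denies everyone.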
Securing startup in Windows Server 2012
Windows is now protected at an even more basic level. As the BIOS boot-strapper is replaced with the Unified Extensible Firmware Interface (UEFI), administrators can take advantage of Secure Boot. This is a controversial technology in some circles because it locks down which operating systems you can actually boot. It can be a hassle for Linux users, but for enterprise IT the benefit is blocking boot-level attacks that rely on unauthorized firmware, drivers and operating systems.
BitLocker sees continued improvement: a BitLocker drive can now be unlocked over a network connection on domain-joined computers, a feature called Network Protector Mode. You can also secure drives before Windows is even installed, making deployment scenarios easier. In addition, administrative rights are no longer required to change passwords and PINs, adding to ease of use. Performance improves because BitLocker can encrypt only the space in use, avoiding the long wait to encrypt what are essentially zeros on the hard drive.
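The two startup-protection points above, Secure Boot and used-space-only encryption, can be tied together in a short deployment check. This is an added example, not from the article; the drive letter, the TPM protector and the requirement that the BitLocker feature is already installed are assumptions.

```powershell
# Added example (not from the article). Assumes Windows Server 2012 with the
# BitLocker feature installed (Add-WindowsFeature BitLocker) and a TPM present.

# Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on a
# legacy BIOS machine, so the try/catch distinguishes the two cases.
try {
    $secureBoot = Confirm-SecureBootUEFI
}
catch {
    throw "Legacy BIOS boot detected; Secure Boot is not available: $($_.Exception.Message)"
}
if (-not $secureBoot) {
    Write-Warning 'UEFI firmware detected but Secure Boot is disabled; enable it in firmware setup.'
}

# Encrypt the OS volume, protecting the key with the TPM and encrypting only
# the space currently in use (the free-space "zeros" are skipped, which is the
# performance gain discussed above). -SkipHardwareTest avoids the reboot test.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# Report progress and whether protection is actually active.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Used-space-only encryption is appropriate for freshly deployed drives; on a drive that previously held data, the unused sectors may still contain recoverable remnants, so full encryption is the safer choice there.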
Windows Server 2012 brings an impressive focus on security. It improves good ideas such as DirectAccess and overhauls others, such as NTFS, to enable claims-based access. The changes are certainly worth fast-tracking into your data center.
About the author:
Eric Beehler has been working in the IT industry since the mid-1990s and had been playing with computer technology well before that. His experience includes more than nine years with Hewlett-Packard's Managed Services division, working with Fortune 500 companies to deliver network and server solutions, and most recently IT work in the insurance industry on highly available solutions and disaster recovery. He currently provides consulting and training through his co-ownership of Consortio Services, LLC.