Windows Server 2003 R2 is a revision to Windows Server 2003. It is designed to address some of the security and functionality issues of the original release. R2 promises to be the definitive Windows Server operating system until Microsoft releases Longhorn Server sometime in the future. In this article, I will take a look at what types of security enhancements you can expect from R2.
Before I begin…
R2 has been in beta for quite some time, and the first release candidate is slated to come out in about a week. Although I have a beta copy of R2, I am limited in what I can tell you about it. At the time I was accepted into the R2 beta program, I was forced to sign a strict nondisclosure agreement. Therefore, to keep the folks at Microsoft happy, this article will be based only on information that is publicly available.
Curtain goes up on new features
Microsoft has included a number of new security features in R2. For example, it is slated to include new single sign-on capabilities. This will improve security because users will have fewer passwords to remember.
Another huge improvement in R2 is an Active Directory federation technology formerly known as TrustBridge. The idea behind Active Directory federation is that an administrator can create a trust relationship with an external domain (a domain in a separate forest) without causing the entire forest to trust the external domain. Furthermore, administrators will be able to delegate administrative tasks, such as user management, to administrators in the external domain. That allows a company's trusted partners to have a degree of control within their networks.
Rumor has is that R2 will have a new shut off feature that is designed to automatically disable a user's Active Directory account in certain circumstances. I wasn't able to find any research material that goes into greater detail about this feature, but I did hear someone talk about it at TechEd. The speaker said this feature would be useful for companies that hire temporary employees. The user accounts could be set to automatically disable themselves after a certain date.
One security feature that you won't find in R2 is Network Access Protection. Network Access Protection is based on the quarantine mode feature that's found in Windows Server 2003. The idea is that external users connecting to your system through a VPN or dial-up link can seriously compromise your security if they do not have a current patch set and current antivirus protection. The Windows Server 2003 version of this tool allows you to quarantine a remote user until the necessary security mechanisms have been applied. Once applied, the user can access the rest of the network.
The Windows Server 2003 quarantine mode works well, but you practically need a Ph.D. in computer science to configure it. Network Access Protection is designed to enhance quarantine mode's capabilities and make it easier to configure. It was originally slated to be R2's primary security feature. However, Microsoft chose to remove Network Access Protection from R2 and include it in Longhorn instead.
R2 will offer a greatly improved data replication engine. The idea is that if a file changes, Windows can replicate the bytes that have changed rather than having to copy the entire file. This feature will greatly reduce bandwidth use.
In addition to a new replication engine, Microsoft has made other changes to the file system. Administrators will be able to better monitor and control disk space consumption. A new feature will allow administrators to place disk space quotas onto individual directories. There is a new file screening technology that can prevent certain types of files from being stored. For example, you could create a policy that prevents executable files from being stored in a data directory.
About the author:Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
More information from SearchWindowsSecurity.com