Sunday, July 6, 2014
Windows Server 2008
includes an impressive array of new security applications and features that
further enhance enterprise deployments, particularly within hostile
environments or under potentially threatening scenarios. Today’s Internet is a
brightly illuminated world that casts shadows, and from those shadows arise
criminal aspirations that seek to infiltrate, pilfer, and undermine
Internet-accessible businesses. Microsoft has stepped up its Windows Server
2008 defenses to better serve the computing public that can’t always defend
against unforeseen, persistent, or stealthy attack.
The following
paragraphs briefly summarize some of the new and newly enhanced security
features of the Windows Server 2008 family:
• Bit Locker Drive
Encryption is a security feature of both Windows Vista and Windows Server 2008
(again sharing a common base) to provide strong cryptography protection over
stored sensitive data within the operating system volume. Bit Locker encrypts all
data stored in the Windows volume and any relevant configured data volumes,
which includes hibernation and paging files, applications, and application
data. Furthermore, Bit Locker works in conjunction with Trusted Platform Module
(TPM) frameworks to ensure the integrity of protected volumes from tampering,
even — and especially — while the operating system isn't operational (like when
the system is turned off).
• Windows Service
Hardening turns Internet-facing servers into bastions resistant to many forms of
network-driven attack. This restricts critical
Windows services from
performing abnormal system activities within the file system, registry, network,
or other resources that may be leveraged to install Malware or launch further
attacks on other computers.
• Microsoft Forefront
Security Technologies is a comprehensive solution that provides protection for
the client operating system, application servers, and the network edge. In the
Forefront Client Security role, you may provide unified malware protection for
business notebooks, workstations, and server platforms with easier management
and control. Server security can fortify Microsoft Exchange messaging
environments
or protect Office
SharePoint Server 2007 services against viruses, worms, and spam.
• Internet Security and
Acceleration (ISA) Server provides enterprise worthy firewall, virtual private network (VPN), and Web caching solutions to protect IT environments against
Internet-based threats. Microsoft’s Intelligent Application Gateway is a
remote-access intermediary that provides secure socket layer (SSL) application
access and protection with endpoint security management.
• User Account Control
(UAC) enables cleaner separation of duties to allow non-administrative user
accounts to occasionally perform administrative tasks without having to switch
users, log off, or use the Run As command. UAC can also require administrators
to specifically approve applications that make system-wide changes before
allowing those applications to run. Admin Approval Mode (AAM) is a UAC
configuration that creates a split user access token for administrators, to
further separate administrative from non-administrative tasks and capabilities.
• Windows Firewall and
Advanced Security is an MMC snap-in that handles both firewall and IP Security
(IPSec) configurations in Windows Sever 2008. This edition is the first to have
the Windows Firewall enabled by default. It can create filters for IPv4 and
IPv6 inbound or outbound traffic and protect information entering or exiting the
computer through IPSec. This component replaces both the firewall applet and
the IPSec and IPSec-related tool sets.
• Network Access
Protection (NAP) is a policy enforcement platform built into Windows Server
2008 that maintains a social health order for the network environment by
specifically requiring that connecting client computers meet certain criteria.
Such requirements include having a current, functional firewall enabled with
recent operating system updates already in place. NAP helps create custom
health code requirements driven through policy enforcement to validate
compliant computers before making any connections to the protected network.
