By Yuval Shavit, Features Writer
Even though the most notable new component of Windows Server 2008 is almost without question its Hyper-V built-in virtualization tool, the latest server operating system from Microsoft also has some important security upgrades. Many are standard patches that work out of the box, but there are also several Windows Server 2008 security features that will require configuration changes or modifications to your customer's IT infrastructure. Some Windows Server 2008 security improvements target an organization's back-end infrastructure, while others focus on protecting specific files.
Server 2008 infrastructure security
As we mentioned in the first installment of this Hot Spot Tutorial, one of the most anticipated features in Server 2008 is Server Core, a bare-bones installation that lets IT managers create lean infrastructure servers. Server Core servers do away with any inessential Windows components -- including the GUI and .NET -- and are meant to serve any one of nine server functions, called roles. Because Server Core installations use fewer components than a full-blown Windows Server 2008 installation, they have fewer possible security holes and require fewer patches.
Server Core installations can be used as servers for Active Directory Domain Services, Active Directory Lightweight Directory Services, DHCP, DNS, file hosting, print services, streaming media services, Hyper-V hosting and Internet Information Services (IIS). Server Core cannot host dynamic Web pages, so it is only appropriate for IIS servers that host static pages.
Another important Windows Server 2008 security feature is the ability to set up a read-only domain controller (RODC) for Active Directory servers in branch offices. AD information on RODC servers can't be changed or replicated to other AD servers, so the whole organization's security isn't compromised if there's a breach at the branch office. RODC servers can also store user information without passwords, and Windows Server 2008 allows for more granular control of password policies, said Rand Morimoto, president and CEO of Convergent Computing (CCO), an Oakland, Calif., consulting firm. CCO was part of Windows Server 2008's early adoption program and has about 240 clients that use the OS in production, Morimoto said.
Microsoft is also throwing its hat into the network access control (NAC) ring with Network Access Protection (NAP), a Windows Server 2008 security technology that ensures devices are authenticated and fully patched before they're allowed to connect to a company's LAN. An unsafe computer on a NAP-enabled network is typically given limited access to the LAN. Depending on the NAP configuration, those devices may only be able to access external Internet pages, or they may be isolated to a subsection of the intranet that lets them upgrade to become compliant.
For now, NAP can only test computers loaded with a relatively modern Windows OS: Vista, Server 2008 and Windows XP Service Pack 3 are the only systems that can run the NAP client. Other machines will be marked as dangerous and quarantined or monitored, according to the policy you help set up at the client's site.
A NAP deployment can be complex and time-consuming, especially if security is a major concern. Most NAC technology is intended to guard against accidental breaches, like a consultant bringing in a laptop infected with a Trojan. If your client needs a more secure setup that will also guard against intentional attacks, it'll need to invest in network upgrades such as 802.1X security.
Like other NAC technologies, one of NAP's primary goals is to make guest access to your customer's networks more secure. But, also like other NAC technologies, adoption is still at the beginning of the curve. None of CCO's clients have implemented NAP yet, although Morimoto said several are considering deploying it within the next year.
Windows Server 2008 encryption
Windows Server 2008 includes a drive encryption option, called BitLocker, which encrypts a server's entire hard drive, rather than individual files on it. Although it may not be immediately obvious why an IT department would want to encrypt an immobile server's disk, branch offices often can't afford reliable physical security, Morimoto said. Some may even use standard desktop computers for their servers, he said, and IT managers will want to know that sensitive data on those computers is safe if they're stolen.
Server 2008 also lets companies protect individual files using its Active Directory Rights Management Services (AD RMS), a DRM-like encryption service. Although RMS -- without its "AD" prefix -- has been available since Server 2003, the new version integrates RMS with Active Directory's federated security model and makes it easier to manage policies. AD RMS not only encrypts files, but lets IT administrators control who can read, copy, print or otherwise work with those files.