DNSSEC—Zone Signing
Zone signing in DNSSEC improves
infrastructure security by requiring that changes, updates, and other
communications with DNS servers within a Windows Server 2012 environment
be cryptographically signed. DNSSEC is critical for organizations that
want to implement zone signing and improve their DNS management.
Transport Security Using IPSec and Certificate Services
Although
not new to Windows, IPsec has finally gained several new Group Policy
management components that aid in implementing and managing IPsec in
the enterprise. Also not new to Windows, but something that has become
critical to organizations lately, is Microsoft's offering around public
key infrastructure (PKI), specifically certificate services. It seems
as though everything security-related is somehow connected to
certificates, whether that is file encryption, email encryption, remote
mobile device certificate access, or transport security using IPsec.
Security Policies, Policy Management, and Policy Enforcement Tools
Completely new in Windows Server 2008, updated in
Windows Server 2012, and a major focus for organizations, are security
policies and the management of policies for security systems. It used
to be that we would simply lock down systems, make sure they were secure
by default, and use our best judgment and best effort to secure a
network. However, with laws and regulations, and even human resource
departments, getting involved in information security, all IT security
practices now rely on defined security policies, so that IT can
implement technologies that address the organization's information
security policies.
Tools such as the Network Policy Server
in Windows Server 2012 allow policies to be defined and then enforce
them, specifically for remote logon access, access over wireless network
connections, and the integration of Network Access Protection (NAP).
NAP queries a device (desktop, laptop, or mobile device) and verifies
that it has the latest patches, updates, and antivirus software required
by management before the device is considered secure.
BitLocker for Server Security
BitLocker is a technology first introduced
with Windows Vista that enables an organization to perform full
partition encryption of all files, documents, and information stored on
the encrypted partition. When BitLocker was first introduced in Windows
Server 2008 as a server tool, it was hard to understand why a server
would need its drive volume encrypted. It made sense that a laptop would
be encrypted (in case of theft, so that no one could get access to the
data on the laptop hard drive). BitLocker has since proven beneficial
for servers placed in remote locations such as a simple wiring closet
or, in a retail store, under a cash register as the point-of-sale
system. Servers holding sensitive data are common in enterprise
environments, and BitLocker gives organizations a way to protect that
data.
So, BitLocker provides encryption of
the volume of a Windows Server 2012 server. For organizations that are
concerned that the server might be physically compromised by the theft
of the server or a physical attack on the system, BitLocker is a great
component to implement on the server system.
Windows Rights Management Services
Windows Rights Management Services (RMS) was
available as a downloadable feature pack in Windows 2003 and is now
included as an installable server role in Windows Server 2012. Windows
RMS sets the framework for secured information sharing of data by
encrypting content and setting a policy on the content that protects
the file and the information stored in the file.
Organizations have been shifting to RMS
rather than the old secured file folder approach, primarily because
users who should save sensitive information into a secured folder
frequently forget to do so, and thus sensitive information becomes
public information. By encrypting the content of the file itself, even
if a file with sensitive information is stored in the wrong place, the
file cannot be opened, and the information in the file cannot be
accessed without the proper security credentials.
In addition, RMS allows the individual saving
the file to set specific attributes regarding what the person would
like to be secured about the file. For example, a secured file in RMS
can be set to not be edited, meaning that a person receiving the file
can read the file, but he or she cannot select content in the file,
copy the content, or edit the content. This prevents individuals from
taking a secured file, cutting and pasting the content into a different
file, and then saving the new file without encryption or security.
RMS also provides attributes to enable the
person creating a file to prevent others from printing the file. The
file itself can have an expiration date, so that after a given period
of time, the contents of the file expire and the entire file is
inaccessible.
Active Directory Unification for Various Directory Services
Active
Directory in Windows Server 2012 hasn't changed to the point where
organizations with solid AD structures have to make changes to their
directory environment. Forests, domains, sites, organizational units,
groups, and users all remain the same. There are, however, several
improvements in Active Directory and in the breadth of functionality
provided by directory services in Windows Server 2012.
The changes made in Active Directory are
reflected in the renaming of the directory services and in the
read-only domain controller (RODC) role introduced in Windows Server
2008.
Active Directory Domain Services
In Windows Server 2008, Active Directory was
renamed to Active Directory Domain Services (AD DS), and Windows Server
2012 continues with that new name. Active Directory Domain Services
refers to what used to be just called Active Directory with the same
architectural design and structure that Microsoft introduced with
Windows 2000 and Windows 2003. In Windows Server 2012, administration
is now done through the Active Directory Administrative Center, shown
in Figure 2.
Figure 2. Active Directory Administrative Center.
The designation of domain services
identifies this directory as the service that provides authentication
and policy management within an organization, where the organization's
internal domain controls network services.
For the first time, AD DS can be stopped and
started as any other true service. This facilitates AD DS maintenance
without having to restart the domain controller in Directory Services
Restore Mode (DSRM).
Active Directory Lightweight Directory Services
Another name change in the directory services
components introduced by Microsoft with Windows Server 2008 is the
renaming of Active Directory in Application (ADAM) to Active Directory
Lightweight Directory Services (AD LDS). ADAM was a downloadable add-in
to Windows 2003 Active Directory that provided a directory typically
used in organizations for nonemployees who need access to network
services. Rather than putting nonemployees into the Active Directory,
these individuals—such as contractors, temporary workers, or even
external contacts, such as outside legal counsel, marketing firms, and
so on—have been placed in ADAM and given rights to access network
resources such as SharePoint file libraries, extranet content, or web
services.
AD LDS is identical to ADAM in its
functionality, and provides an organization with options for enabling
or sharing resources with individuals outside of the organizational
structure. With the name change, organizations that didn’t quite know
what ADAM was before have begun to leverage the Lightweight Directory
Services function of Active Directory for not just resource sharing but
also for a lookup directory resource for clients, patients, membership
directories, and so on.
Active Directory Federation Services
That leads to the third Active Directory
service, called Active Directory Federation Services, or AD FS. AD FS
was introduced with Windows 2003 R2 and continues to provide the
linking, or federation, between multiple AD forests, or now with
Windows Server 2012 AD FS, the ability to federate between multiple
Active Directory Domain Services systems.
Effectively, for organizations that want to
share information between AD DS environments, two or more AD DS systems
can be connected together to share information. This has been used by
organizations that have multiple subsidiaries with their own Active
Directory implemented to exchange directory information between the two
organizations. And AD FS has been used by business trading partners
(suppliers and distributors) to interlink directories together to be
able to have groups of users in both organizations easily share
information, freely communicate, and easily collaborate between the two
organizations.
Read-Only Domain Controllers
Another change in Active Directory in Windows
Server 2008 that was continued in Windows 2012 was the addition of a
read-only domain controller (RODC). The RODC is just like a global
catalog server in Active Directory used to authenticate users and as a
resource to look up objects in the directory; however, instead of being
a read/write copy of the directory, an RODC maintains only a read-only
copy of Active Directory and forwards all write and authentication
requests to a read/write domain controller.
RODCs can also be configured to cache
specified logon credentials, which speeds up authentication requests for
those users. Only the credentials of the specified users are stored in
the cache on the RODC, not every object in the entire global catalog.
If the RODC is shut down or powered off, the cache on the RODC is
flushed, and the cached objects are no longer available until the RODC
reconnects to a global catalog server on the network.
The RODC is a huge advancement in
the area of security because an RODC cannot be compromised in the same
manner that a global catalog server can be in the event of the physical
theft of a domain server. Organizations that require the functionality
of a global catalog server for user authentication, but have that
server in an area that is not completely secure, such as a remote
office, a branch office location, or even a retail store outlet, can
instead place an RODC in the remote location.
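The following PowerShell is an added example (not the book's own text or code) of how an administrator limits and audits which credentials a branch-office RODC is allowed to cache, so that physical theft of the box exposes only the accounts that were intended. It assumes the ActiveDirectory module on a management host with a reachable writable domain controller; the RODC name and group name are placeholders.

```powershell
# Added example: audit the credential cache of a branch-office RODC.
# Assumes the ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC01'        # placeholder RODC computer name
$BranchGroup = 'Branch Office Users'  # placeholder group allowed to be cached

# 1. Permit caching only for the branch users (Password Replication Policy).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# 2. Show the effective allow and deny lists for review.
Write-Host "Allowed to cache on $Rodc :"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty Name
Write-Host "Denied from caching on $Rodc :"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object -ExpandProperty Name

# 3. List accounts whose secrets have actually been revealed (cached) on the RODC.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 4. Flag any cached account that is also a Domain Admin; privileged secrets
#    should never sit on hardware in a wiring closet or under a register.
$Privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$Exposed = $Revealed | Where-Object { $Privileged -contains $_.DistinguishedName }

if ($Exposed) {
    Write-Warning "Privileged credentials are cached on $Rodc :"
    $Exposed | Select-Object Name, SamAccountName | Format-Table -AutoSize
} else {
    Write-Host "No privileged credentials are cached on $Rodc."
}
```

If the RODC is offline, step 3 still reports what the writable domain controllers recorded as revealed, which is the list to consider compromised if the hardware is stolen.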