Windows Server 2012 : Enhancements for Flexible Identity and Security (part 2) - Active Directory Unification for Various Directory Services

7/26/2014 9:20:14 PM

DNSSEC—Zone Signing

Zone signing in DNSSEC provides better infrastructure security: the zone data is cryptographically signed, so changes, updates, and other communications with DNS servers in a Windows Server 2012 environment can be verified against those signatures rather than trusted blindly. DNSSEC is critical for organizations looking to implement zone signing and better DNS management.
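The following is an added example (not code from the original article) showing how zone signing looks in practice on a Windows Server 2012 DNS server, using the built-in DnsServer and DnsClient PowerShell modules. The zone name corp.example, the server name dns01, the record www and the export path are assumed placeholders.

```powershell
# Added example, not from the original article: sign a DNS zone on a Windows Server 2012
# DNS server with the DnsServer PowerShell module, then verify that signed answers come back.
# Assumed placeholders: zone "corp.example", DNS server "dns01", record "www", path C:\dnssec.
Import-Module DnsServer

$zone   = 'corp.example'
$server = 'dns01'

# Sign the zone with default settings: a Key Signing Key and a Zone Signing Key are
# generated, and this server becomes the zone's Key Master.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -ComputerName $server -Force

# Confirm the zone now reports as signed and list the keys that were created.
Get-DnsServerZone -Name $zone -ComputerName $server | Select-Object ZoneName, IsSigned
Get-DnsServerSigningKey -ZoneName $zone -ComputerName $server |
    Format-Table KeyType, CryptoAlgorithm, KeyLength

# Export the DS records so the parent zone (or a validating resolver's trust anchors)
# can establish the chain of trust; signatures alone prove nothing to a resolver
# that has no trust anchor leading to this zone.
Export-DnsServerDnsSecPublicKey -ZoneName $zone -ComputerName $server `
    -Path 'C:\dnssec' -DigestType Sha256

# Query with the DNSSEC OK (DO) bit set: a signed zone returns RRSIG records alongside
# the A record. A validating resolver rejects an answer whose RRSIG does not verify.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $server -DnssecOk
$answer | Format-Table Name, Type, TTL, Section, DataLength
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    Write-Warning "No RRSIG returned for www.$zone; the zone may not be signed on $server."
}
```

Signing a zone only helps once resolvers validate it: the DS records must be published in the parent zone (or distributed as trust anchors) and clients must be directed to a validating DNS server, otherwise tampered answers are still accepted.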

Transport Security Using IPSec and Certificate Services

Not new to Windows, IPsec has finally gained several new Group Policy management components to aid in implementing and managing IPsec in the enterprise. Also not new to Windows, but something that has become critical to organizations lately, is Microsoft’s offering around public key infrastructure (PKI), specifically certificate services. It seems that everything security related is somehow connected to certificates, whether that is file encryption, email encryption, remote mobile device certificate access, or transport security using IPsec.

Security Policies, Policy Management, and Policy Enforcement Tools

Security policies and the management of policy-related security systems were completely new in Windows Server 2008, were updated in Windows Server 2012, and are a major focus for organizations. It used to be that we would simply lock down systems, make sure they were secure by default, and use our best judgment and best effort to secure a network. However, with laws and regulations, and even human resources departments, now involved in information security, IT security practice relies on defined security policies so that IT can implement technologies that address the organization’s policies on information security.

Tools such as the Network Policy Server in Windows Server 2012 allow policies to be defined and then enforced by the Network Policy Server. These policies relate specifically to remote logon access, access over wireless network connections, or the integration of Network Access Protection (NAP), which queries a device (desktop, laptop, or mobile device) to make sure it has the latest patches, updates, and antivirus software that management requires before the device is considered secure.

BitLocker for Server Security

BitLocker is a technology first introduced with Windows Vista that enables an organization to encrypt an entire partition, protecting all files, documents, and information stored on that partition. When BitLocker was first introduced in Windows Server 2008 as a server tool, it was hard to understand why a server would need its drive volume encrypted. Encrypting a laptop made obvious sense (in case of theft, so that no one could access the data on its hard drive). BitLocker has since proven beneficial for servers placed in remote locations, such as a simple wiring closet or under a cash register as the point-of-sale system of a retail store. Servers holding sensitive data are prevalent in enterprise environments, and BitLocker gives organizations a security benefit there as well.

In short, BitLocker encrypts the volumes of a Windows Server 2012 server. For organizations concerned that a server might be physically compromised, whether by theft of the server or by a physical attack on the system, BitLocker is a valuable component to implement on that server.

Windows Rights Management Services

Windows Rights Management Services (RMS) was available as a downloadable feature pack in Windows 2003 and is now included as an installable server role in Windows Server 2012. Windows RMS sets the framework for secured information sharing of data by encrypting content and setting a policy on the content that protects the file and the information stored in the file.

Organizations have been shifting to RMS rather than the older approach of a secured file folder, primarily because users who should be saving sensitive information into a file folder frequently forget to save files there, and thus sensitive information becomes public information. By encrypting the content of the file itself, even if a file with sensitive information is stored in the wrong place, the file cannot be opened, and the information in it cannot be accessed without the proper security credentials.

In addition, RMS allows the individual saving the file to set specific attributes regarding what the person would like to be secured about the file. For example, a secured file in RMS can be set to not be edited, meaning that a person receiving the file can read the file, but he or she cannot select content in the file, copy the content, or edit the content. This prevents individuals from taking a secured file, cutting and pasting the content into a different file, and then saving the new file without encryption or security.

RMS also provides attributes to enable the person creating a file to prevent others from printing the file. The file itself can have an expiration date, so that after a given period of time, the contents of the file expire and the entire file is inaccessible.

Active Directory Unification for Various Directory Services

Active Directory in Windows Server 2012 hasn’t changed to the point where organizations with solid AD structures have to make changes to their directory environment. Forests, domains, sites, organizational units, groups, and users all remain the same. There are several improvements made in Active Directory and the breadth of functionality provided by directory services in Windows Server 2012.

The changes in Active Directory are captured in the renaming of the directory services as well as in the read-only domain controller (RODC) role that was introduced in Windows Server 2008.

Active Directory Domain Services

In Windows Server 2008, Active Directory was renamed to Active Directory Domain Services (AD DS), and Windows Server 2012 continues with that new name. Active Directory Domain Services refers to what used to be just called Active Directory with the same architectural design and structure that Microsoft introduced with Windows 2000 and Windows 2003. In Windows Server 2012, administration is now done through the Active Directory Administrative Center, shown in Figure 2.

Figure 2. Active Directory Administrative Center.

The designation of domain services identifies this directory as the service that provides authentication and policy management internal to an organization where an organization’s internal domain controls network services.

For the first time, AD DS can be stopped and started like any other service. This facilitates AD DS maintenance without having to restart the domain controller in Directory Services Restore Mode (DSRM).

Active Directory Lightweight Directory Service

Another name change in the directory services components with Windows Server 2008 is the renaming of Active Directory Application Mode (ADAM) to Active Directory Lightweight Directory Services (AD LDS). ADAM was a downloadable add-in to Windows 2003 Active Directory that provided a directory typically used for nonemployees who need access to network services. Rather than putting nonemployees into Active Directory, these individuals—such as contractors, temporary workers, or even external contacts such as outside legal counsel, marketing firms, and so on—have been placed in ADAM and given rights to access network resources such as SharePoint file libraries, extranet content, or web services.

AD LDS is identical to ADAM in its functionality, and provides an organization with options for enabling or sharing resources with individuals outside of the organizational structure. With the name change, organizations that didn’t quite know what ADAM was before have begun to leverage the Lightweight Directory Services function of Active Directory for not just resource sharing but also for a lookup directory resource for clients, patients, membership directories, and so on.

Active Directory Federation Services

That leads to the third Active Directory service, called Active Directory Federation Services, or AD FS. AD FS was introduced with Windows 2003 R2 and continues to provide the linking, or federation, between multiple AD forests, or now with Windows Server 2012 AD FS, the ability to federate between multiple Active Directory Domain Services systems.

Effectively, for organizations that want to share information between AD DS environments, two or more AD DS systems can be connected together to share information. This has been used by organizations with multiple subsidiaries, each with its own Active Directory, to exchange directory information between them. AD FS has also been used by business trading partners (suppliers and distributors) to interlink their directories so that groups of users in both organizations can easily share information, communicate freely, and collaborate.


Read-Only Domain Controllers

Another change in Active Directory in Windows Server 2008 that continues in Windows 2012 is the read-only domain controller (RODC). An RODC, like a global catalog server, is used to authenticate users and to look up objects in the directory; however, instead of holding a read/write copy of the directory, an RODC maintains only a read-only copy of Active Directory and forwards all write and authentication requests to a read/write domain controller.

RODCs can also be configured to cache the logon credentials of specified users, which speeds up authentication requests for those users. Only those credentials are cached on the RODC, not every object in the entire global catalog. If the RODC is shut down or powered off, the cache on the RODC is flushed, and the cached objects are not available again until the RODC reconnects to a global catalog server on the network.

The RODC is a major advancement in security because an RODC cannot be compromised in the same manner as a global catalog server in the event of physical theft of a domain server. Organizations that need global catalog functionality for user authentication in an area that is not completely secure, such as a remote office, a branch office, or even a retail store outlet, can place an RODC in that location instead.
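The credential caching described above is controlled by the RODC's Password Replication Policy. The following added example (not code from the original article) shows how an administrator reviews and tightens that policy with the ActiveDirectory PowerShell module and audits which credentials the RODC has actually cached; the RODC name RODC-BRANCH01, the writable DC DC01, the groups Branch01 Users and Branch01 Computers, and the user jdoe are assumed placeholders.

```powershell
# Added example, not from the original article: manage an RODC's Password Replication
# Policy (PRP) and audit which account secrets it holds.
# Assumed placeholders: RODC "RODC-BRANCH01", writable DC "DC01", branch groups, user "jdoe".
Import-Module ActiveDirectory

$rodc = 'RODC-BRANCH01'

# List the read-only domain controllers in the domain and where they sit.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, HostName

# Show the current PRP: accounts whose secrets may be cached, and those that never may.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Allow caching only for the branch's own users and computers, so a stolen RODC
# exposes at most that branch's secrets. Keep privileged groups explicitly denied.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch01 Users', 'Branch01 Computers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins'

# Pre-populate one user's credentials so the first logon at the branch does not
# depend on the WAN link to a writable domain controller.
Get-ADUser -Identity 'jdoe' |
    Sync-ADObject -Source 'DC01' -Destination $rodc -PasswordOnly

# Audit: accounts whose secrets are currently cached ("revealed") on this RODC.
# If the server is ever lost, these are the accounts whose passwords must be reset.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, SamAccountName, ObjectClass

# Accounts that have authenticated through this RODC but are not cached are still
# worth reviewing: they show who depends on the branch RODC being available.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName
```

If an RODC is stolen, deleting its computer account in Active Directory Users and Computers prompts to reset the passwords of all accounts it had revealed, which is why keeping the allowed list narrow matters.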
