Top 5 Security Changes in Server 2008 R2

As with any list which talks about the “top” anything, the resulting article is subject to the opinions of its author. In this case, the top 5 security features which have been added or enhanced in Server 2008 R2 are, in my opinion, the most important.

There are a number of different additions to this product which have enhanced the Windows Server experience both with security and with usability. The following features have added to the R2 product improving its security.

Listed in no particular order, here are my top 5 security changes in Server 2008 R2.

While not enabled by default, this feature uses a certificate based authentication infrastructure and a Windows Server 2008 R2 domain functional level to offer an additional level of security when users login using a certificate-base method.

Administrators have the ability to control access to files, folders and printers by differentiating a user who has logged in with a certificate based method vs. a simple username/password combination. When a user logs in with a certificate based method, an additional administrator designated universal group membership is included with the user access token.

Server 2008 R2 and Windows 7 Enterprise and Ultimate offer the ability to utilize the DirectAccess functionality. DirectAccess offers the ability to connect into an organizational network whenever the client connects to an Internet based computer.

DirectAccess also offers the ability to maintain software and policies which can be a big deal when dealing with remote users. All enterprise destined traffic is authenticated and encrypted and provides the same access control as if the client was physically attached to the local organizational network. Unlike with many VPN options available, DirectAccess was designed to work over a number of different connections including behind existing Network Address Translation (NAT) devices.

3. DNS Security Extensions (DNSSEC)

Server 2008 R2 includes support for DNS security extensions which enable the ability to have a secure DNS infrastructure. DNSSEC adds the ability to have origin authority, data integrity and authenticated denial of existence to the DNS servers.

With DNSSEC, the DNS server administrator has the ability to perform a number of tasks which were not available previously, these include:

  • Ability to sign a zone and host signed zones
  • Support new DNSSEC resource records: DNSKET, RRSIG, NSEC and DS

Clients that support the DNSSEC security extensions (Windows 7) can verify the authenticity of the DNS zone data by verifying the signature of the zones requested.

4. User Account Control (UAC) Changes

The functionality of the UAC has changed with the release of Server 2008 R2 so that the administrators can have a more streamlined experience and be able to control this experience more closely.

With these changes, users with administrative privileges can configure the UAC experience using the control panel. The local administrators have also been provided with additional security policies that enable the ability to change the behavior of local administrators in Admin Approval mode and standard users.

The Windows Server 2008 R2 built-in administrator account also does not run in admin approval mode, but all subsequently created administrators do.

5. Windows Security Auditing

While the ability to log a variety of security events has existed in a number of older Windows Server products, Windows Server 2008 R2 includes a number of enhancements which expand and simplify the deployment and management of auditing policies. These changes include:

  • Global Object Access Auditing – This enhancement offers the ability to create a computer side system access control list (SACL) for either the file system or registry. The SACL is then applied to all objects of that type.
  • “Reason for Access” Reporting – This enhancement offers the ability to view a list which provides the privileges which were used to permit or deny access to a specific element.
  • Advanced Audit Policy Settings – There are now an additional 53 new settings which can be used in place of the nine based auditing settings. These can be used to more specifically target the types of behavior which are being investigated.

There are a number of other features which could have been included on this list including the AppLocker feature. However, the reviewed features above ranked above it in this author’s opinion. Hopefully, the addition of these features to Windows Server 2008 R2 will make the security of organizational networks easier to manage and maintain.

Comments