Hands on: Windows Server 'Longhorn' Beta 3 review

1 2 3 4 5 Page 4
Page 4 of 5

Branch office scenario enablement

Business are growing all the time and opening up new offices, and those office, of course, require technology support. Perhaps your organization is already teeming with satellite offices that not only need full integration with your Active Directory investment, but also require some security considerations. Possible threats to your branch office IT assets include the following:

  • A thief physically stealing your branch office's domain controller and then attempting to crack the passwords contained in the replicated copy of the directory stored on the controller.
  • Someone attempting to remove a hard drive from a file server and access sensitive information on an unauthorized basis.

Two new features of Windows Server Longhorn are designed to help mitigate these threats: the read-only domain controller and BitLocker drive encryption. Let's discuss each briefly.

A read-only domain controller (RODC) is just that -- it receives information replicated to it from full domain controllers, but it doesn't permit any changes to be made to its own copy of the directory database, and thus no information can be replicated back to the full DCs in the domain it's a member of.

The advantages of this structure include the following:

  • You reduce the risk of someone attacking a branch office location and sending poisoned data throughout the entire Active Directory database.
  • The RODC caches only the credentials of users and computers that have authenticated to the RODC and those whose credentials are allowed to be cached under the Password Replication Policy. This reduces the possibility that accounts can be cracked from a stolen branch office domain controller.
  • By default, the RODC does not cache administrator credentials, so the keys to the kingdom are more fully protected.
  • The Kerberos authentication tickets issued by the RODC will be valid only for systems within its scope, so it can't issue falsified tokens to get nefarious users onto the full network.

The RODC is a Server Core-designated role, which means there's hardly any need for administration locally. No GUI also means a smaller attack surface. Everyone wins with that.

Going along with the idea of securing sensitive information in a tender place, BitLocker, the whole-drive encryption feature introduced with Windows Vista, is the latest in encryption software. BitLocker, when enabled, secures all of the data on a drive and requires decryption keys, like any other software, to unlock the data. However, unique to BitLocker is the fact that the keys are stored within either a Trusted Platform Module chip on board your system or a USB flash drive that you insert upon boot-up.

You get protection for the entire Windows volume including both user data and system files, the hibernation file, the page file and temporary files.

The boot process itself is also protected by BitLocker -- the feature creates a hash based on the properties of individual boot files, so if one is modified and replaced by, for example, a Trojan file, BitLocker will catch the problem and prevent the boot. It's a very useful feature not only for servers that don't have great physical security, but also for mobile users and laptops that have a pretty good chance of being lost or stolen at some point during their lifetimes.

Windows Server 2003 R2 made some incremental improvements to branch office support, but Windows Server Longhorn, at least in its current Beta 3 form, appears to take branch office support to a higher level. Those of you with vulnerability-plagued remote offices that need to be part of your domain should certainly take a look.

Other security enhancements

There is a laundry list of security enhancements to the Windows Server Longhorn product. A few of the most interesting or potentially most useful features include:

Network Access Protection (NAP). NAP allows you to define policies that state a minimally acceptable level of client health for any device on your network. The criteria could include service pack level, update level, the presence of antivirus software, successful return of a quick security/malware scan and so on. NAP works with your network hardware -- Cisco gear in particular -- to enforce these policies. When a client doesn't meet the baseline requirements for machine health, it is kicked off the network and is only able to speak with certain machines that you designate, typically ones that contain software that enable the machine to heal itself. NAP is revolutionary and a fantastic security tool.

Network Policy and Access Services. With NPAS, you have a one-stop service for all network security policies and access control services. You can deploy VPN servers, dial-up machines and routers. You can set up a RADIUS server and proxies and create remote access policies through the Connection Manager Administration Kit. NPAS also allows you to configure secure wired and wireless access as necessary to better protect communications on your network.

New behaviors in the Windows firewall with advanced security. For one thing, the firewall is on by default now; that's a much-anticipated change that proved impossible during the Windows Server 2003 time frame. Additionally, all incoming traffic is blocked by default unless it is solicited traffic, or unless it is specifically allowed by a rule created to allow that traffic. The new interface combines the firewall tools with the controls you previously found in the IPsec snap-ins, IP Security Policies and IP Security Monitor, so management is a little bit easier with everything in one place.

There are numerous other security improvements within Windows Server Longhorn Beta 3, all of which are incremental and serve to further harden the base on which Windows on the server operates. Any security improvements are welcome.

1 2 3 4 5 Page 4
Page 4 of 5
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon