S 4.408 Overview of new security-relevant functions of Windows Server 2008
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Because the standard installation of the operating system is minimal, the introduction of Windows Server 2008 resulted in a significant increase in basic security: only the services that are actually necessary have to be activated and configured after the basic installation. Moreover, further security-relevant tools and functions have been developed or approved under Windows Server 2008.
The following overview shows the principal security-relevant new functions of Windows Server 2008 and refers to safeguards with further details.
Server Manager
The Server Manager is the central administration tool of a Windows Server 2008. It can be used to configure roles or features, to administer the firewall, or to manage services. Some of these configurations can also be made via the Security Configuration Wizard (SCW), which is an integral part of the system under Windows Server 2008 and higher.
Server Core Installation
The Server Core is a minimal system that largely does without a graphical user interface. The benefits of a Server Core are as follows:
- Less software maintenance is required.
- Less administration effort is required.
- Fewer points of attack on the system remain.
Further details on the particularities of the Server Core are included in S 4.416 Use of Windows Server Core.
Authorisation Manager
The Authorisation Manager offers a role-based security architecture for the Windows systems and applications, and was enhanced under Windows Server 2008. It is particularly important for administration of Hyper-V as there is a role-based separation of administration of host and guest systems (see S 2.490 Planning the use of virtualisation using Hyper-V).
BitLocker drive encryption
The BitLocker drive encryption introduced with Windows Vista can now also be used under Windows Server 2008 (see S 4.337 Use of BitLocker drive encryption).
Encrypting file system
Under Windows Server 2008 and higher, the following new functions have been introduced for use of EFS:
- storage of the encryption certificate on a chip card
- encryption of files on a user basis in the client's cache
- further group policy options
Further information on EFS is included in S 4.147 Secure use of EFS under Windows.
User Account Control
Under Windows Server 2008 and higher, the User Account Control can also be used for server systems (see S 4.340 Use of the Windows User Account Control UAC in Windows Vista and higher).
AppLocker
Under Windows Server 2008 R2 and higher, the previously used software restriction policies were replaced by AppLocker. This can be used to control file access and to prevent the execution of certain file types such as .exe or .bat as well as the call-up of DLLs (see S 4.419 Application control in Windows 7 and higher by means of AppLocker).
Active Directory
Numerous new functions have been introduced for Active Directory. The most important new functions are:
- Active Directory services can be installed as a dedicated role. Thus, a minimal installation of the Active Directory or the allocation of individual roles of the AD to independent systems is possible.
- Read-Only Domain Controller (RODC) was introduced as a system with read-only access to the Active Directory.
- Administered service accounts for central administration of services and passwords via the Active Directory or by using Managed local accounts have been added.
- The password and account lockout policies can be configured granularly to allow for improved adjustment of password policies within a domain.
Further details are described in the safeguards S 4.414 Overview of new functions for Active Directory under Windows Server 2008 and higher and S 4.284 Handling of services under Windows Server 2003 and higher.
Windows firewall with advanced security
The host firewall of a Windows Server 2008 is activated by default after installation and blocks incoming and, if applicable, outgoing connections.
It works statefully and filters all IPv4 and IPv6 connections. Administrators can approve or block applications with network communication individually.
In case of role changes of the server or activation of features, the required ports or protocols are automatically activated in the rules.
DirectAccess
The VPN technology described in detail in S 4.411 Secure use of DirectAccess under Windows offers an integrated solution for secure access to approved resources within a Windows Server 2008 R2 environment.
It should be taken into account that only the two Windows 7 versions Enterprise and Ultimate are able to access resources activated by a DirectAccess server under Windows Server 2008 R2.
Network access protection
Network access protection (NAP) is a new technology introduced under Windows Server 2008 and Windows Vista. It can be used to define central rules for securing access to the network.
Further information on NAP is included in S 4.410 Use of network access protection under Windows.
New functions of Windows security monitoring
Under Windows Server 2008 and Windows Vista and higher, basic changes to the security monitoring have been made.
Significant changes are described in detail in S 2.489 Planning of system monitoring under Windows Server 2008:
- change of protocol format to an XML-based format,
- introduction of new numbering of the event IDs,
- the possibility to collect events on a central Windows system.
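Added example (not part of the original safeguard text): a short Python sketch that reads events in the XML-based format and shows why monitoring rules keyed to the old event ID numbering no longer match. It assumes the events were exported with a root element, for instance via wevtutil qe Security /f:xml /e:Events; the sample events, host name, accounts and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the XML event schema used since Windows Vista / Server 2008.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (host, accounts and addresses are made up).
_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{t}"/>'
    "<Computer>srv01.example.test</Computer></System>"
    '<EventData><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="IpAddress">{ip}</Data></EventData></Event>'
)
_ROWS = [
    (4625, "2010-03-01T08:15:02.000Z", "alice", "192.0.2.10"),
    (4625, "2010-03-01T08:15:09.000Z", "alice", "192.0.2.10"),
    (4624, "2010-03-01T08:20:41.000Z", "bob", "192.0.2.20"),
]
SAMPLE = "<Events>" + "".join(
    _TEMPLATE.format(eid=e, t=t, user=u, ip=i) for e, t, u, i in _ROWS
) + "</Events>"

def parse_events(xml_text):
    """Return one dict per <Event>: System fields plus named EventData values."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
        }
        for data in ev.findall("e:EventData/e:Data", NS):
            if data.get("Name"):
                rec[data.get("Name")] = data.text or ""
        records.append(rec)
    return records

def count_ids(events, wanted_ids):
    """Count events whose ID is in wanted_ids (e.g. a monitoring rule's ID list)."""
    return sum(1 for rec in events if rec["id"] in wanted_ids)

def failed_logons_by_source(events):
    """Failed logons (ID 4625; the pre-2008 counterpart was 529) per source IP."""
    return Counter(rec.get("IpAddress", "-") for rec in events if rec["id"] == 4625)

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(count_ids(evs, {529}), count_ids(evs, {4625}), failed_logons_by_source(evs))
```

A rule that still lists the old ID 529 matches none of the sample events, while the same rule with ID 4625 matches both failed logons. Most, but not all, security event IDs were shifted by 4096, so existing rule sets have to be reviewed entry by entry.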
Moreover, further new functions have been added for Windows Server 2008 R2 and Windows 7; however, these functions can only be used with these two versions:
- Global object access monitoring
  System Access Control Lists (SACL) can be used to monitor access to files or folders with particular need of protection. This is helpful for verification that all critical data of a system are protected by adequate rights.
- Presentation of access control entries
  Lists with Access Control Entries (ACE) can be used to show the effective rights Allowed or Denied for an object. This can be used to show the effective group memberships of a monitored object, for example.
- Advanced settings for monitoring policies
  The 53 new categories introduced under Windows Server 2008 and Windows Vista extend the nine basic monitoring settings in the local policies and/or monitoring policies. Under Windows Server 2008 R2 and Windows 7, these can be administered via the monitoring functions in the group policies. Using your own scripts or the Auditpol.exe tool is not required any more.
New functions of the group policies
Due to the close connection and similarity of Windows Server 2008 (R2), Windows Vista and Windows 7, the new functions stated in detail in safeguard S 2.326 Planning the Windows XP, Vista and Windows 7 group policies also apply to Windows Server systems of version 2008 and higher. The most important new functions of Windows Server 2008 and higher are:
- introduction of new categories for policy administration
- new format and new functions of administrative template files (ADMX, see also safeguard S 2.368 Handling of administrative templates under Windows Server 2003 and higher)
- new starter group policy objects (GPO, see S 2.491 Use of roles and security templates under Windows Server 2008)
- the possibility to use comments for GPOs and the policy settings
Furthermore, the following have been introduced under Windows Server 2008 R2:
- use of Windows PowerShell cmdlets for group policies,
- improvement of the present starter group policy objects,
- new user interface and additional policy settings for administration of the administrative templates.