In Part 3 of my Windows Server 2012 series, I will summarize all security-related features.
Every new Windows version introduces security improvements. Cyber war is on, and no admin will dare to neglect this topic. My favorite new security enhancements are the new BitLocker features. I claimed more than two years ago that BitLocker encryption is a must. With the new deployment improvements, you will hardly find an excuse for still storing your valuable data unencrypted.
Dynamic Access Control
I didn’t read this elsewhere, but it appears to me that Dynamic Access Control in Windows Server 2012 is another cloud feature. In conventional IT, data can only be at one place—in folders that are on your servers in your server room. Data in the cloud, however, can’t be easily localized. To ensure that only authorized people gain access to files in the cloud, traditional folder-based file access rules become difficult to handle. Essentially, Dynamic Access Control allows you or your users to tag files through applications (Office, for instance) and set access rights according to these tags. Thus access rights go with the file, at least as long as the file stays within the realm of your Active Directory. You will have to upgrade your Active Directory schema if you want to use Dynamic Access Control in Windows Server 2012.
- Introduction to Windows Server 2012 Dynamic Access Control
- Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
- Windows Server 2012 – Dynamic Access Control
I think the main reason why many organizations have refrained from deploying BitLocker hard drive encryption is that the encryption process is quite time-consuming. The fact that BitLocker can now be provisioned before the installation, and that only used disk space has to be encrypted, will accelerate BitLocker deployment significantly. Also important from an admin’s perspective is that standard users can now change the BitLocker PIN or password. The new Network Unlock feature requires client hardware that has a DHCP driver implemented in its UEFI firmware. OS volumes protected by TPM + PIN or TPM + StartupKey can then be unlocked automatically at system boot when the machine is connected to a trusted corporate network.
Group Managed Service Accounts
Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2 and eliminate the need to manually administer passwords for service accounts. The new Group Managed Service Account (gMSA) offers the same functionality and can now be shared across multiple Windows Server 2012 systems.
- Group Managed Service Accounts Overview
- What’s New for Managed Service Accounts
- New-ADServiceAccount in Windows Server 2012
By default, Active Directory managed service accounts are now Group Managed Service Accounts.
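To show what the shared account looks like in practice, here is an added PowerShell example (not from the original post) that provisions one gMSA for a group of Windows Server 2012 web servers. The domain, group, host and account names are placeholders.

```powershell
# Added example: provisioning a gMSA shared by several Windows Server 2012 hosts.
# Names (corp.example, WebServers, WEB01/WEB02, svc-web) are placeholders.
Import-Module ActiveDirectory

# One-time step per forest: the KDS root key from which gMSA passwords are derived.
# Even with -EffectiveImmediately the key takes about 10 hours to become usable on
# all domain controllers, so plan this ahead of the first New-ADServiceAccount call.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# A security group of the host computer accounts that are allowed to retrieve the
# password. Least privilege: only these hosts can fetch the secret; no human sees it.
New-ADGroup -Name 'WebServers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebServers' -Members 'WEB01$', 'WEB02$'

# Create the gMSA. The domain controllers generate a long random password and
# rotate it on the interval given here; the interval can only be set at creation.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/www.corp.example'

# On each member host, after a reboot so its Kerberos ticket reflects the new group:
#   Install-ADServiceAccount -Identity 'svc-web'
#   Test-ADServiceAccount -Identity 'svc-web'   # True when the host can retrieve the password
# The service is then configured to log on as CORP\svc-web$ with an empty password field;
# Windows fetches the current password from AD, so nothing is stored in a config file.
```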
Security Auditing enables you to monitor various system objects (files, for instance) by defining Group Policy settings. The auditing data will appear in the Windows event log. Windows Server 2012 introduces a few improvements: expression-based audit policies (for instance, audit everyone who does not have a high security clearance and yet tries to access documents with high business value), merging Global Object Access Auditing policies from multiple GPOs, and information about file attributes of accessed files.
The most interesting new smart card feature is the support of virtual smart cards that emulate a physical smart card by using the Trusted Platform Module (TPM) chip, which is available in many business PCs. Also improved is smart card reader detection.
TLS/SSL (Schannel SSP)
New is TLS support for the Server Name Indication (SNI) extension, which allows you to host multiple SSL websites on a single IP and port combination. Also new is support for Datagram Transport Layer Security (DTLS), which provides communications privacy for datagram protocols (UDP, for instance).
Please let me know if I forgot a security-related feature in Windows Server 2012. In my next post I will discuss Windows Server 2012 virtualization features.