Network World

Ron Barrett

Windows Server 2008 R2: Security Changes and Additions Part II

R2 security changes in Authorization and Access Control

By Ron Barrett on Thu, 10/29/09 - 2:20pm.

Another great set of changes and additions to Windows Server 2008 R2 security comes in the Authorization and Access Control areas. Some of the biggest (and most welcome) changes are to User Account Control (UAC).

User Account Control (UAC)
In Windows Server 2008 R2, UAC has reduced the number of prompts for standard users. Some common Admin tasks that do not require UAC prompts are:
• Install updates from Windows Update
• Install drivers (via Windows Update or those included with the operating system)
• View (but not change) Windows settings
• Pair Bluetooth devices to the computer
• Reset the network adapter and perform other network diagnostic and repair tasks
The UAC experience can be configured in the Control Panel by users with local Admin rights. UAC includes the ability to change the messaging behavior for Administrators and Standard users using the local security policies.
It is great to see UAC finally get more user-friendly; perhaps by Windows 8 we will have a UAC that we can be happy with, but this is a good step in that direction.
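The prompt behavior for administrators and standard users that the article mentions lives in the local security policy, which is stored under the registry path below. The following PowerShell audit is an added example, not code from the article or from Microsoft; it reads the effective values, translates them into the names shown in the Local Security Policy console, and flags the settings a defender would not want to see (UAC disabled, silent elevation, prompts off the secure desktop). It assumes it runs on Windows Server 2008 R2 or Windows 7 in an elevated PowerShell 2.0 session.

```powershell
# Added example: audit local UAC elevation-prompt settings (assumed: run elevated on 2008 R2 / Win7).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "User Account Control: Behavior of the elevation prompt for administrators"
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# "User Account Control: Behavior of the elevation prompt for standard users"
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacConfiguration {
    $p = Get-ItemProperty -Path $uacKey

    # Fall back to the Windows defaults when a value has never been written.
    $adminValue = if ($p.ConsentPromptBehaviorAdmin -ne $null) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $userValue  = if ($p.ConsentPromptBehaviorUser  -ne $null) { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $luaEnabled = ($p.EnableLUA -eq 1)
    $secureDesk = ($p.PromptOnSecureDesktop -eq 1)

    # Findings a reviewer would raise: each one weakens the protection UAC is meant to give.
    $findings = @()
    if (-not $luaEnabled)  { $findings += 'UAC is disabled (EnableLUA is not 1)' }
    if ($adminValue -eq 0) { $findings += 'Administrators elevate without any prompt' }
    if ($userValue -eq 0)  { $findings += 'Standard users are silently denied (no credential prompt)' }
    if (-not $secureDesk)  { $findings += 'Prompts are not shown on the secure desktop' }

    # PowerShell 2.0 on 2008 R2 has no [PSCustomObject] accelerator, so build the object this way.
    New-Object PSObject -Property @{
        UacEnabled     = $luaEnabled
        AdminPrompt    = $adminPrompt[$adminValue]
        StandardPrompt = $userPrompt[$userValue]
        SecureDesktop  = $secureDesk
        Findings       = $findings
    }
}

Get-UacConfiguration | Format-List
```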

AppLocker
AppLocker is an upgrade from Software Restriction Policies. You can create rules for applications, but AppLocker does not require constant rule changes with each application update. AppLocker features a simplified rule structure, and it is enforced regardless of whether the user is logged in interactively or remotely (this applies even to administrators logged into the machine remotely). You can test out rules using audit-only mode and easily create them with the rule creation wizard. Certain versions of Windows 7 extend the abilities of AppLocker further. Finally, Windows has provided a usable built-in admin tool for restricting software on an end user's machine.
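The same workflow the wizard offers can be driven from the AppLocker PowerShell module that ships with Windows Server 2008 R2. The script below is an added example, not the article's or Microsoft's code: it builds publisher rules (which keep matching after a signed update, the point made above) with hash rules as a fallback, switches every rule collection to audit-only mode, dry-runs the policy against sample files, and only then applies it locally. The application folder, file names and rule prefix are assumptions.

```powershell
# Added example: build, audit-test and apply an AppLocker policy (assumed paths, 2008 R2 / Win7).
Import-Module AppLocker

$approvedDir = 'C:\Program Files\Contoso'                  # assumed: folder of trusted applications
$auditXml    = Join-Path $env:TEMP 'applocker-audit.xml'   # where the generated policy is written

# Collect signer, product, version and hash information for every .exe under the folder.
$fileInfo = Get-AppLockerFileInformation -Directory $approvedDir -Recurse -FileType Exe

# Publisher rules match signer + product + minimum version, so a signed update needs no new rule;
# unsigned files fall back to hash rules, which DO need regenerating after an update.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Contoso -Optimize -Xml

# Audit-only: nothing is blocked, but every would-be block is logged under
# Applications and Services Logs > Microsoft > Windows > AppLocker (event 8003 for EXE/DLL).
# This matters because an enforced collection denies everything that has no allow rule,
# including Windows itself unless default rules are added.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($auditXml)

# Dry run against files that exist on this machine (assumed names) before touching the live policy.
Test-AppLockerPolicy -XmlPolicy $auditXml -User Everyone `
    -Path "$approvedDir\app.exe", "$env:TEMP\unknown.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local computer. AppLocker only takes effect while the
# Application Identity service (AppIDSvc) is running.
Set-AppLockerPolicy -XmlPolicy $auditXml
Start-Service AppIDSvc
```

Review the AppLocker event log for a few days of normal use, then flip EnforcementMode to Enabled once the audit events show only what you expect to block.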

Enhanced Storage Access
Another new feature is Enhanced Storage Access, which adds Group Policy settings for managing Enhanced Storage devices. These policies let you use Group Policy to manage Enhanced Storage devices and to administer policies for the Certificate and Password Authentication Silos on your network. The policies include:
• Allow Enhanced Storage certificate provisioning
• Allow only USB root hub connected Enhanced Storage devices
• Configure list of approved Enhanced Storage devices
• Configure list of approved IEEE 1667 silos
• Do not allow password authentication of Enhanced Storage devices
• Do not allow non-Enhanced Storage removable devices
• Lock Enhanced Storage when the machine is locked
It is great to have a way to better lock down and protect removable storage devices without needing to rely on third-party tools.

Managed Service Accounts
Managed Service Accounts are another new security feature in Server 2008 R2. The idea of the managed service account is to give applications like Exchange Server and SQL Server automatic password management (which better isolates these services) and simplified service principal name (SPN) management. Managed service accounts can be managed only through PowerShell; there is no GUI interface. For domains in mixed mode you can also use managed service accounts with Windows Server 2003 and Server 2008 domain controllers. This is yet another way overdue feature that I am glad to see finally arrive in Windows Server security.
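Since there is no GUI, here is what the PowerShell-only lifecycle looks like end to end, as an added example that is not from the article or from Microsoft's documentation. It creates the account, ties it to a single computer (which is what isolates the service: only that host can retrieve the password), registers its SPN, installs it on the host, and points a Windows service at it with a blank password because Active Directory owns the credential. The domain, host, account, service and SPN names are assumptions.

```powershell
# Added example: managed service account lifecycle (assumed names throughout; requires the 2008 R2 AD module).
Import-Module ActiveDirectory

$msaName  = 'svc-app01'           # assumed MSA name (AD appends '$' to the SAM account name)
$hostName = 'APP01'               # assumed computer that will run the service
$domain   = 'CONTOSO'             # assumed NetBIOS domain name
$service  = 'MyAppService'        # assumed Windows service name

# --- Run from any machine with the AD module, as a user allowed to create accounts ---
# The domain generates and rotates this account's password; no human ever sets or sees it.
New-ADServiceAccount -Name $msaName -Description "Service account for $service on $hostName" -Enabled $true

# Only APP01 may retrieve the password. Binding to one host is the isolation benefit:
# a compromise elsewhere cannot reuse this account.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# SPNs live on the account itself, so Kerberos for the service needs no separate setspn step.
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{ Add = 'MyApp/app01.contoso.local:8443' }

# --- Run on APP01 itself ---
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME; check the host binding above"
}

# Point the service at the MSA. The logon name ends in '$' and the password is blank because
# the Service Control Manager fetches it from AD. Win32_Service.Change(): positions 7 and 8
# are StartName and StartPassword.
$svc = Get-WmiObject Win32_Service -Filter "Name='$service'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, "$domain\$msaName`$", '')
if ($result.ReturnValue -ne 0) { throw "Changing the logon account failed with code $($result.ReturnValue)" }
Restart-Service $service

# Verify: which hosts may use the account and when AD last rotated its password.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, PasswordLastSet |
    Select-Object Name, HostComputers, PasswordLastSet
```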

Stay tuned tomorrow for part III of our series when we will look at changes to Identity and Authentication in Windows Server 2008 R2!

About A Better Windows World

Ron Barrett, Director of e-Strategy for ClipTraining , is an independent trainer, author and consultant. He has been a technology professional for over 12 years, working for several major financial services firms and dotcoms. Ron is a specialist in network infrastructure, security, and IT management. He is the author of Office Communications Server 2007 R2: How-To , as well as co-author of Windows Server 2008: How-To and The Administrator’s Guide to Microsoft Office 2007 Servers. Ron has been a co-author or technical editor for several other books on Windows administration. Along with book writing, Ron has contributed to several industry magazines such as Redmond, Datamation and Windows IT Pro. Beyond writing, Ron has spoken at several technology conferences for CPAmerica, AICPA and MCP’s TECHMENTOR. Recently Ron has joined ClipTraining as the Director of e-Strategy in an effort to further the company’s presence via the Internet and social networking channels.