Windows Server 2008 R2: Security Changes and Additions Part II

R2 security changes in Authorization and Access Control

Another great set of changes and additions to Windows Server 2008 R2 security comes in the Authorization and Access Control areas. Some of the biggest (and most welcome) changes are to User Account Control (UAC) User Account Control (UAC) In Windows Server 2008 R2, UAC has reduced the number of prompts for standard users. Some common Admin tasks that do not require UAC prompts are: • Install updates from Windows Update • Install drivers (via Windows Update or the operating systems) • View (but not change) Windows settings • Pair Bluetooth devices to the computer • Reset the network adapter and perform other network diagnostic and repair tasks The UAC experience can be configured in the Control Panel by users with local Admin rights. UAC includes the ability to change the messaging behavior for Administrators and Standard users using the local security policies. It is great to see UAC finally get more user friendly, perhaps by Windows 8 we will have a UAC that we can be happy with, but this is a good step in that direction. AppLocker This is an upgrade from the software restriction policies. You can create rules for applications, but AppLocker does not require constant rule changes with each application update. AppLocker features a simplified rule structure; Applocker is enforced regardless if the user is logged in interactively or remotely (this applies even to administrators remotely logged into the machine). Test out rules using the audit only mode and easily create rules with the rule creation wizard. Certain versions of Windows 7 will extend the ability of Applocker further. Finally Windows has provided usable admin tool for restricting software on an end users machine. Enhanced Storage Access Another new feature is Enhanced Storage Access this will add group policy settings to manage Enhanced Storage devices. These policies enable you to use Group Policy to manage enhanced storage devices and administer policies for the Certificate and Password Authentication Silos on your network. The policies include: • Allow Enhanced Storage certificate provisioning • Allow only USB root hub connected Enhanced Storage devices • Configure list of approved Enhanced Storage devices • Configure list of approved IEEE 1667 silos • Do not allow password authentication of Enhanced Storage devices • Do not allow non-Enhanced Storage removable devices • Lock Enhanced Storage when the machine is locked It is great to have a way to better lock down and protect removable storage devices without needing to rely on third party tools. Managed Service Accounts Managed Service Accounts are another new feature added for security in Server 2008 R2. The idea of the managed service account is to provide a applications like Exchange Server and SQL Server to have automatic password management (which better isolates these services) . Provides simplified service principal names (SPN) management for applications. Managed service accounts can be managed only through PowerShell; there is no GUI interface. For domains in mixed mode you can also use service accounts on Windows Server 2003 and Server 2008 domain controllers,this yet another way overdue feature that I am glad to see finally arrive to Windows Server security. Stay tuned tomorrow for part III of our series when we will look at changes to Identity and Authentication in Windows Server 2008 R2!

Recent Posts Windows Server 2008 R2: Security Changes and Additions Part I Windows Mobile 6.5 leaves me un-impressed Exchange Server 2010 tools: Do not forget these tools in your Beta Tests 7 tools for Windows 7 rollouts ESF Database Migration Toolkit: From SQL to ORACLE without any fuss Slide Rocket: Create, Collaborate and share your slideshows in the cloud Remote Desktop Services: Some help to keep you from feeling 'Terminal'-ly lost ExRCA: Test your Exchange Server 2007 remote connectivity The iland Workforce Cloud: Go ahead keep your head and desktop in the cloud
Windows 7 Windows 7 Unveiled Will Windows 7 upgrade strategy keep XP users away…NO! Fun with Windows 7 Why Windows 7 will crush Linux Why XP users will switch to Windows 7 Why IT will adopt Windows 7
See my lists of great tools 12 killer freebie SharePoint add-ons Five great Windows open source tools 8 little-known technologies that instantly make Microsoft shops run smoother 9 wickedly useful Web sites for Windows administrators 12 cool cross-platform tools for Windows, Macs and Linux 20 great Windows open source projects you should get to know A Better Windows World Tools Library
Like this and want more? Check out the other tools I've written about in A Better Windows World. the Microsoft Subnet home page for more bloggers, news, humor, security alerts and more.

Plus, check out

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.

IT Salary Survey: The results are in