Windows Server 2008 R2: Security Changes and Additions Part III

R2 security changes in Identity and Authentication

For our last installment in the Windows Server 2008 R2 security changes and updates series, we have a slew of new features in the Identity and Authentication areas. Most of these changes are geared toward clients running Windows 7; in fact, many of these enhancements will only be seen if you have Windows 7 as a client. Some of the new features and changes include:

Online Identity Integration

This feature allows Windows 7 users to link their Windows account to an online ID (using PKU2U). Group Policy lets you control whether to allow or deny this feature in your domain; the setting is "Network security: Allow PKU2U authentication requests to this computer to use online identities" under Security Options. I have to admit the technology is cool, but I think I would start with a policy of disabled until I got more comfortable with the idea, myself.

PKU2U (Public Key Cryptography Based User-to-User)

PKU2U lets you authenticate users with certificates between systems that are not joined to a domain. PKU2U works with Online Identity Integration to allow users to share resources. It is implemented as an SSP (security support provider) that negotiates peer-to-peer authentication; the extensions are treated as an authentication protocol, and you can add or develop other SSPs. Looking at PKU2U, I can see some uses for it on networks where off-site people come in to work, perhaps for audits, and need access to internal resources.

Extensions to the Negotiate Authentication package

The Negotiate Extensions package (NegoExts) lets the Negotiate package select SSPs other than Kerberos and NTLM, such as PKU2U, for applications and scenarios implemented by Microsoft and by other software companies. These extensions are useful in securing federated applications like SharePoint and OCS 2007. They provide rich support for Office Live and Hosted Exchange services, paving the way for more SaaS applications within a domain.

Smart card Plug and Play

This new feature lets users use smart cards without vendor middleware, provided the vendor has published its smart card minidriver through Windows Update. This helps to simplify the management of smart cards and streamline the process of implementing them.

TLS v1.2

Schannel now supports TLS 1.2, which adds:
• Hash negotiation: the client and server can negotiate which hash algorithms to use as a built-in feature of the protocol, and the PRF is now built on SHA-256 rather than the MD5/SHA-1 combination used by TLS 1.0 and 1.1.
• Certificate hash or signature control: configure the certificate requester to accept only specified hash and signature algorithm pairs in the certification path.
• Suite B-compliant cipher suites: two cipher suites have been added to make TLS Suite B compliant, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

Restriction of NTLM authentication

New Group Policy settings allow you to audit and restrict NTLM authentication on Windows Server 2008 R2, Windows 7 and domain controllers. The "Network security: Restrict NTLM" settings under Security Options let you audit incoming, outgoing and domain NTLM traffic first, then deny it, with an exception list for servers that still need it. I say goodbye old friend, but then again your time is long past due. Better authentication methods are available and it is time to retire NTLM. These restrictions are a step in the right direction.

Windows Biometric Service

Enables administrators and users to use fingerprint biometric devices to log on to computers, grant elevation through UAC, and perform basic management of the fingerprint devices. Administrators can manage biometric devices in Group Policy (enable, limit, or block their use). It is great that there is finally more support for controlling biometric devices on the server; this is a welcome addition to Server security features.

Other changes

DES ciphers are no longer enabled by default for Kerberos, and where NTLM is still used, the default minimum session security for NTLM SSP-based clients and servers now requires 128-bit encryption.

Those are the additions and changes for Windows Server 2008 R2 security. Enjoy, and let me know if any of these new security features are working well for you in your environment.
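To put the TLS 1.2 section above into practice, here is an added example (my own script, not code from the original post) that turns TLS 1.2 on in Schannel on a Windows Server 2008 R2 or Windows 7 box and puts the two Suite B ECDHE/ECDSA GCM suites at the top of the cipher suite order. It uses the documented Schannel registry locations; the `_P256`/`_P384` suffixes are how this Windows generation names its ECDHE suites. The RSA suites in the list are an assumed fallback, not something the post prescribes, so that a server holding an RSA certificate (which cannot use the ECDSA suites) keeps accepting connections.

```powershell
# Added example, not code from the original post: enable TLS 1.2 in Schannel on
# Windows Server 2008 R2 / Windows 7 and put the Suite B ECDHE/ECDSA GCM suites
# at the top of the cipher suite order. Run from an elevated prompt; Schannel
# reads these keys at boot, so reboot afterwards.

$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Key behind the "SSL Cipher Suite Order" Group Policy setting.
$suiteKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-SchannelProtocol {
    param([string]$Protocol, [string]$Side, [bool]$Enable)
    $key = Join-Path $protoRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 hard-disables the protocol; DisabledByDefault=1 leaves it present
    # but not offered unless an application asks for it explicitly.
    $on = if ($Enable) { 1 } else { 0 }
    Set-ItemProperty -Path $key -Name 'Enabled'           -Value $on       -Type DWord
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value (1 - $on) -Type DWord
}

function Get-SchannelProtocol {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $protoRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { return "$Protocol/$Side : not configured (OS default)" }
    $p = Get-ItemProperty -Path $key
    "$Protocol/$Side : Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

# 1. TLS 1.2 on for both roles (it ships present but not offered by default on
#    this OS generation); SSL 2.0 off.
foreach ($side in 'Client', 'Server') {
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Side $side -Enable $true
    Set-SchannelProtocol -Protocol 'SSL 2.0' -Side $side -Enable $false
}

# 2. Cipher suite order. On Windows 7 / 2008 R2 the ECDHE suite names carry the
#    curve as a suffix (_P256 / _P384). The Suite B pair goes first; the RSA
#    suites are an assumed fallback for servers with RSA certificates.
$order = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
)
if (-not (Test-Path $suiteKey)) { New-Item -Path $suiteKey -Force | Out-Null }
# Single comma-separated REG_SZ; Schannel ignores anything past 1023 characters.
$functions = $order -join ','
if ($functions.Length -gt 1023) { throw 'cipher suite list exceeds the 1023-character limit' }
Set-ItemProperty -Path $suiteKey -Name 'Functions' -Value $functions -Type String

# 3. Show what is now configured.
foreach ($side in 'Client', 'Server') { Get-SchannelProtocol -Protocol 'TLS 1.2' -Side $side }
'Cipher suite order: ' + (Get-ItemProperty -Path $suiteKey).Functions
```

Two caveats before you run this on a production box. The `Functions` list is exclusive: any suite you leave out is no longer negotiable at all, so make sure the list matches the key types of the certificates your servers actually present. And on a domain member the local key is overwritten at the next policy refresh, so deploy the same values through the "SSL Cipher Suite Order" Group Policy setting rather than by hand.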
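The PKU2U policy, the NTLM audit-then-restrict settings and the "Other changes" at the end all live in a handful of registry values that the Security Options policies write to. As an added example (my own script, not code from the original post), the following inventories those values on a Windows 7 or Windows Server 2008 R2 machine, switches NTLM auditing on without blocking anything, and summarises what the NTLM operational log has recorded so you can build the exception list before flipping "Restrict NTLM" to deny. The registry paths and bit values are Microsoft's documented ones; the regular expression that strips per-event noise (process ID, LUID) from the event data is a best-effort assumption about the field names, and the default of 0x20080000 for an absent NtlmMin*Sec value is the documented default on this OS generation.

```powershell
# Added example, not code from the original post: check the Identity and
# Authentication settings discussed above, enable NTLM auditing (audit only),
# and summarise NTLM use from the operational log. Run elevated. On a domain
# member, Group Policy overwrites these local values at the next refresh.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$krb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    # PowerShell 2.0-safe read of a DWORD that may not exist yet.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $Default }
    return [int]$p.$Name
}

function Get-AuthBaseline {
    # 0x20080000 (NTLMv2 session security + 128-bit encryption) is the documented
    # default for NtlmMinClientSec/NtlmMinServerSec when the value is absent.
    $minClient = Get-RegDword $msv 'NtlmMinClientSec' 0x20080000
    $minServer = Get-RegDword $msv 'NtlmMinServerSec' 0x20080000
    $etypes    = Get-RegDword $krb 'SupportedEncryptionTypes' 0
    @{
        # "Allow PKU2U authentication requests to this computer to use online identities"
        Pku2uOnlineIdAllowed = ((Get-RegDword "$lsa\pku2u" 'AllowOnlineID' 0) -eq 1)
        # 0x20000000 = require 128-bit encryption
        NtlmClient128Bit     = (($minClient -band 0x20000000) -ne 0)
        NtlmServer128Bit     = (($minServer -band 0x20000000) -ne 0)
        # 0x1 = DES_CBC_CRC, 0x2 = DES_CBC_MD5; absent value = OS default, which excludes DES
        KerberosDesEnabled   = (($etypes -band 0x3) -ne 0)
        NtlmIncomingAudit    = Get-RegDword $msv 'AuditReceivingNTLMTraffic' 0    # 0 off, 1 domain accounts, 2 all
        NtlmIncomingRestrict = Get-RegDword $msv 'RestrictReceivingNTLMTraffic' 0 # 0 allow, 1 deny domain accounts, 2 deny all
        NtlmOutgoingRestrict = Get-RegDword $msv 'RestrictSendingNTLMTraffic' 0   # 0 allow, 1 audit, 2 deny
    }
}

function Enable-NtlmAuditing {
    # Audit-only values behind "Restrict NTLM: Audit incoming NTLM traffic" (all
    # accounts) and "Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # (audit all). Nothing is blocked; events land in Microsoft-Windows-NTLM/Operational.
    Set-ItemProperty -Path $msv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
}

function Get-NtlmUsageSummary {
    param([int]$Hours = 24)
    # 8001 = outgoing NTLM audited on the client, 8002 = incoming NTLM audited on
    # the server, 8003/8004 = domain-level audit on a domain controller. Per-event
    # noise (PID, LUID) is dropped before grouping so the same user/process/target
    # combination collapses into one row with a count.
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev   = $_
        $data = ([xml]$ev.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -notmatch 'PID|ProcessId|LUID' }   # assumed field-name filter
        New-Object PSObject -Property @{
            Id      = $ev.Id
            Details = (($data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join ' ')
        }
    } | Group-Object Id, Details | Sort-Object Count -Descending | Select-Object Count, Name
}

# Usage: inventory first, then audit, then (after a day or two) review.
Get-AuthBaseline
Enable-NtlmAuditing
Get-NtlmUsageSummary -Hours 24 | Format-Table -AutoSize -Wrap
```

Run the summary for a full business cycle (including month-end jobs and backups) before you move `RestrictReceivingNTLMTraffic` or `RestrictSendingNTLMTraffic` to deny; anything that shows up repeatedly and cannot be fixed goes on the "Add remote server exceptions" list for that policy, and everything else is exactly the NTLM traffic the post says it is time to retire.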

Like this and want more? Check out the other tools I've written about in A Better Windows World. Plus, check out the Microsoft Subnet home page for more bloggers, news, humor, security alerts and more.