The Long and the short of it on how Windows Server 2008 will improve security

Securing data is the hot topic across the public sector. In the latest of his regular columns, Gareth Hall explains how Windows Server 2008 will address security issues. 
 

Over the last couple of months, I have written about the overall Windows Server 2008 story and explained how we are grouping its improvements into four areas:

• A solid foundation for your business
• Security
• Built for the Web
• Virtualisation

This month, I would like to focus on security in more detail – especially as I know that security is never far from an NHS IT manager’s mind, and is a particularly hot topic in the public sector at the moment. “Security is never far from an NHS IT manager’s mind...”

What does security mean for a server?

I tend to group the security features of Windows Server 2008 into two areas – internal server security and additional functionality that you can use to improve the security of the desktops and users across your trust.

Internal Server Security

Windows Server 2008 is the most secure Windows Server ever. Its hardened operating system is a result of the Security Development Lifecycle (SDL) approach that we now take when developing products.

This ensures that security is considered at every stage of the development process and the server cannot be released without significant security testing. I won’t go into it in detail here, but rest assured, the development teams now make security their number one priority.

We do recognise, however, that no operating system - from any vendor - is 100 per cent secure, so we are continuing to make it easier to update your servers as Microsoft Update provides them. I would like to highlight a couple of areas of interest here, though:

Secure startup and shield up at install: Secure startup works with hardware-based security to protect against data theft by protecting the operating system when a system is offline or while the operating system is being installed.

Windows Service Hardening: Windows Service Hardening helps to stop malware from being able to propagate to other machines on the network. It restricts critical Windows services from doing abnormal activities in the file system, registry, network, or other resources that could be used to allow malware to install itself or to attack other computers.

Inbound and outbound firewall: A feature of the advanced security functionality provides the ability to support firewall interception of both incoming and outgoing traffic. This is a powerful feature that can enable a trust IT manager to block a peer-to-peer application if they need to. “In addition to the internal improvements within Windows Server 2008, we have invested in technology and developments to enable trusts to deploy additional security functionality across their organisation.” 

Driving security across your trust

In addition to all the internal improvements within Windows Server 2008, we have invested in technology and developments to enable trusts to deploy additional security functionality across their organisation.

Network access protection, in particular, should be of interest to the NHS - not because it deals with PC “health”, but because it should be a cost effective way of managing the huge number of mobile PCs roaming the health service and moving between trust networks.

Additionally, for the huge number of branch offices in the NHS - GP clinics, primary care trust sites and so on - the read only domain controller, especially when coupled with Bitlocker drive encryption, brings important security benefits. This is one of the areas where we have seen significant interest from early adopter customers.

Network Access Protection (NAP): This is a new framework that allows an IT administrator to define health requirements for the network and to restrict computers that do not meet these requirements from communicating with the network.

For example, health requirements may be defined to require all updates to the operating system to be installed, or to have antivirus or antispyware software installed and updated. In this way, network administrators can define the baseline level of protection all computers carry when connecting to the network.

Microsoft BitLocker provides additional security for your data through full volume encryption on multiple drives, even when the system is in unauthorised hands or running a different operating system time, data, and control.

Read-Only Domain Controller (RODC): A new type of domain controller configuration in the Windows Server 2008 operating system makes it possible for organisations to easily deploy a domain controller in locations where the physical security of a domain controller cannot be guaranteed.

An RODC hosts a read-only replica of the Active Directory directory services database for a given domain. Prior to this release, users who had to authenticate with a domain controller, but were in a remote clinic or surgery that could not provide adequate physical security for one, had to authenticate over a wide area network (WAN). In many cases, this was not an efficient solution.

Placing a read-only Active Directory database replica closer to branch users means they can benefit from faster logon times and more efficient access to authentication resources on the network, even in environments without the physical security required to deploy a traditional domain controller.

Find out more

As I mentioned last week, the early adopter customers we are working with are already getting the benefit of these technologies. We will make much more information available about this as we get closer to launch.

But if you want to try Windows Server 2008 for yourself, you can get the Release Candidate (and huge amounts of information) via the Windows Server 2008 website. For more detailed security information, click here for all the info you will ever need.

• See Gareth's previous column, The long and the short of it on the “solid foundation” of Windows Server 2008

About the author: Gareth Hall is Windows Server Product Manager for the UK, and is responsible for launching Windows Server 2008 in the UK next year. He previously worked in the NHS team at Microsoft, and before that as an IT and Information Manager in the NHS.