Managing user identities is a top priority for many businesses today. People need to access multiple systems and resources on the corporate network, using different types of devices. But because many of these systems don't communicate with each other, it's not uncommon to have multiple identities for the same person. As a result, managing these redundant identities becomes complex, wastes time, and increases security risks due to errors.
Overview
Microsoft Identity and Access solutions are a set of platform technologies and products designed to help organizations manage user identities and associated access privileges. With a focus on security and ease of use, these solutions help businesses boost productivity, reduce IT costs, and eliminate the complexity of identity and access management.
Microsoft Identity and Access solutions fall into five distinct areas:
Simplifies management of users and devices.
Secures access beyond user names and passwords.
Collaborates securely across organizational boundaries.
Safeguards confidential data—no matter where it goes.
Automates identity and access management.
Windows Server 2008 expands on the Microsoft Identity and Access foundation with several new features and technologies to help organizations improve operational efficiency, simplify compliance, and strengthen security.
What's New with Directory Services
Read-Only Domain Controllers. One of the most significant new features for Active Directory Domain Services (AD DS) in Windows Server 2008 is the read-only domain controller (RODC). An RODC allows you to easily deploy a domain controller that hosts a read-only replica of the domain database. This is well suited for locations where physical security of the domain controller can't be guaranteed, where network connectivity may have a negative impact on productivity, or where other applications must run on a domain controller and be maintained by a server administrator (who, ideally, is not a member of the Domain Admins group). All of these scenarios are common in branch office deployments.
An RODC holds the same objects and attributes that a writable domain controller holds. However, locally originating changes are not made to the RODC replica itself; instead, these changes are made on a writable domain controller and then replicated back to the RODC. This prevents changes made at branch locations from potentially polluting or corrupting the AD forest through replication.
Administrators may also specifically configure an RODC to store (cache) user credentials. The first time a user attempts to authenticate to an RODC, the RODC forwards the request to a writable domain controller. If the authentication is successful, the RODC also requests a copy of the user credentials. The Password Replication Policy determines whether those credentials are allowed to be replicated to and cached on the RODC. If the credentials are cached, the next time that user attempts to log on, the request can be serviced directly by the RODC until it is subsequently notified, through replication, of a credential change. Credential caching can increase end-user productivity by mitigating the effects of wide area network (WAN) latency or network connectivity issues that are commonly experienced by branch offices. AD DS also maintains a list of all credentials stored on each RODC, so if an RODC is ever compromised, an administrator can force a password reset for every account whose credentials were stored on that RODC.
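The Password Replication Policy decision described above, as an added example that is not Microsoft's code: it models the Allowed and Denied lists, expands nested group membership, and applies the rule that a deny (explicit or inherited) always wins over an allow. The directory contents, the user names and the subset of default group names are constructed for the example.

```python
# Added example, not Microsoft's code: deciding whether an RODC's Password
# Replication Policy (PRP) lets it cache an account's credentials. Assumptions:
# a constructed directory; PRP = Allowed list (msDS-RevealOnDemandGroup) plus
# Denied list (msDS-NeverRevealGroup); Deny beats Allow; no match means deny.
# Only a subset of the default Denied groups is shown.
# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": {"alice"},
    "Enterprise Admins": {"alice"},
    "Account Operators": {"carol"},
    "Branch-Users": {"bob", "carol", "Branch-Contractors"},
    "Branch-Contractors": {"dave"},
    "Allowed RODC Password Replication Group": {"Branch-Users"},
    "Denied RODC Password Replication Group": {
        "Domain Admins", "Enterprise Admins", "Account Operators"},
}

DEFAULT_PRP = {  # what a freshly deployed RODC has: the two default groups
    "allowed": {"Allowed RODC Password Replication Group"},
    "denied": {"Denied RODC Password Replication Group"},
}

def expand_group(name, seen=frozenset()):
    """All users reachable from a group, following nesting without cycling."""
    users = set()
    for member in GROUPS.get(name, ()):
        if member not in GROUPS:
            users.add(member)
        elif member not in seen:
            users |= expand_group(member, seen | {name, member})
    return users

def resolve_users(entries):
    """Users covered by a PRP list whose entries may be users or groups."""
    users = set()
    for entry in entries:
        users |= expand_group(entry) if entry in GROUPS else {entry}
    return users

def decide(policy, user):
    """Return (verdict, reason); an explicit or inherited deny always wins."""
    if user in resolve_users(policy["denied"]):
        return "deny", "matched Denied list"
    if user in resolve_users(policy["allowed"]):
        return "allow", "matched Allowed list"
    return "deny", "no match (default deny)"

def cacheable_accounts(policy, users):
    """Accounts whose credentials this RODC may cache (its exposure set)."""
    return sorted(u for u in users if decide(policy, u)[0] == "allow")
```

Running `cacheable_accounts` against the accounts that actually log on at a branch gives the list an administrator would reset if that RODC were stolen.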
RODCs include a delegated promotion feature that allows installation and management to be delegated to non-administrative personnel at a branch office. Branch office personnel can complete an installation by attaching a server to the RODC account an administrator has previously created. This feature eliminates the need to use a staging site for branch office domain controllers, or to send installation media and a domain administrator to the branch location.
Active Directory Federation Services. Active Directory Federation Services (AD FS) is a server role in the Windows Server 2008 operating system. You can use AD FS to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. AD FS now includes a policy import/export feature to make it easier to set up a trust relationship between federation partners. A membership provider is added to allow role-based authorization to Windows SharePoint Services and Rights Management Services (RMS) for users from a federation partner, and administrators now have the ability to limit federation service deployment through Group Policy. Support for different certificate-revocation checking settings is now provided, as well.
Directory Service Auditing. Administrators now have more detailed auditing capabilities through the new Directory Service Changes audit policy subcategory. The Directory Service Changes audit policy captures the old and new values of changes made to Directory Service objects or their attributes. Administrators will know exactly who made a change, when the change was made, what object and/or attribute was changed, and what the beginning and ending values were. Directory Service auditing is written to the Windows Event Log and can be consolidated and acted on through Microsoft Operations Manager or third-party tools. This detailed level of logging helps simplify Directory Service change management tracking and can enhance an organization's regulatory compliance.
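An added example, not from Microsoft, of turning Directory Service Changes records into the who/when/what/before/after view the paragraph describes. It assumes the event 5136 field names and the "Value Added"/"Value Deleted" operation-type codes; the records themselves and the list of privileged objects are constructed.

```python
# Added example, not Microsoft's code: reconstructing who/when/what/before/after
# from Directory Service Changes audit records. A single-valued attribute edit
# is logged as two event 5136 records sharing an OpCorrelationID: one with
# OperationType "Value Deleted" (old value) and one with "Value Added" (new
# value). Field names follow the 5136 schema; the records are constructed.
VALUE_ADDED = "%%14674"    # OperationType resource code for "Value Added"
VALUE_DELETED = "%%14675"  # OperationType resource code for "Value Deleted"

def event(corr, obj, attr, op, value, who="helpdesk1", when="2008-03-01T09:12:07Z"):
    """Build a constructed 5136 record with the fields this example uses."""
    return {"EventID": 5136, "TimeCreated": when, "SubjectUserName": who,
            "OpCorrelationID": corr, "ObjectDN": obj,
            "AttributeLDAPDisplayName": attr, "OperationType": op,
            "AttributeValue": value}

BOB = "CN=Bob,OU=Branch,DC=corp,DC=example"
DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
EVENTS = [  # constructed: a description edit, then Bob added to Domain Admins
    event("{A1}", BOB, "description", VALUE_DELETED, "Contractor"),
    event("{A1}", BOB, "description", VALUE_ADDED, "Staff"),
    event("{A2}", DA, "member", VALUE_ADDED, BOB, when="2008-03-01T09:13:40Z"),
    {"EventID": 4624, "SubjectUserName": "bob"},  # unrelated, must be ignored
]

def reconstruct_changes(events):
    """Pair Value Deleted / Value Added records into one change each."""
    changes, order = {}, []
    for e in events:
        if e.get("EventID") != 5136:
            continue
        key = (e["OpCorrelationID"], e["ObjectDN"], e["AttributeLDAPDisplayName"])
        if key not in changes:
            changes[key] = {"who": e["SubjectUserName"], "when": e["TimeCreated"],
                            "object": e["ObjectDN"], "old": None, "new": None,
                            "attribute": e["AttributeLDAPDisplayName"]}
            order.append(key)
        slot = "old" if e["OperationType"] == VALUE_DELETED else "new"
        changes[key][slot] = e["AttributeValue"]
    return [changes[k] for k in order]

# Changes a reviewer should see first: membership or account-control edits on
# privileged objects. The object prefixes are constructed for this example.
SENSITIVE_ATTRIBUTES = {"member", "userAccountControl", "servicePrincipalName"}
PRIVILEGED_PREFIXES = ("CN=Domain Admins,", "CN=Enterprise Admins,")

def flag_sensitive(changes):
    return [c for c in changes if c["attribute"] in SENSITIVE_ATTRIBUTES
            and c["object"].startswith(PRIVILEGED_PREFIXES)]
```

A multi-valued attribute such as member yields one change per added value with no old value, which is why the member add above is reported with `old` unset.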
Server Core Role. AD DS and Active Directory Lightweight Directory Services (AD LDS) are supported roles for Server Core installations of Windows Server 2008. Server Core is a new installation option that creates a low-maintenance environment ideal for specific role-based services. Server Core is designed to reduce management and servicing requirements, while limiting the attack surface of a Windows Server 2008 installation.
Service-Based AD DS. AD DS is service-based in Windows Server 2008; it may now be stopped and started using Microsoft Management Console (MMC) snap-ins or from the command line. A service-based AD DS simplifies management by reducing the time required to perform offline operations, such as an offline defragmentation or authoritative restore. It also improves the availability of other services that are running on a domain controller by keeping them active while performing AD DS maintenance. Any clients that are specifically bound to a stopped domain controller would simply contact another domain controller through discovery.
AD DS Snapshot Viewer. By exposing information about objects in snapshots of AD DS (taken over time), Snapshot Viewer helps you identify objects that have been accidentally deleted. These snapshots can be viewed on a domain controller without starting the domain controller in Directory Services Restore Mode. By comparing the various states of the objects as they appear in different snapshots, you can more easily decide which AD DS backup to use to restore the deleted objects.
Fine-Grained Password and Account Lockout Policy. Fine-grained password policies allow specification of multiple password policies and application of different password restrictions and account lockout policies to different sets of users within a single domain.
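When several fine-grained policies cover the same user, AD DS picks one by a fixed set of precedence rules. The following is an added example, not Microsoft's code, that models that resolution on constructed directory data; the GUID tie-break is done by string comparison here, which is an assumption made for brevity.

```python
# Added example, not Microsoft's code: resolving which fine-grained password
# policy (Password Settings Object, PSO) a user actually gets when several
# apply. Rules modelled are the AD DS ones: a PSO linked directly to the user
# beats any group-linked PSO; among candidates the lowest
# msDS-PasswordSettingsPrecedence wins; a remaining tie goes to the lowest
# objectGUID (compared here as strings, an assumption); with no match the
# domain's default password policy applies. All directory data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence (lower wins)
    guid: str              # objectGUID, constructed placeholder values
    applies_to: frozenset  # msDS-PSOAppliesTo: users and global groups
    min_length: int        # msDS-MinimumPasswordLength
    lockout_threshold: int # msDS-LockoutThreshold (0 = never lock out)

DOMAIN_POLICY = PSO("Default Domain Policy", 2**31, "", frozenset(), 7, 0)

PSOS = [
    PSO("PSO-Admins", 10, "2b00-guid", frozenset({"Domain Admins"}), 15, 3),
    PSO("PSO-Branch", 20, "7c00-guid", frozenset({"Branch-Users"}), 8, 10),
    PSO("PSO-Helpdesk", 20, "1a00-guid", frozenset({"Helpdesk"}), 10, 5),
    PSO("PSO-Bob", 50, "9f00-guid", frozenset({"bob"}), 12, 20),
]

# Transitive group membership, already flattened as tokenGroups would be.
USER_GROUPS = {
    "alice": {"Domain Admins", "Branch-Users"},
    "bob": {"Branch-Users", "Helpdesk"},
    "carol": set(),
    "dave": {"Branch-Users", "Helpdesk"},
}

def resultant_pso(user, psos=PSOS, groups=USER_GROUPS):
    """Return the PSO that governs the user (what msDS-ResultantPSO reports)."""
    direct = [p for p in psos if user in p.applies_to]
    member_of = groups.get(user, set())
    via_group = [p for p in psos if p.applies_to & member_of]
    candidates = direct or via_group      # direct links always win
    if not candidates:
        return DOMAIN_POLICY
    return min(candidates, key=lambda p: (p.precedence, p.guid))
```

Note that a user-linked PSO wins even with a numerically worse precedence (PSO-Bob at 50 beats the group-linked policies at 20), which is the case that most often surprises administrators.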
Install from Media. The install from media (IFM) option can be used to install an additional domain controller in an existing domain and to minimize replication traffic during the installation.
What's New with Strong Authentication
Cryptography API: Next Generation. Cryptography API: Next Generation (CNG) is a completely new infrastructure application programming interface (API) in Windows Server 2008 that implements the National Security Agency's Suite B protocols recommendation. Active Directory Certificate Services (AD CS) leverages CNG for its cryptographic needs. CNG is a long-term replacement for the CryptoAPI in previous versions of Windows.
In AD CS, classic cryptographic algorithms are still supported through cryptographic service providers (CSPs), while new cryptographic algorithms, such as elliptic curve cryptography (ECC), are supported through CNG key storage providers. One of the unique features of CNG is the ability for organizations to plug in custom cryptographic algorithms as required.
Granular Administration Model. AD CS employs new security features that provide granular control over who can enroll certificates, what certificates they can enroll, and who can be issued the certificates. These management features integrate AD DS security groups into the management tasks of enrollment agents and Certificate Managers.
V3 Certificate Templates. In AD CS, V3 certificate templates supersede the V1 and V2 certificate templates introduced in previous Windows versions; they support the latest Windows Server 2008 CNG cryptographic algorithms. V3 templates also provide a more secure method for client validation of domain controllers, and can encrypt client and server AD CS-related communications.
Enterprise-Wide Public Key Infrastructure (PKI) management. PKIView, available as part of the Windows Server 2003 Resource Kit, is now included as an MMC snap-in with the installation of AD CS in Windows Server 2008.
PKIView simplifies the management of an enterprise's PKI by combining vital certificate authority (CA) management tasks within a single administrative interface. Because the interface supports Unicode, it can be used consistently across geographic regions and languages. Using the consolidated interface, administrators have:
A single, hierarchical view of the complete PKI infrastructure that is registered with, and participates in, an AD DS topology.
A parent/child relationship view: when a particular root CA is chosen, all subordinate CAs are detailed within the root's tree.
The ability to directly manage each node within the interface.
Color-coded indicators that signify the overall health of CAs, trees, or the enterprise PKI as a whole.
Support for the Latest Standards. AD CS in Windows Server 2008 introduces support for the latest standards, including the Online Certificate Status Protocol (OCSP), the Issuing Distribution Point Extension (IDP CRL), and the Simple Certificate Enrollment Protocol (SCEP).
What's New with Information Protection
Federated Collaboration. Windows Server 2008 delivers the first implementation of a fully integrated Federated Rights Management Services solution. This integration combines the aspects of Active Directory Federation Services (AD FS) with those of Active Directory Rights Management Services (AD RMS) to deliver an easily deployed external collaboration framework.
Prior to Windows Server 2008, rights-protected collaboration with external organizations required IT administrators to internally maintain a secondary set of credentials for use by external users. These were typically domain accounts or some form of Passport integration. With the integration of the features of AD RMS with AD FS, external users attempting to access an organization's protected content are initially authenticated by their home realm (domain controller), thereby eliminating the need to maintain a redundant set of credentials.
Once these external users are authenticated, AD RMS policies are enforced, and AD RMS will automatically provide the external user with appropriate content licenses to work with an organization's protected content. Administrators have granular control over how these external users interact with an organization's content and may also define templates to apply to multiple partner relationships. Federated Rights Management Services in Windows Server 2008 is fully compatible with existing Microsoft Office SharePoint Server 2007 deployments and fully supports down-level AD RMS clients.
Common Management Theme. AD RMS transitions to a more familiar management framework. The AD RMS Web-based administrative interface of the past moves to an MMC snap-in. Additionally, managing AD RMS becomes more prescriptive, with a task-oriented interface that provides quick links to required, recommended, and optional configuration tasks. Four new security groups allow administrators to delegate AD RMS management tasks to specific users or groups.
Windows BitLocker Drive Encryption. Windows BitLocker Drive Encryption is a data-protection feature that is available in Windows Vista Enterprise and Windows Vista Ultimate for client computers, and in all editions of Windows Server 2008. Windows BitLocker Drive Encryption is a new feature from Microsoft that addresses the very real threats of data theft or exposure from lost, stolen, or inappropriately decommissioned PC hardware.
Windows BitLocker Drive Encryption helps prevent a thief who boots another operating system or runs a software hacking tool from breaking the Windows Server 2008 file and system protections, or performing offline viewing of the files that are stored on the protected drive. The feature ideally uses Trusted Platform Module (TPM) 1.2 to protect data and to help ensure that a computer that is running Windows Server 2008 has not been tampered with while the system was offline. Windows BitLocker Drive Encryption enhances data protection by bringing together two major subfunctions: full drive encryption and the integrity checking of early boot components.