Protecting the network is one of the toughest challenges in IT today. Network administrators must establish and enforce security policies that provide robust protection while being flexible enough to accommodate the connectivity needs of a growing number of internal and external users, device types, system configurations, and network connection types. In addition to several enhancements to Active Directory which help make Identity and Access Management more efficient, Windows Server 2008 includes several additional security and policy enhancements:
Network Policy and Access Services
Network Policy and Access Services in Windows Server 2008 delivers a variety of methods to help provide users with secure local and remote network connectivity, connect network segments, and allow network administrators to centrally manage network access and client health policies. With Network Access Services, you can more securely deploy virtual private network (VPN) servers, dial-up servers, routers, and 802.1X-protected wireless access. You can also deploy RADIUS servers and proxies, and use the Connection Manager Administration Kit to create remote access profiles that allow client computers to safely connect to your network.
Network Policy and Access Services in Windows Server 2008 provides the following network connectivity solutions:
Network Access Protection. Network Access Protection (NAP) is a new client health policy creation, enforcement, and remediation technology that is available for Windows XP, Windows Vista, and the Windows Server 2008 operating system. With NAP, administrators can establish and automatically enforce health policies that can include software requirements, security update requirements, required computer configurations, and other settings. For more information, visit the NAP Web page.
Highly Secure Wireless and Wired Access. When you deploy 802.1X wireless access points, highly secure wireless access provides wireless users with a security-enhanced, password-based authentication method that is easy to deploy. When you deploy 802.1X authenticating switches, wired access helps you to secure your network by ensuring that intranet users are authenticated before they can connect to the network or obtain an IP address using Dynamic Host Configuration Protocol (DHCP).
Remote Access Solutions. With remote access solutions, you can provide users with VPN and traditional dial-up access to your organization’s network. You can also connect branch offices to your network with VPN solutions, deploy full-featured software routers on your network, and share Internet connections across the intranet.
Central Network Policy Management with RADIUS Server and Proxy. Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network.
Network Access Protection
Exposure of client devices to malicious software, such as viruses and worms, continues to increase. These programs can gain entry to an unprotected or incorrectly configured host system and then use that system as a staging point to propagate to other devices on the corporate network. Network Access Protection (NAP) from Microsoft, a new set of operating system components included with Windows Server 2008 and Windows Vista, gives network administrators a platform to mitigate this threat by helping ensure that client computers on a private network meet administrator-defined requirements for system health.
Visit the NAP Web page for more information.
Windows Firewall with Advanced Security
Beginning with Windows Vista and Windows Server 2008, configurations of both Windows Firewall and Internet Protocol security (IPsec) are combined into a single tool, the Windows Firewall with Advanced Security MMC snap-in. On by default, Windows Firewall with Advanced Security consolidates and enhances two functions that were managed separately in previous versions of Windows:
Filtering of all IP version 4 (IPv4) and IP version 6 (IPv6) traffic entering or leaving the system. By default, all incoming traffic is blocked unless it is a response to a previous outgoing request from the computer (solicited traffic) or unless it is specifically allowed by a rule created to allow that traffic. By default, all outgoing traffic is allowed, except for service hardening rules that prevent standard services from communicating in unexpected ways. You can choose to allow traffic based on port numbers, IPv4 or IPv6 addresses, the path and name of an application, the name of a service that is running on the computer, or other criteria.
Protecting network traffic entering or exiting the computer by using the IPsec protocol to verify the integrity of the network traffic, to authenticate the identity of the sending and receiving computers or users, and to optionally encrypt traffic to provide confidentiality.
In previous versions of Windows, implementations of server or domain isolation sometimes required a large number of IPsec rules to ensure that traffic needing protection was secured while still permitting necessary traffic that could not be secured with IPsec. This complexity is eased in Windows Server 2008 by a new default behavior that results in a more secure and easier-to-troubleshoot environment.
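The following is an added example, not code from the original page or from Microsoft documentation, showing how the firewall filtering and IPsec rules described in this section are configured together on Windows Server 2008 with the built-in netsh advfirewall context (run from an elevated PowerShell prompt). The rule names, the management subnet 10.10.0.0/24, the intranet range 10.0.0.0/8, and the spooler service/program are assumptions chosen for illustration; the check function also assumes English-language netsh output.

```powershell
# Added example (not from the page): Windows Firewall with Advanced Security
# on Windows Server 2008 via netsh advfirewall. Subnets, rule names and the
# spooler service/program path are illustrative assumptions.

function Test-DefaultFirewallPolicy {
    # Verifies rather than assumes the "block unsolicited inbound, allow
    # outbound" default on all three profiles (domain, private, public).
    # Assumes English netsh output. Returns $true only if every profile matches.
    $text = (netsh advfirewall show allprofiles) -join "`n"
    $policies = @([regex]::Matches($text, 'Firewall Policy\s+(\S+)') |
        ForEach-Object { $_.Groups[1].Value })
    $bad = @($policies | Where-Object { $_ -ne 'BlockInbound,AllowOutbound' })
    return ($policies.Count -eq 3) -and ($bad.Count -eq 0)
}

# Turn the firewall on for every profile and restore the default policy.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Inbound rule scoped by port, remote address range and profile: only the
# (assumed) management subnet may reach Remote Desktop, and only while the
# server is on the domain profile.
netsh advfirewall firewall add rule name="Allow RDP from management subnet" `
    dir=in action=allow protocol=TCP localport=3389 `
    remoteip=10.10.0.0/24 profile=domain

# Inbound rule scoped to a service name and an application path instead of a
# port, so the opening is tied to that program rather than to any listener.
netsh advfirewall firewall add rule name="Allow Print Spooler (domain)" `
    dir=in action=allow service=spooler `
    program="$env:SystemRoot\system32\spoolsv.exe" profile=domain

# Connection security rule for server isolation: request Kerberos computer
# authentication with every intranet host. "request" (not "require") means
# peers that cannot negotiate IPsec still communicate, so no separate
# exemption rules are needed for them.
netsh advfirewall consec add rule name="Request IPsec on intranet" `
    endpoint1=any endpoint2=10.0.0.0/8 action=requestinrequestout `
    auth1=computerkerb

# Firewall rule that only allows SMB when the connection was authenticated by
# IPsec, combining the filtering and protection functions in one rule.
netsh advfirewall firewall add rule name="Allow SMB only over IPsec" `
    dir=in action=allow protocol=TCP localport=445 security=authenticate

if (-not (Test-DefaultFirewallPolicy)) {
    Write-Warning "One or more profiles are not at BlockInbound,AllowOutbound."
}
```

Review the result with `netsh advfirewall firewall show rule name=all` and `netsh advfirewall consec show rule name=all`, and watch the Windows Firewall with Advanced Security monitoring node for security associations before tightening the connection security rule from request to require.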