Tips for Making the Most of Longhorn’s Top Five Security Features: Deploying Windows Server 2008
Written by Rich Getteau   
Wednesday, 11 June 2008
With the release of Windows Server 2008 (WS08), code-named Longhorn, Microsoft has included a wealth of new features and added numerous enhancements. This particular update to Microsoft’s server operating system is an important one – mostly due to its improved security and improved remote manageability. There are five new security features that truly stand out above the rest, and of course, there are tricks to making the most of these in a functional IT environment.

#1 – Server Core
As most can attest, when you reduce the amount of software installed on a server, you reduce the machine's attack footprint and, hopefully, the number of issues caused by software incompatibilities. With Server Core in WS08, Microsoft has given companies something they have been wanting for years: a basic install with just the components required for a particular role. While you could approximate this in the past by shutting off services that were not in use, that was more of a workaround than a real solution. The new Server Core feature of WS08 allows you to install a server into one of the following roles: Web Services, Hyper-V, Active Directory Domain Services (AD DS), AD Lightweight Directory Services (AD LDS), DHCP Services, DNS Services, File Services and Print Services.

Before you go all out and start firing up Server Core installs, you should be aware of some Server Core restrictions. The first thing to note is that there is no Explorer shell with Server Core, only a command prompt. So if you are going to install an application or configure a setting, you should brush up on your scripting. Secondly, you cannot upgrade a machine to a Server Core install, so you will need another plan if you want to do an in-place upgrade of your 2003 file servers to the 2008 File Services role. Finally, since there is no Explorer shell, you will need to test your various management applications to see if they still install and run on Server Core. On the bright side, you can still use Remote Desktop Protocol (RDP) to connect to a Server Core box, and you can still manage your applications remotely with Microsoft Management Consoles (MMCs).

#2 – Read Only Domain Controller
Imagine these scenarios: you have a remote office that needs a domain controller (DC) to speed up log-ons, but you can’t guarantee the security of the servers. Or, perhaps you have an application at a remote site that runs better with a local DC, and that site only has space for a single server. In the past, you had to install a local DC with a copy of everyone’s passwords and hope that the servers never fell into the wrong hands, or, in the single server scenario, you had to juggle the access needs of the application owners with the security needs of the IT group. 

Microsoft has addressed these concerns in WS08 with the Read Only Domain Controller (RODC)/Read Only DNS Server. RODCs are DCs that only contain the passwords for people at the remote location and, if configured as a DNS server, hold a read-only copy of the DNS directory partitions. This way, if the server is ever stolen or compromised, the only passwords someone can get from the AD database are the passwords for the local users. A second feature of an RODC is that it gives IT the ability to delegate administrative privileges for a particular server to the application owners without giving them the rights to modify the domain.

To use RODCs, the domain/forest must be in Server 2003 mode, you must run the adprep command with the /rodcprep switch, and the Primary Domain Controller (PDC) emulator for the domain must be running Server 2008. Once those requirements are met, you can deploy RODCs and make your remote/branch offices more secure.

#3 – BitLocker
Taking a page from Vista, WS08 now supports the BitLocker technology. BitLocker differs from Encrypting File System (EFS) in that it allows administrators to encrypt the entire contents of the drive, not just individual files. Once a drive is encrypted with BitLocker, the only way to read the data is to have access to the correct encryption keys. This helps protect against the threat where someone steals a hard drive and installs it into another system, or installs a second OS in parallel on the same drive and reads the data through that other OS.

To enable BitLocker, your machine must have a Trusted Platform Module (TPM) installed at the hardware level. The TPM allows the OS to perform integrity checks on the boot files as the OS starts up. If your hardware does not support TPM, you can instead store the encryption keys on a USB flash drive.

Finally, you must have a separate, unencrypted, active/system partition for the WS08 boot files. BitLocker also requires that you provide a recovery password during installation, so that should you ever lose a server and need to recover the data, you can still unlock the drive. If needed, the recovery password can also be stored in AD. When you combine BitLocker with the other branch office solutions like RODCs, you increase your flexibility in unsecured remote locations.

#4 – Password Policy Changes
When I taught Microsoft Certified Systems Engineer (MCSE) classes, one of the hardest things for people to understand was that there was only one password policy for all user IDs in a domain. This always caused confusion because people were constantly showing me that they could create a group policy object (GPO) with password settings and wanted to know why it didn’t take effect on the users in that Organizational Unit (OU).

Eventually I was able to show them that their new policy only affected the local user IDs on the computers in that OU and did nothing for the AD user accounts. To get around this limitation, some companies set up multiple AD domains so they could vary the password options, or they used complex password filters, or, even worse, they would turn off their password policy long enough to reset a password to something that wouldn’t work with the standard password policy.

After years of asking, Microsoft finally gave us the ability to run multiple password policies. Now you can have that long, complex password policy for the end users and a short, non-complex password policy for the legacy applications. Unfortunately, setting up the varying password policies is not as simple as creating a new GPO and applying it to your users. To create multiple password policies in WS08, the domain must be at the WS08 functional level and you must be in the Domain Admins group. If you meet those requirements, you can create Password Settings Objects (PSOs) in the directory. Once the PSO has been created and you have assigned a precedence value to it, you can link that PSO to global groups or user IDs in the domain.
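A PSO like the one described above can be created on a WS08 domain controller by importing an LDIF file. The following is an added example (not from the article) that generates such a file, encoding the msDS-* durations as the negative 100-nanosecond intervals the schema expects; the domain DN, PSO name and group DN used in it are constructed sample values.

```python
"""Build LDIF for a Windows Server 2008 Password Settings Object (PSO).

Added example, not from the original article. The msDS-* duration
attributes are negative counts of 100-nanosecond intervals, which is
the usual source of errors when creating PSOs by hand (e.g. via ldifde).
"""

TICKS_PER_SECOND = 10_000_000   # 100-nanosecond intervals in one second
NEVER = -(2 ** 63)              # Int64 minimum: "password never expires"


def ad_interval(days=0, hours=0, minutes=0):
    """Encode a duration as the negative I8 tick count AD expects."""
    seconds = days * 86400 + hours * 3600 + minutes * 60
    return -seconds * TICKS_PER_SECOND


def pso_ldif(name, domain_dn, precedence, applies_to, *, min_length,
             complexity, history, max_age_days, min_age_days,
             lockout_threshold, lockout_minutes, reversible=False):
    """LDIF creating a PSO in CN=Password Settings Container,CN=System.

    applies_to: DNs of global groups or users. max_age_days=None means
    never expires. Lower precedence wins when several PSOs apply to one
    user. The ten msDS-* settings are mandatory on msDS-PasswordSettings.
    """
    if precedence < 1:
        raise ValueError("precedence must be a positive integer")
    if max_age_days is not None and min_age_days > max_age_days:
        raise ValueError("minimum password age cannot exceed maximum age")
    max_age = NEVER if max_age_days is None else ad_interval(days=max_age_days)
    flag = lambda b: "TRUE" if b else "FALSE"
    lines = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        f"msDS-PasswordReversibleEncryptionEnabled: {flag(reversible)}",
        f"msDS-PasswordHistoryLength: {history}",
        f"msDS-PasswordComplexityEnabled: {flag(complexity)}",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {ad_interval(days=min_age_days)}",
        f"msDS-MaximumPasswordAge: {max_age}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {ad_interval(minutes=lockout_minutes)}",
        f"msDS-LockoutDuration: {ad_interval(minutes=lockout_minutes)}",
    ]
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]
    return "\n".join(lines) + "\n"
```

Write the returned text to a file and import it with ldifde -i -f <file> as a Domain Admin; a second PSO with a lower precedence value for the end-user group takes priority where the two overlap.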

#5 – Active Directory Rights Management Services
If you have ever worked with Rights Management Services (RMS) in the past, you know it was difficult to install, difficult to manage, and difficult to use in a federated environment. It didn’t let you set permissions for delegated administration, it didn’t work well with mobile devices and it didn’t support non-Microsoft applications. Since RMS was a separate download, it also seemed like an add-on product to the OS. In WS08, most of that has changed with Active Directory Rights Management Services (AD RMS).

In WS08, AD RMS comes with the OS and you can add it as a server role. It also gives you the ability to manage the RMS installation through an MMC interface rather than the management website of the past. Since it supports federation with Active Directory Federation Services (ADFS), companies can share protected documents amongst their federated partners. ADFS must, however, be set up before AD RMS, and you must use the Vista RMS client or the RMS SP2 client.

Additionally, installation is now easier because the AD RMS servers can “self-sign” their server licensor certificate (SLC) rather than contacting Microsoft to have the SLC assigned. Delegated administration has been greatly improved with the addition of four new AD RMS groups that have different permissions based on the specific role being performed. Unfortunately, mobile devices still have issues with AD RMS if they are not running Windows Mobile 6, and third-party application support remains an issue without third-party add-ons.

The theme for Microsoft’s recent Windows Server 2008 launch in Los Angeles was “Heroes Happen {Here},” and ensuring that WS08 is deployed effectively with the security features mentioned will allow any IT organization to become the “hero” of their enterprise. To find out more about any of the topics mentioned above, visit the Windows Server 2008 Reviews Guide and Microsoft TechNet. Both sources provide full accounts of the new and improved features and functionality.

About the Author: Rich Getteau is NetIQ's Domain Expert on Windows, AD and Messaging

Comments (1)
written by gtkwatkins, June 13, 2008
Brilliant article. I would like to see more stuff written by this guy. He really knows his stuff.