Microsoft Server 2008

Security and Policy Enforcement

Protecting the network is one of the toughest challenges in IT today. Network administrators must establish and enforce security policies that provide robust protection while being flexible enough to accommodate the connectivity needs of a growing number of internal and external users, device types, system configurations, and network connection types. In addition to several enhancements to Active Directory which help make Identity and Access Management more efficient, Windows Server 2008 includes several additional security and policy enhancements:

Network Policy and Access Services

Network Policy and Access Services in Windows Server 2008 delivers a variety of methods to help provide users with secure local and remote network connectivity, connect network segments, and allow network administrators to centrally manage network access and client health policies. With Network Access Services, you can more securely deploy virtual private network (VPN) servers, dial-up servers, routers, and 802.1X-protected wireless access. You can also deploy RADIUS servers and proxies, and use the Connection Manager Administration Kit to create remote access profiles that allow client computers to safely connect to your network.

Network Policy and Access Services in Windows Server 2008 provides the following network connectivity solutions:

  • Network Access Protection. Network Access Protection (NAP) is a new client health policy creation, enforcement, and remediation technology that is included in the Windows Vista Business, Windows Vista Enterprise, and Windows Vista Ultimate operating systems, and in the Windows Server 2008 operating system. With NAP, administrators can establish and automatically enforce health policies which can include software requirements, security update requirements, required computer configurations, and other settings. See below for more information about NAP.
  • Highly Secure Wireless and Wired Access. When you deploy 802.1X wireless access points, highly secure wireless access provides wireless users with a security-enhanced, password-based authentication method that is easy to deploy. When you deploy 802.1X authenticating switches, wired access helps you to secure your network by ensuring that intranet users are authenticated before they can connect to the network or obtain an IP address using Dynamic Host Configuration Protocol (DHCP).
  • Remote Access Solutions. With remote access solutions, you can provide users with VPN and traditional dial-up access to your organization’s network. You can also connect branch offices to your network with VPN solutions, deploy full-featured software routers on your network, and share Internet connections across the intranet.
  • Central Network Policy Management with RADIUS Server and Proxy. Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network.

Network Access Protection

Exposure of client devices to malicious software, such as viruses and worms, continues to increase. These programs can gain entry to an unprotected or incorrectly configured host system, and then use this system as a staging point to propagate to other devices on the corporate network. Network Access Protection (NAP) from Microsoft gives network administrators a new platform to mitigate this threat. NAP is a new set of operating system components, included with Windows Server 2008 and Windows Vista, that helps ensure that client computers on a private network meet administrator-defined requirements for system health.

NAP enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. Depending on how NAP is deployed, noncompliant clients can be quarantined or automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.

With NAP, administrators can do the following:

  • Help ensure the ongoing health of desktop computers on the LAN that are configured for DHCP or that connect through 802.1X authenticating devices, or that have NAP IPsec policies applied to their communications.
  • Enforce health requirements for roaming laptops when they reconnect to the company network.
  • Verify the health and policy compliance of unmanaged home computers that connect to the company network through a VPN server running Routing and Remote Access (RRAS) service.
  • Determine the health and restrict access of visiting laptops brought to an organization by partners and other guests.

Designed for flexibility, NAP can interoperate with any vendor’s software that provides a System Health Agent (SHA) and System Health Validators (SHVs). NAP also includes an API set for developers and vendors to build their own components for network policy validation, ongoing compliance, and network isolation. Examples of third-party solutions that work with Network Access Protection include antivirus, patch management, VPN, and networking equipment.

Windows Firewall with Advanced Security

Beginning with Windows Vista and Windows Server 2008, configurations of both Windows Firewall and Internet Protocol security (IPsec) are combined into a single tool, the Windows Firewall with Advanced Security MMC snap-in. On by default, Windows Firewall with Advanced Security consolidates and enhances two functions that were managed separately in previous versions of Windows:

  • Filtering of all IP version 4 (IPv4) and IP version 6 (IPv6) traffic entering or leaving the system. By default, all incoming traffic is blocked unless it is a response to a previous outgoing request from the computer (solicited traffic) or unless it is specifically allowed by a rule created to allow that traffic. By default, all outgoing traffic is allowed, except for service hardening rules that prevent standard services from communicating in unexpected ways. You can choose to allow traffic based on port numbers, IPv4 or IPv6 addresses, the path and name of an application, the name of a service that is running on the computer, or other criteria.
  • Protecting network traffic entering or exiting the computer by using the IPsec protocol to verify the integrity of the network traffic, to authenticate the identity of the sending and receiving computers or users, and to optionally encrypt traffic to provide confidentiality.
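
The default filtering behavior described in the first bullet can be sketched as a small decision model. This is an added example, not Microsoft code or part of the original page: the class names, sample rules and addresses are constructed, an outbound block rule stands in for a service hardening rule, and giving block rules priority over allow rules is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected host
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int

@dataclass(frozen=True)
class Rule:             # hypothetical rule shape for this model
    direction: str
    action: str                          # "allow" or "block"
    proto: str
    local_port: Optional[int] = None     # None matches any port
    remote_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.local_port in (None, p.local_port)
                and self.remote_port in (None, p.remote_port))

class HostFirewall:
    def __init__(self, rules=()):
        self.rules = list(rules)
        self.flows = set()               # connections this host initiated

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.local_port, p.remote_ip, p.remote_port)
        if any(r.action == "block" and r.matches(p) for r in self.rules):
            return "block"               # model assumption: explicit block wins
        if p.direction == "out":
            self.flows.add(flow)         # remember it so the reply is solicited
            return "allow"               # default outbound policy
        if flow in self.flows:
            return "allow"               # response to an earlier outgoing request
        if any(r.action == "allow" and r.matches(p) for r in self.rules):
            return "allow"               # explicitly permitted inbound traffic
        return "block"                   # default inbound policy

def demo():
    fw = HostFirewall([Rule("in", "allow", "tcp", local_port=443),
                       Rule("out", "block", "udp", remote_port=1900)])
    packets = [                          # constructed sample traffic
        Packet("in", "tcp", 445, "10.0.0.5", 51000),        # unsolicited
        Packet("out", "tcp", 49152, "203.0.113.10", 443),   # host-initiated
        Packet("in", "tcp", 49152, "203.0.113.10", 443),    # its reply
        Packet("in", "tcp", 49152, "198.51.100.7", 443),    # other host, no flow
        Packet("in", "tcp", 443, "10.0.0.5", 51001),        # matches allow rule
        Packet("out", "udp", 50000, "10.0.0.9", 1900),      # blocked outbound
    ]
    return [fw.decide(p) for p in packets]
```
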

In previous versions of Windows, implementations of server or domain isolation sometimes required the creation of a large number of IPsec rules to make sure that required network traffic was protected while still permitting required network traffic that could not be secured with IPsec. This complexity is eased in Windows Server 2008 by a new default behavior that results in a more secure and easier-to-troubleshoot environment.

 
©Copyright 2009  Antenna Systems & Solutions, Inc. All Rights Reserved. All trademarks are properties of their respective owners.

 
