BitLocker Full-Drive Encryption

BitLocker is a full-drive encryption solution that first debuted in Vista as a way to protect data stored on easily lost and stolen executive notebook computers. It requires hardware based on Trusted Platform Module 1.2 to store encryption keys and can be configured via Group Policy. What’s unique about BitLocker is that, unlike other disk encryption solutions, it protects both online and offline volumes and includes boot-time protection as well.
On the server, BitLocker is particularly valuable for machines stored in branch offices, because those servers are often less well physically protected than the machines back in the home office. If a thief walks off with a BitLocker-protected server, he or she won’t be able to access any of the data stored on the system’s hard drives. BitLocker also works really well with some of the other technologies discussed here, including the read-only domain controller (which follows), to create a truly secure and useful branch office solution.
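The article states that BitLocker depends on a TPM 1.2 chip and protects whole volumes; the following added example (not from the article) audits a server for both, using the WMI classes that ship with Vista and Server 2008 rather than later BitLocker cmdlets. It assumes an elevated PowerShell session on the server being checked.

```powershell
# Added example, not from the article: verify TPM presence and per-volume
# BitLocker protection state on a branch server. Run elevated.

# TPM state from the Win32_Tpm WMI class (present since Vista/Server 2008)
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Warning 'No TPM found: BitLocker cannot keep its keys in hardware on this machine.'
} else {
    # Each method returns an object carrying the out-parameter of the same name
    $enabled   = ($tpm.IsEnabled()).IsEnabled
    $activated = ($tpm.IsActivated()).IsActivated
    $owned     = ($tpm.IsOwned()).IsOwned
    "TPM spec version {0}: enabled={1} activated={2} owned={3}" -f `
        $tpm.SpecVersion, $enabled, $activated, $owned
}

# Per-volume protection state from Win32_EncryptableVolume
# ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume
foreach ($v in $volumes) {
    $state = switch ($v.ProtectionStatus) { 0 { 'OFF' } 1 { 'ON' } default { 'UNKNOWN' } }
    "{0} BitLocker protection: {1}" -f $v.DriveLetter, $state
    if ($v.ProtectionStatus -ne 1) {
        Write-Warning "$($v.DriveLetter) is not protected; data on it is readable if the server is stolen."
    }
}
```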
Read-Only Domain Controller

RODC is new functionality that gives administrators the option to configure the AD database as read-only, which means only locally cached user passwords are stored on the machine and AD replication is unidirectional rather than bidirectional.
So why would you want to do this? Today, many organizations are installing servers in branch offices and other remote locations, and these servers often connect back to the home office using slow or unreliable WAN links. That makes AD replication—and even authentication—an arduous and lengthy process. With RODC, the server is typically set up and configured in the home office, shipped to the remote location, and then switched on.
Like BitLocker, RODC is an excellent solution for physically insecure remote servers. Indeed, if you combine RODC with other new Server 2008 technologies such as BitLocker and Server Core, you can configure the most secure remote server possible. That way, even hackers who gain physical control of the server can’t take over your network. And removing the stolen RODC from your AD is as simple as checking a switch: Only those users who logged on to that machine will need to change their passwords. You won’t have to institute an organization-wide emergency, because only local accounts will have been cached on that machine.
RODC is somewhat limited in that it can only support a subset of the roles and functionality normally supported on Server 2008. For example, while RODC-based servers can support technologies such as Active Directory Federation Services (ADFS), DHCP, DNS, Group Policy, DFS, Microsoft Operations Manager (MOM), and Microsoft Systems Management Server (SMS), they don’t support such technologies as Microsoft Exchange.
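The article’s point that a stolen RODC only exposes the accounts cached on it is something an administrator can check in advance; the following added example (not from the article) lists exactly those accounts for a given RODC. It assumes the ActiveDirectory PowerShell module (shipped with Server 2008 R2 and the matching RSAT) and uses a placeholder RODC name.

```powershell
# Added example, not from the article: enumerate the accounts whose secrets an
# RODC has cached, i.e. the only accounts needing a password reset if that
# server is stolen. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'   # placeholder: replace with the RODC's computer name

# Accounts whose password hashes the RODC has actually cached ("revealed")
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# Accounts that have authenticated through this RODC (cached or forwarded to a writable DC)
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Keep a record so the reset list is ready before an incident, not after
$revealed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path ".\$rodc-cached-accounts.csv" -NoTypeInformation

"{0}: {1} account(s) cached, {2} account(s) authenticated via this RODC" -f `
    $rodc, @($revealed).Count, @($authenticated).Count
```

Keeping the cached-account count small (through the RODC’s password replication policy) is what limits the blast radius the article describes.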
Microsoft Internet Information Services 7.0

The new Web server in Server 2008 is driven by a major new update to Microsoft Internet Information Services (IIS). Like the server itself, IIS 7.0 is completely componentized so that only those components needed for the desired configuration are installed and, thus, need to be serviced. It sports a drastically improved management console, supports Xcopy Web-application deployment and delegated administration, and is backed by a new XML-based configuration store, which replaces the previous monolithic configuration store.
Terminal Services

You’ll see some major changes in Terminal Services in Server 2008. The new Terminal Services RemoteApp (TS RemoteApp) functionality lets admins remotely deploy individual application windows to desktops instead of entire PC environments with separate PC desktops, which can be confusing to users. These applications download and run on user desktops and, aside from the initial logon dialog box, function and look almost exactly as they would were they installed locally. This functionality requires the new Remote Desktop client, which shipped in Vista and can be downloaded for Windows XP SP2 and above (for more information see the Microsoft download site at www.microsoft.com/downloads).
TS Gateway lets you tunnel Terminal Services sessions over HTTPS outside the corporate firewall, so that users can access their remote applications on the road without having to configure a VPN client. This is particularly useful because VPN connections are often blocked at wireless access points, whereas HTTPS rarely is.
Terminal Services offers a few small but useful changes as well. These include TS Easy Print, which makes it easy to print to local printers from remote sessions, 32-bit color support in Terminal Services sessions, and seamless copy-and-paste operations between the host OS and remote sessions.
Network Access Protection

Microsoft first planned to ship simple and easily configurable network quarantining functionality in Windows 2003, and it’s here at last in Server 2008 with Network Access Protection (NAP). This DHCP-based feature lets you set up security policies for your network: When a client system connects, NAP examines the device to make sure it meets the requirements of your security policies. Those that do are allowed online. Those that do not—typically machines that only connect infrequently to the network, such as those used by travelling employees—are pushed aside into a quarantined part of the network, where they can be updated. How these updates happen depends on the configuration of your environment, but once that’s complete, the system is given full access again and allowed back on the network.
NAP includes remediation failback to Windows Update or Microsoft Update if the local Windows Server Update Services (WSUS) server is unavailable, and it’s compatible with Cisco’s Network Admission Control (NAC) quarantining technologies. This is important for corporations that have standardized on Cisco’s technologies and for those who need something more than Microsoft’s DHCP-based approach to quarantining.