Windows Server 2012 doubles down on security

From UEFI to full-disk encryption to improvements in IIS, Windows Server 2012's security features alone provide reason enough to upgrade

With the shift to the new Metro user interface, a lot of people are wondering if Windows 8 is right for them. Those considering an upgrade to Windows Server 2012 should have no such hesitation. As InfoWorld's Oliver Rist said in June: "When Microsoft calls this a 'major' release, the company isn't kidding. Windows Server 2012 really does change the game, and that's across all roles: file sharing, identity, storage, virtual desktop infrastructure, and certainly server virtualization and cloud."

I would add that security improvements alone may justify the purchase for many enterprises. Here's a quick walkthrough of the significant new security features found in Windows Server 2012.

True UEFI and Secure Boot
Like Windows 8, Windows Server 2012 has replaced the traditional ROM-BIOS with the new and improved industry boot standard known as UEFI (Unified Extensible Firmware Interface). Microsoft is using the security-hardened 2.3.1 version, which prevents boot code updates without appropriate digital certificates and signatures. Windows 8 and Windows Server 2012 go further and pick up the trustworthy and verified boot process, extending it to the entire Windows OS boot code with a feature known as Secure Boot. Taken together, UEFI and Secure Boot significantly reduce the risk of malicious code, such as rootkits and boot viruses, from taking control of the operating system.

Data center-ready BitLocker drive encryption
BitLocker is finally usable on server systems. Prior to Windows Server 2012, implementing BitLocker on a server meant using either Trusted Platform Module (TPM) chip-only mode, which is the weakest protector in the many offered, or required that a server administrator be present for each boot with a PIN, password, or USB key. That doesn't work so well in a lights-out data center.

A few new BitLocker protectors were added in Windows Server 2012 (and Windows 8) to allow server administrators to enable disk encryption without all the hassles. In particular, many administrators will love the network protector mode, which will automatically unlock the encrypted disk as long as the server is network connected and joined to its normal Active Directory (AD) domain.

But enhanced BitLocker goes even further, with support for hardware encrypted disks (known as SED and ED disks), AD account or group protectors, and cluster-aware encryption that allow the disk to properly failover and be unlocked to any member computer of the same cluster. With these new enterprise-intended features, Windows Server 2012 will be far easier to encrypt with BitLocker than its predecessor.

Early Launch Anti-Malware
Another Windows Server 2012 feature shared with Windows 8, ELAM (Early Launch Anti-Malware) ensures that only known, digitally signed antimalware programs can load right after Secure Boot finishes (although it does not require UEFI or Secure Boot). This way, legitimate antimalware programs can get into memory and start doing their job before fake antivirus programs or other malicious code. Prior to ELAM, a malicious program could do "interrupt or vector chaining" and load before other legitimate programs, thus allowing them to lie to the operating system or antimalware programs.

DNSSEC
It's no exaggeration to say that DNS resolution without DNSSEC is not trustworthy. DNSSEC requires that authoritative DNS servers sign their responses and prove that they own the zone by handing out digital certificates and digitally signed records.

Windows Server 2008 R2 (and Windows Vista and later clients) had DNSSEC capabilities, but they did not interoperate well with non-Microsoft platforms. Since every DNS server in the chain of a resolution request must be running interoperable DNSSEC, and most of the Internet does not run Microsoft DNS or DNSSEC, this was a problem. Windows Server 2012 solves it, not only making DNSSEC interoperable (supporting the latest RFCs and crypto), but also significantly easier to configure.

To put it bluntly, configuring DNSSEC in Windows Server 2008 R2 was a nightmare! It required superlong command-prompt commands, only worked with static zones, and required re-signing anytime a record was updated. Now DNSSEC is GUI-rich and Active Directory integrated, with automated re-signing. DNSSEC is so significantly updated and easy to use that I expect most enterprises to be enabling it along with their first few Windows Server 2012 DNS servers. There's no reason not to now.

Data classification
Documents can be automatically classified according to their contents or Active Directory attributes. These classifications can then be used in conjunction with other Windows Server 2012 features that are now classification-aware. For example, the Rights Management Service can automatically encrypt documents that contain certain content or classifications. You can even automatically control which users and groups can access which documents based upon content or classification. This is neat stuff, and it's all built-in.

Dynamic Access Controls and Expression-Based Authorization Rules
Windows Server 2012 features very advanced file and folder permissions, especially in the form of Dynamic Access Controls, Claims, Expression-Based Access Control Entries, and Centralized Authorization and Auditing Rules (known as Central Access Policies).

First, nearly any object -- such as a user, group, computer, and so on -- can have or be given one or more attributes known as claims. Claims are something you either are ("I'm a Dell laptop with MAC address of 00-aa-00-62-c2-06") or any attribute associated or assigned to an object ("a manager in the finance group working from home"). These claims can then be used for authentication and authorization.

For example, only finance users working from home on Microsoft Surface Pro or iMac devices can use the private VPN and access the finance SharePoint server, and within it, only documents with "medium" or lower data classification. Perhaps finance documents with a "high" data classification require users to be onsite using domain-joined and controlled computers. Security decisions support Boolean logic. Compare that to the pre-Windows Server 2012 method where you could only define security decisions based upon the user account and their group memberships.

Kerberos improvements
Kerberos has proven itself to be a robust and secure authentication protocol. Windows Server 2012 improves it for simpler use. Not only does Kerberos support claims and cross-forest (and cloud) authentication, but DCs automatically do group compression and the maximum Kerberos ticket size has been increased to 48KB. Prior to Windows Server 2012, it was easy for users belonging to more than a 100 groups to create something called token bloat, which caused authorization problems. Kerberos Constrained Delegation has been improved to work across domains and forests. Prior to Windows Server 2012, constrained delegation required the front- and back-end servers to be in the same domain. Lastly, Kerberos now supports RFC 6113, otherwise known as Kerberos armoring. Essentially, a protected channel is created between domain-joined clients and the domain controller to protect pre-authentication data, which makes Kerberos even harder to hack.

Group Managed Service Accounts
Managed Service Accounts (MSAs) were introduced in Windows Server 2008 R2. Once these new service accounts are created in AD, they can be attached to particular computers and services to become self-maintaining service accounts, which have extremely long passwords that automatically reset every 30 days (along with machine password changes).

Windows Server 2012 improves MSAs in several ways. Windows 2012 debuts Group Managed Service Accounts (gMSAs), which introduce a new type of security principal. Using them, a single gMSA can be shared across multiple computers. Previously it was one MSA per computer. MSAs and gMSAs require a schema update, and gMSAs only work on Windows 8 and Windows Server 2012 services. MSAs now also have some support for clustering and load balancing.

Internet Information Service 8
Internet Information Service (IIS) 8 contains many new security improvements, especially around automated security responses and multitenancy protections. Dynamic IP Restrictions is a feature that allows IIS to automatically block abusive IP addresses based upon predefined conditions, such as concurrency or frequency of HTTP requests. This applies to FTP logons as well. In IIS 7, IP address restriction was static and manual. IIS 8 also works harder to sandbox individual applications into multitenancy security sandboxes.

GUI-based, fine-grained password policies
In Windows Server 2003 and before, password policy could only be set locally and at the domain level. This was a severe pain if you wanted to set one password policy for one group of users and another for other users -- for example, to require that Domain Admins use 15-character passwords, while regular user accounts needed only 12 characters.

Windows Server 2008 introduced FGPP (Fine Grained Password Policy), which allowed the creation and enforcement of different password policies below the domain level. Unfortunately, in Windows Server 2008, this could only be accomplished using special Active Directory editing tools and PowerShell.

Windows Server 2012 offers its own FGPP GUI under the new Active Directory Administrative Center, which also houses the Active Directory Recycle Bin and the Active Directory PowerShell Viewer; it essentially replaces Active Directory Users and Computers. It makes creating FGPP a piece of cake -- and it's easier to work with, which means more companies will use it. You can also right-click a user and find the resulting password policy (called Resultant Password Settings), which is great if multiple FGPP policies have been applied to a single user.

There are many other features sure to delight security administrators, including PowerShell 3.0 (with more than 2,000 cmdlets), the ability to load and unload a GUI on server core versions, and multiple, significant improvements in availability and clustering.

All told, Windows Server 2012 has hundreds of new security features, far more than can be covered here. It's a whale of an upgrade across the board -- and it takes security to the next level.

Copyright © 2012 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!