Steve Lamb's Blog

Security Matters

What is the best security feature of Windows Server 2008?


There are plenty to choose from including the following:

  • Read-Only Domain Controller (RODC)
  • BitLocker Drive Encryption on the server
  • Active Directory Rights Management Services (AD RMS)
  • Active Directory Certificate Services (AD CS)
  • Integrated firewall (Windows Firewall with Advanced Security) with a task-based interface for IPsec policy
  • Architectural improvements
  • Increased scope of Active Directory Group Policy

My personal favourite new security feature is Network Access Protection (NAP). It can fundamentally change the threat landscape for managed machines on your network, because machines that fail to meet health policy can be prevented from communicating with those that are compliant. NAP is a feature of the network infrastructure as a whole rather than of a single server role, and client support spans Windows XP SP3 (due soon), Windows Vista and Windows Server 2008, so you do not have to replace your entire infrastructure to take advantage of it.

NAP can enforce health-policy compliance at the following points of entry:

  • Remote access (VPN or dial-up)
  • DHCP address assignment
  • IPsec (compliant hosts only accept connections from peers that hold a health certificate)
  • 802.1X port-based authentication (wired or wireless); NAP can also integrate natively with Cisco's Network Admission Control (NAC)

One of the best aspects of NAP is auto-remediation: a client that fails policy can be brought back into compliance without user intervention. You can also define exemption policy for machines that are not NAP-capable so that they can still access corporate resources seamlessly. I expect that the open source community may provide NAP client support at some point too.

There is a wide range of options for remediation, including System Center Configuration Manager and Microsoft Forefront, and a very large number of third-party security products integrate with NAP for both health assessment and remediation.

I strongly encourage you to deploy NAP in reporting mode in the first instance, so that you can assess how many client connection requests would be declined for failing the stated policy. Once a high enough percentage of your machines comply, consider moving to enforcement mode.
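The decision flow described above (health evaluation, auto-remediation, an exemption for machines that cannot present a statement of health, and reporting mode versus enforcement mode) as a simplified model in Python. This is an added illustration, not NAP's own code or any Microsoft API: the policy item names, the set of auto-remediable items, the sample fleet and the 95% readiness threshold are all this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class StatementOfHealth:
    """What a client's health agent reports (the SoH). Constructed for this example."""
    client: str
    nap_capable: bool                     # False for machines with no NAP agent at all
    claims: Dict[str, bool] = field(default_factory=dict)


@dataclass
class Decision:
    client: str
    exempt: bool            # NAP-ineligible machine admitted by exemption policy
    compliant: bool
    failures: List[str]
    remediated: List[str]
    network: str            # "full" or "restricted"
    would_restrict: bool    # what enforcement mode would have done (useful in reporting mode)


# Health requirements, modelled on the kinds of checks a security health validator
# makes. The names are this example's own, not NAP's.
HEALTH_POLICY = [
    "firewall_enabled",
    "antivirus_enabled",
    "antivirus_signatures_current",
    "automatic_updates_enabled",
    "security_updates_installed",
]

# Assumption: these can be fixed by a remediation server without the user;
# a missing AV product or missing security updates is assumed to need more.
AUTO_REMEDIABLE = {"firewall_enabled", "automatic_updates_enabled", "antivirus_signatures_current"}


def validate(soh: StatementOfHealth) -> List[str]:
    """Return the policy items the SoH fails. A claim that is not reported fails closed."""
    return [item for item in HEALTH_POLICY if not soh.claims.get(item, False)]


def remediate(soh: StatementOfHealth, failures: List[str]) -> List[str]:
    """Simulate auto-remediation: mark remediable failures fixed, return what was fixed."""
    fixed = [item for item in failures if item in AUTO_REMEDIABLE]
    for item in fixed:
        soh.claims[item] = True
    return fixed


def decide(soh: StatementOfHealth, mode: str, auto_remediate: bool = True) -> Decision:
    """Evaluate one client. mode is 'reporting' or 'enforcement'."""
    if mode not in ("reporting", "enforcement"):
        raise ValueError(mode)
    if not soh.nap_capable:
        # Exemption policy for machines that cannot present a SoH.
        return Decision(soh.client, True, False, [], [], "full", False)
    failures = validate(soh)
    remediated = remediate(soh, failures) if auto_remediate else []
    failures = validate(soh)                      # re-check after remediation
    compliant = not failures
    network = "restricted" if (mode == "enforcement" and not compliant) else "full"
    return Decision(soh.client, False, compliant, failures, remediated, network, not compliant)


def fleet_report(fleet: List[StatementOfHealth], mode: str) -> dict:
    """Summarise a fleet: compliance rate and who would be (or was) restricted."""
    decisions = [decide(soh, mode) for soh in fleet]
    evaluated = [d for d in decisions if not d.exempt]
    compliant = [d for d in evaluated if d.compliant]
    rate = len(compliant) / len(evaluated) if evaluated else 1.0
    return {
        "mode": mode,
        "compliance_rate": rate,
        "would_restrict": [d.client for d in evaluated if d.would_restrict],
        "restricted": [d.client for d in decisions if d.network == "restricted"],
        "exempt": [d.client for d in decisions if d.exempt],
        "remediated": {d.client: d.remediated for d in evaluated if d.remediated},
    }


def ready_for_enforcement(report: dict, threshold: float = 0.95) -> bool:
    """Switch to enforcement only once enough machines comply (threshold is an assumption)."""
    return report["compliance_rate"] >= threshold


def sample_fleet() -> List[StatementOfHealth]:
    """Constructed sample clients, not data from any real network."""
    healthy = {item: True for item in HEALTH_POLICY}
    return [
        StatementOfHealth("ws-01", True, dict(healthy)),
        StatementOfHealth("ws-02", True, {**healthy, "firewall_enabled": False}),
        StatementOfHealth("ws-03", True, {**healthy, "security_updates_installed": False}),
        StatementOfHealth("ws-04", True, {**healthy, "antivirus_enabled": False,
                                          "antivirus_signatures_current": False}),
        StatementOfHealth("printer-01", False),
    ]


if __name__ == "__main__":
    for mode in ("reporting", "enforcement"):
        r = fleet_report(sample_fleet(), mode)
        print(f"{mode}: {r['compliance_rate']:.0%} compliant, restricted={r['restricted']}, "
              f"would_restrict={r['would_restrict']}, ready={ready_for_enforcement(r)}")
```

In reporting mode every evaluated client lands on the full network, but `would_restrict` records which ones enforcement would have quarantined; that list, not the raw pass rate, is what you act on before flipping the mode. Note that a claim the client does not report at all is treated as a failure, so an agent that silently drops a check cannot pass by omission.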

I will explain much more soon.

Comments
  • Steve, will this be covering more than your presentation at the 2008 launch last week? I was very keen to learn more, as you gave a great insight into NAP!!!

  • Tim> Thank you. YES - what would you like to know?

    I'm also covering it on our upcoming launch tour taking place in 5 cities across the UK from April to May.

  • Hi Steve,

    This for me was the highlight of the event, well maybe 2nd to the free smoothies but never mind.

    We would like to know more about NAP, I love the aspect "Sorry guv, not with that AVG crap, you're not coming in".

    Could you give me a link or dates for when the launch tour is coming up north?

    Thanks a lot!

  • Hi Steve,

    I have to say NAP was a highlight of the event.

    Well, maybe 2nd to the free smoothies. Anyway, I love the aspect of "Sorry guv, you're not coming in with that AVG crap".

    Could you give me a link or any dates as to when you're coming up north with the launch tour?

    Thanks a lot!

  • Hi Steve,

    NAP is very high on my list of new features to play with especially as it would be integrated in a Cisco NAC.

    Do you know as to whether or not places are still available for the upcoming launch tour?

    Thanks and am really looking forward to future NAP blogs.

    P.S. Where did you take the photo of the "don't touch anything as it might explode" sign? :-)

  • Steve, you talked about policy compliance and in your demo you detailed this by taking the firewall offline. What I'm keen to know is how granular you can go with the NAP policies, and also, forgive me if I am wrong, but can this cover devices plugged into the workstation such as removable storage devices?

    One more question, do you know of any implementations of NAP with Cisco NAC?

    Many thanks!

  • Matt> thank you for your kind words. I'll blog about the dates for the tour

  • David> There are some places available - few and far between for some venues.

    I'll address your interest in NAP/NAC in posts over the next few weeks.

    I took the photo on Salisbury Plain on the tank range on a bank holiday weekend whilst on a Jeep Club outing - my best friend owns a Jeep that he foolishly let me drive!

  • Tim> I'll go into more detail in posts over the next couple of weeks.

    You can go as granular as the Health validator (on the client) will allow - that's entirely dependent upon whoever writes it. The Microsoft SHVs don't cover removable storage devices BUT YOU COULD (or someone could) easily extend it.

    I don't know of a live mixed production environment but I'm sure they exist - I'll dig and share what I can.

  • The best place to start is the Network Access Protection (NAP) "landing page" on the Microsoft website.
