What is the best security feature of Windows Server 2008?

There are plenty to choose from including the following:

  • Read Only Domain Controller
  • BitLocker on the server
  • Active Directory Rights Management
  • Active Directory Certificate Services
  • Integrated firewall with IPSec task based interface
  • Architectural improvements
  • Increased scope of Active Directory Group Policy

My personal favourite new security feature is Network Access Protection (NAP). This technology can fundamentally change the threat landscape experienced by managed machines on your network, because you can prevent machines that fail to meet policy from connecting to those that are compliant. It is a fundamental feature of the entire network infrastructure and is available on clients from XP SP3 (due soon) through Vista and Server 2008, so you don't have to change your entire infrastructure to take advantage of NAP.

NAP can enforce policy compliance for the following points of entry:

  • Remote Access (VPN or dial up)
  • DHCP
  • IPSec
  • Port-based authentication - NAP can integrate natively with Cisco's Network Admission Control (NAC).

One of the best aspects of NAP is the ability to automatically bring clients into compliance without user intervention. You can also define policy for machines that are not currently NAP-aware and enable them to seamlessly access corporate resources. I expect that the open source community may provide NAP support at some point too.

There is a wide range of options for remediation, including System Center Configuration Manager and Microsoft Forefront. A very large number of third-party security products integrate too, both for assessment and for remediation.

I strongly encourage you to deploy NAP in "reporting mode" in the first instance to assess how many client connection requests would be declined due to failure to comply with the stated policy. Once a high enough percentage of your machines comply, consider moving into enforcement mode.
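As an added example that is not part of the original post, the following Python simulates the reporting-mode assessment described above: it evaluates constructed client statements of health against a health policy, separates clients that would be brought into compliance automatically from those that would be declined, treats non-NAP-aware machines as covered by an exception policy, and reports the pass rate used to decide whether enforcement mode is warranted. The record format, check names and threshold are assumptions for illustration, not the real NPS/NAP log schema.

```python
# Constructed sample: one statement of health (SoH) record per client, as an
# assessment might log it. The field names and values are an assumption for
# this example, not the real NPS/NAP log schema.
CONSTRUCTED_SOH_LOG = """\
client=PC-001 nap_capable=yes firewall=on av_signatures=current windows_update=on
client=PC-002 nap_capable=yes firewall=off av_signatures=current windows_update=on
client=PC-003 nap_capable=yes firewall=on av_signatures=stale windows_update=off
client=PRINTER-01 nap_capable=no
client=PC-004 nap_capable=yes firewall=on av_signatures=current windows_update=on
"""

# Health policy: every check must pass. Checks listed as auto-remediable can be
# corrected on the client without user intervention (e.g. turning the firewall on).
REQUIRED = {"firewall": "on", "av_signatures": "current", "windows_update": "on"}
AUTO_REMEDIABLE = {"firewall", "av_signatures"}

def parse_soh(text):
    """Parse key=value records, one client per line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(kv.split("=", 1) for kv in line.split()))
    return records

def evaluate(record, exempt_non_nap_capable=True):
    """Return (verdict, failed_checks) for one client's statement of health."""
    if record.get("nap_capable") != "yes":
        # Non-NAP-aware machines can be granted access by an exception policy.
        return ("exempt" if exempt_non_nap_capable else "noncompliant", [])
    failed = [check for check, want in REQUIRED.items() if record.get(check) != want]
    if not failed:
        return ("compliant", [])
    if all(check in AUTO_REMEDIABLE for check in failed):
        return ("remediable", failed)   # would be fixed automatically, then admitted
    return ("noncompliant", failed)     # would be declined in enforcement mode

def reporting_mode_summary(text, exempt_non_nap_capable=True):
    """Count verdicts and compute the share of evaluated clients that would pass."""
    counts = {"compliant": 0, "remediable": 0, "noncompliant": 0, "exempt": 0}
    for record in parse_soh(text):
        counts[evaluate(record, exempt_non_nap_capable)[0]] += 1
    evaluated = counts["compliant"] + counts["remediable"] + counts["noncompliant"]
    passing = counts["compliant"] + counts["remediable"]
    return counts, (passing / evaluated if evaluated else 0.0)

def ready_for_enforcement(text, threshold=0.95):
    """True once the reporting-mode pass rate reaches the chosen threshold."""
    return reporting_mode_summary(text)[1] >= threshold
```

On the constructed sample, three of four evaluated clients would end up admitted (one after automatic remediation), so the 75% pass rate falls short of a 95% threshold and the script advises staying in reporting mode.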

I will explain much more soon.

Comments

  • Anonymous
    January 01, 2003
    The best place to start is the Network Access Protection (NAP) "landing page" on the Microsoft website.

  • Anonymous
    January 01, 2003
    Matt> Thank you for your kind words. I'll blog about the dates for the tour.

  • Anonymous
    January 01, 2003
    Tim> I'll go into more detail in posts over the next couple of weeks. You can go as granular as the Health Validator (on the client) will allow - that's entirely dependent upon whoever writes it. The Microsoft SHVs don't cover removable storage devices BUT YOU COULD (or someone could) easily extend it. I don't know of a live mixed production environment but I'm sure they exist - will dig and share what I can.

  • Anonymous
    January 01, 2003
    David> There are some places available - few and far between for some venues. I'll address your interest in NAP/NAC in posts over the next few weeks. I took the photo on Salisbury Plain on the tank range on a bank holiday weekend whilst on a Jeep Club outing - my best friend owns a Jeep that he foolishly let me drive!

  • Anonymous
    March 27, 2008
    Steve, will this be covering more than your presentation at the 2008 launch last week? I was very keen to learn more, as you gave a great insight into NAP!!!

  • Anonymous
    March 28, 2008
    Steve, you talked about policy compliance and in your demo you detailed this by taking the firewall offline. What I'm keen to know is how granular you can go with the NAP policies, and also, forgive me if I am wrong, but can this cover devices plugged into the workstation such as removable storage devices? One more question: do you know of any implementations of NAP with Cisco NAC? Many thanks!