Windows Server 2012 security: Is it time to upgrade?

Though it received most of the attention from the media, Windows 8 was not the only significant release by Microsoft in the fall of 2012. The Redmond giant also launched the latest version of its server software, Windows Server 2012.

Enterprises that are running the 2008 version may question whether the 2012 edition offers enough new features to make an upgrade worth the investment, and with security being a prime concern for any organization running Windows Server software, security features will receive particular scrutiny. Let's delve into the security features of Windows Server 2012 to determine whether the latest version provides enough incentive to upgrade now.

From a security perspective, Windows Server 2012 represents a big step forward, with significant new security features and improvements in areas such as authentication and identity, authorization and isolation, and data protection. Some of the new features, including Secure Boot, are shared with Windows 8. Secure Boot allows only digitally signed Unified Extensible Firmware Interface (UEFI) drivers or bootloaders to be executed when the system boots up, which prevent device takeovers by bootkits. Another feature that secures the system startup is Early Launch Anti-Malware (ELAM), which ensures that only known, digitally signed antimalware programs can load right after Secure Boot finishes. This prevents fake antivirus programs from executing during the startup process.

Windows Server 2012 is a big step up from 2008, not only in terms of security features, but also the ease with which polices can be configured and implemented.

BitLocker drive encryption is easier to use on Windows Server 2012. In network protector mode, it automatically unlocks encrypted disks as long as the server is network connected and joined to its normal Active Directory domain. The implementation of DNSSEC is now fully interoperable and more straightforward to configure. Other administrative tools, termed Solution Accelerators, provide centralized security baseline management features that make configuring security settings easier and quicker. They include Microsoft Security Assessment Tool, Microsoft Baseline Security Analyzer and Microsoft Security Compliance Manager.

Kerberos, which supports claims and cloud authentication, has also been simplified, with the interface for deploying fine-grained password policy receiving significant improvements. Managed Service Accounts are now self-maintaining with extremely long passwords that automatically reset every 30 days. For companies that run their own Web servers, Internet Information Service (IIS) 8 contains new automated security responses. For example, Dynamic IP Restrictions allow IIS to automatically block malicious IP addresses based upon predefined conditions, and there is also better sandboxing of individual applications into multi-tenancy security sandboxes.

One area of information security that most organizations struggle with is data classification, specifically with ensuring that every file has the correct security setting applied to it. Windows Server 2012 tackles this problem head on with a new authorization and audit engine. It features advanced file and folder permissions in the form of Dynamic Access Controls, claims, expression-based access control entries and centralized authorization and auditing rules (known as Central Access Policies).

Documents can be automatically classified according to their contents or Active Directory attributes. For example, the Rights Management Service can be configured to automatically encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information. Access to classified documents by devices, users and groups can be controlled based upon their attributes (known as claims), which are used for authentication and authorization.

Nearly any object, including a user, group or computer, can be assigned one or more claims, ranging from a laptop running Windows 8 with a MAC address of 00-xx-00 to a user who is a sales manager working from home. Complex rules can easily be created (e.g., sales managers can access documents with medium or lower data classifications from a Windows 8 device while working from home, but they must be onsite to access documents with a high data classification). Classifications can be used in conjunction with any Windows Server 2012 service that is classification-aware. This functionality greatly improves the effective implementation of most organizations' classification and data handling policies.

Central Access Policies are hosted in Active Directory, so it's simple to centrally deploy and manage them. It will undoubtedly take a little testing to fully appreciate the power of conditional expressions using user claims, device claims and resource properties, but they make granular control of enterprise data a reality.

While individual circumstances must always be accounted for when considering an upgrade, Windows Server 2012 is a big step up from 2008, not only in terms of security features, but also the ease with which polices can be configured and implemented. Its improved capabilities for implementing robust and correctly configured security controls make life a lot harder for would-be attackers. Microsoft's latest server software certainly checks the right boxes when it comes to security and a strong security-focused argument can be made for its early adoption.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.